CtrlK
BlogDocsLog inGet started
Tessl Logo

nitinjain999/platform-skills

Production-grade platform engineering handbook — Kubernetes, Terraform, Flux CD, GitHub Actions, AWS, and more.

64

Quality

80%

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Advisory

Suggest reviewing before use

Overview
Quality
Evals
Security
Files

checkov.mdcommands/

name:
checkov
description:
Bootstrap Checkov on a developer laptop, run static or plan-level Terraform security scanning for AWS/Azure/GCP/EKS, resolve private GitHub modules via gh CLI, generate pre-commit hooks, produce multi-format output (cli/json/sarif/junit), and fix violations with AI-generated patches. Use when asked to "scan my Terraform", "run checkov", "check my IaC for security issues", "set up checkov pre-commit", or "fix checkov findings".
argument-hint:
[static|plan|secrets|audit|multi|baseline|fix|scaffold] [path]

Bootstrap Checkov and scan Terraform code for security misconfigurations — locally, before CI catches them.

Read references/checkov.md before responding. It contains all mode logic, bootstrap steps, provider detection, and fix patterns.

Mode dispatch

Parse the first word of $ARGUMENTS as the mode. When $ARGUMENTS is empty, run the interactive wizard.

ModeWhat it does
staticScan .tf source files with --download-external-modules true
planterraform init → plan → JSON → Checkov --deep-analysis (use --upgrade flag to also upgrade providers)
secretsScan entire repo for hardcoded secrets (--framework secrets --enable-secret-scan-all-files)
auditOne-time secrets history scan across all commits (--scan-secrets-history)
multiScan Terraform + GitHub Actions + Dockerfiles + Helm in a single run
baselineCreate .checkov.baseline to snapshot existing violations
fixRe-run scan and apply AI-generated patches to .tf files
scaffoldGenerate .checkov.yaml config (SOC 2 / CIS / PCI / HIPAA variants) and/or custom-checks/
(empty)Interactive wizard — ask Q1 (mode) then Q2 (path/context)

Interactive Wizard

Q1 — Mode?

What do you need?
  1. static    — scan .tf source files  [default]
  2. plan      — terraform plan → Checkov deep analysis
  3. secrets   — scan entire repo for hardcoded secrets and tokens
  4. audit     — one-time scan of git commit history for leaked secrets
  5. multi     — scan Terraform + GitHub Actions + Dockerfiles + Helm together
  6. baseline  — snapshot existing violations (first-run brownfield)
  7. fix       — scan and apply AI-generated fixes to .tf files
  8. scaffold  — generate .checkov.yaml (SOC 2 / CIS / PCI / HIPAA) or custom-checks/

Enter 1–8 or mode name:

Q2 — Path? (ask after Q1)

Terraform root directory, or press Enter to scan current directory [default: .]:

Then proceed into the relevant mode section in references/checkov.md.

Agent behavior

Intent classification

Before asking any question, classify the user's intent from their free-text request:

Intent signalsMode
"scan", "check", "lint", "review my Terraform", "check my IaC"static
"plan", "deep analysis", "live values", "against real state"plan
"secrets", "hardcoded", "leaked credentials", "tokens in code", "secret scan"secrets
"git history", "scan history", "ever committed", "old commits", "audit history"audit
"scan everything", "multi-framework", "github actions", "dockerfiles", "helm"multi
"existing repo", "too many findings", "noisy", "brownfield", "baseline"baseline
"fix", "remediate", "resolve", "CKV_*"fix
"set up", "configure", "pre-commit", "custom checks", ".checkov.yaml", "scaffold"scaffold

Ask only for missing high-risk inputs

Do not pepper the user with questions. Only prompt for inputs where getting it wrong causes real harm:

When to askQuestion
Multiple Terraform roots detected"Which root? (1. terraform/aws/ 2. terraform/azure/ 3. All)"
Plan mode, multiple *.tfvars found"Which var file? (1. staging.tfvars 2. production.tfvars 3. None)"
Plan mode, non-default workspace detected"Currently on workspace '' — continue? (y/N)"
Fix → Apply mode"Apply these changes? (y/N)" — show unified diff first
scaffold writes a new file"Write .checkov.yaml to ? (y/N)"

Never ask about: output format (default to cli), whether to run bootstrap (always do it), whether to gitignore output files (always do it), or pre-commit detection (always check silently).

Cross-references

  • /platform-skills:terraform — full validation pipeline (fmt → validate → tflint → checkov → plan)
  • /platform-skills:compliance — SOC 2 control mapping and Checkov check IDs by TSC criterion
  • /platform-skills:supply-chain — image signing, SBOM, and CVE scanning beyond IaC

commands

awesome-docs.md

aws-profile.md

aws.md

chaos.md

checkov.md

commit.md

compliance.md

composite-actions.md

datadog.md

debug.md

document.md

dora.md

dynatrace.md

fluxcd.md

gitops.md

helmcheck.md

karpenter.md

keda.md

kyverno.md

linkerd.md

linux.md

mcp.md

observability.md

opa.md

pr-review.md

product.md

renovate.md

review.md

runtime-security.md

self-improve.md

setup-agents.md

supply-chain.md

terraform.md

triage.md

trivy.md

BEFORE_AFTER.md

CHANGELOG.md

CODE_OF_CONDUCT.md

COMMANDS.md

CONTRIBUTING.md

EDITOR_INTEGRATIONS.md

GETTING_STARTED.md

HOW_IT_WORKS.md

install.sh

INSTALLATION.md

LAUNCH.md

PROMPTS.md

QUICKSTART.md

README.md

renovate.json

SECURITY.md

SKILL.md

tessl.json

tile.json