CtrlK
BlogDocsLog inGet started
Tessl Logo

checking-infrastructure-compliance

Execute use when you need to work with compliance checking. This skill provides compliance monitoring and validation with comprehensive guidance and automation. Trigger with phrases like "check compliance", "validate policies", or "audit compliance".

48

Quality

37%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./plugins/devops/compliance-checker/skills/checking-infrastructure-compliance/SKILL.md
SKILL.md
Quality
Evals
Security

Checking Infrastructure Compliance

Overview

Audit infrastructure configurations against compliance frameworks (CIS Benchmarks, SOC 2, HIPAA, PCI-DSS, GDPR) using policy-as-code tools like Open Policy Agent (OPA), Checkov, and tfsec. Generate compliance reports, identify violations, and produce remediation plans for Terraform, Kubernetes, and cloud provider configurations.

Prerequisites

  • Policy-as-code tool installed: checkov, tfsec, opa, or kube-bench
  • Infrastructure-as-code files (Terraform, CloudFormation, Kubernetes manifests) in the project
  • Cloud provider CLI authenticated with read access to resources
  • Compliance framework requirements documented (CIS, SOC 2, HIPAA, PCI-DSS)
  • jq for parsing JSON policy outputs

Instructions

  1. Identify the applicable compliance framework(s) based on industry and data classification
  2. Scan Terraform files with checkov -d . or tfsec . to detect misconfigurations
  3. Scan Kubernetes manifests for security issues: missing resource limits, privileged containers, missing network policies
  4. Validate IAM policies for least-privilege violations using cloud-native tools (aws iam access-analyzer)
  5. Check encryption at rest and in transit: verify S3 bucket encryption, database TLS, and EBS volume encryption
  6. Audit logging configurations: confirm CloudTrail/Cloud Audit Logs are enabled and sent to immutable storage
  7. Generate a compliance report mapping each finding to the relevant control (e.g., CIS AWS 2.1.1)
  8. Produce remediation Terraform/YAML patches for each violation with severity ranking (Critical, High, Medium, Low)
  9. Set up CI/CD integration so compliance checks block merges on Critical/High violations

Output

  • Compliance scan results in JSON/SARIF format for CI integration
  • Markdown compliance report with control mappings and pass/fail status
  • Remediation code patches (Terraform diffs, Kubernetes manifest updates)
  • OPA/Rego policy files for custom organizational rules
  • CI/CD pipeline step configuration for automated compliance gating

Error Handling

ErrorCauseSolution
checkov: no Terraform files foundScanner run from wrong directorySpecify path explicitly with -d path/to/terraform/
tfsec: failed to parse HCLSyntax error in Terraform filesRun terraform validate first to fix HCL syntax before compliance scan
False positive on compliance checkRule too broad for the specific use caseAdd inline skip comments (#checkov:skip=CKV_AWS_18:Reason) or create a .checkov.yml skip list
OPA policy evaluation errorRego syntax error or missing input dataTest policies with opa eval -d policy.rego -i input.json and validate Rego syntax
Scan timeout on large codebaseToo many files or complex module referencesUse --compact mode, scan directories individually, or increase timeout limits

Examples

  • "Run a CIS Benchmark compliance check against all Terraform files and generate a report with remediation steps for Critical findings."
  • "Create OPA policies that enforce: all S3 buckets must have encryption, all EC2 instances must have IMDSv2, and all security groups must not allow 0.0.0.0/0 ingress."
  • "Scan Kubernetes manifests for PCI-DSS compliance: verify no privileged containers, all pods have resource limits, and network policies exist for every namespace."

Resources

  • Checkov: https://www.checkov.io/
  • tfsec: https://aquasecurity.github.io/tfsec/
  • Open Policy Agent: https://www.openpolicyagent.org/docs/latest/
  • CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks
  • kube-bench (CIS for Kubernetes): https://github.com/aquasecurity/kube-bench
Repository
jeremylongshore/claude-code-plugins-plus-skills
Commit

3a2d27d

Last updated
Created

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.

Claim skill