CtrlK
BlogDocsLog inGet started
Tessl Logo

auditing-terraform-infrastructure-for-security

Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov, tfsec, Terrascan, and OPA/Rego policies to detect overly permissive IAM policies, public resource exposure, missing encryption, and insecure defaults before cloud deployment.

73

1.01x
Quality

62%

Does it follow best practices?

Impact

91%

1.01x

Average score across 3 eval scenarios

SecuritybySnyk

Passed

No known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/auditing-terraform-infrastructure-for-security/SKILL.md
SKILL.md
Quality
Evals
Security

Quality

Discovery

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong, highly specific description that names concrete tools and detection targets, making it very distinctive among skills. Its main weakness is the lack of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill. The trigger term coverage is excellent for the infrastructure security domain.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks to scan Terraform code for security issues, run Checkov/tfsec/Terrascan, review IaC for compliance, or check cloud infrastructure configurations before deployment.'

DimensionReasoningScore

Specificity

Lists multiple specific concrete actions: auditing Terraform IaC, detecting overly permissive IAM policies, public resource exposure, missing encryption, and insecure defaults. Also names specific tools: Checkov, tfsec, Terrascan, and OPA/Rego policies.

3 / 3

Completeness

The 'what' is thoroughly covered with specific tools and detection targets, but there is no explicit 'Use when...' clause or equivalent trigger guidance. The 'when' is only implied by the phrase 'before cloud deployment'. Per rubric guidelines, missing explicit trigger guidance caps completeness at 2.

2 / 3

Trigger Term Quality

Excellent coverage of natural terms users would say: 'Terraform', 'security', 'Checkov', 'tfsec', 'Terrascan', 'OPA', 'Rego', 'IAM policies', 'encryption', 'cloud deployment', 'infrastructure-as-code'. These are terms a user working in this domain would naturally use.

3 / 3

Distinctiveness Conflict Risk

Highly distinctive with a clear niche: Terraform-specific security auditing using named tools (Checkov, tfsec, Terrascan, OPA/Rego). This is unlikely to conflict with general coding skills, generic security skills, or other IaC tools.

3 / 3

Total

11

/

12

Passed

Implementation

42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides highly actionable, executable content with real commands, policies, and CI/CD configurations, which is its primary strength. However, it is significantly bloated with unnecessary explanations of concepts Claude already knows (IaC definitions, tool descriptions), redundant command variations, and a monolithic structure that dumps everything into a single file. The workflow lacks explicit validation checkpoints and feedback loops for what is inherently a multi-step, iterative process.

Suggestions

Remove the 'Key Concepts' table entirely — Claude knows what IaC, shift-left security, and Terraform plans are. Remove the 'Tools & Systems' section as the tools are already demonstrated in the workflow.

Add explicit validation checkpoints between steps: after each scan, include a 'Review findings → fix critical issues → re-scan to confirm resolution' feedback loop before proceeding to the next tool.

Split content into separate files: move OPA policies to a POLICIES.md, CI/CD pipeline to CI_CD.md, the common scenario to SCENARIOS.md, and keep SKILL.md as a concise overview with references.

Trim redundant command variations — show one primary command per tool with the most useful flags, and reference a separate file for additional options.

DimensionReasoningScore

Conciseness

Extremely verbose at ~250+ lines. The 'Key Concepts' table explains things Claude already knows (what IaC is, what 'shift left' means, what a Terraform plan is). The 'Tools & Systems' section repeats information already demonstrated in the workflow. The 'When to Use' and 'Do not use' sections are unnecessarily detailed. Multiple redundant command variations are shown without clear justification.

1 / 3

Actionability

Provides fully executable bash commands, complete Rego policy files, and a working GitHub Actions YAML pipeline. Commands are copy-paste ready with real flags and options, and the OPA policies are concrete and functional.

3 / 3

Workflow Clarity

Steps are clearly sequenced (1-6) and logically ordered from scanning through CI/CD integration. However, there are no explicit validation checkpoints or feedback loops between steps — for example, no guidance on what to do when Checkov finds issues before proceeding to tfsec, or how to verify that fixes actually resolve findings before moving forward.

2 / 3

Progressive Disclosure

Monolithic wall of content with no references to external files. Everything is inline — the OPA policies, the CI/CD pipeline, the common scenarios, the output format, and the glossary table could all be split into separate referenced files. No bundle files exist to support progressive disclosure.

1 / 3

Total

7

/

12

Passed

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation10 / 11 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

10

/

11

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.