Infrastructure as Code security scanning for Terraform, Kubernetes, CloudFormation, and Azure ARM. Detects misconfigurations, security risks, and compliance violations before deployment.

Use when:
- User asks to scan Terraform files or modules
- User mentions "infrastructure security" or "IaC scan"
- User is working with Kubernetes manifests
- User asks about CloudFormation or ARM template security
- Agent is generating or modifying infrastructure code
65
77%
Does it follow best practices?
Impact: — (no eval scenarios have been run)
Passed: no known issues
Optimize this skill with Tessl:

`npx tessl skill review --optimize ./command_directives/synchronous_remediation/skills/iac-security/SKILL.md`

Quality
Discovery
100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly defines its scope (IaC security scanning across four major platforms), specifies concrete actions (detecting misconfigurations, security risks, compliance violations), and provides explicit trigger conditions via a well-structured 'Use when' list. It uses proper third-person voice throughout and includes natural keywords users would actually use.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple concrete actions: 'security scanning', 'detects misconfigurations, security risks, and compliance violations before deployment' across four specific platforms (Terraform, Kubernetes, CloudFormation, Azure ARM). | 3 / 3 |
| Completeness | Clearly answers both 'what' (IaC security scanning, detecting misconfigurations/security risks/compliance violations) and 'when' with an explicit 'Use when:' clause listing five specific trigger scenarios. | 3 / 3 |
| Trigger Term Quality | Includes highly natural trigger terms users would say: 'Terraform files', 'infrastructure security', 'IaC scan', 'Kubernetes manifests', 'CloudFormation', 'ARM template security', and 'infrastructure code'. Good coverage of common variations. | 3 / 3 |
| Distinctiveness / Conflict Risk | Occupies a clear niche: IaC security scanning specifically for infrastructure-as-code tools. The combination of security scanning + specific IaC platforms makes it highly distinct and unlikely to conflict with general code review or generic security skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
55%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill has a strong workflow structure with clear phases and a verification feedback loop, but suffers from being a monolithic document that tries to cover too much inline. The core scanning instructions lack executable specificity—the tool invocation syntax is ambiguous—while the remediation examples, though concrete, bloat the file and should be split into separate references. Trimming general knowledge (severity definitions, best practices) and clarifying the actual tool interface would significantly improve quality.
Suggestions
- Split remediation examples into separate files per platform (e.g., TERRAFORM_FIXES.md, K8S_FIXES.md, CFN_FIXES.md) and reference them from the main skill to improve progressive disclosure and reduce token cost.
- Clarify the snyk_iac_scan tool interface: show the exact tool call syntax, function signature, or CLI command rather than pseudocode bullet lists like 'Run snyk_iac_scan with: - path: <dir>'.
- Remove or significantly condense the severity assessment table and Best Practices section, as these contain general DevSecOps knowledge Claude already possesses.
- Add a brief 'Quick Reference' section at the top listing the exact tool name and its key parameters for fast lookup.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is reasonably well-structured but includes some content Claude already knows (e.g., the supported file types table is largely inferrable, the severity assessment table with generic examples, and the 'Best Practices' section with general DevSecOps advice). The remediation examples are extensive and could be trimmed or moved to a separate reference file. | 2 / 3 |
| Actionability | The scan invocations use pseudocode-style descriptions ('Run snyk_iac_scan with: - path: <directory>') rather than actual executable commands or proper tool call syntax. The remediation code examples are concrete and copy-paste ready, but the core scanning workflow lacks executable specificity: it is unclear what the actual tool interface looks like (CLI? MCP tool? function call?). | 2 / 3 |
| Workflow Clarity | The five-phase workflow (Discovery → Execute → Analyze → Remediate → Verify) is clearly sequenced with explicit goals per phase. Phase 5 includes a verification re-scan step with a before/after comparison template, creating a proper feedback loop for confirming fixes are effective. | 3 / 3 |
| Progressive Disclosure | The skill is a monolithic document with no references to external files despite being ~250 lines with extensive remediation examples across Terraform, Kubernetes, and CloudFormation that would be better split into separate reference files. There are no bundle files to support this content, and no navigation structure to help find specific sections quickly. | 1 / 3 |
| Total | | 8 / 12 Passed |
Validation
100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
786986d