terraform-security-scan

Terraform Security Scan Skill

This skill helps you perform comprehensive security scanning and compliance checking of Terraform configurations for Azure infrastructure.

When to Use This Skill

  • Reviewing Terraform code for security vulnerabilities
  • Checking compliance with security frameworks
  • Pre-deployment security gates
  • Security audits and assessments
  • Pull request security reviews

Security Check Categories

Authentication and Secrets

Check: No Hardcoded or Exposed Credentials

The check looks for two things: credential literals in attributes (passwords, account keys, connection strings) and generated secrets that leak out through outputs. An output is not a hardcoded value, but it is printed by plan and apply, captured in CI logs and written in plaintext to the state file.

Bad:

# Exposes the account key in CLI output, pipeline logs and terraform.tfstate
output "storage_key" {
  value = azurerm_storage_account.example.primary_access_key
}

Good:

# Reference the secret from Key Vault instead of emitting it; the identity
# running Terraform needs only read (Get) access to secrets in that vault
data "azurerm_key_vault_secret" "storage_connection" {
  name         = "storage-connection-string"
  key_vault_id = data.azurerm_key_vault.main.id
}

Caveat: a data source's value is still recorded in state, so the state backend must be encrypted and access-controlled, and any output that has to carry a secret must set sensitive = true.

Encryption

Check: Storage Encryption and Transport Security

Azure Storage encrypts data at rest by default (service-side encryption with Microsoft-managed keys), so the scan concentrates on the settings a configuration can weaken: the minimum TLS version, HTTPS-only access and anonymous blob access.

resource "azurerm_storage_account" "secure" {
  name                     = "stsecuredata"
  resource_group_name      = azurerm_resource_group.main.name
  location                 = azurerm_resource_group.main.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  # Reject TLS 1.0/1.1 clients
  min_tls_version                 = "TLS1_2"
  # Refuse plain HTTP; azurerm 4.x renames this attribute https_traffic_only_enabled
  enable_https_traffic_only       = true
  # No anonymous (public) read access to containers or blobs
  allow_nested_items_to_be_public = false
}

Network Security

Check: NSG Rules

Flag inbound Allow rules whose source is *, Internet or 0.0.0.0/0 and whose destination port is * or a management port (22, 3389). Exposing a single service port to the Internet, as below, is the acceptable pattern; management access belongs behind Azure Bastion, a VPN or a restricted source prefix.

resource "azurerm_network_security_group" "web" {
  name                = "nsg-web-tier"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name

  security_rule {
    name                       = "AllowHTTPS"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"        # one service port, never "*"
    source_address_prefix      = "Internet"   # acceptable for 443; not for 22 or 3389
    destination_address_prefix = "*"
  }
}

RBAC and Access Control

Check: Least Privilege

Flag Owner, Contributor or User Access Administrator assigned at subscription or management-group scope, and built-in roles broader than the workload needs. Prefer a data-plane role scoped to the single resource the identity has to reach:

resource "azurerm_role_assignment" "storage_reader" {
  scope                = azurerm_storage_account.main.id                    # one resource, not the subscription
  role_definition_name = "Storage Blob Data Reader"                          # read-only data-plane role
  principal_id         = azurerm_user_assigned_identity.app.principal_id    # managed identity, no credential to store
}
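The four checks above expressed as code, as an added example that is not part of this skill and not the code of tfsec or Checkov. It is a deliberately simplified, regex-based pass over HCL text rather than a real HCL parser (braces inside strings and heredocs are not handled), the check IDs (AZ-SECRET-1 and so on) are invented for the example, and the configuration it scans is constructed inline with one failing block per check. Each finding mirrors the condition a real scanner tests for: a secret reaching a non-sensitive output or a literal credential attribute, a storage account without TLS 1.2 or with HTTPS-only disabled, an inbound NSG rule opening *, 22 or 3389 to any source, and a privileged role granted at subscription scope.

```python
import re

# Constructed sample: every block below fails one of the checks on purpose.
SAMPLE_TF = '''
resource "azurerm_storage_account" "legacy" {
  min_tls_version           = "TLS1_0"
  enable_https_traffic_only = false
}
output "storage_key" {
  value = azurerm_storage_account.legacy.primary_access_key
}
resource "azurerm_mssql_server" "db" {
  administrator_login_password = "P@ssw0rd1"
}
resource "azurerm_network_security_group" "mgmt" {
  security_rule {
    name                   = "AllowRDP"
    direction              = "Inbound"
    access                 = "Allow"
    destination_port_range = "3389"
    source_address_prefix  = "*"
  }
}
resource "azurerm_role_assignment" "ops" {
  scope                = data.azurerm_subscription.primary.id
  role_definition_name = "Contributor"
}
'''

BLOCK = re.compile(r'^\s*(resource|output)\s+"([^"]+)"(?:\s+"([^"]+)")?\s*\{', re.M)
ATTR = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
SECRET_NAME = re.compile(r'access_key|connection_string|password|secret', re.I)
OPEN_SOURCES = {"*", "Internet", "0.0.0.0/0", "any"}
ADMIN_PORTS = {"*", "22", "3389"}
PRIVILEGED = {"Owner", "Contributor", "User Access Administrator"}


def _close(text, start):
    """Index of the '}' matching the '{' at start (braces inside strings are not handled)."""
    depth = 0
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return i
    raise ValueError("unbalanced braces")


def _bodies(text, header):
    """(header match, body text) for every block whose header line matches."""
    out = []
    for m in header.finditer(text):
        start = m.end() - 1
        out.append((m, text[start + 1:_close(text, start)]))
    return out


def attrs(body):
    """Attributes at the block's own level; nested blocks (security_rule, tags = {...}) are skipped."""
    out, depth = {}, 0
    for line in body.splitlines():
        m = ATTR.match(line)
        if depth == 0 and m and not line.rstrip().endswith("{"):
            out[m.group(1)] = m.group(2)
        depth += line.count("{") - line.count("}")
    return out


def unq(v):
    return v.strip().strip('"')


def scan(text):
    """Return (check_id, address, message) per failed check. Check IDs are invented for this example."""
    findings = []
    for m, body in _bodies(text, BLOCK):
        kind, rtype, name, a = m.group(1), m.group(2), m.group(3) or "", attrs(body)
        if kind == "output":
            if SECRET_NAME.search(a.get("value", "")) and unq(a.get("sensitive", "false")) != "true":
                findings.append(("AZ-SECRET-1", f"output.{rtype}", "secret in a non-sensitive output (CLI/CI logs, plaintext state)"))
            continue
        addr = f"{rtype}.{name}"
        for key, val in a.items():  # literal credential in any resource type
            if SECRET_NAME.search(key) and val.startswith('"'):
                findings.append(("AZ-SECRET-2", f"{addr}.{key}", "hardcoded credential literal"))
        if rtype == "azurerm_storage_account":
            if unq(a.get("min_tls_version", "")) != "TLS1_2":
                findings.append(("AZ-STORAGE-1", addr, "min_tls_version is not TLS1_2"))
            # azurerm 4.x renamed enable_https_traffic_only to https_traffic_only_enabled; accept either spelling
            if unq(a.get("https_traffic_only_enabled", a.get("enable_https_traffic_only", "true"))) == "false":
                findings.append(("AZ-STORAGE-2", addr, "HTTPS-only traffic disabled"))
        elif rtype == "azurerm_network_security_group":
            for _, rule in _bodies(body, re.compile(r'^\s*security_rule\s*\{', re.M)):
                r = {k: unq(v) for k, v in attrs(rule).items()}
                if (r.get("direction") == "Inbound" and r.get("access") == "Allow"
                        and r.get("source_address_prefix") in OPEN_SOURCES
                        and r.get("destination_port_range") in ADMIN_PORTS):
                    findings.append(("AZ-NET-1", f"{addr}.{r.get('name')}", f"inbound {r['destination_port_range']} open to {r['source_address_prefix']}"))
        elif rtype == "azurerm_role_assignment":
            role, scope = unq(a.get("role_definition_name", "")), unq(a.get("scope", ""))
            subscription_wide = "azurerm_subscription" in scope or (
                scope.startswith("/subscriptions/") and "/resourceGroups/" not in scope)
            if role in PRIVILEGED and subscription_wide:
                findings.append(("AZ-RBAC-1", addr, f"{role} granted at subscription scope"))
    return findings


if __name__ == "__main__":
    print(*scan(SAMPLE_TF), sep="\n")
```

Running the file lists six findings, one per offending block; feeding it the hardened storage account, NSG and role assignment shown earlier in this section yields none. The point of writing it out is to make the scanner's logic inspectable: each rule is a few attribute comparisons, and the same comparisons are what tfsec and Checkov perform (over a proper HCL parse) when the commands below run.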

Security Scanning Commands

Static Analysis with tfsec

brew install tfsec
tfsec .
tfsec . --format json > security-report.json

tfsec's rule set has moved into Trivy (trivy config .), which reports the same misconfigurations; whichever tool you standardise on, pin its version so a scan that passed yesterday does not change meaning silently.

Checkov Scanning

pip install checkov
checkov -d .
# Restrict the run to the Azure rules; --check takes check IDs and accepts glob patterns
checkov -d . --framework terraform --check 'CKV_AZURE_*'

Compliance Frameworks

Azure Security Benchmark

Key controls to verify:

  • Network security controls
  • Identity management
  • Data protection
  • Asset management
  • Logging and threat detection

CIS Azure Foundations

Check these sections (section numbers move between benchmark versions, so confirm against the version your policy cites):

  • 1.x - Identity and Access Management
  • 3.x - Storage Accounts
  • 4.x - Database Services
  • 5.x - Logging and Monitoring
  • 6.x - Networking

Integration with CI/CD

GitHub Actions Security Gate

name: Security Scan

on: [pull_request]

# The scanners only read the checkout; keep the job token read-only
permissions:
  contents: read

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # soft_fail: false turns any finding into a failed check on the pull request
      - name: Run tfsec
        uses: aquasecurity/tfsec-action@v1.0.0
        with:
          soft_fail: false

      # @master is a moving target; pin to a release tag or commit SHA so the scanner itself is reviewable
      - name: Run Checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: .
          framework: terraform
          soft_fail: false
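With soft_fail set to false, the workflow above fails on any finding, including LOW ones, which in practice pushes teams toward disabling the gate. The following is an added example, not part of this skill or of either tool, of a severity gate that post-processes the JSON the scanning commands above produce (tfsec . --format json and checkov -d . -o json) and serves both that section and this one. Field names follow the two tools' JSON output: tfsec emits a top-level results list whose entries carry rule_id, severity, resource and location; Checkov emits results.failed_checks entries with check_id, resource, file_path and file_line_range, with severity null in the open-source CLI unless enriched. The two reports below are constructed inline and their rule IDs, resources and paths are illustrative.

```python
import json
from datetime import date

SEVERITY = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample reports. Field names follow `tfsec --format json` and
# `checkov -o json`; rule IDs, resources and file paths are illustrative.
TFSEC_JSON = json.dumps({"results": [
    {"rule_id": "AVD-AZU-0001", "long_id": "azure-storage-use-secure-tls-policy",
     "severity": "CRITICAL", "resource": "azurerm_storage_account.legacy",
     "description": "Storage account uses an insecure TLS version.",
     "location": {"filename": "main.tf", "start_line": 1, "end_line": 6}},
    {"rule_id": "AVD-AZU-0002", "long_id": "azure-storage-queue-services-logging-enabled",
     "severity": "MEDIUM", "resource": "azurerm_storage_account.legacy",
     "description": "Queue logging is not enabled.",
     "location": {"filename": "main.tf", "start_line": 1, "end_line": 6}}]})

CHECKOV_JSON = json.dumps({"check_type": "terraform", "results": {
    "passed_checks": [], "skipped_checks": [], "parsing_errors": [],
    "failed_checks": [
        {"check_id": "CKV_AZURE_44", "check_name": "Ensure Storage Account is using the latest version of TLS encryption",
         "resource": "azurerm_storage_account.legacy", "file_path": "/main.tf",
         "file_line_range": [1, 6], "severity": None},
        {"check_id": "CKV_AZURE_9", "check_name": "Ensure that RDP access is restricted from the internet",
         "resource": "azurerm_network_security_group.mgmt", "file_path": "/network.tf",
         "file_line_range": [10, 24], "severity": "HIGH"}]}})


def from_tfsec(raw):
    """Normalise tfsec JSON. A clean run serialises "results" as null, hence the `or []`."""
    out = []
    for r in json.loads(raw).get("results") or []:
        loc = r.get("location", {})
        out.append({"tool": "tfsec", "id": r["rule_id"], "severity": str(r.get("severity", "")).upper(),
                    "resource": r.get("resource", ""),
                    "where": f"{loc.get('filename', '?')}:{loc.get('start_line', 0)}",
                    "message": r.get("description") or r.get("long_id", "")})
    return out


def from_checkov(raw, default_severity="MEDIUM"):
    """Normalise Checkov JSON. The OSS CLI leaves severity null, so an explicit
    default is applied rather than silently treating those findings as harmless."""
    data = json.loads(raw)
    reports = data if isinstance(data, list) else [data]  # a list when several frameworks ran
    out = []
    for rep in reports:
        for c in rep.get("results", {}).get("failed_checks", []):
            out.append({"tool": "checkov", "id": c["check_id"],
                        "severity": (c.get("severity") or default_severity).upper(),
                        "resource": c.get("resource", ""),
                        "where": f"{c.get('file_path', '?')}:{c.get('file_line_range', [0])[0]}",
                        "message": c.get("check_name", "")})
    return out


def gate(findings, threshold="HIGH", suppressions=None, today=None):
    """Split findings into (blocking, accepted).

    suppressions maps rule id -> ISO expiry date of an accepted risk. Once the
    date passes the finding blocks again, so exceptions cannot rot silently.
    today is an ISO date string (defaults to the current date) to keep runs reproducible.
    """
    today_d = date.fromisoformat(today) if today else date.today()
    suppressions = suppressions or {}
    blocking, accepted = [], []
    for f in findings:
        expiry = suppressions.get(f["id"])
        if expiry and date.fromisoformat(expiry) >= today_d:
            accepted.append({**f, "reason": f"suppressed until {expiry}"})
        elif SEVERITY.get(f["severity"], 0) >= SEVERITY[threshold]:
            blocking.append(f)
        else:
            accepted.append({**f, "reason": f"below {threshold}"})
    return blocking, accepted


def run(tfsec_raw, checkov_raw, threshold="HIGH", suppressions=None, today=None):
    """Print a summary and return the exit code a CI step would propagate."""
    blocking, accepted = gate(from_tfsec(tfsec_raw) + from_checkov(checkov_raw), threshold, suppressions, today)
    for f in blocking:
        print(f"BLOCK  {f['tool']:8} {f['id']:14} {f['severity']:8} {f['resource']} ({f['where']}) {f['message']}")
    for f in accepted:
        print(f"accept {f['tool']:8} {f['id']:14} {f['severity']:8} {f['resource']} [{f['reason']}]")
    return 1 if blocking else 0


if __name__ == "__main__":
    raise SystemExit(run(TFSEC_JSON, CHECKOV_JSON, suppressions={"AVD-AZU-0001": "2099-12-31"}))
```

In a pipeline the script would read the two report files written by the scan steps and its exit code would replace soft_fail as the pass/fail signal: HIGH and CRITICAL findings block the merge, lower ones are printed for the reviewer, and a time-boxed suppression list kept in the repository records every accepted risk together with its expiry.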

Additional Resources

For detailed compliance checklists, security patterns, and scanning tool configurations, see the reference guide.
