Use this skill to review and analyze infrastructure configuration files. MANDATORY TRIGGERS: Dockerfile, docker-compose, Kubernetes, k8s, Terraform, Helm chart, infrastructure review, container config, deployment config, YAML config, infra audit, cloud config, IaC. Also use when: reviewing Docker multi-stage builds, checking k8s resource limits, auditing Terraform security groups, optimizing container images, checking environment variable management. Do NOT use for: CI/CD pipeline files (use pipeline-auditor) or application architecture (use architecture-analyzer).
Analyzes infrastructure-as-code and container configurations (Docker, Kubernetes, Terraform, Helm) for security, performance, and best practices. Produces a structured audit with severity-rated findings and fix suggestions.
Glob for infra files: Dockerfile*, docker-compose*.yml, k8s/, terraform/, helm/, *.tf, deployment.yaml, etc.

### Dockerfile
□ Uses a specific base image tag or digest (not :latest)
□ Multi-stage build to minimize final image
□ Non-root user configured (USER directive)
□ .dockerignore present and covers node_modules, .git, etc.
□ Dependency manifests (package.json + lockfile, requirements.txt, go.mod) COPYed and installed before the rest of the source, so the install layer stays cached across code changes
□ No secrets in build args, ENV or layers (ARG and ENV values survive in image history; use RUN --mount=type=secret for build-time credentials)
□ HEALTHCHECK defined
□ Minimal final image (alpine/distroless where possible)
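Added example, not part of this skill or of any tool it wraps: a small Python linter that applies the Dockerfile checks above to two constructed Dockerfiles, one that fails most of them and one that passes. The image names, the npmrc secret id and the healthcheck script path are assumed values.

```python
import re

# Constructed Dockerfiles for the demonstration (not from any real project).
BAD_DOCKERFILE = """\
FROM node:latest
ARG NPM_TOKEN=abc123
ENV API_KEY=supersecret
COPY . /app
RUN cd /app && npm install
CMD ["node", "/app/server.js"]
"""

GOOD_DOCKERFILE = """\
FROM node:20.11-alpine AS build
WORKDIR /app
COPY package.json package-lock.json ./
# the secret is mounted for this RUN only and never written to a layer
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc npm ci
COPY . .
RUN npm run build

FROM gcr.io/distroless/nodejs20-debian12:nonroot
COPY --from=build /app/dist /app
USER nonroot
HEALTHCHECK --interval=30s CMD ["/nodejs/bin/node", "/app/healthcheck.js"]
CMD ["/app/server.js"]
"""

SECRET_NAME = re.compile(r"token|secret|password|passwd|api[_-]?key|private[_-]?key", re.I)


def parse_instructions(text):
    """Return (INSTRUCTION, arguments) pairs; joins backslash continuations, drops comments."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        parts = (buf + line).split(None, 1)
        out.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        buf = ""
    return out


def image_is_pinned(ref):
    """True for references with a digest or an explicit non-latest tag (registry ports sit before the last '/')."""
    if ref == "scratch" or "@sha256:" in ref:
        return True
    last = ref.rsplit("/", 1)[-1]
    return ":" in last and not last.endswith(":latest")


def lint_dockerfile(text):
    ins = parse_instructions(text)
    findings = []
    stages = [a.split()[0] for n, a in ins if n == "FROM"]
    if not stages:
        return [("critical", "no FROM instruction")]
    for ref in stages:
        if not image_is_pinned(ref):
            findings.append(("warning", f"base image {ref!r} is not pinned to a tag or digest"))
    if len(stages) < 2:
        findings.append(("suggestion", "single-stage build; use a multi-stage build to keep toolchains out of the final image"))
    # Only the final stage matters for USER and HEALTHCHECK: that is what runs in production.
    last_from = max(i for i, (n, _) in enumerate(ins) if n == "FROM")
    final = ins[last_from:]
    if not any(n == "USER" and a.strip() not in ("root", "0") for n, a in final):
        findings.append(("critical", "final stage runs as root; add a USER directive"))
    if not any(n == "HEALTHCHECK" for n, _ in final):
        findings.append(("suggestion", "no HEALTHCHECK in the final stage"))
    for n, a in ins:
        if n in ("ARG", "ENV") and "=" in a:
            key, value = a.split("=", 1)
            if SECRET_NAME.search(key) and value.strip().strip("\"'"):
                findings.append(("critical", f"{n} {key.strip()} bakes a secret into image history"))
    copies = [a for n, a in ins if n == "COPY"]
    if copies:
        srcs = [t for t in copies[0].split() if not t.startswith("--")]
        if srcs and srcs[0] in (".", "./"):
            findings.append(("suggestion", "first COPY copies the whole context; copy dependency manifests and install first so the install layer caches"))
    return findings


def severity_counts(findings):
    counts = {"critical": 0, "warning": 0, "suggestion": 0}
    for sev, _ in findings:
        counts[sev] += 1
    return counts
```

The USER and HEALTHCHECK checks deliberately look only at the final stage: a build stage running as root is normal, and a USER in a build stage says nothing about the image that ships.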
### Kubernetes
□ Resource requests AND limits set for CPU and memory
□ Liveness and readiness probes configured
□ Security context: runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation: false, capabilities dropped (drop: [ALL]), no privileged containers
□ No :latest image tags
□ Namespace specified (not default)
□ Pod disruption budget set for HA
□ Horizontal Pod Autoscaler configured (if applicable)
□ Secrets managed via an external store (External Secrets, Secrets Store CSI, etc.); plain k8s Secrets are only base64-encoded unless encryption at rest is configured on the API server
□ Network policies defined
□ Service accounts with minimal RBAC
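Added example, not part of this skill: a Python checker that applies the Kubernetes checklist to a Deployment object in the shape `kubectl get deploy <name> -o json` returns, and a `harden` helper that shows the corrected shape. The manifest is constructed, and the namespace, tag, probe paths and port used by `harden` are assumed values.

```python
import json

# Constructed manifest shaped like `kubectl get deploy api -o json` output, trimmed (not a real workload).
DEPLOYMENT_JSON = """
{
  "apiVersion": "apps/v1",
  "kind": "Deployment",
  "metadata": {"name": "api"},
  "spec": {
    "replicas": 2,
    "template": {
      "spec": {
        "containers": [{
          "name": "api",
          "image": "registry.example.com/api:latest",
          "resources": {"limits": {"cpu": "500m"}},
          "securityContext": {"privileged": true}
        }]
      }
    }
  }
}
"""


def image_is_pinned(image):
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]
    return ":" in last and not last.endswith(":latest")


def check_deployment(obj):
    """Apply the Kubernetes checklist to one Deployment; returns (severity, message) pairs."""
    findings = []
    if obj.get("metadata", {}).get("namespace", "default") == "default":
        findings.append(("warning", "workload is in the default namespace"))
    pod = obj["spec"]["template"]["spec"]
    if pod.get("serviceAccountName", "default") == "default" and pod.get("automountServiceAccountToken", True):
        findings.append(("warning", "default service account with its API token auto-mounted"))
    pod_sc = pod.get("securityContext", {})
    for c in pod.get("containers", []):
        name = c["name"]
        if not image_is_pinned(c["image"]):
            findings.append(("warning", f"{name}: image {c['image']!r} not pinned to a tag or digest"))
        res = c.get("resources", {})
        for kind in ("requests", "limits"):
            for r in ("cpu", "memory"):
                if r not in res.get(kind, {}):
                    findings.append(("warning", f"{name}: no {r} {kind[:-1]}"))
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                findings.append(("suggestion", f"{name}: no {probe}"))
        # container-level securityContext overrides pod-level for the fields they share
        sc = {**pod_sc, **c.get("securityContext", {})}
        if sc.get("privileged"):
            findings.append(("critical", f"{name}: privileged container"))
        if not sc.get("runAsNonRoot"):
            findings.append(("critical", f"{name}: runAsNonRoot not set"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(("warning", f"{name}: root filesystem is writable"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(("warning", f"{name}: allowPrivilegeEscalation not set to false"))
        dropped = [x.upper() for x in sc.get("capabilities", {}).get("drop", [])]
        if "ALL" not in dropped:
            findings.append(("warning", f"{name}: capabilities not dropped (drop: [ALL])"))
    return findings


def harden(obj, namespace="api-prod", tag="1.4.2"):
    """Return a copy with the checklist applied; namespace, tag, port and probe paths are assumed values."""
    fixed = json.loads(json.dumps(obj))
    fixed.setdefault("metadata", {})["namespace"] = namespace
    pod = fixed["spec"]["template"]["spec"]
    pod["serviceAccountName"] = fixed["metadata"]["name"]   # dedicated SA, bound to minimal RBAC
    pod["automountServiceAccountToken"] = False
    pod["securityContext"] = {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}}
    for c in pod["containers"]:
        head, _, last = c["image"].split("@")[0].rpartition("/")
        c["image"] = (head + "/" if head else "") + last.split(":")[0] + ":" + tag
        c["resources"] = {"requests": {"cpu": "250m", "memory": "256Mi"},
                          "limits": {"cpu": "500m", "memory": "512Mi"}}
        c["livenessProbe"] = {"httpGet": {"path": "/healthz", "port": 8080}}
        c["readinessProbe"] = {"httpGet": {"path": "/ready", "port": 8080}}
        c["securityContext"] = {"privileged": False, "readOnlyRootFilesystem": True,
                                "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}
    return fixed
```

Network policies and RBAC bindings live in other objects, so a per-Deployment check cannot verify them; list them separately in the inventory and confirm a NetworkPolicy selects each workload's labels.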
### Terraform
□ State stored remotely with locking (S3 + DynamoDB table or S3 native locking via use_lockfile on Terraform 1.10+, GCS, etc.)
□ State file encrypted at rest (state holds resource attributes, including passwords and keys, in plaintext)
□ Variables have descriptions and type constraints
□ Sensitive variables marked as sensitive = true (this masks plan/apply output only; the value still lands in state)
□ Modules used for reusable components
□ Provider versions pinned
□ No hardcoded credentials
□ Outputs defined for cross-module references
□ terraform fmt and validate pass
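Added example, not part of this skill: a regex-based Python checker for the Terraform items above, run over two constructed configurations. It does brace-matched block extraction rather than full HCL parsing, which is enough for `backend`, `required_providers` and `variable` blocks. The bucket, table and provider names are assumed; the access key pair in the failing sample is the documented AWS example pair, not a real credential.

```python
import re

SECRET_VAR = re.compile(r"password|passwd|secret|token|api[_-]?key|private[_-]?key", re.I)
AWS_ACCESS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
LITERAL_SECRET = re.compile(r"\b(secret_key|password|token)\s*=\s*\"[^\"$]+\"")

# Constructed configurations (not from any real project).
BAD_TF = """
terraform {
  backend "local" {}
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

provider "aws" {
  region     = "eu-west-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}

variable "db_password" {
  type = string
}
"""

GOOD_TF = """
terraform {
  required_version = ">= 1.6.0"
  backend "s3" {
    bucket         = "example-tfstate"
    key            = "prod/main.tfstate"
    region         = "eu-west-1"
    encrypt        = true
    dynamodb_table = "example-tfstate-lock"
  }
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.40"
    }
  }
}

provider "aws" {
  region = "eu-west-1"
}

variable "db_password" {
  description = "Master password for the RDS instance"
  type        = string
  sensitive   = true
}
"""


def find_blocks(text, header):
    """Yield (header regex match, block body) for HCL blocks, walking braces by depth."""
    for m in re.finditer(header + r"\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m, text[m.end():i - 1]


def check_terraform(text):
    findings = []
    backends = list(find_blocks(text, r'backend\s+"(\w+)"'))
    if not backends or backends[0][0].group(1) == "local":
        findings.append(("critical", "state is local; configure a remote backend with locking"))
    elif backends[0][0].group(1) == "s3":
        body = backends[0][1]
        if not re.search(r"\bencrypt\s*=\s*true", body):
            findings.append(("warning", "s3 backend without encrypt = true"))
        if not re.search(r"\b(dynamodb_table|use_lockfile)\s*=", body):
            findings.append(("critical", "s3 backend without state locking (dynamodb_table or use_lockfile)"))
    if not re.search(r"required_version\s*=", text):
        findings.append(("suggestion", "no required_version constraint for Terraform itself"))
    providers = list(find_blocks(text, r"required_providers"))
    if not providers:
        findings.append(("warning", "no required_providers block"))
    for _, body in providers:
        for pm in re.finditer(r"(\w+)\s*=\s*\{([^}]*)\}", body):
            if "version" not in pm.group(2):
                findings.append(("warning", f"provider {pm.group(1)} has no version constraint"))
    for m, body in find_blocks(text, r'variable\s+"([^"]+)"'):
        name = m.group(1)
        if SECRET_VAR.search(name) and not re.search(r"sensitive\s*=\s*true", body):
            findings.append(("warning", f"variable {name} looks secret but is not sensitive = true"))
        if not re.search(r"description\s*=", body):
            findings.append(("suggestion", f"variable {name} has no description"))
        if not re.search(r"\btype\s*=", body):
            findings.append(("suggestion", f"variable {name} has no type constraint"))
    for m in AWS_ACCESS_KEY.finditer(text):
        findings.append(("critical", f"hardcoded AWS access key id {m.group(0)}"))
    for m in LITERAL_SECRET.finditer(text):
        findings.append(("critical", f"hardcoded literal for {m.group(1)}"))
    return findings
```

Pattern matching on names catches the obvious cases only; run `terraform fmt -check` and `terraform validate` for syntax, and a dedicated scanner for credential material that does not follow a known prefix.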
### Environment variables and secrets
□ No hardcoded secrets in config files
□ .env files excluded from version control (.gitignore)
□ Secret management solution in place (Vault, AWS Secrets Manager, etc.)
□ Environment-specific configs separated (dev/staging/prod)
□ Sensitive env vars not logged or exposed (not dumped by debug endpoints or startup logging, not passed as command-line arguments visible in ps)
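Added example, not part of this skill: a Python check for the environment-variable items above, run over a constructed repository snapshot. It verifies that local .env files are excluded by .gitignore and that docker-compose environment entries reference secrets (`${VAR}`) instead of carrying literals. The gitignore matcher is an approximation (globs and directory patterns, no negation or anchoring); the file contents and the hunter2 / sk_test values are constructed.

```python
import re
from fnmatch import fnmatch

# Constructed repository snapshot, path -> contents (not a real project).
REPO = {
    ".gitignore": "node_modules/\n*.log\n",
    ".env": "DATABASE_URL=postgres://app:hunter2@db/app\nSTRIPE_API_KEY=sk_test_000000000000\n",
    ".env.example": "DATABASE_URL=\nSTRIPE_API_KEY=\n",
    "docker-compose.yml": (
        "services:\n"
        "  api:\n"
        "    image: api:1.4.2\n"
        "    environment:\n"
        "      - DB_PASSWORD=hunter2\n"
        "      - STRIPE_API_KEY=${STRIPE_API_KEY}\n"
        "      - LOG_LEVEL=info\n"
    ),
}

SECRET_KEY = re.compile(r"password|passwd|secret|token|api[_-]?key|private[_-]?key|database_url", re.I)
ASSIGNMENT = re.compile(r"^\s*-?\s*([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*(\S.*?)\s*$")


def gitignored(path, gitignore_text):
    """Approximate .gitignore matching: glob and directory patterns only, no negation or anchoring."""
    base = path.rsplit("/", 1)[-1]
    for pat in gitignore_text.splitlines():
        pat = pat.strip()
        if not pat or pat.startswith(("#", "!")):
            continue
        if pat.endswith("/"):
            if ("/" + path).startswith("/" + pat) or ("/" + pat) in ("/" + path):
                return True
        elif fnmatch(path, pat) or fnmatch(base, pat):
            return True
    return False


def is_reference(value):
    """True when the value is resolved at runtime (${VAR} or $VAR) rather than written as a literal."""
    return value.startswith("$")


def audit_env(repo):
    findings = []
    gi = repo.get(".gitignore", "")
    for path, text in repo.items():
        base = path.rsplit("/", 1)[-1]
        if base.startswith(".env"):
            # local .env files may legitimately hold real values; the check is that git never sees them
            if not base.endswith(".example") and not gitignored(path, gi):
                findings.append(("critical", f"{path} is not excluded by .gitignore"))
            continue
        if base.startswith("docker-compose"):
            for n, line in enumerate(text.splitlines(), 1):
                m = ASSIGNMENT.match(line)
                if not m:
                    continue
                key, value = m.group(1), m.group(2).strip("\"'")
                if SECRET_KEY.search(key) and not is_reference(value):
                    findings.append(("critical", f"{path}:{n} literal value for {key}; use ${{{key}}} and inject it from the secret store"))
    return findings


def fix_gitignore(gitignore_text):
    """Append the .env patterns if missing; .env.example stays tracked as the documented template."""
    lines = gitignore_text.splitlines()
    for pat in (".env", ".env.*", "!.env.example"):
        if pat not in lines:
            lines.append(pat)
    return "\n".join(lines) + "\n"
```

A .env file that is gitignored today may already be in history; if it was ever committed, treat every value in it as leaked and rotate it.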
# Infrastructure Config Audit: [Project Name]
## Infra Inventory
| File | Type | Environment | Status |
|------|------|-------------|--------|
| Dockerfile | Container | All | ⚠️ 3 findings |
| k8s/deployment.yaml | Kubernetes | Production | ⛔ 1 critical |
| terraform/main.tf | IaC | All | ✅ Clean |
## Architecture Overview
```mermaid
graph TD
LB[Load Balancer] --> SVC[K8s Service]
SVC --> POD1[Pod: API]
SVC --> POD2[Pod: API]
POD1 --> DB[(RDS)]
POD1 --> CACHE[(Redis)]
```
## Findings
### ⛔ Critical
- **[Finding]** — file:line — [explanation + fix snippet]
### ⚠️ Warning
- **[Finding]** — file:line — [explanation + fix snippet]
### 💡 Suggestion
- **[Finding]** — file:line — [explanation + fix snippet]
## Score: X/10