Audit applications against your platform engineering constitution. Use when validating that code, configurations, and deployments align with organizational infrastructure standards.
Audit applications and their infrastructure configurations against the standards defined in your Platform-Engineering-Constitution.md.
Read Platform-Engineering-Constitution.md and extract all auditable standards (providers, regions, naming, tags, container standards, IaC conventions, network policies, secret management). Scan the repository for infrastructure files (.bicep, .tf, *.yaml), Dockerfiles, Kubernetes manifests, CI/CD configs, and application code.

Check that all infrastructure targets only approved providers and regions.

| Check | What to look for | Severity |
|---|---|---|
| Approved providers only | Provider blocks in Terraform, resource types in Bicep | 🔴 Critical |
| Approved regions only | location, region parameters in IaC | 🔴 Critical |
| No hardcoded cloud-specific resources in app.bicep | Should use portable Radius types | 🟡 Warning |

Verify Dockerfiles and container configurations meet standards.

| Check | What to look for | Severity |
|---|---|---|
| Non-root user | USER directive in Dockerfile (not root) | 🔴 Critical |
| Health endpoints | /healthz and /readyz endpoints in application code | 🟡 Warning |
| Multi-stage build | Multiple FROM stages in Dockerfile | 🟡 Warning |
| Image registry | Images reference approved registries (ACR, ECR) | 🟡 Warning |
| No latest tag in production | Image tags should be pinned | 🟡 Warning |
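
As an added example (not part of the original skill), the container checks in the table above implemented as a small Python auditor: non-root USER, multi-stage build, approved registry and no floating tag on the image that actually ships. The approved registry names and the sample Dockerfile are constructed.

```python
APPROVED_REGISTRIES = ("myorg.azurecr.io", "myorg.dkr.ecr.us-east-1.amazonaws.com")  # constructed

# Constructed sample: no USER directive, final stage pulled from Docker Hub with a floating tag.
BAD_DOCKERFILE = """\
FROM node:20 AS build
COPY . .
RUN npm ci && npm run build

FROM docker.io/library/node:latest
COPY --from=build /app/dist /app
CMD ["node", "/app/server.js"]
"""


def parse_image_ref(ref):
    """Split an image reference into (registry, tag, digest); tag None means implicit latest."""
    name, _, digest = ref.partition("@")
    tag = None
    if ":" in name.rsplit("/", 1)[-1]:  # a colon in the last path component introduces the tag
        name, _, tag = name.rpartition(":")
    first = name.split("/")[0]
    registry = first if ("." in first or ":" in first or first == "localhost") else "docker.io"
    return registry, tag, digest or None


def audit_dockerfile(text, approved=APPROVED_REGISTRIES):
    """Return [(severity, check, detail)] for one Dockerfile; empty when compliant."""
    froms, user = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        if instr.upper() == "FROM":
            froms.append(args.split()[0])  # image ref, ignoring any "AS <stage>"
        elif instr.upper() == "USER":
            user = args.strip()
    findings = []
    if user is None or user.split(":")[0] in ("root", "0"):
        findings.append(("Critical", "Non-root user", "no USER directive, or USER root"))
    if len(froms) < 2:
        findings.append(("Warning", "Multi-stage build", "only one FROM stage"))
    if froms:  # only the final stage ships, so registry and tag checks apply to it
        registry, tag, digest = parse_image_ref(froms[-1])
        if registry not in approved:
            findings.append(("Warning", "Image registry", f"{registry} is not an approved registry"))
        if digest is None and tag in (None, "latest"):
            findings.append(("Warning", "No latest tag", "final image is not pinned to a tag or digest"))
    return findings
```
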

Validate that Terraform/Bicep follows the constitution's conventions.

| Check | What to look for | Severity |
|---|---|---|
| Approved IaC tooling | Only uses tooling listed in constitution | 🔴 Critical |
| Module versions pinned | version = "~> X.Y" in module blocks | 🟡 Warning |
| Remote state backend | backend block configured in Terraform | 🟡 Warning |
| Variables have descriptions | All variable blocks have description | 🟢 Info |
| Variables have type constraints | All variable blocks have type | 🟢 Info |
| terraform fmt clean | Code passes terraform fmt -check | 🟢 Info |

Verify resource names follow the constitution's pattern.

| Check | What to look for | Severity |
|---|---|---|
| Resource names match pattern | Names follow `<org>-<env>-<region>-<service>-<type>` | 🟡 Warning |
| Consistent casing | All lowercase, hyphens as separators | 🟢 Info |

Ensure all required tags are present.

| Check | What to look for | Severity |
|---|---|---|
| Required tags present | All tags from constitution (environment, team, service, managed-by, cost-center) | 🟡 Warning |
| No missing tags on resources | Every resource has all required tags | 🟡 Warning |
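
As an added example (not part of the original skill), a regex-based audit of Terraform resource blocks that covers three of the tables above at once: approved regions, the resource naming pattern, and required tags. The approved regions, the name regex and the sample HCL are constructed; the block regex assumes terraform fmt layout (the resource's closing brace in column 0).

```python
import re

APPROVED_REGIONS = {"eastus2", "westeurope"}  # constructed
REQUIRED_TAGS = {"environment", "team", "service", "managed-by", "cost-center"}
# <org>-<env>-<region>-<service>-<type>, lowercase with hyphen separators
NAME_PATTERN = re.compile(r"^[a-z0-9]+-(dev|test|prod)-[a-z0-9]+-[a-z0-9]+-[a-z0-9]+$")

# Constructed sample: one compliant resource and one that fails all three checks.
SAMPLE_TF = '''resource "azurerm_storage_account" "good" {
  name     = "acme-prod-eastus2-billing-st"
  location = "eastus2"
  tags = {
    environment = "prod"
    team        = "payments"
    service     = "billing"
    managed-by  = "terraform"
    cost-center = "cc-1042"
  }
}

resource "azurerm_key_vault" "bad" {
  name     = "BillingVault"
  location = "centralus"
  tags = {
    environment = "prod"
  }
}
'''

BLOCK_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"([^"]*)"', re.M)  # key = "string" lines
TAGS_RE = re.compile(r'\btags\s*=\s*\{(.*?)\}', re.S)


def audit_terraform(text):
    """Return [(severity, address, check, detail)] over every resource block."""
    findings = []
    for rtype, label, body in BLOCK_RE.findall(text):
        addr = f"{rtype}.{label}"
        attrs = dict(ATTR_RE.findall(body))
        region = attrs.get("location") or attrs.get("region")
        if region and region not in APPROVED_REGIONS:
            findings.append(("Critical", addr, "Approved regions only", region))
        if not NAME_PATTERN.match(attrs.get("name", "")):
            findings.append(("Warning", addr, "Resource names match pattern", attrs.get("name", "")))
        tags_block = TAGS_RE.search(body)
        present = {k for k, _ in ATTR_RE.findall(tags_block.group(1))} if tags_block else set()
        missing = REQUIRED_TAGS - present
        if missing:
            findings.append(("Warning", addr, "Required tags present", ", ".join(sorted(missing))))
    return findings
```
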

Validate network and security configurations.

| Check | What to look for | Severity |
|---|---|---|
| NetworkPolicies defined | Kubernetes NetworkPolicy manifests exist | 🟡 Warning |
| No secrets in source code | Grep for API keys, passwords, tokens | 🔴 Critical |
| Secret management aligned | Uses approved secret management (K8s Secrets, Key Vault, Secrets Manager) | 🟡 Warning |
| RBAC enabled | Cluster configs enable RBAC | 🟡 Warning |

If the app uses Radius, validate the Radius configuration.

| Check | What to look for | Severity |
|---|---|---|
| bicepconfig.json exists | Required for Radius Bicep extensions | 🔴 Critical |
| Portable resource types used | Radius.* or Applications.Datastores/* instead of cloud-specific | 🟡 Warning |
| environment parameter present | All Radius resources include environment | 🔴 Critical |
| Recipe properties set | Properties expected by recipes are declared (e.g., size) | 🟡 Warning |
| Connection env var handling | App code handles both _PROPERTIES JSON and individual vars | 🟡 Warning |
| Health probes configured | Container resources include readiness/liveness probes | 🟡 Warning |
| No local file paths in recipes | Recipe template paths use OCI registry URLs | 🔴 Critical |
| No localhost in image/recipe refs | Should use host.docker.internal or cloud registry | 🟡 Warning |

```markdown
# Application Audit Report
**Repository:** <repo-name>
**Date:** <date>
**Constitution Version:** <version from changelog>
## Summary
| Severity | Count |
|----------|-------|
| 🔴 Critical | N |
| 🟡 Warning | N |
| 🟢 Info | N |
| ✅ Pass | N |
## Findings
### 🔴 Critical
#### [C1] <Finding Title>
- **File:** `path/to/file:line`
- **Issue:** Description of what's wrong
- **Constitution Reference:** Section N — <section title>
- **Remediation:** How to fix it
### 🟡 Warning
#### [W1] <Finding Title>
- **File:** `path/to/file:line`
- **Issue:** Description of what's wrong
- **Constitution Reference:** Section N — <section title>
- **Remediation:** How to fix it
### 🟢 Info
#### [I1] <Finding Title>
- **Recommendation:** Suggested improvement
### ✅ Passing Checks
- Provider compliance: ✅
- Region compliance: ✅
- Container non-root: ✅
- ...
```

When invoked, perform these steps:

1. Find the constitution: look for Platform-Engineering-Constitution.md in the repo root or parent directories.
2. Scan for artifacts:

   ```bash
   # Find all auditable files
   find . -name "*.bicep" -o -name "*.tf" -o -name "Dockerfile*" \
     -o -name "*.yaml" -o -name "*.yml" -o -name "bicepconfig.json"
   ```

3. Run checks by reading each file and comparing it against the constitution rules.
4. Check application code for health endpoints, connection handling, and secret exposure:

   ```bash
   # Health endpoints
   grep -rn "healthz\|readyz" --include="*.go" --include="*.js" --include="*.py"
   # Secret patterns (flag for review)
   grep -rn "password\s*=\s*['\"]" --include="*.tf" --include="*.bicep"
   grep -rn "API_KEY\|SECRET_KEY\|PRIVATE_KEY" --include="*.go" --include="*.js" --include="*.py"
   # Connection handling
   grep -rn "CONNECTION_.*_PROPERTIES" --include="*.go" --include="*.js" --include="*.py"
   ```

5. Generate the report using the format above.
platform-constitution skill to create one first.