GRIMSEC Agent 10 — Infrastructure-as-Code security scanning and policy enforcement. Use when asked to scan IaC files, run Checkov, evaluate OPA/Rego policies, generate SBOMs, map compliance controls, or audit Terraform, Kubernetes, Docker, CloudFormation, Ansible, or GitHub Actions configurations. Trigger phrases include: scan infrastructure code, check IaC security, run Checkov, evaluate Rego policies, CIS benchmark compliance, SOC2 IaC controls, NIST 800-53 infrastructure, policy enforcement, SBOM generation, Dockerfile security, K8s security policies, Terraform security review.
Agent 10 in the GRIMSEC DevSecOps suite. Performs comprehensive Infrastructure-as-Code security scanning using Checkov (750+ built-in policies) and Open Policy Agent (custom organization-specific Rego policies). Covers all major IaC frameworks and maps findings to CIS, NIST 800-53, SOC 2, HIPAA, and PCI-DSS compliance frameworks.
Use this skill when:
inventory.jsondevsecops-repo-analyzer Stage 3 (Trivy IaC) — this agent provides deeper scanning with 750+ Checkov policies plus custom OPA rulescicd-pipeline-auditor — GitHub Actions policies overlap, but OPA custom rules add organization-specific enforcementiac-policy/
iac-policy/checkov-results.jsoniac-policy/opa-results.jsoniac-policy/sbom/ (SPDX and CycloneDX formats)iac-policy/compliance-map.jsoniac-policy/iac-report.mdexecutive-reporting-agent for compliance coverage aggregationBefore first use, run the installer:
bash scripts/install-iac-tools.sh
This installs Checkov, OPA, conftest, and Syft. The script is idempotent — safe to run again.
Input: Repository path (auto-detects IaC files)
│
├─► Phase 1: IaC Discovery
├─► Phase 2: Checkov Scan (750+ built-in policies)
├─► Phase 3: OPA Custom Policies
├─► Phase 4: SBOM Generation (Syft)
├─► Phase 5: Compliance Mapping
└─► Phase 6: Report Generation
Identify all IaC files in the target repository before scanning.
Step 1.1 — If inventory.json exists from a prior devsecops-repo-analyzer run, read it to get the pre-enumerated IaC file list. Skip manual discovery for any already-catalogued paths.
Step 1.2 — Walk the repository tree to find IaC files by extension and filename pattern:
| Framework | Patterns |
|---|---|
| Terraform | *.tf, *.tfvars, *.tfvars.json |
| CloudFormation | template.yaml, template.json, *-stack.yaml, cloudformation/*.yaml |
| Kubernetes | *deployment*.yaml, *service*.yaml, *ingress*.yaml, Helm Chart.yaml + values.yaml |
| Docker | Dockerfile*, docker-compose*.yml, docker-compose*.yaml |
| Ansible | playbook*.yml, roles/*/tasks/main.yml, site.yml |
| ARM Templates | azuredeploy.json, *.arm.json |
| GitHub Actions | .github/workflows/*.yml, .github/workflows/*.yaml |
Step 1.3 — Produce a discovery summary:
{
"terraform": [...file paths...],
"cloudformation": [...],
"kubernetes": [...],
"docker": [...],
"ansible": [...],
"arm": [...],
"github_actions": [...]
}
Step 1.4 — Create the output directory: mkdir -p iac-policy/sbom
Run scripts/run-checkov.py (or invoke Checkov directly). See references/checkov-frameworks.md for supported frameworks, policy IDs, and flags.
Step 2.1 — Run Checkov against the repository root, outputting JSON:
python scripts/run-checkov.py --directory <repo_path> --output iac-policy/checkov-results.json
The wrapper auto-selects frameworks based on discovered IaC types. For targeted scanning:
checkov -d <dir> --framework terraform --output-file-path iac-policy/ --output json
checkov -d <dir> --framework kubernetes --output-file-path iac-policy/ --output json
checkov -d <dir> --framework dockerfile --output-file-path iac-policy/ --output json
checkov -d <dir> --framework github_actions --output-file-path iac-policy/ --output json
Step 2.2 — Parse iac-policy/checkov-results.json:
Step 2.3 — Flag CRITICAL failures (any check matching CIS Level 1 or scoring ≥7.0 CVSS equivalent):
Consult references/checkov-frameworks.md for the full policy ID reference.
Run scripts/run-opa.py with the custom Rego policies in assets/policies/. See references/opa-policy-guide.md for Rego syntax guidance.
Step 3.1 — For each IaC type, evaluate the relevant Rego policy:
python scripts/run-opa.py \
--policy assets/policies/docker-security.rego \
--input <dockerfile_parsed_json> \
--output iac-policy/opa-results.json
| Policy File | Applies To |
|---|---|
assets/policies/docker-security.rego | Dockerfiles, docker-compose |
assets/policies/k8s-security.rego | K8s manifests, Helm templates |
assets/policies/terraform-security.rego | Terraform .tf files |
assets/policies/github-actions.rego | .github/workflows/*.yml |
Step 3.2 — Key rules enforced per policy:
Docker (docker-security.rego):
deny_root_user: USER directive must be present and non-rootdeny_unpinned_base: Base image must use @sha256:... digestdeny_secrets_in_env: ENV/ARG keys must not match secret name patternswarn_no_multistage: Single-stage builds flagged as warningwarn_no_healthcheck: Missing HEALTHCHECK flagged as warningKubernetes (k8s-security.rego):
deny_root_container: securityContext.runAsNonRoot: true requireddeny_writable_root_fs: readOnlyRootFilesystem: true requireddeny_privilege_escalation: allowPrivilegeEscalation: false requireddeny_all_capabilities: capabilities.drop: ["ALL"] requireddeny_no_limits: CPU and memory limits required on all containersdeny_host_network: hostNetwork, hostPID, hostIPC must be falsewarn_no_network_policy: Namespace should have a NetworkPolicyTerraform (terraform-security.rego):
deny_public_s3: aws_s3_bucket_public_access_block with all true requireddeny_unencrypted_s3: Bucket encryption requireddeny_unversioned_s3: S3 versioning must be enableddeny_public_rds: publicly_accessible = false requireddeny_unencrypted_rds: storage_encrypted = true requireddeny_single_az_rds: multi_az = true recommendeddeny_open_sg: Security groups must not allow 0.0.0.0/0 on non-80/443 portsdeny_untagged: All resources require mandatory tags (Name, Environment, Owner)GitHub Actions (github-actions.rego):
deny_unpinned_action: Third-party actions must be pinned to full 40-char SHAdeny_missing_permissions: Workflow/job must have explicit permissions: blockdeny_pull_request_target_checkout: pull_request_target + checkout of ${{ github.event.pull_request.head.ref }} is forbiddendeny_expression_injection: ${{ github.event.*}} in run: steps is flaggeddeny_secret_in_arg: Secrets must not be passed as CLI argumentsStep 3.3 — Merge OPA results into iac-policy/opa-results.json:
{
"docker": {"violations": [...], "warnings": [...]},
"kubernetes": {"violations": [...], "warnings": [...]},
"terraform": {"violations": [...], "warnings": [...]},
"github_actions": {"violations": [...], "warnings": [...]}
}
Generate Software Bill of Materials for container images and filesystems using Syft.
Step 4.1 — For each Dockerfile discovered, attempt SBOM generation:
# From filesystem (always works without building)
syft dir:<repo_path> -o spdx-json > iac-policy/sbom/filesystem-sbom.spdx.json
syft dir:<repo_path> -o cyclonedx-json > iac-policy/sbom/filesystem-sbom.cdx.json
Step 4.2 — If container images are referenced and available locally:
syft <image:tag> -o spdx-json > iac-policy/sbom/<image-name>-sbom.spdx.json
syft <image:tag> -o cyclonedx-json > iac-policy/sbom/<image-name>-sbom.cdx.json
Step 4.3 — Summarize SBOM contents:
Step 4.4 — If Syft is not available, note in report: "SBOM generation skipped — run bash scripts/install-iac-tools.sh to install Syft."
Map Checkov and OPA findings to compliance framework controls. See references/compliance-mappings.md for the full control mapping table.
Step 5.1 — Load the compliance mapping table from references/compliance-mappings.md.
Step 5.2 — For each Checkov check_id in the results, look up its compliance mappings:
Step 5.3 — For each control, determine status:
Step 5.4 — Write iac-policy/compliance-map.json:
{
"cis_aws": {
"1.1": {"status": "PASS", "checks": ["CKV_AWS_9"], "description": "..."},
"2.1.1": {"status": "FAIL", "checks": ["CKV_AWS_19"], "failing_resources": [...]}
},
"soc2": { ... },
"nist_800_53": { ... },
"hipaa": { ... },
"pci_dss": { ... }
}
Step 5.5 — Calculate per-framework pass rate:
(PASS controls) / (PASS + FAIL + PARTIAL controls) * 100Produce the final security report using the template at assets/templates/iac-report-template.md.
Step 6.1 — Fill in all sections of the template:
Step 6.2 — Write to iac-policy/iac-report.md.
Step 6.3 — Print a brief console summary:
IaC Policy Agent — Scan Complete
=================================
Frameworks scanned: Terraform, Kubernetes, Docker, GitHub Actions
Checkov checks run: 847 | Passed: 623 | Failed: 224
OPA violations: 37 | Warnings: 12
SBOM packages: 1,842
Compliance coverage: CIS AWS 74% | SOC2 68% | NIST 71%
Critical findings: 8 — see iac-policy/iac-report.md
| Situation | Action |
|---|---|
| Checkov not installed | Run bash scripts/install-iac-tools.sh, then retry |
| OPA not in PATH | Run bash scripts/install-iac-tools.sh, then retry |
| No IaC files found | Report "No IaC files detected in <path>" and exit cleanly |
| Checkov parse error on a file | Log the file, skip it, continue scanning others |
| OPA policy evaluation error | Log the policy name and input file, skip that combination |
| Syft unavailable | Skip SBOM phase, note in report |
inventory.json absent | Skip Step 1.1, perform full discovery |
| File | Description |
|---|---|
iac-policy/checkov-results.json | Raw Checkov JSON output with all check results |
iac-policy/opa-results.json | Aggregated OPA policy evaluation results |
iac-policy/sbom/filesystem-sbom.spdx.json | SPDX-format filesystem SBOM |
iac-policy/sbom/filesystem-sbom.cdx.json | CycloneDX-format filesystem SBOM |
iac-policy/compliance-map.json | Control-by-control compliance status |
iac-policy/iac-report.md | Full human-readable security report |
references/checkov-frameworks.md — All supported frameworks, policy IDs, and CLI flagsreferences/opa-policy-guide.md — Writing and testing Rego policiesreferences/compliance-mappings.md — CIS, NIST 800-53, SOC 2, HIPAA, PCI-DSS control mappings