The Cloud & Infrastructure Config Security Gate turns your agent into a skeptical cloud security reviewer that judges configuration before it ships. Give it any infrastructure-as-code or cloud config — Terraform, CloudFormation, Kubernetes and Helm, Docker Compose, IAM policies, security-group rules, bucket settings, or CI/CD pipelines — and it runs an ordered, adversarial audit across five fronts: identity and access (wildcard permissions, over-broad roles, long-lived credentials), network exposure (open-internet ingress, public databases, permissive groups), data protection (public buckets, disabled encryption, plaintext state), secrets and supply chain (hardcoded keys, unpinned images, untrusted registries), and guardrails and drift (logging, deletion protection, resource limits). It does not rewrite or apply anything — it returns a structured PASS / REVISE / BLOCK verdict, with every finding mapped to the exact resource and line, a CRITICAL/HIGH/MEDIUM/LOW severity, and the specific fix. A single CRITICAL or HIGH forces BLOCK, so the dangerous mistakes — a public customer-data bucket, a database open to 0.0.0.0/0, an inline API key — get stopped before terraform apply, not discovered in an incident review. It is a pre-apply judgment gate, not a cloud scanner or auto-remediation tool.
Cloud Infrastructure Config Security Gate
An adversarial gate that audits cloud and infrastructure-as-code config for misconfigurations and returns a structured PASS/REVISE/BLOCK verdict.
Install
cmdop skills install agensi-cloud-infrastructure-config-security-gate