Skill Being Reviewed
Skill name: iac-security
Skill path: skills/cloud/iac-security/SKILL.md
False Positive Analysis
Benign code/configuration that can be over-flagged:
terraform { backend "s3" { bucket="tf-state" key="prod.tfstate" encrypt=true dynamodb_table="locks" } }
# bucket has restricted IAM and versioning
Why this is a false positive:
terraform { backend "s3" { bucket="tf-state" key="prod.tfstate" encrypt=true dynamodb_table="locks" } } can be safe when the compensating controls noted in the comment (restricted IAM on the bucket, versioning) are actually evidenced, but the current skill does not ask reviewers to distinguish that evidence from the risky pattern. The review should require proof of the guardrail before escalating severity.
Coverage Gaps
Missed variant 1:
terraform { backend "s3" { bucket="shared-state" key="prod.tfstate" } }
# no encryption, public access block not evidenced, state includes secrets
Why it should be caught:
This variant leaves a realistic attack path open while still satisfying the current high-level checklist language.
Missed variant 2:
resource "aws_db_instance" "db" { password = var.db_password }
# secret lands in state even if variable is marked sensitive
Why it should be caught:
This is a common production edge case where policy exists on paper but does not bind the runtime behavior or evidence trail.
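As an added example (not part of this review or of the skill under review), the Python checker below turns the false-positive and coverage-gap points above into executable review rules. It reads the three snippets from this page with a flat regex-based HCL reader (an assumption: it handles only the flat blocks shown, not general HCL), refuses to escalate a well-formed backend block without proof of the bucket guardrails, and flags attributes such as password that Terraform persists in state regardless of the sensitive flag. The evidence keys, the attribute list and the severity labels are constructed for illustration.

```python
"""Review rules for Terraform remote state and secrets-in-state.

Added example, not the skill's own code. The HCL reader below is a flat
regex parser (assumption: no nesting beyond terraform { backend { } }),
sufficient for the snippets under review but not a general HCL parser.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Provider attributes whose values Terraform writes into state in plaintext even
# when the feeding variable is declared sensitive. Illustrative, not exhaustive.
STATE_PERSISTED_SECRET_ATTRS = {"password", "master_password", "secret_string"}

# Out-of-band guardrails the reviewer must see proof of before a well-formed
# backend block is accepted as safe. Evidence keys are constructed for this example.
REQUIRED_BACKEND_EVIDENCE = ("bucket_versioning", "public_access_blocked", "restricted_iam")

_BACKEND = re.compile(r'backend\s+"(\w+)"\s*\{([^{}]*)\}')
_RESOURCE = re.compile(r'resource\s+"([\w-]+)"\s+"([\w-]+)"\s*\{([^{}]*)\}')
_ATTR = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s}]+))')


@dataclass(frozen=True)
class Finding:
    severity: str  # "HIGH", "MEDIUM" or "NEEDS-EVIDENCE"
    message: str


def _attrs(body: str) -> Dict[str, str]:
    """Collect key = value pairs from a block body; quoted strings lose their quotes."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _ATTR.finditer(body)}


def review(hcl: str, evidence: Optional[Dict[str, bool]] = None) -> List[Finding]:
    """Apply the state-backend and secret-in-state rules to one configuration.

    `evidence` carries what the reviewer verified out of band (bucket versioning,
    public access block, restricted IAM). A backend block that is well-formed but
    unproven gets NEEDS-EVIDENCE rather than HIGH, so the safe snippet is not
    over-flagged; a backend that skips encryption is HIGH on its own and also
    raises the severity of any secret that lands in state.
    """
    evidence = evidence or {}
    findings: List[Finding] = []
    state_encrypted = True  # assume encrypted until a backend block says otherwise

    for m in _BACKEND.finditer(hcl):
        kind, attrs = m.group(1), _attrs(m.group(2))
        if kind != "s3":
            continue  # only the s3 backend rules are modelled here
        if attrs.get("encrypt") != "true":
            state_encrypted = False
            findings.append(Finding("HIGH", 'backend bucket "%s" stores state without encrypt=true'
                                    % attrs.get("bucket")))
        if "dynamodb_table" not in attrs:
            findings.append(Finding("MEDIUM", "no dynamodb_table: state is unlocked, concurrent applies can corrupt it"))
        missing = [k for k in REQUIRED_BACKEND_EVIDENCE if not evidence.get(k)]
        if missing:
            findings.append(Finding("NEEDS-EVIDENCE", "backend guardrails not proven: " + ", ".join(missing)))

    for m in _RESOURCE.finditer(hcl):
        rtype, name, attrs = m.group(1), m.group(2), _attrs(m.group(3))
        for attr in sorted(attrs.keys() & STATE_PERSISTED_SECRET_ATTRS):
            severity = "MEDIUM" if state_encrypted else "HIGH"
            findings.append(Finding(severity, f"{rtype}.{name}.{attr} persists in state even if its variable is sensitive"))
    return findings


# The three snippets from the review, reproduced verbatim as inputs.
SAFE_BACKEND = 'terraform { backend "s3" { bucket="tf-state" key="prod.tfstate" encrypt=true dynamodb_table="locks" } }'
WEAK_BACKEND = 'terraform { backend "s3" { bucket="shared-state" key="prod.tfstate" } }'
DB_WITH_PASSWORD = 'resource "aws_db_instance" "db" { password = var.db_password }'

# Constructed evidence record: what a reviewer confirmed about the tf-state bucket.
FULL_EVIDENCE = {"bucket_versioning": True, "public_access_blocked": True, "restricted_iam": True}

if __name__ == "__main__":
    for label, hcl, ev in [("safe backend, evidence present", SAFE_BACKEND, FULL_EVIDENCE),
                           ("safe backend, no evidence", SAFE_BACKEND, None),
                           ("weak backend + db password", WEAK_BACKEND + "\n" + DB_WITH_PASSWORD, None)]:
        print(f"== {label}")
        for f in review(hcl, ev) or [Finding("PASS", "no findings")]:
            print(f"  [{f.severity}] {f.message}")
```

The design point is the separation between what the configuration proves on its own and what only out-of-band evidence can prove: a missing encrypt=true is a defect in the file and is escalated immediately, while bucket versioning and IAM restrictions are never visible in the backend block, so their absence from the evidence record produces a request for proof rather than a high-severity finding.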
Edge Cases
A plan can pass IaC policy checks while the remote state backend is the real exposure path. Sensitive values, stale drift, and unlocked state can undermine otherwise secure resources.
Remediation Quality
Comparison to Other Tools
| Tool | Catches this? | Notes |
| --- | --- | --- |
| Checkov | Partial | Has backend and secret-in-state checks but varies by provider. |
| tfsec | Partial | Finds many resource misconfigs, less state-governance focused. |
| Terraform Cloud/Enterprise | Partial | Provides controls if used, but reviewers need evidence of configuration. |
Overall Assessment
Strengths:
The skill gives useful coverage of IaC misconfiguration and suppression governance.
Needs improvement:
Remote state handling should be treated as a first-class secret/control-plane asset rather than a footnote.
Priority recommendations:
- Add a Terraform/OpenTofu state backend evidence section.
- Require drift detection and state access review evidence.
- Flag sensitive provider attributes that persist in state even when variables are marked sensitive.
Bounty Info