Execute use when you need to work with compliance checking.
This skill provides compliance monitoring and validation with comprehensive guidance and automation.
Trigger with phrases like "check compliance", "validate policies",
or "audit compliance".
Audit infrastructure configurations against compliance frameworks (CIS Benchmarks, SOC 2, HIPAA, PCI-DSS, GDPR) using policy-as-code tools like Open Policy Agent (OPA), Checkov, and tfsec. Generate compliance reports, identify violations, and produce remediation plans for Terraform, Kubernetes, and cloud provider configurations.
Prerequisites
Policy-as-code tool installed: checkov, tfsec, opa, or kube-bench
Infrastructure-as-code files (Terraform, CloudFormation, Kubernetes manifests) in the project
Cloud provider CLI authenticated with read access to resources
OPA/Rego policy files for custom organizational rules
CI/CD pipeline step configuration for automated compliance gating
Error Handling
Error
Cause
Solution
checkov: no Terraform files found
Scanner run from wrong directory
Specify path explicitly with -d path/to/terraform/
tfsec: failed to parse HCL
Syntax error in Terraform files
Run terraform validate first to fix HCL syntax before compliance scan
False positive on compliance check
Rule too broad for the specific use case
Add inline skip comments (#checkov:skip=CKV_AWS_18:Reason) or create a .checkov.yml skip list
OPA policy evaluation error
Rego syntax error or missing input data
Test policies with opa eval -d policy.rego -i input.json and validate Rego syntax
Scan timeout on large codebase
Too many files or complex module references
Use --compact mode, scan directories individually, or increase timeout limits
Examples
"Run a CIS Benchmark compliance check against all Terraform files and generate a report with remediation steps for Critical findings."
"Create OPA policies that enforce: all S3 buckets must have encryption, all EC2 instances must have IMDSv2, and all security groups must not allow 0.0.0.0/0 ingress."
"Scan Kubernetes manifests for PCI-DSS compliance: verify no privileged containers, all pods have resource limits, and network policies exist for every namespace."