Use when analyzing Terraform plan output for security, cost, and operational impact — parses terraform plan JSON to surface destructive changes, IAM modifications, cost-impacting resources, and drift before apply
npx claudepluginhub infraspecdev/tesseract --plugin shield

How this skill is triggered — by the user, by Claude, or both
Slash command
/shield:plan-analysis

The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Analyzes `terraform plan -json` output to surface security-sensitive changes, cost-impacting resources, destructive actions, and drift before `terraform apply`. Complements static code review by showing what will actually change.
Use when analyzing terraform/tofu plan output for risks, security issues, and potential service disruptions. Required before any apply operation.
Downloads and analyzes Terraform Cloud plan JSON for resource change summaries, creates/updates/deletes lists, and infrastructure diffs using Bash and jq.
Validates IaC using Terraform, CloudFormation, Pulumi, CDK: runs validation, security policy checks, Infracost cost estimation, and drift detection. Activates on terraform plan or infrastructure review.
Analyzes terraform plan -json output to surface security-sensitive changes, cost-impacting resources, destructive actions, and drift before terraform apply. Complements static code review by showing what will actually change.
Core principle: Review the plan, not just the code. Static analysis catches bad patterns; plan analysis catches bad outcomes.
- Required before: terraform apply on any environment
- Not applicable when: terraform init has not been run and no plan JSON is available

Workflow: Detect Plan Source -> Parse Plan JSON -> Analyze Changes -> Write Report -> Present Summary
Plan source priority: user-provided JSON > existing .tfplan file (convert via terraform show -json) > generate via terraform plan -json -lock=false (requires .terraform/). If none available, prompt user to run terraform init or provide CI output.
- terraform apply — This skill is read-only. Only plan and show commands.
- -lock=false — Don't acquire state lock for analysis.
- terraform plan.

Locate plan data using the priority from the Workflow section above. Ask user before generating a new plan.
Extract resource changes, output changes, and diagnostics. Format differs between streamed plan -json (line-delimited) and show -json (single object with resource_changes[]). See reference-tables.md for message types and extraction details.
Five analysis passes: change summary (by action type), destructive action warnings (risk-classified), security-sensitive changes (IAM/network/encryption/public access), cost-impacting changes (with estimates), and drift detection. See reference-tables.md for all classifications and thresholds.
Write to claude/infra-review/plan-analysis.md. Include all analysis sections plus a verdict (Safe to Apply / Review Required / Do Not Apply). See templates.md for format and reference-tables.md for verdict criteria.
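The two plan JSON shapes and the analysis passes from the steps above, as an added example that is not part of the shield skill or its reference-tables.md: a Python parser that normalizes both `terraform show -json` and streamed `terraform plan -json` into one change list, then runs the summary, destructive, security-sensitive and drift passes. The security-sensitive prefix list and the verdict rule are assumptions for this example, and the sample plan inputs are constructed.

```python
import json
from collections import Counter

# Assumed security-sensitive type prefixes; the skill's real list is in reference-tables.md (not on this page)
SECURITY_PREFIXES = ("aws_iam_", "aws_security_group", "aws_kms_")

def normalize_action(actions):
    # show -json lists actions per resource; ["delete", "create"] in either order means replace
    return "replace" if {"delete", "create"} <= set(actions) else (actions[0] if actions else "no-op")
def parse_plan(text):
    """Return (changes, drift) as lists of {addr, type, action} from either plan JSON shape."""
    try:
        doc = json.loads(text)  # whole text parses as one object only for `terraform show -json`
    except json.JSONDecodeError:
        doc = None
    changes, drift = [], []
    if isinstance(doc, dict) and "resource_changes" in doc:
        for key, bucket in (("resource_changes", changes), ("resource_drift", drift)):
            for rc in doc.get(key, []):
                bucket.append({"addr": rc["address"], "type": rc["type"],
                               "action": normalize_action(rc["change"]["actions"])})
    else:  # streamed `terraform plan -json`: one typed message per line, action already a string
        for line in filter(str.strip, text.splitlines()):
            msg = json.loads(line)
            if msg.get("type") in ("planned_change", "resource_drift"):
                res = msg["change"]["resource"]
                (drift if msg["type"] == "resource_drift" else changes).append(
                    {"addr": res["addr"], "type": res["resource_type"], "action": msg["change"]["action"]})
    return changes, drift
def analyze(text):
    changes, drift = parse_plan(text)
    summary = dict(Counter(c["action"] for c in changes))  # change summary by action type
    destructive = [c for c in changes if c["action"] in ("delete", "replace")]
    sensitive = [c for c in changes if c["type"].startswith(SECURITY_PREFIXES) and c["action"] != "no-op"]
    # Verdict rule assumed here: destroy/replace of a sensitive resource blocks apply; anything else risky needs review
    if any(c in sensitive for c in destructive):
        verdict = "Do Not Apply"
    else:
        verdict = "Review Required" if destructive or sensitive or drift else "Safe to Apply"
    return {"summary": summary, "destructive": destructive, "sensitive": sensitive, "drift": drift, "verdict": verdict}

# Constructed sample inputs, one per format (real streamed messages also carry @level and @message)
STREAMED = "\n".join(json.dumps(m) for m in [
    {"type": "planned_change", "change": {"resource": {"addr": "aws_iam_role.deploy", "resource_type": "aws_iam_role"}, "action": "delete"}},
    {"type": "planned_change", "change": {"resource": {"addr": "aws_instance.web", "resource_type": "aws_instance"}, "action": "create"}},
    {"type": "resource_drift", "change": {"resource": {"addr": "aws_security_group.db", "resource_type": "aws_security_group"}, "action": "update"}},
    {"type": "change_summary", "changes": {"add": 1, "change": 0, "remove": 1}}])
SHOW = json.dumps({"format_version": "1.2", "resource_changes": [
    {"address": "aws_db_instance.main", "type": "aws_db_instance", "change": {"actions": ["delete", "create"]}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "change": {"actions": ["no-op"]}}]})
```

Non-change messages such as change_summary are skipped in the streamed format, and a replace is surfaced as one destructive entry rather than a separate delete and create.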
| Mistake | Why It Fails | Do Instead |
|---|---|---|
| Running terraform apply | Causes real infrastructure changes | Only use plan and show commands |
| Omitting -lock=false | Blocks other operations by holding state lock | Always pass -lock=false |
| Skipping report when no changes | No record the analysis was performed | Write report documenting "no changes" |
| Treating all destroys equally | Destroying a security group differs from a database | Use risk-level classifications from reference-tables.md |
| Ignoring drift entries | Out-of-band changes may conflict | Always surface drift with likely cause |