From shipyard
Provides validation workflows for Terraform, Ansible, Docker, Kubernetes, and CloudFormation IaC files using linting, syntax checks, security scans, dry runs, and drift detection before apply/plan.
Install: `npx claudepluginhub lgbarn/shipyard --plugin shipyard`

This skill uses the workspace's default tool permissions.
Validates IaC files including Dockerfiles (hadolint), Docker Compose (dclint), Kubernetes manifests, and Terraform configs against best practices. Reports violations with severity, locations, and auto-fix suggestions.
Implements IaC security scanning with Checkov, tfsec, KICS for Terraform, CloudFormation, Kubernetes manifests, and Helm charts; integrates into CI/CD to block misconfigurations.
Implements automated security scanning for IaC templates using Checkov, tfsec, KICS. Scans Terraform, CloudFormation, Kubernetes manifests, Helm charts for misconfigurations in CI/CD pipelines.
Triggers:

- Files: `*.tf`, `*.tfvars`, `Dockerfile`, `docker-compose.yml`, `playbook*.yml`, `roles/`, `inventory/`
- `.shipyard/config.json` has `iac_validation` set to `"auto"` or `true`
- `AWSTemplateFormatVersion` (CloudFormation)
- `apiVersion:` (Kubernetes)

IaC mistakes don't cause test failures -- they cause outages, breaches, and cost overruns. Validate before every change.
Core principle: Never apply without plan review. Like TDD requires tests before code, IaC requires validation before apply.
Run in order. Each step must pass before proceeding.
**Terraform**

```bash
terraform fmt -check          # 1. Format (auto-fix with `terraform fmt` if needed)
terraform validate            # 2. Syntax validation
terraform plan -out=tfplan    # 3. Review every change -- NEVER skip
tflint --recursive            # 4. Lint (if installed)
tfsec .                       # 5. Security scan (if installed); alternative: checkov -d .
```
Drift detection: `terraform plan -detailed-exitcode` -- exit code 2 means drift. Document what drifted and why before overwriting.
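The Terraform gate above as a runnable script, added here as an example and not part of the shipyard skill itself: it runs the steps in order, skips the optional linters when they are not installed, stops at the first hard failure, and treats exit code 2 from `terraform plan -detailed-exitcode` as drift to be reviewed rather than as a pass. The `run` parameter is an assumption made so the gate logic can be exercised without terraform present.

```python
import subprocess

# The gate from the workflow above, in order; tflint and tfsec are optional tools.
TERRAFORM_GATE = [
    ["terraform", "fmt", "-check"],
    ["terraform", "validate"],
    ["terraform", "plan", "-detailed-exitcode", "-out=tfplan"],
    ["tflint", "--recursive"],
    ["tfsec", "."],
]
OPTIONAL_TOOLS = {"tflint", "tfsec"}

def run_step(cmd):
    """Run one command; return its exit code, or None if the tool is not installed."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True).returncode
    except FileNotFoundError:
        return None

def run_gate(steps=TERRAFORM_GATE, run=run_step):
    """Return (passed, drift, log). Stops at the first hard failure.

    `run` is injectable (an assumption of this example) so the gate logic can be
    tested without terraform installed."""
    log, drift = [], False
    for cmd in steps:
        rc = run(cmd)
        label = " ".join(cmd)
        if rc is None and cmd[0] in OPTIONAL_TOOLS:
            log.append(f"skip {label} (not installed)")
            continue
        if cmd[:2] == ["terraform", "plan"] and rc == 2:
            # -detailed-exitcode: 0 = no changes, 1 = error, 2 = changes/drift present
            drift = True
            log.append(f"drift {label}: review tfplan and document what drifted before apply")
            continue
        if rc != 0:
            log.append(f"FAIL {label} rc={rc}")
            return False, drift, log
        log.append(f"ok {label}")
    return True, drift, log

if __name__ == "__main__":
    passed, drift, log = run_gate()
    print("\n".join(log))
    raise SystemExit(0 if passed else 1)
```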
**Ansible**

```bash
yamllint .                              # 1. YAML syntax
ansible-lint                            # 2. Best practices
ansible-playbook --syntax-check *.yml   # 3. Playbook syntax
ansible-playbook --check *.yml          # 4. Dry run (where supported)
molecule test                           # 5. Role tests (if configured)
```
**Docker**

```bash
hadolint Dockerfile             # 1. Lint (if installed)
docker build -t test-build .    # 2. Build
trivy image test-build          # 3. Security scan (if installed)
docker compose config           # 4. Validate compose (if applicable)
```
**Kubernetes**

```bash
kubectl apply --dry-run=client -f manifest.yml   # 1. Client-side validation
kubectl apply --dry-run=server -f manifest.yml   # 2. Server-side validation (if cluster access)
kubeval --strict manifest.yml                    # 3. Schema validation (if installed)
kubeconform -strict manifest.yml                 # 4. Schema validation alternative
kube-linter lint .                               # 5. Best practices (if installed)
helm template . | kubeval --strict               # 6. Helm chart validation (if applicable)
```
**Terraform mistakes**

| Mistake | Fix |
|---|---|
| Local state file | Use remote backend (S3+DynamoDB, GCS) |
| No state locking | Enable lock table |
| Hardcoded secrets | Use variables + secret manager |
| Wildcard `*` in security groups | Restrict to specific CIDRs |
| Unpinned provider version | Pin in `required_providers` |
| Missing tags | Require via policy or module defaults |
**Ansible mistakes**

| Mistake | Fix |
|---|---|
| Plaintext secrets | `ansible-vault encrypt` |
| `shell` instead of modules | Use native modules (`apt`, `copy`, etc.) |
| Everything as root | `become: false` by default, escalate only when needed |
**Docker mistakes**

| Mistake | Fix |
|---|---|
| `FROM ubuntu:latest` | Pin to digest: `FROM ubuntu:22.04@sha256:...` |
| Running as root | Add `USER nonroot` |
| `COPY . .` | Use `.dockerignore`, copy specific files |
| Secrets in `ENV`/`ARG` | Use build secrets or runtime injection |
| No health check | Add `HEALTHCHECK` instruction |
| Single-stage build | Use multi-stage builds |
**Kubernetes mistakes**

| Mistake | Fix |
|---|---|
| No resource limits | Set `resources.requests` and `resources.limits` |
| Running as root | `securityContext.runAsNonRoot: true` |
| `latest` image tag | Pin exact version or digest |
| No liveness/readiness probes | Add probes matching app health endpoints |
| Default namespace for workloads | Use dedicated namespaces with RBAC |
| No network policies | Restrict pod-to-pod traffic with NetworkPolicy |
Red flags:

- `terraform apply -auto-approve` without prior plan review
- `0.0.0.0/0` on non-HTTP ports
- `*` action or `*` resource
- `.tf`, `.yml`, or `Dockerfile`
- `latest` tag on any base image

**IaC-Critical: Overly permissive security group in modules/network/main.tf**

Resource: `aws_security_group_rule.allow_all` (line 34)
Problem: Ingress rule allows `0.0.0.0/0` on port 22 (SSH). This exposes SSH to the entire internet.
Fix: Restrict to bastion host CIDR or VPN range:

```hcl
cidr_blocks = [var.vpn_cidr]
```

Validation: `tfsec .` flagged this as HIGH severity (AWS018).
**Security Issue: Network configuration may be too open.**
Review the security groups for potential issues.
Referenced by: shipyard:builder (detects IaC files, follows appropriate workflow), shipyard:verifier (IaC validation mode), shipyard:auditor (IaC security checks)
Pairs with: shipyard:security-audit (security lens for IaC), shipyard:shipyard-verification (IaC claims need validation evidence)