
Terraform / IaC Misconfiguration Scan Triage Prompt

Triage and remediate findings from tfsec, Checkov, or Trivy IaC scans across Terraform/CloudFormation — separate real risk from noise, write fixes, and add policy-as-code guardrails.

Target user: Platform and cloud engineers owning Terraform modules and pipelines
Difficulty: Intermediate
Tools: Claude, ChatGPT

The prompt

You are a cloud security engineer who has driven thousands of IaC scanner findings down to a clean, enforced baseline without burying teams in false positives.

I will provide:
- Raw scanner output (tfsec / Checkov / Trivy config) as JSON or SARIF
- The relevant Terraform/CloudFormation source for the flagged resources
- Our cloud provider(s), environments, and any compensating controls
- Existing exceptions/baseline file, if any

Your job — defensive review only, no exploitation:

1. **Normalize** — collapse the findings into a table: rule ID, resource, severity (scanner's vs your adjusted), check category (encryption, network exposure, IAM, logging, secrets).

2. **Adjust severity with context** — re-rank using real blast radius: is the resource internet-reachable, does it hold data, is there a compensating control (e.g., SG already restricts the "open" port, bucket is behind an Object Ownership + Block Public Access account setting). Mark each as Fix-now / Fix-soon / Accept-with-justification / False-positive.

3. **Top exposures first** — call out the classic high-impact patterns: public storage buckets, unencrypted volumes/DBs, `0.0.0.0/0` ingress on management ports, overly broad IAM (`*` actions/resources), disabled flow logs / audit trails, missing KMS, public AMIs/snapshots.

4. **Write the fix** — for each Fix-now, give the exact Terraform diff (resource arguments, not prose), and note any apply-time risk or required ordering (e.g., enabling bucket encryption vs existing objects).

5. **Suppressions done right** — for true false-positives, show the inline `#tfsec:ignore` / `checkov:skip` annotation WITH a required justification comment and an expiry convention, not a blanket baseline dump.

6. **Shift left** — propose the pre-commit hook + CI gate config that fails the build on new high/critical findings while grandfathering the existing baseline, plus a policy-as-code rule (OPA/Conftest or provider Sentinel) for the one pattern we keep regressing on.

7. **Module-level fixes** — where the same misconfig repeats, fix it once in the shared module and list the call sites to update.

Output as: (a) the triaged findings table, (b) prioritized remediation diffs, (c) justified suppressions, (d) CI/pre-commit gate config, (e) a short "what would have caught this earlier" note.

Bias toward: context-aware severity, real diffs over advice, and guardrails that prevent regression.
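As an added worked example (not part of the prompt, the CloudOps site, tfsec or Checkov), the script below does steps 1, 2 and 5 of the triage mechanically: it collapses tfsec-style and Checkov-style JSON into one row per resource and check category, re-ranks severity from reachability, data held and compensating controls, and only honours a baseline suppression that carries a non-empty justification and an unexpired date. Every scanner record, the per-resource context model, the baseline entries and the run date are constructed; the JSON field names follow the two scanners' layouts only in outline, and the keyword categorization and the scoring rules are assumptions to tune for your own environment.

```python
"""Mechanical version of steps 1, 2 and 5 of the prompt: normalize tfsec/Checkov
findings into one table, re-rank by blast radius and compensating controls, and
honour a suppression baseline that requires a justification and an expiry.
Added example; not code from the site, tfsec or Checkov. All records are
constructed and the scoring rules are assumptions."""
from dataclasses import dataclass
from datetime import date

# Constructed tfsec-style JSON (field subset; layout approximated).
TFSEC_JSON = {"results": [
    {"rule_id": "aws-ec2-no-public-ingress-sgr", "severity": "CRITICAL",
     "resource": "aws_security_group_rule.ssh",
     "description": "Security group rule allows ingress from public internet."},
    {"rule_id": "aws-s3-enable-bucket-encryption", "severity": "HIGH",
     "resource": "aws_s3_bucket.logs", "description": "Bucket does not have encryption enabled"},
    {"rule_id": "aws-iam-no-policy-wildcards", "severity": "HIGH",
     "resource": "aws_iam_policy.ci", "description": "IAM policy document uses wildcarded action"},
    {"rule_id": "aws-s3-no-public-access-with-acl", "severity": "HIGH",
     "resource": "aws_s3_bucket.assets", "description": "Bucket has a public ACL"},
]}
# Constructed Checkov-style JSON; open-source Checkov often leaves severity null.
CHECKOV_JSON = {"results": {"failed_checks": [
    {"check_id": "CKV_AWS_18", "severity": None, "resource": "aws_s3_bucket.logs",
     "check_name": "Ensure the S3 bucket has access logging enabled"},
    {"check_id": "CKV_AWS_24", "severity": "HIGH", "resource": "aws_security_group_rule.ssh",
     "check_name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"},
]}}
# Constructed deployment context per resource (assumed shape).
CONTEXT = {
    "aws_security_group_rule.ssh": {"internet_reachable": True, "holds_data": False},
    "aws_s3_bucket.logs": {"internet_reachable": False, "holds_data": True},
    "aws_s3_bucket.assets": {"internet_reachable": False, "holds_data": True,
        "compensating_controls": {"network exposure": "account-level S3 Block Public Access overrides the ACL"}},
}
# Constructed baseline: every suppression needs a justification and an expiry date.
BASELINE = {
    ("aws_s3_bucket.logs", "CKV_AWS_18"): {"disposition": "False-positive", "expires": "2030-01-01",
        "justification": "this bucket is the access-log target; S3 cannot log a bucket to itself"},
    ("aws_iam_policy.ci", "aws-iam-no-policy-wildcards"): {"disposition": "Accept-with-justification",
        "expires": "2024-01-01", "justification": "wildcard limited to s3:Get* on the artifacts bucket"},
}

SEVERITY_SCORE = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}
SCORE_NAME = {v: k for k, v in SEVERITY_SCORE.items()}
CATEGORY_KEYWORDS = [  # first match wins; keyword lists are an assumption
    ("encryption", ("encrypt", "kms")), ("network exposure", ("ingress", "public", "0.0.0.0")),
    ("iam", ("iam", "wildcard")), ("logging", ("logging", "trail")), ("secrets", ("secret", "password")),
]

@dataclass
class Finding:
    resource: str
    category: str
    rule_ids: list
    scanner_score: int
    adjusted_score: int = 0
    disposition: str = ""
    note: str = ""

def categorize(text):
    t = text.lower()
    return next((name for name, words in CATEGORY_KEYWORDS if any(w in t for w in words)), "other")

def normalize(tfsec, checkov):
    """Step 1: one row per (resource, category); both scanners' rule IDs merge, highest severity wins."""
    raw = [(r["resource"], r["rule_id"], r["severity"], r["rule_id"] + " " + r["description"])
           for r in tfsec.get("results", [])]
    raw += [(r["resource"], r["check_id"], r.get("severity"), r["check_id"] + " " + r["check_name"])
            for r in checkov.get("results", {}).get("failed_checks", [])]
    table = {}
    for resource, rule_id, sev, text in raw:
        score = SEVERITY_SCORE.get((sev or "MEDIUM").upper(), 2)  # missing severity: MEDIUM until adjusted
        cat = categorize(text)
        f = table.setdefault((resource, cat), Finding(resource, cat, [], score))
        f.rule_ids.append(rule_id)
        f.scanner_score = max(f.scanner_score, score)
    return list(table.values())

def validate_suppression(entry, today):
    """Step 5: reject a suppression with no justification, a missing/malformed expiry, or a past expiry."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    if not entry.get("justification", "").strip():
        return "missing justification"
    try:
        expires = date.fromisoformat(entry["expires"])
    except (KeyError, ValueError):
        return "missing or malformed expiry"
    return "expired " + entry["expires"] if expires < today else None

def adjust(findings, context, baseline, today):
    """Step 2: re-rank by reachability and data held, then apply baseline and compensating controls."""
    for f in findings:
        ctx = context.get(f.resource, {})
        score = f.scanner_score + (1 if ctx.get("internet_reachable") else 0)
        if ctx.get("holds_data") and f.category in ("encryption", "network exposure", "logging"):
            score += 1
        f.adjusted_score = min(score, 4)
        entry = next((baseline[(f.resource, r)] for r in f.rule_ids if (f.resource, r) in baseline), None)
        if entry is not None:
            problem = validate_suppression(entry, today)
            if problem is None:
                f.disposition, f.note = entry["disposition"], entry["justification"]
                continue
            f.note = "suppression rejected: " + problem + "; "  # re-raise, keep the reason visible
        control = ctx.get("compensating_controls", {}).get(f.category)
        if control:
            f.adjusted_score = max(f.adjusted_score - 2, 1)
            f.disposition, f.note = "Accept-with-justification", f.note + "compensating control: " + control
        else:
            f.disposition = "Fix-now" if f.adjusted_score >= 4 else "Fix-soon"
    return findings

def triage(tfsec, checkov, context, baseline, today):
    return adjust(normalize(tfsec, checkov), context, baseline, today)

def render(findings):
    fmt = "{:<30} {:<17} {:<9} {:<9} {:<26} {}"
    rows = [fmt.format("resource", "category", "scanner", "adjusted", "disposition", "rules | note")]
    for f in findings:
        rows.append(fmt.format(f.resource, f.category, SCORE_NAME[f.scanner_score], SCORE_NAME[f.adjusted_score],
                               f.disposition, ", ".join(f.rule_ids) + (" | " + f.note if f.note else "")))
    return "\n".join(rows)

if __name__ == "__main__":
    print(render(triage(TFSEC_JSON, CHECKOV_JSON, CONTEXT, BASELINE, "2025-06-01")))
```

Run as-is, the table shows the two scanners' overlapping SSH findings collapsed into one Fix-now row, the unencrypted data bucket promoted to Fix-now, the public-ACL bucket dropped to Accept-with-justification because Block Public Access covers it, the expired IAM suppression re-raised as Fix-soon with the rejection reason in the note, and the self-logging bucket kept as a justified False-positive. Feeding the same table to the prompt, instead of raw scanner output, removes most of the noise the prompt asks the model to sort through.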