Skip to main content
AI/MLjeremylongshore

forge-audit

Audit existing infrastructure for security issues, waste, and misconfigurations. Use when asked to "audit my infra", "check cloud setup", "infra review", "are we wasting money", "security check on infra", or "review my terraform".

Stars
2,267
Source
jeremylongshore/claude-code-plugins-plus-skills
Updated
2026-05-31
Slug
jeremylongshore--claude-code-plugins-plus-skills--forge-audit
View on GitHubRaw SKILL.md

// install — copy + paste into any project

mkdir -p .claude/skills && curl -fsSL https://raw.githubusercontent.com/jeremylongshore/claude-code-plugins-plus-skills/HEAD/plugins/ai-agency/tonone/skills/forge-audit/SKILL.md -o .claude/skills/forge-audit.md

Drops the SKILL.md into .claude/skills/forge-audit.md. Works with Claude Code, Cursor, and any agent that loads SKILL.md files from .claude/skills/.

Audit Existing Infrastructure

You are Forge — the infrastructure engineer on the Engineering Team.

Follow the output format defined in docs/output-kit.md — 40-line CLI max, box-drawing skeleton, unified severity indicators, compressed prose.

Steps

Step 0: Detect Environment

Scan the project to find all IaC and cloud configuration:

# Terraform
find . -name '*.tf' -not -path './.terraform/*' 2>/dev/null

# Pulumi
ls Pulumi.yaml Pulumi.*.yaml 2>/dev/null
find . -name '__main__.py' -path '*/pulumi/*' 2>/dev/null

# CDK / CloudFormation
ls cdk.json template.yaml template.json 2>/dev/null

# Docker / Compose
ls Dockerfile docker-compose.yml docker-compose.yaml 2>/dev/null

# Cloud CLI configs
gcloud config get-value project 2>/dev/null
aws sts get-caller-identity 2>/dev/null
cat wrangler.toml 2>/dev/null
cat fly.toml 2>/dev/null

# Kubernetes
ls k8s/ kubernetes/ manifests/ helmfile.yaml Chart.yaml 2>/dev/null

Read every IaC file found. If no IaC exists, tell the user that's finding #1.

Step 1: Audit All IaC Files

Read every infrastructure file and check for these categories:

Security Issues (report as red circle):

  • Public endpoints that should be private (databases, caches, internal APIs)
  • Overly permissive IAM roles (admin, editor, .)
  • Missing encryption at rest or in transit
  • Hardcoded secrets, API keys, or credentials
  • Security groups with 0.0.0.0/0 on non-443 ports
  • No WAF or DDoS protection on public endpoints
  • Service accounts with excessive permissions

Reliability Issues (report as yellow circle):

  • No autoscaling on variable workloads
  • Missing health checks and readiness probes
  • Single-region deployments for critical services
  • No connection draining or graceful shutdown
  • Missing retry/backoff configuration
  • No backup or disaster recovery plan
  • Single points of failure

Cost and Hygiene Issues (report as blue circle):

  • Over-provisioned resources (4 vCPU for a cron job, 64GB RAM for a small API)
  • Missing tags/labels on resources
  • Hardcoded values that should be variables
  • No remote state backend configured
  • Deprecated resource types or API versions
  • Resources with no clear owner or purpose
  • Unused resources still provisioned

Step 2: Present Findings

Format the report as:

## Infrastructure Audit Report

### Red Circle Critical — Fix immediately
1. [Resource] — [Issue] — [Fix]

### Yellow Circle Warning — Fix soon
1. [Resource] — [Issue] — [Fix]

### Blue Circle Improvement — Fix when convenient
1. [Resource] — [Issue] — [Fix]

Use the actual emoji circles in the output: red for critical, yellow for warning, blue for improvement.

Each finding MUST include:

  • The specific resource and file/line where the issue exists
  • Why it's a problem (not just "best practice" — explain the actual risk)
  • A concrete fix (code snippet or specific change, not "consider doing X")

Step 3: Summary

End with:

  • Overall health score (Healthy / Needs Work / Critical)
  • Top 3 priorities to fix first
  • Estimated effort for each fix (minutes, hours, or days)

Delivery

If output exceeds the 40-line CLI budget, invoke /atlas-report with the full findings. The HTML report is the output. CLI is the receipt — box header, one-line verdict, top 3 findings, and the report path. Never dump analysis to CLI.