
CLI to scan and fix Terraform and CDK IaC with LangChain-orchestrated agents

Project description

IaC Scanner


Python CLI that scans Terraform and AWS CDK Infrastructure-as-Code and produces a findings report plus fixed code. Built around a factory pattern (one scanner per IaC type) and LangChain orchestration in which each task (analysis vs. code generation) can use a different AI.

License: Personal Use License — personal use permitted; redistribution (including publishing or selling) requires permission. Contributing back via pull request is welcome.

Quickstart (30 seconds, no API key)

pip install iac-scanner
iac-scan scan ./samples/tf -o ./out --scan-only

Example output:

Detected: terraform (entry: .../samples/tf/main.tf)
Scan-only: writing report (no AI).
Output written to: ./out
  - ./out/scan-report.json

Open ./out/scan-report.json for iac_type, metadata.files, and findings. To populate findings with the analysis AI and get fixed code, set OPENAI_API_KEY (or ANTHROPIC_API_KEY) and run without --scan-only:

export OPENAI_API_KEY=sk-...
iac-scan scan ./samples/tf -o ./out

Input (CLI)

  • Terraform: path to a directory containing main.tf, or path to main.tf itself.
  • CDK: path to a directory containing index.ts or index.js, or path to that file.

Process

  1. Factory creates the right scanner (TerraformScanner or CdkScanner) from the given path.
  2. Scan: load entry file(s) and gather content.
  3. Analysis task (LangChain + analysis AI): security and best-practice findings.
  4. Fix task (LangChain + fix AI): generate corrected code from findings.
  5. Output: report (JSON) and fixed TF/CDK code under an output directory.
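Steps 1 and 2 in working form, together with the scan-only report shape shown in the Quickstart. This is an added example, not the iac-scanner package's own code: the names (IacScanner, ScanResult, TerraformScanner, CdkScanner, create_scanner) follow the project layout listed in this README, but every body here is an assumption, as is the choice to read all *.tf files beside main.tf. The sample Terraform and CDK projects are constructed in a temp directory. Nothing in this stage calls a model, so a scan-only run sends no file content anywhere.

```python
# Added illustration of factory + scan (not the iac-scanner package's code).
import json
import tempfile
from abc import ABC, abstractmethod
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional


@dataclass
class ScanResult:
    iac_type: str
    entry_path: str
    files: Dict[str, str] = field(default_factory=dict)  # relative name -> content
    findings: List[dict] = field(default_factory=list)   # filled later by the analysis task


class IacScanner(ABC):
    """Abstract scanner: a subclass declares the entry file(s) that identify its IaC type."""
    iac_type: str = ""
    entry_names: tuple = ()

    def __init__(self, entry: Path) -> None:
        self.entry = entry

    @classmethod
    def entry_for(cls, path: Path) -> Optional[Path]:
        """Return the entry file if `path` is that file or a directory containing it."""
        if path.is_file() and path.name in cls.entry_names:
            return path
        if path.is_dir():
            for name in cls.entry_names:
                if (path / name).is_file():
                    return path / name
        return None

    @abstractmethod
    def gather(self) -> Dict[str, str]:
        """Load the entry file(s) and return {relative name: content}."""

    def scan(self) -> ScanResult:
        return ScanResult(self.iac_type, str(self.entry), self.gather())


class TerraformScanner(IacScanner):
    iac_type = "terraform"
    entry_names = ("main.tf",)

    def gather(self) -> Dict[str, str]:
        # Assumption: a module is every *.tf file beside main.tf.
        return {p.name: p.read_text() for p in sorted(self.entry.parent.glob("*.tf"))}


class CdkScanner(IacScanner):
    iac_type = "cdk"
    entry_names = ("index.ts", "index.js")

    def gather(self) -> Dict[str, str]:
        # Assumption: only the CDK entry file is read.
        return {self.entry.name: self.entry.read_text()}


SCANNERS = (TerraformScanner, CdkScanner)


def create_scanner(path: str) -> IacScanner:
    """Factory: the first scanner whose entry file matches the path wins."""
    p = Path(path)
    for cls in SCANNERS:
        entry = cls.entry_for(p)
        if entry is not None:
            return cls(entry)
    raise ValueError(f"no main.tf or index.ts/index.js found at {path}")


def write_scan_report(result: ScanResult, out_dir: str, name: str = "scan-report.json") -> str:
    """Write the report in the Quickstart's shape and return its path. No model is called."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    report = {
        "iac_type": result.iac_type,
        "entry_path": result.entry_path,
        "findings": result.findings,
        "metadata": {"files": sorted(result.files)},
    }
    (out / name).write_text(json.dumps(report, indent=2))
    return str(out / name)


def make_sample_project(kind: str) -> str:
    """Constructed sample input: a temp dir holding a minimal Terraform or CDK entry file."""
    root = Path(tempfile.mkdtemp(prefix="iac-sample-"))
    if kind == "terraform":
        (root / "main.tf").write_text('resource "aws_s3_bucket" "logs" {\n  bucket = "example-logs"\n}\n')
        (root / "variables.tf").write_text('variable "region" {\n  default = "us-east-1"\n}\n')
    elif kind == "cdk":
        (root / "index.ts").write_text("import * as cdk from 'aws-cdk-lib';\nconst app = new cdk.App();\n")
    else:
        (root / "README.md").write_text("not IaC\n")
    return str(root)


if __name__ == "__main__":
    project = make_sample_project("terraform")
    scanner = create_scanner(project)
    print(f"Detected: {scanner.iac_type} (entry: {scanner.entry})")
    print("Output written to:", write_scan_report(scanner.scan(), project + "/out"))
```

Because the factory only looks at entry file names, a directory holding both main.tf and index.ts is reported as Terraform here (first match in SCANNERS); the real tool's tie-breaking is not described in this README.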

Output

  • Report: scan-report.json with iac_type, entry_path, findings, and metadata.
  • Fixed code: under fixed/ (same structure as detected files when the model returns multi-file blocks).

Install

cd iac-scanner
pip install -e .
# or
pip install -r requirements.txt

Usage

# Scan Terraform (directory with main.tf or path to main.tf)
iac-scan scan ./my-tf-dir
iac-scan scan ./my-tf-dir/main.tf

# Scan CDK (directory with index.ts or path to index.ts)
iac-scan scan ./my-cdk-app
iac-scan scan ./my-cdk-app/index.ts

# Custom output directory and report name
iac-scan scan ./my-tf-dir -o ./reports --report-name report.json

# Only report, no fix step
iac-scan scan ./my-tf-dir --no-fix

# Scan only (no AI), for testing without API keys
iac-scan scan ./my-tf-dir --scan-only

# Choose AI per task (analysis vs fix)
iac-scan scan ./my-tf-dir --analysis-ai openai --fix-ai anthropic

Environment (different AI per task)

  • Analysis task: IAC_ANALYSIS_AI=openai (default) or anthropic; IAC_ANALYSIS_MODEL for model name. Uses OPENAI_API_KEY or ANTHROPIC_API_KEY.
  • Fix task: IAC_FIX_AI=openai (default) or anthropic; IAC_FIX_MODEL for model name.

Example:

export OPENAI_API_KEY=sk-...
export ANTHROPIC_API_KEY=sk-ant-...
iac-scan scan ./tf -o ./out
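How the per-task AI selection above can be resolved before any model is called, as an added example (not the iac-scanner package's own code). The env variable names and the "openai" default come from this README; the CLI-flag-over-env precedence, the TaskAI structure and the SAMPLE_ENV values are assumptions. Only the name of the key variable is kept in the result, never the secret, and a missing key fails the run before any file content is sent to a provider.

```python
# Added illustration of per-task AI resolution (not the iac-scanner package's code).
import os
from dataclasses import dataclass
from typing import Mapping, Optional

PROVIDERS = {"openai": "OPENAI_API_KEY", "anthropic": "ANTHROPIC_API_KEY"}
TASKS = ("analysis", "fix")


@dataclass(frozen=True)
class TaskAI:
    task: str
    provider: str
    model: Optional[str]  # None -> provider default chosen by the orchestration layer (assumption)
    key_var: str          # name of the env var only; the secret itself is never stored here


def resolve_task_ai(task: str, cli_provider: Optional[str] = None,
                    env: Optional[Mapping[str, str]] = None) -> TaskAI:
    """Pick provider/model for one task; CLI flag > IAC_<TASK>_AI > "openai" (assumed order)."""
    if task not in TASKS:
        raise ValueError(f"unknown task {task!r}; expected one of {TASKS}")
    env = os.environ if env is None else env
    prefix = f"IAC_{task.upper()}"
    provider = (cli_provider or env.get(f"{prefix}_AI") or "openai").lower()
    if provider not in PROVIDERS:
        raise ValueError(f"unsupported AI {provider!r} for {task}; use one of {sorted(PROVIDERS)}")
    key_var = PROVIDERS[provider]
    if not env.get(key_var):
        # Fail fast so the pipeline never reaches the model stage half-configured.
        raise RuntimeError(f"{key_var} is not set but the {task} task uses {provider}")
    return TaskAI(task, provider, env.get(f"{prefix}_MODEL") or None, key_var)


def resolve_all(analysis_ai: Optional[str] = None, fix_ai: Optional[str] = None,
                env: Optional[Mapping[str, str]] = None) -> dict:
    """Resolve both tasks, as the CLI would after parsing --analysis-ai / --fix-ai."""
    return {
        "analysis": resolve_task_ai("analysis", analysis_ai, env),
        "fix": resolve_task_ai("fix", fix_ai, env),
    }


# Constructed environment mirroring the two-key example above (placeholder values).
SAMPLE_ENV = {
    "OPENAI_API_KEY": "sk-placeholder",
    "ANTHROPIC_API_KEY": "sk-ant-placeholder",
    "IAC_FIX_AI": "anthropic",
    "IAC_FIX_MODEL": "claude-model-placeholder",
}

if __name__ == "__main__":
    for task, cfg in resolve_all(env=SAMPLE_ENV).items():
        print(f"{task}: provider={cfg.provider} model={cfg.model} key_var={cfg.key_var}")
```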

Blog and tutorial

Articles and a step-by-step tutorial are published on GitHub Pages. Enable in the repo under Settings → Pages (source: branch main, folder /docs). The site will be at https://<owner>.github.io/iac-scanner/.

Contributing

Contribution guidelines, development setup, and release process are in CONTRIBUTING.md (in the source repository). If you installed from PyPI, open the project repo to see that file.

Project layout (factory + orchestration)

src/iac_scanner/
  cli.py              # CLI entry (click)
  factory.py          # create_scanner(path) -> TerraformScanner | CdkScanner
  scanners/
    base.py           # IacScanner (abstract), ScanResult
    terraform.py      # TerraformScanner (main.tf)
    cdk.py            # CdkScanner (index.ts / index.js)
  orchestration/
    tasks.py          # analysis_chain() / fix_chain() — different LLM per task
    runner.py         # run_pipeline(scanner) -> PipelineResult
  output/
    report.py         # write_report_and_fixes()

Download files


Source Distribution

iac_scanner-0.3.2.tar.gz (14.1 kB)


Built Distribution


iac_scanner-0.3.2-py3-none-any.whl (15.2 kB)


File details

Details for the file iac_scanner-0.3.2.tar.gz.

File metadata

  • Download URL: iac_scanner-0.3.2.tar.gz
  • Size: 14.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for iac_scanner-0.3.2.tar.gz
Algorithm    Hash digest
SHA256       eacb168ecbb7f178480e5814aea8d9032b1d7395bb850aa3e8d22e9b7f5da5f7
MD5          2644630f01d86fd96fb0f398ece421e8
BLAKE2b-256  56c5d82aff71e3db1ca56497ec732a35137b535ec19f06dd1e9430559583bc9b


File details

Details for the file iac_scanner-0.3.2-py3-none-any.whl.

File metadata

  • Download URL: iac_scanner-0.3.2-py3-none-any.whl
  • Size: 15.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for iac_scanner-0.3.2-py3-none-any.whl
Algorithm    Hash digest
SHA256       529d64310c606bf78ffb4fed3aa34fe55e448a5cd5715a0bb3c773fa86611476
MD5          783ea789ca37bdb543c5c5fe8b057dc0
BLAKE2b-256  c465c8f73bc2f8830dd9a53b842ed91b0fe93bb882fbe426dd7b9bc56f587b50

