infra 2 credits · ~$0.030 <10ms

IaC Risk Gate

POST /v1/infra/plan/risk

The gate an agent calls before it applies infrastructure changes. Feed it a Terraform plan JSON (terraform show -json), an AWS IAM policy, or a Kubernetes manifest and it statically flags high-blast-radius risks — public 0.0.0.0/0 exposure, public buckets, IAM Action/Resource wildcards, destroy/replace of stateful resources, privileged or hostNetwork pods — with no cloud credentials and no network calls.

Capabilities

  • Terraform plan JSON, AWS IAM, and Kubernetes manifests
  • 20 bundled CIS/OPA-style rules across the three formats
  • Flags public exposure, IAM wildcards, stateful destroys, privileged pods
  • Severity-ranked findings with rule IDs; tunable block threshold
  • Deterministic and offline (no cloud credentials)

Use cases

  • Gate IaC changes an agent proposes before apply
  • PR bots reviewing Terraform / Kubernetes / IAM diffs
  • Guardrails for autonomous DevOps and platform agents
  • Catch blast-radius mistakes before they reach production
example
curl -X POST https://api.agent-toolbox.ai/v1/infra/plan/risk \
  -H "Content-Type: application/json" \
  -d '{"format": "terraform", "plan": "..."}'
response shape
{
  "verdict": "PASS" | "FLAG" | "BLOCK",
  // tool-specific findings…
  "certificate": "sha256:..."
}