IAC Audit Pack
FreeNot checkedFour IaC audits in one call: Compose, Dockerfile, GitHub Actions, Kubernetes. 131 checks.
About
Four IaC audits in one call: Compose, Dockerfile, GitHub Actions, Kubernetes. 131 checks.
README
Unbearable IaC Audit Pack — all four audit Actors under one MCP endpoint. Snyk-comparable scope at a fraction of the cost. Pay-per-event — only billed when a tool is actually called.
64 checks. 20 categories. 4 audit engines. 1 MCP endpoint.
What's included
| Package | Checks | Categories | Primary tool |
|---|---|---|---|
| Docker Compose audit | 25 | 9 | audit_compose |
| Dockerfile audit | 19 | 5 | audit_dockerfile |
| GitHub Actions audit | 21 | 6 | audit_github_actions |
| HU Postcode Validator | 5 tools | — | validate_postcode, lookup_city, … |
Plus two bundle-only tools:
audit_all— paste a dict of filenames → content; auto-detects Dockerfile, compose, and workflow files and runs the right audit on eachlist_all_checks— full cross-package check catalog in one call
Quick start (Claude Desktop)
{
"mcpServers": {
"iac-audit-pack": {
"type": "http",
"url": "https://unbearable-dev--iac-audit-pack.apify.actor/mcp",
"headers": {
"Authorization": "Bearer <your-apify-token>"
}
}
}
}
Tool catalog
Aggregation (bundle-only)
| Tool | Description |
|---|---|
audit_all(files, min_severity?) |
Multi-file detection + combined audit report |
list_all_checks() |
All 64 checks across all three audit packages |
Docker Compose (25 checks, 9 categories)
| Tool | Description |
|---|---|
audit_compose(compose_yaml?, compose_url?, min_severity?) |
Full 25-check audit |
check_privilege |
Privileged mode, cap_add, user namespace |
check_network |
Host networking, exposed dangerous ports |
check_secrets |
Hardcoded passwords, tokens in env vars |
check_filesystem |
Docker socket mounts, host path mounts |
check_resources |
Missing memory/CPU limits |
check_image_hygiene |
Unpinned tags, latest usage |
check_runtime_lifecycle |
Restart policies, healthchecks |
check_logging |
Logging driver config |
check_compose_hygiene |
Version field, service naming |
list_checks_compose(category?) |
Check catalog |
Dockerfile (19 checks, 5 categories)
| Tool | Description |
|---|---|
audit_dockerfile(dockerfile_content?, dockerfile_url?, min_severity?) |
Full 19-check audit |
check_base_image_dockerfile |
Unpinned base, latest, root user in FROM |
check_instructions_dockerfile |
ADD vs COPY, COPY ordering, ENV secrets |
check_security_dockerfile |
USER root, privilege escalation patterns |
check_efficiency_dockerfile |
Layer count, cache busting |
check_secrets_dockerfile |
Hardcoded secrets in RUN/ENV/ARG |
list_checks_dockerfile(category?) |
Check catalog |
GitHub Actions (21 checks, 6 categories)
| Tool | Description |
|---|---|
audit_github_actions(workflow_yaml?, workflow_url?, min_severity?) |
Full 21-check audit |
check_secrets_gha |
Leaked tokens, secret in run: blocks |
check_permissions_gha |
Overly broad write-all permissions |
check_action_pinning_gha |
Unpinned action refs (not SHA-pinned) |
check_runner_security_gha |
Self-hosted runner risks |
check_workflow_config_gha |
pull_request_target misuse, script injection |
check_supply_chain_advanced_gha |
TeamPCP-class supply-chain patterns (GHA-201..208) |
list_checks_github_actions(category?) |
Check catalog |
HU Postcode Validator (5 tools)
| Tool | Description |
|---|---|
validate_postcode(postcode) |
Settlement + county for a HU postcode |
lookup_postcode(postcode) |
Alias for validate_postcode |
lookup_city(city) |
All postcodes for a city (diacritic-insensitive) |
validate_address(postcode, city) |
Postcode/city pairing validation |
list_postcodes_in_county(county_name) |
All postcodes in a county |
budapest_district_lookup(district_number) |
Budapest I-XXIII → postcodes |
Pricing
| Event | USD |
|---|---|
audit_all or any single-domain audit call |
$0.10 |
Single-domain audit (audit_compose, audit_dockerfile, audit_github_actions) |
$0.05 |
list_checks / discovery calls |
$0.005 |
Pay-per-event — no subscription, no monthly minimums. You pay only when a tool is invoked.
Architecture
Package-import (not proxy): all four sub-packages are bundled directly into the
Actor image. Single cold start, single billing rail, no cross-Actor latency.
See DESIGN.md for the full rationale.
Built by Noel @ Unbearable Labs — more like this in the weekly newsletter.
Installing IAC Audit Pack
This server has no published package — it is built from source. Open the repository and follow its README.
▸ github.com/UnbearableDev/iac-audit-packFAQ
Is IAC Audit Pack MCP free?
Yes, IAC Audit Pack MCP is free — one-click install via Unyly at no cost.
Does IAC Audit Pack need an API key?
No, IAC Audit Pack runs without API keys or environment variables.
Is IAC Audit Pack hosted or self-hosted?
A hosted option is available: Unyly runs the server in the cloud, no local setup required.
How do I install IAC Audit Pack in Claude Desktop, Claude Code or Cursor?
Open IAC Audit Pack on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
GitHub
PRs, issues, code search, CI status
by GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
by mcpdotdirectCompare IAC Audit Pack with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All development MCPs
