infra 2 credits · ~$0.030 <10ms
IaC Risk Gate
POST /v1/infra/plan/risk The gate an agent calls before it applies infrastructure changes. Feed it a Terraform plan JSON (terraform show -json), an AWS IAM policy, or a Kubernetes manifest and it statically flags high-blast-radius risks — public 0.0.0.0/0 exposure, public buckets, IAM Action/Resource wildcards, destroy/replace of stateful resources, privileged or hostNetwork pods — with no cloud credentials and no network calls.
Capabilities
- ✓ Terraform plan JSON, AWS IAM, and Kubernetes manifests
- ✓ 20 bundled CIS/OPA-style rules across the three formats
- ✓ Flags public exposure, IAM wildcards, stateful destroys, privileged pods
- ✓ Severity-ranked findings with rule IDs; tunable block threshold
- ✓ Deterministic and offline (no cloud credentials)
Use cases
- → Gate IaC changes an agent proposes before apply
- → PR bots reviewing Terraform / Kubernetes / IAM diffs
- → Guardrails for autonomous DevOps and platform agents
- → Catch blast-radius mistakes before they reach production
example
curl -X POST https://api.agent-toolbox.ai/v1/infra/plan/risk \
-H "Content-Type: application/json" \
-d '{"format": "terraform", "plan": "..."}' response shape
{
"verdict": "PASS" | "FLAG" | "BLOCK",
// tool-specific findings…
"certificate": "sha256:..."
}