The Terraform security layer for coding agents
audytx exposes a free, unauthenticated MCP server. Call it from your agent to scan AWS Terraform for IAM attack paths, misconfigurations, and cost risks — before the PR exists.
claude mcp add --transport http audytx https://audytx.com/mcp
transport = "http" · url = "https://audytx.com/mcp"
No API key · No install · 250 calls/month free
Tools (5 available)

scan_terraform
Scan AWS Terraform files for security misconfigurations, IAM privilege-escalation paths, cross-resource attack paths, and cost risks. Returns findings with file/line evidence and fix snippets — plus the findings audytx suppressed as false positives, each with its rationale explaining why.
Inputs
files (required): Array of {path, content} — all .tf and .tfvars files. Cross-resource reasoning needs the full set.
plan (optional): Output of terraform show -json. Resolves final values and module-internal resources.
Returns
findings[]: Active findings with severity, file, line, message, fix snippet
suppressed[]: Context-suppressed findings with rationale
summary: Counts by severity
autofix_terraform
Apply audytx's sound one-click fixes and re-scan, looping until no auto-applicable findings remain (max 3 passes). Only precisely line-anchored fixes are applied — never a corrupting edit. Returns the fixed file contents, what was fixed, and what remains for you to address.
Inputs
files (required): Array of {path, content}
Returns
files[]: Fixed file contents
applied[]: Which findings were auto-fixed
remaining[]: Findings needing manual action
dry_run_autofix
Preview what autofix_terraform would do — returns a unified diff per file showing the exact line changes, without modifying any content. Use this before applying fixes to review and confirm the changes.
Inputs
files (required): Array of {path, content}
Returns
diffs[]: Unified diff per file
would_fix[]: Which findings would be addressed
explain_finding
Return structured explanation and remediation guidance for a rule ID. Useful when scan_terraform returns a finding ID and you want the full context: what the rule checks, why it matters, MITRE ATT&CK mapping, and how to fix it.
Inputs
rule_id (required): e.g. "AWS_IAM_020"
Returns
title: Rule title and severity
description: Full explanation
remediation: Step-by-step fix guidance
get_context_graph
Return the cross-resource relationship graph audytx computed for the given Terraform files — resources, edges (invocation, runs_as, dlq, network), and the findings the context layer suppressed with their rationale. Use this to understand WHY audytx suppressed a finding before deciding whether to accept the suppression.
Inputs
files (required): Array of {path, content}
Returns
resources[]: All parsed resources and their relationships
edges[]: Graph edges with relationship type
suppressed[]: Context-suppressed findings with rationale
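An added example, not audytx's own client or code, showing how an agent-side script would assemble the files array scan_terraform expects, wrap it in the JSON-RPC tools/call message that MCP uses for tool invocations, and triage a result. The result is a constructed sample; its field names (fix_snippet, rationale, etc.) follow the page's description but are assumed.

```python
import os

MCP_URL = "https://audytx.com/mcp"  # endpoint from the page

def collect_tf_files(root):
    """Every .tf/.tfvars under root as {path, content}; unfiltered, because the
    scan's cross-resource reasoning needs the full set."""
    files = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if name.endswith((".tf", ".tfvars")):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8") as fh:
                    files.append({"path": os.path.relpath(full, root), "content": fh.read()})
    return files

def scan_request(files, plan=None, request_id=1):
    """JSON-RPC 2.0 'tools/call' message (the MCP tool-invocation method);
    plan is the optional `terraform show -json` output the tool accepts."""
    arguments = {"files": files}
    if plan is not None:
        arguments["plan"] = plan
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": "scan_terraform", "arguments": arguments}}

# Constructed sample result: field names follow the page's description but are assumed.
SAMPLE_RESULT = {
    "findings": [
        {"severity": "Critical", "file": "iam.tf", "line": 12,
         "message": "iam:PassRole on * enables privilege escalation",
         "fix_snippet": 'resources = ["arn:aws:iam::123456789012:role/lambda-exec"]'},
        {"severity": "Low", "file": "s3.tf", "line": 3,
         "message": "Bucket has no lifecycle rule (cost)", "fix_snippet": ""},
    ],
    "suppressed": [
        {"severity": "Medium", "file": "lambda.tf", "line": 20,
         "message": "Lambda has no dead-letter queue",
         "rationale": "Function is only invoked synchronously by API Gateway"},
    ],
    "summary": {"Critical": 1, "Low": 1},
}

def triage(result, gate=("Critical", "High")):
    """Block on any finding at a gated severity; keep suppressed findings with
    their rationale so a reviewer decides whether to accept each suppression."""
    blocking = [f for f in result.get("findings", []) if f.get("severity") in gate]
    review = [(s["file"], s["line"], s["rationale"]) for s in result.get("suppressed", [])]
    return {"block": bool(blocking),
            "blocking": [f"{f['file']}:{f['line']} {f['message']}" for f in blocking],
            "suppressed_for_review": review}
```

The request dict is what gets POSTed to MCP_URL; the MCP session handshake and transport headers are left to whichever MCP client library the agent already uses.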
Typical agent workflow
1. The agent generates .tf files — provisioning IAM roles, Lambda functions, S3 buckets, API Gateway stages.
2. scan_terraform runs on those .tf files. Get findings with file/line evidence, severity, fix snippets — and suppressed false positives with rationale so the agent knows what was checked.

Example agent prompts
"audytx scan_terraform on all .tf files in this directory. Show me any High or Critical findings and apply the auto-fixable ones."
"audytx get_context_graph on these files. I want to understand why the DLQ finding was suppressed — is it because this Lambda is only invoked synchronously?"
"audytx dry_run_autofix first and show me the diffs. If the changes look right, then run autofix_terraform to apply them."
"AWS_IAM_020. Call audytx explain_finding with that rule ID so I understand the exact privilege-escalation path before I change the IAM policy."

What AI-generated Terraform gets wrong
We prompted frontier models with 50 realistic infra scenarios and catalogued their failure modes — overbroad IAM, hallucinated module arguments, missing companion resources. audytx catches all of them. Read the study →
Rate limits & pricing
Free tier: 250 calls per calendar month (up to 500 files), no credit card required.
Limits reset on the first of each month (UTC). Enterprise limits available — get in touch. Full details at /pricing.