IaC Security Review
Diff your branch's Terraform and IAM changes against main, send them to Flare's AI security review API, get findings with severity scores and fix suggestions, apply fixes, and re-scan — repeating until zero critical and high findings remain.
Use loop copies the kickoff to your clipboard. Share copies the loop link. Open in Cursor and Open in Claude Code only pre-fill that prompt; they do not install hook files. Download loop saves a README and kickoff into .cursor/loops/iac-security-review-mq6r1k5a/ with no hooks required. Full install guide: How to install loops
Guardrails:
- Do not modify the check command or exit criteria to force success
- Do not delete or rename security-relevant files to avoid scanning
- Only modify files that are already changed on this branch
- Choose the least-privilege fix when multiple options exist
- Do not suppress findings by adding inline ignore comments (e.g. tflint-ignore, checkov:skip)
- Do not weaken security posture to pass the check (e.g. switching from deny to allow)
Branch clean: 4 critical IAM findings fixed
Scanned 3 Terraform files on feature/new-pipeline branch. Found 4 critical findings (2 overly broad roles, 1 public access rule, 1 missing encryption). Fixed all 4 in 3 iterations. Final scan: 0 critical, 0 high.
Try Flare
# jq -Rs '{diff: .}' builds the whole JSON body; wrapping jq's already-quoted
# string in \"...\" by hand would double-quote it and send invalid JSON.
git diff main -- '*.tf' '*.tfvars' \
  | jq -Rs '{diff: .}' \
  | curl -s -X POST "https://www.tryflare.ai/api/webhooks/pr-check" \
      -H "Authorization: Bearer $FLARE_API_KEY" \
      -H "Content-Type: application/json" \
      -d @- \
  | jq '.findings[] | {severity, file, line, title, fix}'
Two separate pieces
- Kickoff prompt — tells the agent the goal, check command, exit condition, and how to self-pace between passes.
1. Copy or open the kickoff prompt
Click Use loop to copy the kickoff into your clipboard. Open in Cursor and Open in Claude Code only open the agent with that prompt; they do not configure automation for you.
2. Paste into your coding agent
Start a chat in Cursor, Claude Code, Codex, or any agent. Paste the kickoff. The prompt includes the goal, check command, exit condition, and first step.
3. Agent self-paces until done
The agent runs the loop: act → run check command → read output → repeat until the exit condition is met or max iterations is reached. No install step is required for prompt-only loops.
Full guide with Cursor /loop notes: How to install loops
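The self-pacing loop described above, and Steps 1 to 4 of the kickoff below, as one script. This is an added example, not code from this loop page and not a Flare client library. The endpoint, bearer header and the diff body key come from the kickoff; the response layout (a findings list whose items carry severity, file, line, title and fix) is inferred from the page's jq filter and is an assumption. SAMPLE_FINDINGS and FakeScanner are constructed stand-ins so the loop logic runs offline. The in_scope filter enforces the guardrail that only files already changed on the branch may be edited; the second demo run, where the critical finding sits in a file outside that set, shows the loop stopping at its iteration cap and reporting the branch as not clean instead of touching the file.

```python
"""IaC review loop against the Flare PR check API.

Added example, not code from the loop page or from Flare. The response shape
(a "findings" list with severity/file/line/title/fix) is inferred from the
page's jq filter and is an assumption; SAMPLE_FINDINGS and FakeScanner are
constructed so the loop can be exercised offline.
"""
import json
import os
import subprocess
import sys
import urllib.request

FLARE_URL = "https://www.tryflare.ai/api/webhooks/pr-check"
IAC_GLOBS = ["*.tf", "*.tfvars", "*-policy.json", "*-role.json", "*.sentinel"]
BLOCKING = {"critical", "high"}


def build_payload(diff_text):
    # json.dumps escapes the diff; wrapping an already-quoted jq string in
    # \"...\" by hand (the curl pitfall) cannot happen here.
    return json.dumps({"diff": diff_text}).encode()


def collect_diff(base="main"):
    """Step 1: the full IaC diff of this branch against base."""
    return subprocess.run(["git", "diff", base, "--"] + IAC_GLOBS,
                          check=True, capture_output=True, text=True).stdout


def changed_files(base="main"):
    """Files already changed on the branch: the only ones a fix may touch."""
    out = subprocess.run(["git", "diff", base, "--name-only", "--"] + IAC_GLOBS,
                         check=True, capture_output=True, text=True).stdout
    return {line for line in out.splitlines() if line}


def scan(diff_text):
    """Step 2: POST the diff and return the decoded response."""
    req = urllib.request.Request(
        FLARE_URL, data=build_payload(diff_text), method="POST",
        headers={"Authorization": "Bearer " + os.environ["FLARE_API_KEY"],
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def blocking_findings(response):
    """Critical and high findings, the only ones that keep the loop running."""
    return [f for f in response.get("findings", [])
            if str(f.get("severity", "")).lower() in BLOCKING]


def in_scope(findings, allowed):
    """Guardrail: a fix may only touch files already changed on the branch."""
    return [f for f in findings if f.get("file") in allowed]


def review_loop(scan_fn, diff_fn, allowed, fix_fn, max_iterations=10):
    """Act -> scan -> count -> repeat until no blocking findings or the cap."""
    history = []
    for i in range(1, max_iterations + 1):
        blocking = blocking_findings(scan_fn(diff_fn()))
        history.append(len(blocking))
        if not blocking:
            return {"clean": True, "iterations": i, "history": history}
        for finding in in_scope(blocking, allowed):
            fix_fn(finding)
    return {"clean": False, "iterations": max_iterations, "history": history}


# Constructed sample findings in the shape the page's jq filter selects.
SAMPLE_FINDINGS = [
    {"severity": "critical", "file": "iam.tf", "line": 12,
     "title": "Role allows Action \"*\" on Resource \"*\"",
     "fix": "Scope Action and Resource to what the pipeline calls"},
    {"severity": "high", "file": "bucket.tf", "line": 4,
     "title": "Bucket grants public read", "fix": "Remove the public ACL"},
    {"severity": "medium", "file": "bucket.tf", "line": 9,
     "title": "Versioning disabled", "fix": "Enable versioning"},
]


class FakeScanner:
    """Offline stand-in for the API: serves whichever findings are still open."""

    def __init__(self, findings):
        self.open = list(findings)

    def scan(self, diff_text):
        return {"findings": list(self.open)}

    def fix(self, finding):
        key = (finding["file"], finding["line"])
        self.open = [f for f in self.open if (f["file"], f["line"]) != key]


def demo(allowed):
    """Run the loop against the constructed findings with a given file scope."""
    fake = FakeScanner(SAMPLE_FINDINGS)
    return review_loop(fake.scan, lambda: "", allowed, fake.fix, max_iterations=5)


if __name__ == "__main__":
    # Usable check command: exit 1 while in-scope critical/high findings remain.
    found = in_scope(blocking_findings(scan(collect_diff())), changed_files())
    print(json.dumps(found, indent=2))
    sys.exit(1 if found else 0)
```

Run as a script with FLARE_API_KEY set, it performs one pass and exits non-zero while critical or high findings remain in files the branch already changes, which makes it a suitable check command for an agent loop. demo() shows the two outcomes of the loop logic without network access: with both files in scope the branch is clean after the second pass, and with iam.tf out of scope the critical finding survives every pass.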
1. Run loop
/loop Start the loop.
Goal: Review all infrastructure-as-code changes on the current branch for security issues using the Flare PR Security Check API, then fix every critical and high finding until the branch is clean.
Between iterations run: git diff main --name-only -- '*.tf' '*.tfvars' '*-policy.json' '*-role.json' '*.sentinel' | head -1
This only confirms the branch still has IaC changes to scan; the gate that ends the loop is the critical + high count from the Flare response.
Exit when: the Flare scan reports 0 critical and 0 high findings.
Prerequisites:
- A free Flare account (https://tryflare.ai)
- An API key from Settings → Create API key
- Set env var: export FLARE_API_KEY=flr_pr_...
Step 1 — Collect the diff.
Run `git diff main -- '*.tf' '*.tfvars' '*-policy.json' '*-role.json' '*.sentinel'` to get the full IaC diff on this branch.
Step 2 — Send to Flare.
POST the diff to the Flare PR check API:
# Build the body with jq so the diff is escaped once; embedding jq's quoted
# output inside \"...\" would send invalid JSON.
git diff main -- '*.tf' '*.tfvars' '*-policy.json' '*-role.json' '*.sentinel' \
  | jq -Rs '{diff: .}' \
  | curl -s -X POST "https://www.tryflare.ai/api/webhooks/pr-check" \
      -H "Authorization: Bearer $FLARE_API_KEY" \
      -H "Content-Type: application/json" \
      -d @- \
  | jq .
Read the response. Note the total findings count and the critical + high counts.
Step 3 — Fix findings.
For each critical or high finding:
- Read the file and line referenced in the finding
- Apply the fix suggested by Flare (replace overly broad roles, add conditions, remove public access, etc.)
- If the fix is ambiguous, choose the least-privilege option
Step 4 — Re-check.
Go back to Step 1 and re-run the diff + API call. Compare the new findings count to the previous iteration. If critical + high == 0, the loop is done. If findings remain, continue fixing.
Related loops
Start the "npm Audit Fix Loop" loop. Goal: no high or critical npm audit vulnerabilities Max iterations: 10 Between iterations run: npm audit --audit-level=high && npm test Exit when: npm audit reports no high/critical issues Step 1: Pick one high/critical advisory, apply the safest fix, run tests, and repeat. Self-pace this loop. After each iteration, run the check command, read the output, and only continue if the exit condition is not met. Stop when the exit condition passes or max iterations is reached. Give a short status update each pass.
/loop 7d Start the "Security Audit Weekly" loop. Goal: deliver a weekly npm audit summary with a remediation plan. Between iterations run: npm audit --json Exit when: summary is posted with prioritized fixes. Step 1: Run npm audit, triage by severity, and propose safe remediation steps.
/loop 7d Start the "Dependency Audit Weekly" loop. Goal: deliver a weekly dependency audit summary. Between iterations run: npm outdated || true Exit when: summary is posted with recommended upgrades. Step 1: Run npm outdated, categorize updates, and propose a safe upgrade plan.