Is Iac Audit Pack free?

Yes, Iac Audit Pack is free to use.

How do I install Iac Audit Pack?

Iac Audit Pack supports both local and remote installation. For local use, install it via the provided package manager and add the configuration to your AI app. For remote access, add the server URL to your MCP configuration.

Is Iac Audit Pack safe to use?

Iac Audit Pack was flagged by MCP Marketplace's security scan, scoring 4.2/10 (high risk). It has 2 high or critical findings to review. Review the security report on this page carefully before installing it.

What AI apps work with Iac Audit Pack?

Iac Audit Pack uses the Model Context Protocol (MCP) and works with any MCP-compatible AI app, including Claude, ChatGPT / Codex, Gemini, Copilot, Cursor, and more.

Back to Browse

Iac Audit Pack MCP Server

by UnbearableDev

Developer ToolsUse Caution4.2MCP RegistryLocalRemote

Free

Server data from the Official MCP Registry

Four IaC audits in one call: Compose, Dockerfile, GitHub Actions, Kubernetes. 131 checks.

About

Four IaC audits in one call: Compose, Dockerfile, GitHub Actions, Kubernetes. 131 checks.

Remote endpoints: streamable-http: https://unbearable-dev--iac-audit-pack.apify.actor/mcp

Security Report

4.2

Use Caution4.2High Risk

This MCP server aggregates four IaC audit packages with appropriate authentication via Apify tokens and reasonable permission scoping for its developer tools category. Code quality is generally good with proper error handling and input validation. However, there are moderate concerns around HTTP request handling without explicit timeouts in some paths, missing HTTPS enforcement for user-supplied URLs, and insufficient input validation on dynamically constructed tool names that could enable injection attacks. Supply chain analysis found 3 known vulnerabilities in dependencies (1 critical, 1 high severity).

4 files analyzed · 10 issues found

Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.

Permissions Required

This plugin requests these system permissions. Most are normal for its category.

env_vars

Check that this permission is expected for this type of plugin.

HTTP Network Access

Connects to external APIs or services over the internet.

File System Read

Reads files on your machine. Normal for tools that analyze or process local data.

How to Install & Connect

Available as Local & Remote

This plugin can run on your machine or connect to a hosted endpoint. during install.

Documentation

View on GitHub

From the project's GitHub README.

Unbearable IaC Audit Pack

Unbearable IaC Audit Pack — all four audit Actors under one MCP endpoint. Snyk-comparable scope at a fraction of the cost. Pay-per-event — only billed when a tool is actually called.

64 checks. 20 categories. 4 audit engines. 1 MCP endpoint.

What's included

Package	Checks	Categories	Primary tool
Docker Compose audit	25	9	`audit_compose`
Dockerfile audit	19	5	`audit_dockerfile`
GitHub Actions audit	21	6	`audit_github_actions`
HU Postcode Validator	5 tools	—	`validate_postcode`, `lookup_city`, …

Plus two bundle-only tools:

audit_all — paste a dict of filenames → content; auto-detects Dockerfile, compose, and workflow files and runs the right audit on each
list_all_checks — full cross-package check catalog in one call

Quick start (Claude Desktop)

{
  "mcpServers": {
    "iac-audit-pack": {
      "type": "http",
      "url": "https://unbearable-dev--iac-audit-pack.apify.actor/mcp",
      "headers": {
        "Authorization": "Bearer <your-apify-token>"
      }
    }
  }
}

Tool catalog

Aggregation (bundle-only)

Tool	Description
`audit_all(files, min_severity?)`	Multi-file detection + combined audit report
`list_all_checks()`	All 64 checks across all three audit packages

Docker Compose (25 checks, 9 categories)

Tool	Description
`audit_compose(compose_yaml?, compose_url?, min_severity?)`	Full 25-check audit
`check_privilege`	Privileged mode, cap_add, user namespace
`check_network`	Host networking, exposed dangerous ports
`check_secrets`	Hardcoded passwords, tokens in env vars
`check_filesystem`	Docker socket mounts, host path mounts
`check_resources`	Missing memory/CPU limits
`check_image_hygiene`	Unpinned tags, `latest` usage
`check_runtime_lifecycle`	Restart policies, healthchecks
`check_logging`	Logging driver config
`check_compose_hygiene`	Version field, service naming
`list_checks_compose(category?)`	Check catalog

Dockerfile (19 checks, 5 categories)

Tool	Description
`audit_dockerfile(dockerfile_content?, dockerfile_url?, min_severity?)`	Full 19-check audit
`check_base_image_dockerfile`	Unpinned base, `latest`, root user in FROM
`check_instructions_dockerfile`	ADD vs COPY, COPY ordering, ENV secrets
`check_security_dockerfile`	USER root, privilege escalation patterns
`check_efficiency_dockerfile`	Layer count, cache busting
`check_secrets_dockerfile`	Hardcoded secrets in RUN/ENV/ARG
`list_checks_dockerfile(category?)`	Check catalog

GitHub Actions (21 checks, 6 categories)

Tool	Description
`audit_github_actions(workflow_yaml?, workflow_url?, min_severity?)`	Full 21-check audit
`check_secrets_gha`	Leaked tokens, secret in run: blocks
`check_permissions_gha`	Overly broad write-all permissions
`check_action_pinning_gha`	Unpinned action refs (not SHA-pinned)
`check_runner_security_gha`	Self-hosted runner risks
`check_workflow_config_gha`	pull_request_target misuse, script injection
`check_supply_chain_advanced_gha`	TeamPCP-class supply-chain patterns (GHA-201..208)
`list_checks_github_actions(category?)`	Check catalog

HU Postcode Validator (5 tools)

Tool	Description
`validate_postcode(postcode)`	Settlement + county for a HU postcode
`lookup_postcode(postcode)`	Alias for validate_postcode
`lookup_city(city)`	All postcodes for a city (diacritic-insensitive)
`validate_address(postcode, city)`	Postcode/city pairing validation
`list_postcodes_in_county(county_name)`	All postcodes in a county
`budapest_district_lookup(district_number)`	Budapest I-XXIII → postcodes

Pricing

Event	USD
`audit_all` or any single-domain audit call	$0.10
Single-domain audit (`audit_compose`, `audit_dockerfile`, `audit_github_actions`)	$0.05
`list_checks` / discovery calls	$0.005

Pay-per-event — no subscription, no monthly minimums. You pay only when a tool is invoked.

Architecture

Package-import (not proxy): all four sub-packages are bundled directly into the Actor image. Single cold start, single billing rail, no cross-Actor latency. See DESIGN.md for the full rationale.

Built by Noel @ Unbearable Labs — more like this in the weekly newsletter.

Reviews

No reviews yet

Be the first to review this server!

More Developer Tools MCP Servers

Fetch

Free

by Modelcontextprotocol · Developer Tools

Web content fetching and conversion for efficient LLM usage

Toleno

Free

by Toleno · Developer Tools

Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.

mcp-creator-python

Free

by mcp-marketplace · Developer Tools

Create, build, and publish Python MCP servers to PyPI — conversationally.

Iac Audit Pack MCP Server

About

Security Report

Findings (10)Action required

Permissions Required

How to Install & Connect

Documentation

Unbearable IaC Audit Pack

What's included

Quick start (Claude Desktop)

Tool catalog

Aggregation (bundle-only)

Docker Compose (25 checks, 9 categories)

Dockerfile (19 checks, 5 categories)

GitHub Actions (21 checks, 6 categories)

HU Postcode Validator (5 tools)

Pricing

Architecture

Reviews

No reviews yet

More Developer Tools MCP Servers

Fetch

Toleno

mcp-creator-python

MarkItDown

FinAgent

mcp-creator-typescript