Unbearable IaC Audit Pack

Unbearable IaC Audit Pack — all four audit Actors under one MCP endpoint. Snyk-comparable scope at a fraction of the cost. Pay-per-event — only billed when a tool is actually called.

64 checks. 20 categories. 4 audit engines. 1 MCP endpoint.

What's included

Package	Checks	Categories	Primary tool
Docker Compose audit	25	9	`audit_compose`
Dockerfile audit	19	5	`audit_dockerfile`
GitHub Actions audit	21	6	`audit_github_actions`
HU Postcode Validator	5 tools	—	`validate_postcode`, `lookup_city`, …

Plus two bundle-only tools:

audit_all — paste a dict of filenames → content; auto-detects Dockerfile, compose, and workflow files and runs the right audit on each
list_all_checks — full cross-package check catalog in one call

Quick start (Claude Desktop)

{
  "mcpServers": {
    "iac-audit-pack": {
      "type": "http",
      "url": "https://unbearable-dev--iac-audit-pack.apify.actor/mcp",
      "headers": {
        "Authorization": "Bearer <your-apify-token>"
      }
    }
  }
}

Tool catalog

Aggregation (bundle-only)

Tool	Description
`audit_all(files, min_severity?)`	Multi-file detection + combined audit report
`list_all_checks()`	All 64 checks across all three audit packages

Docker Compose (25 checks, 9 categories)

Tool	Description
`audit_compose(compose_yaml?, compose_url?, min_severity?)`	Full 25-check audit
`check_privilege`	Privileged mode, cap_add, user namespace
`check_network`	Host networking, exposed dangerous ports
`check_secrets`	Hardcoded passwords, tokens in env vars
`check_filesystem`	Docker socket mounts, host path mounts
`check_resources`	Missing memory/CPU limits
`check_image_hygiene`	Unpinned tags, `latest` usage
`check_runtime_lifecycle`	Restart policies, healthchecks
`check_logging`	Logging driver config
`check_compose_hygiene`	Version field, service naming
`list_checks_compose(category?)`	Check catalog

Dockerfile (19 checks, 5 categories)

Tool	Description
`audit_dockerfile(dockerfile_content?, dockerfile_url?, min_severity?)`	Full 19-check audit
`check_base_image_dockerfile`	Unpinned base, `latest`, root user in FROM
`check_instructions_dockerfile`	ADD vs COPY, COPY ordering, ENV secrets
`check_security_dockerfile`	USER root, privilege escalation patterns
`check_efficiency_dockerfile`	Layer count, cache busting
`check_secrets_dockerfile`	Hardcoded secrets in RUN/ENV/ARG
`list_checks_dockerfile(category?)`	Check catalog

GitHub Actions (21 checks, 6 categories)

Tool	Description
`audit_github_actions(workflow_yaml?, workflow_url?, min_severity?)`	Full 21-check audit
`check_secrets_gha`	Leaked tokens, secret in run: blocks
`check_permissions_gha`	Overly broad write-all permissions
`check_action_pinning_gha`	Unpinned action refs (not SHA-pinned)
`check_runner_security_gha`	Self-hosted runner risks
`check_workflow_config_gha`	pull_request_target misuse, script injection
`check_supply_chain_advanced_gha`	TeamPCP-class supply-chain patterns (GHA-201..208)
`list_checks_github_actions(category?)`	Check catalog

HU Postcode Validator (5 tools)

Tool	Description
`validate_postcode(postcode)`	Settlement + county for a HU postcode
`lookup_postcode(postcode)`	Alias for validate_postcode
`lookup_city(city)`	All postcodes for a city (diacritic-insensitive)
`validate_address(postcode, city)`	Postcode/city pairing validation
`list_postcodes_in_county(county_name)`	All postcodes in a county
`budapest_district_lookup(district_number)`	Budapest I-XXIII → postcodes

Pricing

Event	USD
`audit_all` or any single-domain audit call	$0.10
Single-domain audit (`audit_compose`, `audit_dockerfile`, `audit_github_actions`)	$0.05
`list_checks` / discovery calls	$0.005

Pay-per-event — no subscription, no monthly minimums. You pay only when a tool is invoked.

Architecture

Package-import (not proxy): all four sub-packages are bundled directly into the Actor image. Single cold start, single billing rail, no cross-Actor latency. See DESIGN.md for the full rationale.

Built by Noel @ Unbearable Labs — more like this in the weekly newsletter.

IAC Audit Pack