# Unbearable IaC Audit Pack (`unbearable_dev/iac-audit-pack`) Actor All four Unbearable TechTips audit Actors under one MCP endpoint: docker-compose (25 checks), Dockerfile (26 checks), GitHub Actions (21 checks), HU postcode validator (5 tools). Snyk-comparable IaC coverage at 10x cheaper. Pay-per-event. Built by Unbearable TechTips. - **URL**: https://apify.com/unbearable\_dev/iac-audit-pack.md - **Developed by:** [Noel Himer](https://apify.com/unbearable_dev) (community) - **Categories:** Developer tools, Automation, MCP servers - **Stats:** 1 total users, 0 monthly users, 0.0% runs succeeded, NaN bookmarks - **User rating**: No ratings yet ## Pricing Pay per usage This Actor is paid per platform usage. The Actor is free to use, and you only pay for the Apify platform usage, which gets cheaper the higher subscription plan you have. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-usage ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README ## Unbearable IaC Audit Pack **Unbearable IaC Audit Pack** — all four audit Actors under one MCP endpoint. Snyk-comparable scope at 10x cheaper. $19/mo unlimited individual audits. 56 checks. 19 categories. 4 audit engines. 1 MCP endpoint. One subscription. --- ### What's included | Package | Checks | Categories | Primary tool | |---------|--------|------------|--------------| | Docker Compose audit | 25 | 9 | `audit_compose` | | Dockerfile audit | 18 | 5 | `audit_dockerfile` | | GitHub Actions audit | 13 | 5 | `audit_github_actions` | | HU Postcode Validator | 5 tools | — | `validate_postcode`, `lookup_city`, … | Plus two bundle-only tools: - **`audit_all`** — paste a dict of filenames → content; auto-detects Dockerfile, compose, and workflow files and runs the right audit on each - **`list_all_checks`** — full cross-package check catalog in one call ### Quick start (Claude Desktop) ```json { "mcpServers": { "iac-audit-pack": { "type": "http", "url": "https://unbearable-dev--iac-audit-pack.apify.actor/mcp", "headers": { "Authorization": "Bearer " } } } } ```` ### Tool catalog #### Aggregation (bundle-only) | Tool | Description | |------|-------------| | `audit_all(files, min_severity?)` | Multi-file detection + combined audit report | | `list_all_checks()` | All 56 checks across all three audit packages | #### Docker Compose (25 checks, 9 categories) | Tool | Description | |------|-------------| | `audit_compose(compose_yaml?, compose_url?, min_severity?)` | Full 25-check audit | | `check_privilege` | Privileged mode, cap\_add, user namespace | | `check_network` | Host networking, exposed dangerous ports | | `check_secrets` | Hardcoded passwords, tokens in env vars | | `check_filesystem` | Docker socket mounts, host path mounts | | `check_resources` | Missing memory/CPU limits | | `check_image_hygiene` | Unpinned tags, `latest` usage | | `check_runtime_lifecycle` | Restart policies, healthchecks | | `check_logging` | Logging driver config | | `check_compose_hygiene` | Version field, service naming | | `list_checks_compose(category?)` | Check catalog | #### Dockerfile (18 checks, 5 categories) | Tool | Description | |------|-------------| | `audit_dockerfile(dockerfile_content?, dockerfile_url?, min_severity?)` | Full 18-check audit | | `check_base_image_dockerfile` | Unpinned base, `latest`, root user in FROM | | `check_instructions_dockerfile` | ADD vs COPY, COPY ordering, ENV secrets | | `check_security_dockerfile` | USER root, privilege escalation patterns | | `check_efficiency_dockerfile` | Layer count, cache busting | | `check_secrets_dockerfile` | Hardcoded secrets in RUN/ENV/ARG | | `list_checks_dockerfile(category?)` | Check catalog | #### GitHub Actions (13 checks, 5 categories) | Tool | Description | |------|-------------| | `audit_github_actions(workflow_yaml?, workflow_url?, min_severity?)` | Full 13-check audit | | `check_secrets_gha` | Leaked tokens, secret in run: blocks | | `check_permissions_gha` | Overly broad write-all permissions | | `check_action_pinning_gha` | Unpinned action refs (not SHA-pinned) | | `check_runner_security_gha` | Self-hosted runner risks | | `check_workflow_config_gha` | pull\_request\_target misuse, script injection | | `list_checks_github_actions(category?)` | Check catalog | #### HU Postcode Validator (5 tools) | Tool | Description | |------|-------------| | `validate_postcode(postcode)` | Settlement + county for a HU postcode | | `lookup_postcode(postcode)` | Alias for validate\_postcode | | `lookup_city(city)` | All postcodes for a city (diacritic-insensitive) | | `validate_address(postcode, city)` | Postcode/city pairing validation | | `list_postcodes_in_county(county_name)` | All postcodes in a county | | `budapest_district_lookup(district_number)` | Budapest I-XXIII → postcodes | ### Pricing **$19/mo unlimited individual audits** — flat monthly rental via Apify Console. No per-call billing. Run as many audits as you need. Cancel anytime. ### Architecture Package-import (not proxy): all four sub-packages are bundled directly into the Actor image. Single cold start, single billing rail, no cross-Actor latency. See `DESIGN.md` for the full rationale. *** Built by Noel @ Unbearable TechTips — more like this in the weekly newsletter \[link]. # Actor input Schema ## Actor input object example ```json {} ``` # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '' with your token const client = new ApifyClient({ token: '', }); // Prepare Actor input const input = {}; // Run the Actor and wait for it to finish const run = await client.actor("unbearable_dev/iac-audit-pack").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '' with your token. client = ApifyClient("") # Prepare the Actor input run_input = {} # Run the Actor and wait for it to finish run = client.actor("unbearable_dev/iac-audit-pack").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{}' | apify call unbearable_dev/iac-audit-pack --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=unbearable_dev/iac-audit-pack", "--header", "Authorization: Bearer " ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "Unbearable IaC Audit Pack", "description": "All four Unbearable TechTips audit Actors under one MCP endpoint: docker-compose (25 checks), Dockerfile (26 checks), GitHub Actions (21 checks), HU postcode validator (5 tools). Snyk-comparable IaC coverage at 10x cheaper. Pay-per-event. Built by Unbearable TechTips.", "version": "0.1", "x-build-id": "aN7emxSRUU6j1xolb" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/unbearable_dev~iac-audit-pack/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-unbearable_dev-iac-audit-pack", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/unbearable_dev~iac-audit-pack/runs": { "post": { "operationId": "runs-sync-unbearable_dev-iac-audit-pack", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/unbearable_dev~iac-audit-pack/run-sync": { "post": { "operationId": "run-sync-unbearable_dev-iac-audit-pack", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "properties": {} }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```