@ethanolivertroy: Had the idea for the compliance version of @cursor_ai bugpot last night and started pulling the pieces together with cu…


Summary

ControlBot is an open-source tool that reviews Terraform PRs for NIST 800-53 compliance using Checkov and Cursor SDK, providing inline comments and merge gates.

Had the idea for the compliance version of @cursor_ai bugpot last night and started pulling the pieces together with cursor sdk https://github.com/ethanolivertroy/controlbot… It checks the terraform in PRs and aligns them to nist 800-53 controls

Cached at: 05/27/26, 07:03 AM

ethanolivertroy/controlbot

Source: https://github.com/ethanolivertroy/controlbot

ControlBot

Bugbot for compliance on infrastructure code.

ControlBot reviews Terraform PRs like Cursor Bugbot reviews code — inline comments on the exact lines, NIST 800-53 control mapping, control intent, and a merge gate when findings block your baseline.

Built on Checkov (deterministic facts) + Cursor SDK (assessor-grade narratives).

Today: IaC → controls → PR reviews
Tomorrow: SSP narratives, POA&M seeds, risk scoring, audit packages — one bot, growing into full GRC

Demo

Repo: https://github.com/ethanolivertroy/controlbot
Sample PR: https://github.com/ethanolivertroy/controlbot/pull/1

How it works

PR with Terraform
  → Checkov (deterministic scan)
  → NIST 800-53 mapping
  → ControlBot (inline PR comments + merge gate)
  → Optional: Cursor agent (full report artifact)

The agent never invents findings — it enriches Checkov output with control intent and remediation language.

Quick start

npm install
pip install checkov

npm run scan
npm run review -- --scan-only
npm run controlbot

cat review-payload.json   # Bugbot-style inline comment payload

Full agent report (optional):

export CURSOR_API_KEY="cursor_..."
npm run review

GitHub Actions

  1. Add CURSOR_API_KEY secret (optional — inline bot works without it)
  2. PRs touching *.tf trigger .github/workflows/controlbot.yml
  3. ControlBot posts inline NIST comments and fails the check on blocking findings

Configure

.controlbot/profile.yaml:

baseline: fedramp-moderate
inherited_controls: [PE-1, PE-2]   # CSP-inherited — skip
block_on_severity: [HIGH, CRITICAL]
inline_comments: true
bot_name: ControlBot

Extend mappings/checkov-to-nist.yaml for your rule → control mappings.
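The pipeline under "How it works" and the profile under "Configure", carried through as an added example in JavaScript. This is illustration code, not ControlBot's own implementation: the excerpt of a Checkov JSON report, the rule-to-control table (the README does not show the schema of mappings/checkov-to-nist.yaml, so the object shape is an assumption) and the control-intent sentences are all constructed; the profile keys are the ones from .controlbot/profile.yaml above, and the inline comment entries follow the GitHub review-comment fields (path, line, side, start_line). The exit code follows the README's rule of 2 on blocking findings, 0 otherwise.

```javascript
// Added example, not ControlBot's own code: Checkov findings -> NIST 800-53 mapping
// -> profile filter -> inline comment payload + exit code. Report excerpt, mapping
// table and intents are constructed; only the profile keys follow the README.

const tf = "/fixtures/terraform/main.tf";
// Constructed Checkov-style failed check. Open-source Checkov often leaves
// `severity` null, so the mapping table supplies one when it is missing.
const failed = (check_id, check_name, resource, file_line_range) => ({
  check_id, check_name, file_path: tf, file_line_range, resource, severity: null,
});

// Constructed excerpt of `checkov -o json` output (results.failed_checks).
const checkovReport = {
  results: {
    failed_checks: [
      failed("CKV_AWS_18", "Ensure the S3 bucket has access logging enabled", "aws_s3_bucket.demo", [1, 12]),
      failed("CKV_AWS_145", "Ensure that S3 buckets are encrypted with KMS by default", "aws_s3_bucket.demo", [1, 12]),
      failed("CKV_AWS_21", "Ensure all data stored in the S3 bucket have versioning enabled", "aws_s3_bucket.demo", [1, 12]),
      // Placeholder id with no mapping entry, to show how unmapped rules are surfaced.
      failed("CKV_EXAMPLE_UNMAPPED", "constructed unmapped check", "aws_instance.demo", [20, 20]),
    ],
  },
};

// Constructed rule -> control table; the shape is an assumption about
// mappings/checkov-to-nist.yaml, whose schema the README does not show.
const checkovToNist = {
  CKV_AWS_18: { controls: ["AU-2", "AU-12"], severity: "MEDIUM",
    intent: "Access logs provide the audit trail AU-2/AU-12 expect for bucket access." },
  CKV_AWS_145: { controls: ["SC-28"], severity: "HIGH",
    intent: "SC-28 requires protection of information at rest; use a KMS key for default encryption." },
  CKV_AWS_21: { controls: ["CP-9"], severity: "LOW",
    intent: "Versioning supports the recovery objectives behind CP-9 backups." },
};

// Mirrors .controlbot/profile.yaml from the README.
const profile = {
  baseline: "fedramp-moderate",
  inherited_controls: ["PE-1", "PE-2"],
  block_on_severity: ["HIGH", "CRITICAL"],
  inline_comments: true,
  bot_name: "ControlBot",
};

// One failed check -> one inline comment entry (GitHub review-comment fields).
// Returns null when every mapped control is CSP-inherited and therefore skipped.
function toComment(finding, entry, prof) {
  const inherited = new Set(prof.inherited_controls);
  const controls = entry.controls.filter((c) => !inherited.has(c));
  if (controls.length === 0) return null;
  const severity = finding.severity || entry.severity;
  const [start, end] = finding.file_line_range;
  return {
    path: finding.file_path.replace(/^\//, ""), // repo-relative path for the PR
    line: end,
    side: "RIGHT",
    ...(start < end ? { start_line: start, start_side: "RIGHT" } : {}),
    severity,
    blocking: prof.block_on_severity.includes(severity),
    body: `**${prof.bot_name}** ${finding.check_id} -> ${controls.join(", ")} (${severity})\n` +
      `${finding.check_name} on ${finding.resource}\n${entry.intent}`,
  };
}

// Build the review payload and the exit code (0 pass, 2 blocking control findings).
function buildReview(report, mapping, prof) {
  const comments = [];
  const unmapped = [];
  for (const finding of report.results.failed_checks) {
    const entry = mapping[finding.check_id];
    if (!entry) {
      unmapped.push(finding.check_id); // never invent a control: report the gap instead
      continue;
    }
    const comment = toComment(finding, entry, prof);
    if (comment) comments.push(comment);
  }
  const exitCode = comments.some((c) => c.blocking) ? 2 : 0;
  return { baseline: prof.baseline, comments, unmapped, exitCode };
}

console.log(JSON.stringify(buildReview(checkovReport, checkovToNist, profile), null, 2));
```

Unmapped check ids are returned separately rather than dropped, so a gap in the mapping file shows up in the payload instead of silently passing; widening `inherited_controls` to a control a finding maps to removes that finding from the payload, and narrowing `block_on_severity` turns the exit code from 2 to 0 without changing the comments themselves.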

Example Terraform

fixtures/terraform/main.tf — intentionally weak config for demos.

Commands

Command               Purpose
npm run scan          Checkov → findings.json
npm run review        Agent or scan-only → report.md
npm run controlbot    Build PR review payload, exit 2 if blocking
npm run post-review   Post to GitHub (CI)

Exit codes

Code   Meaning
0      Pass
1      Tooling error
2      Blocking control findings

License

MIT
