Create an `atlantis.yaml` at the repo root defining a custom `workflows` block with a `plan` stage that adds `extra_args` or uses a `run` step to execute `checkov -d . --output cli --quiet` before the Terraform plan step.
Add a `run` step after the plan step that calls `infracost diff --path . --compare-to /tmp/base.json --format json --out-file /tmp/diff.json` followed by `infracost comment github ...` to post the cost estimate on the PR.
Map the custom workflow to specific projects using `projects[].workflow: custom-workflow-name` in the same `atlantis.yaml`.
Ensure the Atlantis server has `checkov` and `infracost` binaries in its PATH (install them in the Docker image or via the `atlantis.yaml` `run` step with a setup block).
Set `allow_custom_workflows: true` in the Atlantis server configuration (`atlantis server --allow-custom-workflows`) to permit `run` steps in `atlantis.yaml`.
Test by opening a PR that changes a Terraform file; the Atlantis PR comment should include both the Checkov summary and the Infracost cost diff.
Known gotchas
`allow_custom_workflows: true` permits arbitrary shell commands defined in `atlantis.yaml`; restrict who can merge to protected branches and who can modify `atlantis.yaml` to prevent privilege escalation.
Atlantis `run` steps execute in the context of the changed Terraform directory, not the repo root; use absolute paths or the `$REPO_ROOT` environment variable for tool binaries and config files.
Infracost's `breakdown` and `diff` commands require `INFRACOST_API_KEY` to be set in the Atlantis server environment; missing the key produces an authentication error during the run step.
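The steps and the first gotcha above, put together as an added example (not configuration from the original page or from the Atlantis project): a repo-level `atlantis.yaml` plus a server-side repo config that enables custom workflows for one repository only. Assumptions: the repo id, project name, directory and workflow name are placeholders, `GITHUB_TOKEN` is an assumed server environment variable, the server-side file is assumed to be loaded with `--repo-config`, and `/tmp/base.json` is assumed to already hold the baseline produced on the base branch.

```yaml
# ---- File 1: atlantis.yaml at the repo root (added example) ----
version: 3
projects:
  - name: network              # assumed project name
    dir: terraform/network     # assumed directory
    workflow: checkov-infracost
workflows:
  checkov-infracost:           # assumed workflow name
    plan:
      steps:
        - init
        # Runs in the project directory. A non-zero exit from checkov
        # fails the stage, so `plan` never runs on failing code.
        - run: checkov -d . --output cli --quiet
        - plan
        # Baseline /tmp/base.json must exist beforehand (assumption).
        - run: >-
            infracost diff --path . --compare-to /tmp/base.json
            --format json --out-file /tmp/diff.json
        # BASE_REPO_OWNER, BASE_REPO_NAME and PULL_NUM are set by Atlantis
        # for run steps; GITHUB_TOKEN is an assumed server variable.
        - run: >-
            infracost comment github --path /tmp/diff.json
            --repo $BASE_REPO_OWNER/$BASE_REPO_NAME
            --pull-request $PULL_NUM
            --github-token $GITHUB_TOKEN
            --behavior update
---
# ---- File 2: server-side repo config (added example) ----
repos:
  # Default for every repo: no repo-defined workflows, so a pull request
  # cannot introduce its own `run` commands on the Atlantis server.
  - id: /.*/
    allow_custom_workflows: false
  # Opt in only the repository that needs the workflow above.
  # Later entries override earlier ones for matching repos.
  - id: github.com/example-org/infra   # placeholder repo id
    allowed_overrides: [workflow]
    allow_custom_workflows: true
```

Because the `run` commands come from the pull request's own `atlantis.yaml`, scoping `allow_custom_workflows` to a single repo id limits where a changed workflow can execute commands with the server's credentials.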