From appsec
This skill should be used when the user asks to "check for misconfigurations", "analyze security headers", "find misconfigured settings", "check CORS policy", "find debug mode", "audit server configuration", or mentions "misconfiguration" in a security context. Maps to OWASP Top 10 2021 A05: Security Misconfiguration.
npx claudepluginhub florianbuetow/claude-code --plugin appsecThis skill uses the workspace's default tool permissions.
Analyze application and infrastructure configuration for security misconfigurations
Acquire memory dumps from live systems/VMs and analyze with Volatility 3 for processes, networks, DLLs, injections in incident response or malware hunts.
Provides x86-64/ARM disassembly patterns, calling conventions, control flow recognition for static analysis of executables and compiled binaries.
Identifies anti-debugging checks like IsDebuggerPresent, NtQueryInformationProcess in Windows binaries; suggests bypasses via patches/hooks/scripts for malware analysis, CTFs, authorized RE.
Analyze application and infrastructure configuration for security misconfigurations that could expose the system to attack. Covers missing security headers, debug modes left enabled, overly permissive CORS, default credentials, verbose error handling, unnecessary features, and directory listing.
Read ../../shared/schemas/flags.md for full flag
documentation. This skill supports all cross-cutting flags.
Key flags for this skill:
| Flag | Effect |
|---|---|
--scope <value> | Target scope (default: changed). Config-heavy scopes like path: and full are common. |
--depth <value> | Analysis depth (default: standard). deep traces config inheritance chains. |
--severity <value> | Minimum severity to report (default: all). |
--format <value> | Output format: text, json, sarif, md. |
--fix | Generate remediation patches for each finding. |
--explain | Add OWASP context and learning material to each finding. |
OWASP Top 10 2021 -- A05: Security Misconfiguration
Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive CORS, and verbose error messages containing sensitive information.
CWE Mappings:
STRIDE Mapping: All categories -- misconfigurations can enable spoofing, tampering, information disclosure, denial of service, and elevation of privilege.
Read references/detection-patterns.md before
running analysis. It contains Grep regex patterns, language-specific examples, scanner
coverage, and false positive guidance for each detection category.
--scope flag (default: changed).*.yaml, *.yml, *.toml, *.ini, *.cfg, *.conf, *.json, *.properties, *.env, *.env.*nginx.conf, httpd.conf, apache2.conf, Caddyfile, traefik.ymlsettings.py, config/*.rb, application.properties, next.config.*, nuxt.config.**.tf, *.hcl, Dockerfile, docker-compose*.yml, *.k8s.yml, k8s/*.yaml.github/workflows/*.yml, .gitlab-ci.yml, Jenkinsfile, .circleci/config.ymlDetect available scanners in priority order:
| Scanner | Detect | Best For |
|---|---|---|
| checkov | which checkov | IaC misconfigurations (Terraform, K8s, Docker) |
| tfsec | which tfsec | Terraform-specific security |
| kics | which kics | Multi-IaC scanning |
| trivy | which trivy | Filesystem misconfigs, Dockerfiles, K8s |
| semgrep | which semgrep | Code-level misconfiguration patterns |
If no scanners are found, proceed with Claude analysis only and note this in output.
For each detected scanner, run against the scoped files:
checkov -d <target> -o json --quiettfsec <target> --format jsonkics scan -p <target> --type jsontrivy fs --format json --scanners misconfig <target>semgrep scan --config auto --json --quiet <target>Normalize scanner output to the findings schema per
../../shared/schemas/scanners.md.
Using Grep and Read, search for patterns from references/detection-patterns.md.
For each match:
Output findings using the schema from
../../shared/schemas/findings.md.
Use the MSCFG prefix for finding IDs (e.g., MSCFG-001, MSCFG-002).
DEBUG=True, NODE_ENV=development,
FLASK_DEBUG=1, RAILS_ENV=development in production-bound configs.Access-Control-Allow-Origin: *
or reflecting arbitrary Origin headers without validation.See ../../shared/schemas/scanners.md for full scanner
invocation details. This skill primarily uses:
| Scanner | What It Catches |
|---|---|
| checkov | IaC misconfigurations: open security groups, missing encryption, public S3 buckets |
| tfsec | Terraform-specific: missing tags, public subnets, insecure defaults |
| kics | Multi-IaC: Docker, K8s, Terraform, CloudFormation misconfigurations |
| trivy | Dockerfile and K8s manifest misconfigurations, misconfigured filesystem |
| semgrep | Code patterns: missing headers, debug flags, insecure cookie settings |
When scanners are unavailable, Claude falls back to Grep-based detection using the
patterns in references/detection-patterns.md and reports findings with
confidence: medium.
All findings use the schema defined in
../../shared/schemas/findings.md.
ID Prefix: MSCFG (e.g., MSCFG-001)
References for each finding:
references.owasp: A05:2021references.cwe: Appropriate CWE from the list abovereferences.stride: Relevant STRIDE categorymetadata.tool: misconfigmetadata.framework: owaspmetadata.category: A05Summary table after all findings:
| Severity | Count |
|----------|-------|
| CRITICAL | N |
| HIGH | N |
| MEDIUM | N |
| LOW | N |
Followed by top 3 priorities and an overall assessment paragraph.