Skill

config-scan

Detect security misconfigurations in config files, Docker, and IaC. Use when reviewing configuration security for containers, Kubernetes, Terraform, or application settings.

Install

npx claudepluginhub joshuarweaver/cascade-content-creation-misc-1 --plugin jwynia-agent-skills-1

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Security review of configuration files and infrastructure as code.

SKILL.md

Similar Skills

cache-components

Guides Next.js Cache Components and Partial Prerendering (PPR) with cacheComponents enabled. Implements 'use cache', cacheLife(), cacheTag(), revalidateTag(), static/dynamic optimization, and cache debugging.

cache-components

139.2k

mcp-builder

9 files

Guides building MCP servers enabling LLMs to interact with external services via tools. Covers best practices, TypeScript/Node (MCP SDK), Python (FastMCP).

anthropics-skills-13

124.2k

canvas-design

20 files

Generates original PNG/PDF visual art via design philosophy manifestos for posters, graphics, and static designs on user request.

anthropics-skills-13

124.2k

Stats

Stars65

Forks11

Last CommitFeb 15, 2026

Actions

View Source View Plugin View on GitHub View README

Config Scan

Security review of configuration files and infrastructure as code.

Quick Start

/config-scan                      # Scan all config files
/config-scan --docker             # Docker files only
/config-scan --k8s                # Kubernetes manifests
/config-scan --terraform          # Terraform files
/config-scan --env                # Environment files

What This Skill Detects

Environment Files

Secrets in .env files
Insecure default values
Missing required security variables

Docker Security

Running as root
Exposed sensitive ports
Insecure base images
Missing security options

Kubernetes Security

Privileged containers
Missing resource limits
Insecure service accounts
Network policy gaps

Infrastructure as Code

Overly permissive IAM policies
Public S3 buckets
Unencrypted storage
Missing security groups

Application Config

Debug mode enabled
Verbose error messages
Insecure defaults

Scan Categories

Environment Files

Files scanned: .env, .env.*, *.env

Issue	Severity	Description
Secrets in .env	HIGH	Credentials should use secrets manager
.env committed	CRITICAL	Should be in .gitignore
DEBUG=true	HIGH	Debug mode in production config
Weak secrets	MEDIUM	Short or simple values

Detection patterns:

# Committed .env files
git ls-files | grep -E '\.env$|\.env\.'

# Secrets in env files
(PASSWORD|SECRET|KEY|TOKEN|CREDENTIAL)=.+

# Debug flags
DEBUG=(true|1|yes)
NODE_ENV=development

Docker Security

Files scanned: Dockerfile, docker-compose.yml

Issue	Severity	Description
USER root	HIGH	Container runs as root
COPY secrets	CRITICAL	Secrets copied into image
Latest tag	MEDIUM	Unpinned base image
Exposed ports	LOW	Wide port exposure
No healthcheck	LOW	Missing health monitoring

Detection patterns:

# Running as root (no USER directive)
FROM.*\n(?!.*USER)

# Copying secrets
COPY.*\.(pem|key|crt|env)
COPY.*secret
COPY.*password

# Unpinned images
FROM\s+\w+:latest
FROM\s+\w+\s*$

# Dangerous capabilities
--privileged
--cap-add

docker-compose.yml issues:

# Privileged mode
privileged: true

# All capabilities
cap_add:
  - ALL

# Host network
network_mode: host

# Sensitive mounts
volumes:
  - /:/host
  - /var/run/docker.sock

Kubernetes Security

Files scanned: *.yaml, *.yml (k8s manifests)

Issue	Severity	Description
privileged: true	CRITICAL	Full host access
runAsRoot	HIGH	Container runs as root
No resource limits	MEDIUM	DoS risk
hostNetwork	HIGH	Pod uses host network
No securityContext	MEDIUM	Missing security settings

Detection patterns:

# Privileged containers
securityContext:
  privileged: true

# Running as root
securityContext:
  runAsUser: 0
runAsNonRoot: false

# Host access
hostNetwork: true
hostPID: true
hostIPC: true

# Dangerous volume mounts
volumes:
  - hostPath:
      path: /

# Missing limits
# (absence of resources.limits)

# Wildcard RBAC
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]

Terraform/IaC

Files scanned: *.tf, *.tfvars

Issue	Severity	Description
Public S3 bucket	CRITICAL	Data exposure
* in IAM policy	HIGH	Overly permissive
No encryption	HIGH	Data at rest unencrypted
0.0.0.0/0 ingress	HIGH	Open to internet
Hardcoded secrets	CRITICAL	Credentials in TF

Detection patterns:

# Public S3
acl = "public-read"
acl = "public-read-write"

# Overly permissive IAM
"Action": "*"
"Resource": "*"
"Principal": "*"

# Open security groups
cidr_blocks = ["0.0.0.0/0"]
ingress {
  from_port = 0
  to_port   = 65535

# Missing encryption
encrypted = false
# (or absence of encryption settings)

# Hardcoded secrets
password = "..."
secret_key = "..."

Application Config

Files scanned: config/*.json, *.config.js, application.yml

Issue	Severity	Description
DEBUG=true	HIGH	Debug in production
Verbose errors	MEDIUM	Stack traces exposed
CORS *	HIGH	All origins allowed
No HTTPS	MEDIUM	Unencrypted transport

Detection patterns:

// Debug mode
debug: true,
DEBUG: true,
NODE_ENV: 'development'

// Verbose errors
showStackTrace: true
detailedErrors: true

// CORS
origin: '*'
origin: true
Access-Control-Allow-Origin: *

// Session security
secure: false  // cookies
httpOnly: false
sameSite: 'none'

Output Format

CONFIG SCAN RESULTS
===================

Files scanned: 23
Issues found: 15

CRITICAL (2)
------------
[!] Dockerfile:1 - Running as root
    No USER directive found
    Fix: Add "USER node" or similar non-root user

[!] terraform/s3.tf:12 - Public S3 bucket
    acl = "public-read"
    Fix: Remove public ACL, use bucket policies

HIGH (5)
--------
[H] docker-compose.yml:15 - Privileged container
    privileged: true
    Fix: Remove privileged flag, use specific capabilities

[H] k8s/deployment.yaml:34 - Missing resource limits
    No CPU/memory limits defined
    Fix: Add resources.limits section

...

MEDIUM (8)
----------
...

Configuration

Ignore Rules

Create .config-scan-ignore:

# Ignore specific files
files:
  - "docker-compose.dev.yml"
  - "terraform/modules/test/**"

# Ignore specific rules
rules:
  - id: "docker-root-user"
    files: ["Dockerfile.dev"]
    reason: "Development only"

  - id: "k8s-no-limits"
    reason: "Handled by LimitRange"

Scan Profiles

# .config-scan.yaml
profile: production  # or: development, strict

# Custom thresholds
thresholds:
  fail_on: high
  warn_on: medium

# Specific scanners
scanners:
  docker: true
  kubernetes: true
  terraform: true
  env_files: true
  app_config: true

Best Practices Checked

Docker

Kubernetes

Terraform

Remediation Examples

Docker: Run as Non-Root

# Before
FROM node:18

# After
FROM node:18
RUN groupadd -r app && useradd -r -g app app
USER app

Kubernetes: Security Context

# Before
containers:
  - name: app
    image: myapp

# After
containers:
  - name: app
    image: myapp
    securityContext:
      runAsNonRoot: true
      runAsUser: 1000
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false

Terraform: Private S3

# Before
resource "aws_s3_bucket" "data" {
  acl = "public-read"
}

# After
resource "aws_s3_bucket" "data" {
  # No ACL (private by default)
}

resource "aws_s3_bucket_public_access_block" "data" {
  bucket = aws_s3_bucket.data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

CI/CD Integration

# GitHub Actions
- name: Config Security Scan
  run: |
    /config-scan --fail-on high

- name: Docker Scan
  run: |
    /config-scan --docker --fail-on critical

Related Skills

/security-scan - Full security analysis
/secrets-scan - Credential detection
/dependency-scan - Package vulnerabilities