Performs comprehensive security audits of KrakenD configurations to identify vulnerabilities, authentication gaps, and security best practices violations with Flexible Configuration support
/plugin marketplace add krakend/claude-code-plugin/plugin install krakend-ai-assistant@krakendThis skill inherits all available tools. When active, it can use any tool Claude has access to.
Performs comprehensive security audits of KrakenD configurations using the native krakend audit command with intelligent fallback and automatic Flexible Configuration support. Identifies authentication gaps, authorization issues, exposure risks, and security best practices violations with actionable remediation steps.
Performs comprehensive security audit using smart three-tier approach:
krakend audit command (most comprehensive)Auto-detects Flexible Configuration (CE and EE variants) and adjusts audit accordingly
Categorizes issues by severity: Critical → High → Medium → Low → Info
Provides specific remediation with:
Checks common vulnerabilities:
Understanding these helps interpret audit results:
audit_security - Comprehensive security audit (smart 3-tier fallback: native → Docker → basic checks)list_features - Browse available security features and edition requirementsget_feature_config_template - Get configuration templates for security featuressearch_documentation - Find relevant security documentationvalidate_config - Validate configuration structure alongside security checksUse audit_security tool which automatically:
$schema fieldWhen showing users how to manually audit, provide command based on: (1) Version from $schema, (2) Edition (CE/EE by features), (3) FC detection, (4) LICENSE for EE.
Examples:
# CE audit
docker run --rm -v $(pwd):/etc/krakend krakend:VERSION audit -c /etc/krakend/krakend.json
# EE audit (LICENSE file present)
docker run --rm -v $(pwd):/etc/krakend krakend/krakend-ee:VERSION audit -c /etc/krakend/krakend.json
Accuracy: Native krakend audit (most comprehensive) > Docker > Basic checks (limited scope).
Images: krakend:VERSION (CE), krakend/krakend-ee:VERSION (EE).
Provide a clear, actionable security report:
# KrakenD Security Audit Report
## Summary
🔍 Audit Method: Native KrakenD (most comprehensive)
⚠️ Issues Found: 3 high, 2 medium, 1 low
🎯 Priority: Address high severity issues immediately
## Critical Issues
None found ✓
## High Severity Issues
### 1. Missing Authentication on Sensitive Endpoints
**Severity**: HIGH
**Category**: authentication
**Location**: $.endpoints[2] (POST /api/users)
**Issue**:
Endpoint accepts POST requests without any authentication mechanism. This allows anonymous users to create resources.
**Remediation**:
1. Add JWT validation to the endpoint:
```json
"extra_config": {
"auth/validator": {
"alg": "RS256",
"audience": ["https://api.example.com"],
"jwk_url": "https://auth.example.com/.well-known/jwks.json"
}
}
References:
Severity: HIGH Category: exposure Location: $.extra_config["debug_endpoint"]
Issue: Debug endpoint is enabled, exposing internal application state and metrics to potential attackers.
Remediation: Remove or disable the debug endpoint in production:
"extra_config": {
"debug_endpoint": false
}
Or remove the entire "debug_endpoint" configuration block.
References:
Severity: MEDIUM Category: security-headers Location: $.extra_config (root level)
Issue: No CORS configuration found. This may cause browser requests to fail or allow all origins by default.
Remediation: Add CORS configuration with explicit allowed origins:
"extra_config": {
"security/cors": {
"allow_origins": ["https://yourdomain.com"],
"allow_methods": ["GET", "POST", "PUT"],
"allow_headers": ["Authorization", "Content-Type"],
"expose_headers": ["Content-Length"],
"max_age": "12h",
"allow_credentials": true
}
}
References:
✓ Circuit breakers configured for backends ✓ Timeouts configured ⚠️ Consider adding request/response logging for security monitoring ⚠️ Consider implementing API key authentication for service-to-service calls ⚠️ Review and minimize backend exposure (principle of least privilege)
## Best Practices
1. **Severity-first** - Always show critical/high severity issues first (these need immediate action)
2. **Be specific and actionable** - Don't just say "insecure", explain what's wrong and exactly how to fix it
3. **Include context** - Show exact location using JSON paths
4. **Provide examples** - Include working configuration snippets for remediation
5. **Link to docs** - Always include relevant KrakenD documentation URLs
6. **Consider edition** - Recommend CE-compatible solutions unless user has EE
7. **Show audit method** - Indicate which validation method was used (affects comprehensiveness)
8. **Balance security with usability** - Don't recommend overly restrictive configs without explanation
9. **Follow up** - Suggest re-running audit after fixes are applied
10. **Context matters** - Development vs. production requires different security levels
## Examples
### Example 1: User asks "Is my API secure?"
**Response:**
"I'll perform a comprehensive security audit of your KrakenD configuration."
[Use `audit_security`]
[Present structured report as shown above]
"I found 3 high severity issues that should be addressed immediately. Would you like me to help you fix these issues?"
### Example 2: Pre-production security check
**Response:**
"I'll audit your configuration for security issues before production deployment."
[Use `audit_security` with production config]
[Present findings]
"Your configuration has 2 critical issues that must be fixed before production:
1. No authentication on admin endpoints
2. Debug mode still enabled
Would you like me to fix these now?"
### Example 3: Post-fix re-audit
**Response:**
"I'll re-run the security audit to verify your authentication changes."
[Use `audit_security` again]
[Compare with previous results if available]
"Great progress! The authentication issue is now resolved. Remaining items:
- 1 high severity: Debug endpoint still enabled
- 2 medium severity: Missing CORS and rate limiting
Shall we address these next?"
### Example 4: Fallback to basic checks
**Response:**
"KrakenD binary and Docker are not available, so I'll perform basic security checks."
[Use `audit_security` which falls back to basic checks]
"I performed basic security checks and found:
- Missing CORS configuration
- No authentication on POST endpoints
- No rate limiting configured
- Debug endpoint enabled
Note: For a comprehensive audit, install KrakenD or Docker to run the full `krakend audit` command. These basic checks cover common issues but may miss advanced security problems."
## When to Run Security Audits
Proactively suggest security audits:
- ✅ Before initial deployment
- ✅ After any configuration changes
- ✅ After adding new endpoints
- ✅ Before major releases
- ✅ After security incidents
- ✅ Periodically (monthly/quarterly)
- ✅ After upgrading KrakenD versions
- ✅ When changing authentication mechanisms
## Integration & Error Handling
### Integration with other skills
- After `config-builder` creates new config → Suggest security audit
- If `config-validator` finds issues → Mention security-specific audit available
- Before production deployment → Strongly recommend security audit
- If user asks about specific security features → Offer to run full audit
### Error handling
- **Config file not found**: Ask user which file to audit
- **Config is invalid JSON**: Run syntax check first via `config-validator`, then report
- **Audit produces no output**: Explain that no issues were found (best case!)
- **KrakenD audit fails**: Tool automatically falls back to Docker, then basic checks
- **Too many issues (>15)**: Group by severity and offer to show details incrementally
- **Mix of CE/EE features**: Note in recommendations which features require EE
Master authentication and authorization patterns including JWT, OAuth2, session management, and RBAC to build secure, scalable access control systems. Use when implementing auth systems, securing APIs, or debugging security issues.