Finding Security Misconfigurations

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "finding-security-misconfigurations" with this command: npx skills add jeremylongshore/claude-code-plugins-plus-skills/jeremylongshore-claude-code-plugins-plus-skills-finding-security-misconfigurations

Overview

Scan infrastructure-as-code templates, application configuration files, and system settings to detect security misconfigurations mapped to OWASP A05:2021 (Security Misconfiguration) and CIS Benchmarks. Cover cloud resources (AWS, GCP, Azure), container orchestration (Kubernetes, Docker), web servers (Nginx, Apache), and application frameworks.

Prerequisites

  • Infrastructure-as-code files accessible in ${CLAUDE_SKILL_DIR}/ (Terraform .tf, CloudFormation .yaml/.json, Ansible playbooks, Kubernetes manifests)

  • Application configuration files available (application.yml, config.json, .env.example, web.config)

  • Container definitions (Dockerfile, docker-compose.yml, Helm charts)

  • Web server configs (nginx.conf, httpd.conf, .htaccess) if applicable

  • Write permissions for findings output in ${CLAUDE_SKILL_DIR}/security-findings/

  • Optional: tfsec, checkov, or trivy config installed for automated pre-scanning

Instructions

  • Discover all configuration files by scanning ${CLAUDE_SKILL_DIR}/ for IaC templates (.tf, .yaml, .json, .template), application configs, container definitions, and web server configs.

  • Cloud storage: check for publicly accessible S3 buckets, unencrypted storage accounts, missing versioning, and overly permissive bucket policies (CIS AWS 2.1.1, 2.1.2).

  • Network security: flag security groups allowing 0.0.0.0/0 ingress on sensitive ports (22, 3389, 3306, 5432, 27017), missing VPC flow logs, and absent network segmentation.

  • IAM and access: detect wildcard (*) permissions in IAM policies, service accounts with admin privileges, missing MFA enforcement, and hardcoded credentials in source (CWE-798).

  • Compute resources: identify EC2/VM instances with unnecessary public IPs, unencrypted volumes, missing IMDSv2 enforcement, and outdated base images.

  • Database security: flag publicly accessible RDS/Cloud SQL instances, missing encryption at rest, disabled automated backups, and default ports exposed without IP restrictions.

  • Application config: detect debug mode enabled in production, default credentials, CORS wildcard (*), missing CSRF protection, disabled authentication endpoints, and API keys in config files.

  • Container security: check for containers running as root, missing resource limits, privileged: true, writable root filesystems, and images without pinned digests.

  • Classify each finding: Critical (immediate exploitation risk), High (significant security impact), Medium (configuration weakness), Low (best practice violation).

  • Generate findings report at ${CLAUDE_SKILL_DIR}/security-findings/misconfig-YYYYMMDD.md with per-finding severity, CIS/CWE mapping, affected file and line, remediation code, and verification command.

See ${CLAUDE_SKILL_DIR}/references/implementation.md for the full six-section implementation guide covering IaC, application, and system checks.
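The instruction list above reads as one procedure: discover files, run the checks, classify by severity, and write a dated report, skipping files that fail to parse. The following is an added example written for this page, not the skill's own code or anything from the referenced implementation.md. It implements a handful of the listed checks (0.0.0.0/0 ingress on the sensitive ports, IAM Action "*", privileged containers, root execution, writable root filesystems, missing limits, unpinned images) over Terraform JSON syntax (.tf.json) and Kubernetes JSON manifests, so it needs only the standard library. The severity assigned to each check, the check names, and the sample files are assumptions made for the example; the CIS/OWASP labels are the mappings the page names, not benchmark control numbers.

```python
import json
from collections import Counter
from datetime import date

# Sensitive ports named in the network-security instruction.
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 27017}
# Assumed severity per check; the page defines the four levels, not this mapping.
SEVERITY = {"open_sg": "Critical", "iam_wildcard": "Critical", "privileged": "Critical",
            "root": "High", "rw_rootfs": "Medium", "no_limits": "Medium", "unpinned": "Low"}
ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

def _finding(kind, path, where, issue, mapping):
    return {"severity": SEVERITY[kind], "file": path, "location": where, "issue": issue, "mapping": mapping}

def check_terraform(path, doc):
    """Terraform JSON syntax (.tf.json): open security groups and IAM wildcard actions."""
    out, res = [], doc.get("resource", {})
    for name, body in res.get("aws_security_group", {}).items():
        for rule in body.get("ingress", []):
            if "0.0.0.0/0" not in rule.get("cidr_blocks", []):
                continue
            lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
            hits = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
            if hits:
                out.append(_finding("open_sg", path, f"aws_security_group.{name}",
                                    f"0.0.0.0/0 ingress reaches port(s) {hits}", "CIS AWS"))
    for name, body in res.get("aws_iam_policy", {}).items():
        policy = body.get("policy", {})
        if isinstance(policy, str):  # policy documents are usually embedded as a JSON string
            policy = json.loads(policy)
        stmts = policy.get("Statement", [])
        for st in (stmts if isinstance(stmts, list) else [stmts]):
            acts = st.get("Action", [])
            if st.get("Effect") == "Allow" and "*" in (acts if isinstance(acts, list) else [acts]):
                out.append(_finding("iam_wildcard", path, f"aws_iam_policy.{name}",
                                    "Allow statement grants Action '*'", "OWASP A05 / CIS AWS"))
    return out

def check_kubernetes(path, doc):
    """Kubernetes manifest: privileged, root, writable rootfs, missing limits, unpinned image."""
    out, spec = [], doc.get("spec", {})
    pod = spec.get("template", {}).get("spec", spec)  # Deployment-style template or bare Pod
    for c in pod.get("containers", []):
        sc = c.get("securityContext", {})
        where = f"{doc.get('kind')}/{doc.get('metadata', {}).get('name')}:{c.get('name')}"
        if sc.get("privileged") is True:
            out.append(_finding("privileged", path, where, "privileged: true", "CIS K8s"))
        # container-level setting wins, otherwise fall back to the pod-level securityContext
        if sc.get("runAsNonRoot", pod.get("securityContext", {}).get("runAsNonRoot")) is not True:
            out.append(_finding("root", path, where, "runAsNonRoot not enforced", "CIS K8s"))
        if sc.get("readOnlyRootFilesystem") is not True:
            out.append(_finding("rw_rootfs", path, where, "writable root filesystem", "CIS K8s"))
        if not c.get("resources", {}).get("limits"):
            out.append(_finding("no_limits", path, where, "no resource limits", "CIS K8s"))
        if "@sha256:" not in c.get("image", ""):
            out.append(_finding("unpinned", path, where, "image not pinned by digest", "OWASP A05"))
    return out

def scan(files):
    """files: list of (path, text) pairs. Malformed files are skipped and noted, never fatal."""
    findings, parse_errors = [], []
    for path, text in files:
        try:
            doc = json.loads(text)
        except json.JSONDecodeError as e:
            parse_errors.append(f"{path}: {e.msg} at line {e.lineno}")
            continue
        if path.endswith(".tf.json"):
            findings += check_terraform(path, doc)
        elif "apiVersion" in doc and "kind" in doc:
            findings += check_kubernetes(path, doc)
    return findings, parse_errors

def report(findings, parse_errors, day=None):
    """Render misconfig-YYYYMMDD.md; returns (filename, text, counts by severity)."""
    day = day or date.today().strftime("%Y%m%d")
    counts = Counter(f["severity"] for f in findings)
    lines = [f"# Security misconfiguration findings ({day})", "", "## Summary",
             *(f"- {s}: {counts.get(s, 0)}" for s in ORDER), "", "## Findings"]
    for f in sorted(findings, key=lambda f: ORDER[f["severity"]]):
        lines.append(f"- [{f['severity']}] {f['file']} ({f['location']}): {f['issue']} [{f['mapping']}]")
    if parse_errors:
        lines += ["", "## Skipped (parse errors)", *(f"- {e}" for e in parse_errors)]
    return f"misconfig-{day}.md", "\n".join(lines), dict(counts)

SAMPLE_FILES = [  # constructed inputs standing in for files discovered under ${CLAUDE_SKILL_DIR}/
    ("terraform/main.tf.json", json.dumps({"resource": {
        "aws_security_group": {"db": {"ingress": [
            {"from_port": 5432, "to_port": 5432, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
            {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
        "aws_iam_policy": {"admin": {"policy": json.dumps({"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}}}})),
    ("k8s/web.json", json.dumps({"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
        "spec": {"containers": [{"name": "app", "image": "nginx:latest",
                                 "securityContext": {"privileged": True}}]}})),
    ("k8s/broken.json", "{ not json"),  # exercises the parse-error path from Error Handling
]

if __name__ == "__main__":
    print(report(*scan(SAMPLE_FILES))[1])
```

The 443 rule in the sample deliberately produces no finding: an open port is only flagged when the range covers one of the listed sensitive ports, which keeps the Critical bucket meaningful. Real scans would read files from disk and handle HCL and YAML (tfsec, checkov, or trivy config do that parsing); the structure of check, classify, report, and skip-with-note for unparsable files is the part this example is meant to show.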

Output

  • Findings Report: ${CLAUDE_SKILL_DIR}/security-findings/misconfig-YYYYMMDD.md with all misconfigurations categorized by severity

  • Remediation Plan: minimal-change fixes with before/after config snippets and verification commands

  • Compliance Mapping: each finding linked to CIS Benchmark, OWASP, or CWE reference

  • Summary Dashboard: finding counts by severity and category

Error Handling

  • Error: Syntax error in ${CLAUDE_SKILL_DIR}/terraform/main.tf
    Cause: Malformed HCL, YAML, or JSON
    Solution: Validate file syntax first; skip malformed files and note parse errors in the report

  • Error: Cannot determine cloud provider from configuration
    Cause: Missing provider blocks or ambiguous file structure
    Solution: Look for provider blocks and file naming conventions; fall back to generic security checks

  • Error: Cannot read encrypted configuration
    Cause: SOPS-encrypted or binary config files
    Solution: Request decrypted version or exported config; document inability to audit

  • Error: Too many config files (500+)
    Cause: Large monorepo or multi-service project
    Solution: Prioritize by file type: IaC first, then app configs, then system configs

  • Error: Flagged configuration is intentional (dev environment)
    Cause: False positive in non-production context
    Solution: Support environment-specific exception rules; allow .securityignore overrides

Examples

  • "Scan Terraform files in ${CLAUDE_SKILL_DIR}/ for overly permissive security groups and IAM wildcard policies."

  • "Review Kubernetes manifests for insecure defaults: privileged containers, missing resource limits, and root execution."

  • "Audit the Nginx and application configs for debug mode, information disclosure, and missing security headers."

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
