config-scan

Security review of configuration files and infrastructure as code.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "config-scan" with this command: npx skills add jwynia/agent-skills/jwynia-agent-skills-config-scan

Config Scan

Security review of configuration files and infrastructure as code.

Quick Start

/config-scan # Scan all config files /config-scan --docker # Docker files only /config-scan --k8s # Kubernetes manifests /config-scan --terraform # Terraform files /config-scan --env # Environment files

What This Skill Detects

Environment Files

  • Secrets in .env files

  • Insecure default values

  • Missing required security variables

Docker Security

  • Running as root

  • Exposed sensitive ports

  • Insecure base images

  • Missing security options

Kubernetes Security

  • Privileged containers

  • Missing resource limits

  • Insecure service accounts

  • Network policy gaps

Infrastructure as Code

  • Overly permissive IAM policies

  • Public S3 buckets

  • Unencrypted storage

  • Missing security groups

Application Config

  • Debug mode enabled

  • Verbose error messages

  • Insecure defaults

Scan Categories

Environment Files

Files scanned: .env , .env.* , *.env

Issue Severity Description

Secrets in .env HIGH Credentials should use secrets manager

.env committed CRITICAL Should be in .gitignore

DEBUG=true HIGH Debug mode in production config

Weak secrets MEDIUM Short or simple values

Detection patterns:

Committed .env files

git ls-files | grep -E '.env$|.env.'

Secrets in env files

(PASSWORD|SECRET|KEY|TOKEN|CREDENTIAL)=.+

Debug flags

DEBUG=(true|1|yes) NODE_ENV=development

Docker Security

Files scanned: Dockerfile , docker-compose.yml

Issue Severity Description

USER root HIGH Container runs as root

COPY secrets CRITICAL Secrets copied into image

Latest tag MEDIUM Unpinned base image

Exposed ports LOW Wide port exposure

No healthcheck LOW Missing health monitoring

Detection patterns:

Running as root (no USER directive)

FROM.*\n(?!.*USER)

Copying secrets

COPY.*.(pem|key|crt|env) COPY.*secret COPY.*password

Unpinned images

FROM\s+\w+:latest FROM\s+\w+\s*$

Dangerous capabilities

--privileged --cap-add

docker-compose.yml issues:

Privileged mode

privileged: true

All capabilities

cap_add:

  • ALL

Host network

network_mode: host

Sensitive mounts

volumes:

  • /:/host
  • /var/run/docker.sock

Kubernetes Security

Files scanned: *.yaml , *.yml (k8s manifests)

Issue Severity Description

privileged: true CRITICAL Full host access

runAsRoot HIGH Container runs as root

No resource limits MEDIUM DoS risk

hostNetwork HIGH Pod uses host network

No securityContext MEDIUM Missing security settings

Detection patterns:

Privileged containers

securityContext: privileged: true

Running as root

securityContext: runAsUser: 0 runAsNonRoot: false

Host access

hostNetwork: true hostPID: true hostIPC: true

Dangerous volume mounts

volumes:

  • hostPath: path: /

Missing limits

(absence of resources.limits)

Wildcard RBAC

rules:

  • apiGroups: [""] resources: [""] verbs: ["*"]

Terraform/IaC

Files scanned: *.tf , *.tfvars

Issue Severity Description

Public S3 bucket CRITICAL Data exposure

  • in IAM policy HIGH Overly permissive

No encryption HIGH Data at rest unencrypted

0.0.0.0/0 ingress HIGH Open to internet

Hardcoded secrets CRITICAL Credentials in TF

Detection patterns:

Public S3

acl = "public-read" acl = "public-read-write"

Overly permissive IAM

"Action": "" "Resource": "" "Principal": "*"

Open security groups

cidr_blocks = ["0.0.0.0/0"] ingress { from_port = 0 to_port = 65535

Missing encryption

encrypted = false

(or absence of encryption settings)

Hardcoded secrets

password = "..." secret_key = "..."

Application Config

Files scanned: config/*.json , *.config.js , application.yml

Issue Severity Description

DEBUG=true HIGH Debug in production

Verbose errors MEDIUM Stack traces exposed

CORS * HIGH All origins allowed

No HTTPS MEDIUM Unencrypted transport

Detection patterns:

// Debug mode debug: true, DEBUG: true, NODE_ENV: 'development'

// Verbose errors showStackTrace: true detailedErrors: true

// CORS origin: '*' origin: true Access-Control-Allow-Origin: *

// Session security secure: false // cookies httpOnly: false sameSite: 'none'

Output Format

CONFIG SCAN RESULTS

Files scanned: 23 Issues found: 15

CRITICAL (2)

[!] Dockerfile:1 - Running as root No USER directive found Fix: Add "USER node" or similar non-root user

[!] terraform/s3.tf:12 - Public S3 bucket acl = "public-read" Fix: Remove public ACL, use bucket policies

HIGH (5)

[H] docker-compose.yml:15 - Privileged container privileged: true Fix: Remove privileged flag, use specific capabilities

[H] k8s/deployment.yaml:34 - Missing resource limits No CPU/memory limits defined Fix: Add resources.limits section

...

MEDIUM (8)

...

Configuration

Ignore Rules

Create .config-scan-ignore :

Ignore specific files

files:

  • "docker-compose.dev.yml"
  • "terraform/modules/test/**"

Ignore specific rules

rules:

  • id: "docker-root-user" files: ["Dockerfile.dev"] reason: "Development only"

  • id: "k8s-no-limits" reason: "Handled by LimitRange"

Scan Profiles

.config-scan.yaml

profile: production # or: development, strict

Custom thresholds

thresholds: fail_on: high warn_on: medium

Specific scanners

scanners: docker: true kubernetes: true terraform: true env_files: true app_config: true

Best Practices Checked

Docker

  • Non-root user specified

  • Base image pinned to digest

  • No secrets in build

  • Multi-stage build used

  • Health check defined

  • Read-only root filesystem

Kubernetes

  • Non-root security context

  • Resource limits defined

  • Network policies in place

  • No privileged containers

  • Service accounts scoped

  • Secrets encrypted at rest

Terraform

  • State file encrypted

  • No hardcoded secrets

  • Least privilege IAM

  • Encryption enabled

  • Logging enabled

  • No public access by default

Remediation Examples

Docker: Run as Non-Root

Before

FROM node:18

After

FROM node:18 RUN groupadd -r app && useradd -r -g app app USER app

Kubernetes: Security Context

Before

containers:

  • name: app image: myapp

After

containers:

  • name: app image: myapp securityContext: runAsNonRoot: true runAsUser: 1000 readOnlyRootFilesystem: true allowPrivilegeEscalation: false

Terraform: Private S3

Before

resource "aws_s3_bucket" "data" { acl = "public-read" }

After

resource "aws_s3_bucket" "data" {

No ACL (private by default)

}

resource "aws_s3_bucket_public_access_block" "data" { bucket = aws_s3_bucket.data.id block_public_acls = true block_public_policy = true ignore_public_acls = true restrict_public_buckets = true }

CI/CD Integration

GitHub Actions

  • name: Config Security Scan run: | /config-scan --fail-on high

  • name: Docker Scan run: | /config-scan --docker --fail-on critical

Related Skills

  • /security-scan

  • Full security analysis

  • /secrets-scan

  • Credential detection

  • /dependency-scan

  • Package vulnerabilities

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

security-scan

No summary provided by upstream source.

Repository SourceNeeds Review
65-jwynia
Automation

frontend-design

No summary provided by upstream source.

Repository SourceNeeds Review
1.5K-jwynia
Research

requirements-analysis

No summary provided by upstream source.

Repository SourceNeeds Review
773-jwynia
Automation

web-search-tavily

No summary provided by upstream source.

Repository SourceNeeds Review
603-jwynia