OpenSkillIndex← back to search
claude-codesecurity

Claude-skill-registry config-scan

Config Scan

install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/config-scan" ~/.claude/skills/majiayu000-claude-skill-registry-config-scan && rm -rf "$T"
manifest: skills/data/config-scan/SKILL.md
tags
#security#configuration#docker#iac#kubernetes#terraform
source content

Config Scan

Security review of configuration files and infrastructure as code.

description: Detect security misconfigurations in config files, Docker, and IaC version: 1.0.0 tags: [security, configuration, docker, iac, terraform, kubernetes]

Quick Start

/config-scan                      # Scan all config files
/config-scan --docker             # Docker files only
/config-scan --k8s                # Kubernetes manifests
/config-scan --terraform          # Terraform files
/config-scan --env                # Environment files

What This Skill Detects

Environment Files

  • Secrets in 
    .env
    files
  • Insecure default values
  • Missing required security variables

Docker Security

  • Running as root
  • Exposed sensitive ports
  • Insecure base images
  • Missing security options

Kubernetes Security

  • Privileged containers
  • Missing resource limits
  • Insecure service accounts
  • Network policy gaps

Infrastructure as Code

  • Overly permissive IAM policies
  • Public S3 buckets
  • Unencrypted storage
  • Missing security groups

Application Config

  • Debug mode enabled
  • Verbose error messages
  • Insecure defaults

Scan Categories

Environment Files

Files scanned: 

.env
, 
.env.*
, 
*.env

IssueSeverityDescription
Secrets in .envHIGHCredentials should use secrets manager
.env committedCRITICALShould be in .gitignore
DEBUG=trueHIGHDebug mode in production config
Weak secretsMEDIUMShort or simple values

Detection patterns:

# Committed .env files
git ls-files | grep -E '\.env$|\.env\.'

# Secrets in env files
(PASSWORD|SECRET|KEY|TOKEN|CREDENTIAL)=.+

# Debug flags
DEBUG=(true|1|yes)
NODE_ENV=development

Docker Security

Files scanned: 

Dockerfile
, 
docker-compose.yml

IssueSeverityDescription
USER rootHIGHContainer runs as root
COPY secretsCRITICALSecrets copied into image
Latest tagMEDIUMUnpinned base image
Exposed portsLOWWide port exposure
No healthcheckLOWMissing health monitoring

Detection patterns:

# Running as root (no USER directive)
FROM.*\n(?!.*USER)

# Copying secrets
COPY.*\.(pem|key|crt|env)
COPY.*secret
COPY.*password

# Unpinned images
FROM\s+\w+:latest
FROM\s+\w+\s*$

# Dangerous capabilities
--privileged
--cap-add

docker-compose.yml issues:

# Privileged mode
privileged: true

# All capabilities
cap_add:
  - ALL

# Host network
network_mode: host

# Sensitive mounts
volumes:
  - /:/host
  - /var/run/docker.sock

Kubernetes Security

Files scanned: 

*.yaml
, 
*.yml
(k8s manifests)

IssueSeverityDescription
privileged: trueCRITICALFull host access
runAsRootHIGHContainer runs as root
No resource limitsMEDIUMDoS risk
hostNetworkHIGHPod uses host network
No securityContextMEDIUMMissing security settings

Detection patterns:

# Privileged containers
securityContext:
  privileged: true

# Running as root
securityContext:
  runAsUser: 0
runAsNonRoot: false

# Host access
hostNetwork: true
hostPID: true
hostIPC: true

# Dangerous volume mounts
volumes:
  - hostPath:
      path: /

# Missing limits
# (absence of resources.limits)

# Wildcard RBAC
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]

Terraform/IaC

Files scanned: 

*.tf
, 
*.tfvars

IssueSeverityDescription
Public S3 bucketCRITICALData exposure
* in IAM policyHIGHOverly permissive
No encryptionHIGHData at rest unencrypted
0.0.0.0/0 ingressHIGHOpen to internet
Hardcoded secretsCRITICALCredentials in TF

Detection patterns:

# Public S3
acl = "public-read"
acl = "public-read-write"

# Overly permissive IAM
"Action": "*"
"Resource": "*"
"Principal": "*"

# Open security groups
cidr_blocks = ["0.0.0.0/0"]
ingress {
  from_port = 0
  to_port   = 65535

# Missing encryption
encrypted = false
# (or absence of encryption settings)

# Hardcoded secrets
password = "..."
secret_key = "..."

Application Config

Files scanned: 

config/*.json
, 
*.config.js
, 
application.yml

IssueSeverityDescription
DEBUG=trueHIGHDebug in production
Verbose errorsMEDIUMStack traces exposed
CORS *HIGHAll origins allowed
No HTTPSMEDIUMUnencrypted transport

Detection patterns:

// Debug mode
debug: true,
DEBUG: true,
NODE_ENV: 'development'

// Verbose errors
showStackTrace: true
detailedErrors: true

// CORS
origin: '*'
origin: true
Access-Control-Allow-Origin: *

// Session security
secure: false  // cookies
httpOnly: false
sameSite: 'none'

Output Format

CONFIG SCAN RESULTS
===================

Files scanned: 23
Issues found: 15

CRITICAL (2)
------------
[!] Dockerfile:1 - Running as root
    No USER directive found
    Fix: Add "USER node" or similar non-root user

[!] terraform/s3.tf:12 - Public S3 bucket
    acl = "public-read"
    Fix: Remove public ACL, use bucket policies

HIGH (5)
--------
[H] docker-compose.yml:15 - Privileged container
    privileged: true
    Fix: Remove privileged flag, use specific capabilities

[H] k8s/deployment.yaml:34 - Missing resource limits
    No CPU/memory limits defined
    Fix: Add resources.limits section

...

MEDIUM (8)
----------
...

Configuration

Ignore Rules

Create 

.config-scan-ignore
:

# Ignore specific files
files:
  - "docker-compose.dev.yml"
  - "terraform/modules/test/**"

# Ignore specific rules
rules:
  - id: "docker-root-user"
    files: ["Dockerfile.dev"]
    reason: "Development only"

  - id: "k8s-no-limits"
    reason: "Handled by LimitRange"

Scan Profiles

# .config-scan.yaml
profile: production  # or: development, strict

# Custom thresholds
thresholds:
  fail_on: high
  warn_on: medium

# Specific scanners
scanners:
  docker: true
  kubernetes: true
  terraform: true
  env_files: true
  app_config: true

Best Practices Checked

Docker

  • Non-root user specified
  • Base image pinned to digest
  • No secrets in build
  • Multi-stage build used
  • Health check defined
  • Read-only root filesystem

Kubernetes

  • Non-root security context
  • Resource limits defined
  • Network policies in place
  • No privileged containers
  • Service accounts scoped
  • Secrets encrypted at rest

Terraform

  • State file encrypted
  • No hardcoded secrets
  • Least privilege IAM
  • Encryption enabled
  • Logging enabled
  • No public access by default

Remediation Examples

Docker: Run as Non-Root

# Before
FROM node:18

# After
FROM node:18
RUN groupadd -r app && useradd -r -g app app
USER app

Kubernetes: Security Context

# Before
containers:
  - name: app
    image: myapp

# After
containers:
  - name: app
    image: myapp
    securityContext:
      runAsNonRoot: true
      runAsUser: 1000
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false

Terraform: Private S3

# Before
resource "aws_s3_bucket" "data" {
  acl = "public-read"
}

# After
resource "aws_s3_bucket" "data" {
  # No ACL (private by default)
}

resource "aws_s3_bucket_public_access_block" "data" {
  bucket = aws_s3_bucket.data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

CI/CD Integration

# GitHub Actions
- name: Config Security Scan
  run: |
    /config-scan --fail-on high

- name: Docker Scan
  run: |
    /config-scan --docker --fail-on critical

Related Skills

  • /security-scan
    - Full security analysis
  • /secrets-scan
    - Credential detection
  • /dependency-scan
    - Package vulnerabilities