finding-security-misconfigurations
Installation
SKILL.md
Finding Security Misconfigurations
Overview
Scan infrastructure-as-code templates, application configuration files, and system settings to detect security misconfigurations mapped to OWASP A05:2021 (Security Misconfiguration) and CIS Benchmarks. Cover cloud resources (AWS, GCP, Azure), container orchestration (Kubernetes, Docker), web servers (Nginx, Apache), and application frameworks.
Prerequisites
- Infrastructure-as-code files accessible in
${CLAUDE_SKILL_DIR}/(Terraform.tf, CloudFormation.yaml/.json, Ansible playbooks, Kubernetes manifests) - Application configuration files available (
application.yml,config.json,.env.example,web.config) - Container definitions (
Dockerfile,docker-compose.yml, Helm charts) - Web server configs (
nginx.conf,httpd.conf,.htaccess) if applicable - Write permissions for findings output in
${CLAUDE_SKILL_DIR}/security-findings/ - Optional:
tfsec,checkov, ortrivy configinstalled for automated pre-scanning
Instructions
- Discover all configuration files by scanning
${CLAUDE_SKILL_DIR}/for IaC templates (.tf,.yaml,.json,.template), application configs, container definitions, and web server configs. - Cloud storage: check for publicly accessible S3 buckets, unencrypted storage accounts, missing versioning, and overly permissive bucket policies (CIS AWS 2.1.1, 2.1.2).
- Network security: flag security groups allowing
0.0.0.0/0ingress on sensitive ports (22, 3389, 3306, 5432, 27017), missing VPC flow logs, and absent network segmentation. - IAM and access: detect wildcard (
*) permissions in IAM policies, service accounts with admin privileges, missing MFA enforcement, and hardcoded credentials in source (CWE-798). - Compute resources: identify EC2/VM instances with unnecessary public IPs, unencrypted volumes, missing IMDSv2 enforcement, and outdated base images.
- Database security: flag publicly accessible RDS/Cloud SQL instances, missing encryption at rest, disabled automated backups, default ports exposed without IP restrictions.
- Application config: detect debug mode enabled in production, default credentials, CORS wildcard (
*), missing CSRF protection, disabled authentication endpoints, and API keys in config files. - Container security: check for containers running as root, missing resource limits,
privileged: true, writable root filesystems, and images without pinned digests. - Classify each finding: Critical (immediate exploitation risk), High (significant security impact), Medium (configuration weakness), Low (best practice violation).
- Generate findings report at
${CLAUDE_SKILL_DIR}/security-findings/misconfig-YYYYMMDD.mdwith per-finding severity, CIS/CWE mapping, affected file and line, remediation code, and verification command.
See ${CLAUDE_SKILL_DIR}/references/implementation.md for the full six-section implementation guide covering IaC, application, and system checks.
Output
- Findings Report:
${CLAUDE_SKILL_DIR}/security-findings/misconfig-YYYYMMDD.mdwith all misconfigurations categorized by severity - Remediation Plan: minimal-change fixes with before/after config snippets and verification commands
- Compliance Mapping: each finding linked to CIS Benchmark, OWASP, or CWE reference
- Summary Dashboard: finding counts by severity and category
Error Handling
| Error | Cause | Solution |
|---|---|---|
Syntax error in ${CLAUDE_SKILL_DIR}/terraform/main.tf |
Malformed HCL, YAML, or JSON | Validate file syntax first; skip malformed files and note parse errors in report |
| Cannot determine cloud provider from configuration | Missing provider blocks or ambiguous file structure | Look for provider blocks and file naming conventions; fall back to generic security checks |
| Cannot read encrypted configuration | SOPS-encrypted or binary config files | Request decrypted version or exported config; document inability to audit |
| Too many config files (500+) | Large monorepo or multi-service project | Prioritize by file type: IaC first, then app configs, then system configs |
| Flagged configuration is intentional (dev environment) | False positive in non-production context | Support environment-specific exception rules; allow .securityignore overrides |
Examples
- "Scan Terraform files in
${CLAUDE_SKILL_DIR}/for overly permissive security groups and IAM wildcard policies." - "Review Kubernetes manifests for insecure defaults: privileged containers, missing resource limits, and root execution."
- "Audit the Nginx and application configs for debug mode, information disclosure, and missing security headers."
Resources
- CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks/
- OWASP IaC Security Cheatsheet: https://cheatsheetseries.owasp.org/cheatsheets/Infrastructure_as_Code_Security_Cheatsheet.html
- OWASP A05:2021 Security Misconfiguration: https://owasp.org/Top10/A05_2021-Security_Misconfiguration/
- tfsec (Terraform scanner): https://github.com/aquasecurity/tfsec
- Checkov (multi-cloud IaC scanner): https://www.checkov.io/
- CWE-16 Configuration: https://cwe.mitre.org/data/definitions/16.html
${CLAUDE_SKILL_DIR}/references/errors.md-- full error handling reference${CLAUDE_SKILL_DIR}/references/examples.md-- additional usage examples- https://intentsolutions.io
Weekly Installs
25
Repository
jeremylongshore…s-skillsGitHub Stars
2.1K
First Seen
Feb 1, 2026
Security Audits