Skills
skills/jwynia/agent-skills/config-scan

config-scan

SKILL.md

Config Scan

Security review of configuration files and infrastructure as code.

Quick Start

/config-scan                      # Scan all config files
/config-scan --docker             # Docker files only
/config-scan --k8s                # Kubernetes manifests
/config-scan --terraform          # Terraform files
/config-scan --env                # Environment files

What This Skill Detects

Environment Files

  • Secrets in .env files
  • Insecure default values
  • Missing required security variables

Docker Security

  • Running as root
  • Exposed sensitive ports
  • Insecure base images
  • Missing security options

Kubernetes Security

  • Privileged containers
  • Missing resource limits
  • Insecure service accounts
  • Network policy gaps

Infrastructure as Code

  • Overly permissive IAM policies
  • Public S3 buckets
  • Unencrypted storage
  • Missing security groups

Application Config

  • Debug mode enabled
  • Verbose error messages
  • Insecure defaults

Scan Categories

Environment Files

Files scanned: .env, .env.*, *.env

Issue Severity Description
Secrets in .env HIGH Credentials should use secrets manager
.env committed CRITICAL Should be in .gitignore
DEBUG=true HIGH Debug mode in production config
Weak secrets MEDIUM Short or simple values

Detection patterns:

# Committed .env files
git ls-files | grep -E '\.env$|\.env\.'

# Secrets in env files
(PASSWORD|SECRET|KEY|TOKEN|CREDENTIAL)=.+

# Debug flags
DEBUG=(true|1|yes)
NODE_ENV=development

Docker Security

Files scanned: Dockerfile, docker-compose.yml

Issue Severity Description
USER root HIGH Container runs as root
COPY secrets CRITICAL Secrets copied into image
Latest tag MEDIUM Unpinned base image
Exposed ports LOW Wide port exposure
No healthcheck LOW Missing health monitoring

Detection patterns:

# Running as root (no USER directive)
FROM.*\n(?!.*USER)

# Copying secrets
COPY.*\.(pem|key|crt|env)
COPY.*secret
COPY.*password

# Unpinned images
FROM\s+\w+:latest
FROM\s+\w+\s*$

# Dangerous capabilities
--privileged
--cap-add

docker-compose.yml issues:

# Privileged mode
privileged: true

# All capabilities
cap_add:
  - ALL

# Host network
network_mode: host

# Sensitive mounts
volumes:
  - /:/host
  - /var/run/docker.sock

Kubernetes Security

Files scanned: *.yaml, *.yml (k8s manifests)

Issue Severity Description
privileged: true CRITICAL Full host access
runAsRoot HIGH Container runs as root
No resource limits MEDIUM DoS risk
hostNetwork HIGH Pod uses host network
No securityContext MEDIUM Missing security settings

Detection patterns:

# Privileged containers
securityContext:
  privileged: true

# Running as root
securityContext:
  runAsUser: 0
runAsNonRoot: false

# Host access
hostNetwork: true
hostPID: true
hostIPC: true

# Dangerous volume mounts
volumes:
  - hostPath:
      path: /

# Missing limits
# (absence of resources.limits)

# Wildcard RBAC
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]

Terraform/IaC

Files scanned: *.tf, *.tfvars

Issue Severity Description
Public S3 bucket CRITICAL Data exposure
* in IAM policy HIGH Overly permissive
No encryption HIGH Data at rest unencrypted
0.0.0.0/0 ingress HIGH Open to internet
Hardcoded secrets CRITICAL Credentials in TF

Detection patterns:

# Public S3
acl = "public-read"
acl = "public-read-write"

# Overly permissive IAM
"Action": "*"
"Resource": "*"
"Principal": "*"

# Open security groups
cidr_blocks = ["0.0.0.0/0"]
ingress {
  from_port = 0
  to_port   = 65535

# Missing encryption
encrypted = false
# (or absence of encryption settings)

# Hardcoded secrets
password = "..."
secret_key = "..."

Application Config

Files scanned: config/*.json, *.config.js, application.yml

Issue Severity Description
DEBUG=true HIGH Debug in production
Verbose errors MEDIUM Stack traces exposed
CORS * HIGH All origins allowed
No HTTPS MEDIUM Unencrypted transport

Detection patterns:

// Debug mode
debug: true,
DEBUG: true,
NODE_ENV: 'development'

// Verbose errors
showStackTrace: true
detailedErrors: true

// CORS
origin: '*'
origin: true
Access-Control-Allow-Origin: *

// Session security
secure: false  // cookies
httpOnly: false
sameSite: 'none'

Output Format

CONFIG SCAN RESULTS
===================

Files scanned: 23
Issues found: 15

CRITICAL (2)
------------
[!] Dockerfile:1 - Running as root
    No USER directive found
    Fix: Add "USER node" or similar non-root user

[!] terraform/s3.tf:12 - Public S3 bucket
    acl = "public-read"
    Fix: Remove public ACL, use bucket policies

HIGH (5)
--------
[H] docker-compose.yml:15 - Privileged container
    privileged: true
    Fix: Remove privileged flag, use specific capabilities

[H] k8s/deployment.yaml:34 - Missing resource limits
    No CPU/memory limits defined
    Fix: Add resources.limits section

...

MEDIUM (8)
----------
...

Configuration

Ignore Rules

Create .config-scan-ignore:

# Ignore specific files
files:
  - "docker-compose.dev.yml"
  - "terraform/modules/test/**"

# Ignore specific rules
rules:
  - id: "docker-root-user"
    files: ["Dockerfile.dev"]
    reason: "Development only"

  - id: "k8s-no-limits"
    reason: "Handled by LimitRange"

Scan Profiles

# .config-scan.yaml
profile: production  # or: development, strict

# Custom thresholds
thresholds:
  fail_on: high
  warn_on: medium

# Specific scanners
scanners:
  docker: true
  kubernetes: true
  terraform: true
  env_files: true
  app_config: true

Best Practices Checked

Docker

  • Non-root user specified
  • Base image pinned to digest
  • No secrets in build
  • Multi-stage build used
  • Health check defined
  • Read-only root filesystem

Kubernetes

  • Non-root security context
  • Resource limits defined
  • Network policies in place
  • No privileged containers
  • Service accounts scoped
  • Secrets encrypted at rest

Terraform

  • State file encrypted
  • No hardcoded secrets
  • Least privilege IAM
  • Encryption enabled
  • Logging enabled
  • No public access by default

Remediation Examples

Docker: Run as Non-Root

# Before
FROM node:18

# After
FROM node:18
RUN groupadd -r app && useradd -r -g app app
USER app

Kubernetes: Security Context

# Before
containers:
  - name: app
    image: myapp

# After
containers:
  - name: app
    image: myapp
    securityContext:
      runAsNonRoot: true
      runAsUser: 1000
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false

Terraform: Private S3

# Before
resource "aws_s3_bucket" "data" {
  acl = "public-read"
}

# After
resource "aws_s3_bucket" "data" {
  # No ACL (private by default)
}

resource "aws_s3_bucket_public_access_block" "data" {
  bucket = aws_s3_bucket.data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

CI/CD Integration

# GitHub Actions
- name: Config Security Scan
  run: |
    /config-scan --fail-on high

- name: Docker Scan
  run: |
    /config-scan --docker --fail-on critical

Related Skills

  • /security-scan - Full security analysis
  • /secrets-scan - Credential detection
  • /dependency-scan - Package vulnerabilities
Weekly Installs
49
Repository
jwynia/agent-skills
GitHub Stars
35
First Seen
Feb 15, 2026
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykPass
Installed on
codex44
github-copilot43
gemini-cli42
opencode41
kimi-cli40
amp40