finding-security-misconfigurations
Identify security misconfigurations in infrastructure-as-code, application settings, and system configurations. Use when you need to audit Terraform/CloudFormation templates, check application config files, validate system security settings, or ensure compliance with security best practices. Trigger with phrases like "find security misconfigurations", "audit infrastructure security", "check config security", or "scan for misconfigured settings".
What this skill does
# Finding Security Misconfigurations
## Overview
Scan infrastructure-as-code templates, application configuration files, and system settings to detect security misconfigurations mapped to OWASP A05:2021 (Security Misconfiguration) and CIS Benchmarks. Cover cloud resources (AWS, GCP, Azure), container orchestration (Kubernetes, Docker), web servers (Nginx, Apache), and application frameworks.
## Prerequisites
- Infrastructure-as-code files accessible in `${CLAUDE_SKILL_DIR}/` (Terraform `.tf`, CloudFormation `.yaml/.json`, Ansible playbooks, Kubernetes manifests)
- Application configuration files available (`application.yml`, `config.json`, `.env.example`, `web.config`)
- Container definitions (`Dockerfile`, `docker-compose.yml`, Helm charts)
- Web server configs (`nginx.conf`, `httpd.conf`, `.htaccess`) if applicable
- Write permissions for findings output in `${CLAUDE_SKILL_DIR}/security-findings/`
- Optional: `tfsec`, `checkov`, or `trivy config` installed for automated pre-scanning
## Instructions
1. Discover all configuration files by scanning `${CLAUDE_SKILL_DIR}/` for IaC templates (`.tf`, `.yaml`, `.json`, `.template`), application configs, container definitions, and web server configs.
2. **Cloud storage**: check for publicly accessible S3 buckets, unencrypted storage accounts, missing versioning, and overly permissive bucket policies (CIS AWS 2.1.1, 2.1.2).
3. **Network security**: flag security groups allowing `0.0.0.0/0` ingress on sensitive ports (22, 3389, 3306, 5432, 27017), missing VPC flow logs, and absent network segmentation.
4. **IAM and access**: detect wildcard (`*`) permissions in IAM policies, service accounts with admin privileges, missing MFA enforcement, and hardcoded credentials in source (CWE-798).
5. **Compute resources**: identify EC2/VM instances with unnecessary public IPs, unencrypted volumes, missing IMDSv2 enforcement, and outdated base images.
6. **Database security**: flag publicly accessible RDS/Cloud SQL instances, missing encryption at rest, disabled automated backups, and default ports exposed without IP restrictions.
7. **Application config**: detect debug mode enabled in production, default credentials, CORS wildcard (`*`), missing CSRF protection, disabled authentication endpoints, and API keys in config files.
8. **Container security**: check for containers running as root, missing resource limits, `privileged: true`, writable root filesystems, and images without pinned digests.
9. Classify each finding: **Critical** (immediate exploitation risk), **High** (significant security impact), **Medium** (configuration weakness), **Low** (best practice violation).
10. Generate findings report at `${CLAUDE_SKILL_DIR}/security-findings/misconfig-YYYYMMDD.md` with per-finding severity, CIS/CWE mapping, affected file and line, remediation code, and verification command.
See `${CLAUDE_SKILL_DIR}/references/implementation.md` for the full six-section implementation guide covering IaC, application, and system checks.
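
A sketch of steps 3, 4, and 9 applied to a CloudFormation JSON template, added here as an illustration and not taken from the skill's own implementation. The function names (`audit`, `exposed_ports`, `as_list`), the trimmed sample template, and the severity assigned to each finding are assumptions of this example.

```python
import json

SENSITIVE_PORTS = {22, 3389, 3306, 5432, 27017}  # ports listed in step 3
# Constructed, trimmed sample template (not from a real project).
TEMPLATE = json.loads("""
{"Resources": {
  "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
    {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25, "CidrIp": "0.0.0.0/0"}]}},
  "DbSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
    {"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "CidrIp": "10.0.0.0/16"}]}},
  "AdminPolicy": {"Type": "AWS::IAM::Policy", "Properties": {"PolicyDocument": {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"}]}}}
}}
""")

def as_list(value):
    """Statement, Action and Resource may each be a single value or a list."""
    return value if isinstance(value, list) else [value]

def exposed_ports(rule):
    """Return the sensitive ports reachable through one world-open ingress rule."""
    if rule.get("CidrIp") != "0.0.0.0/0" and rule.get("CidrIpv6") != "::/0":
        return set()
    if str(rule.get("IpProtocol")) == "-1":  # all protocols, so every port is open
        return set(SENSITIVE_PORTS)
    lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}  # ranges count, not just exact ports

def audit(template):
    # Severity labels are this example's assumption, using the classes from step 9.
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                ports = exposed_ports(rule)
                if ports:
                    findings.append(("Critical", name, "open ingress on " + ",".join(map(str, sorted(ports)))))
        elif res.get("Type") == "AWS::IAM::Policy":
            for stmt in as_list(props.get("PolicyDocument", {}).get("Statement", [])):
                wild = [a for a in as_list(stmt.get("Action", [])) if a == "*" or a.endswith(":*")]
                if stmt.get("Effect") == "Allow" and wild:
                    full = "*" in wild and "*" in as_list(stmt.get("Resource", []))
                    findings.append(("Critical" if full else "High", name, "wildcard IAM action " + ",".join(wild)))
    return findings
```

The port check matches ranges and the `-1` protocol, so a rule opening 20-25 or all traffic is reported even though port 22 never appears literally in the template.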
## Output
- **Findings Report**: `${CLAUDE_SKILL_DIR}/security-findings/misconfig-YYYYMMDD.md` with all misconfigurations categorized by severity
- **Remediation Plan**: minimal-change fixes with before/after config snippets and verification commands
- **Compliance Mapping**: each finding linked to CIS Benchmark, OWASP, or CWE reference
- **Summary Dashboard**: finding counts by severity and category
## Error Handling
| Error | Cause | Solution |
|-------|-------|----------|
| Syntax error in `${CLAUDE_SKILL_DIR}/terraform/main.tf` | Malformed HCL, YAML, or JSON | Validate file syntax first; skip malformed files and note parse errors in report |
| Cannot determine cloud provider from configuration | Missing provider blocks or ambiguous file structure | Look for provider blocks and file naming conventions; fall back to generic security checks |
| Cannot read encrypted configuration | SOPS-encrypted or binary config files | Request decrypted version or exported config; document inability to audit |
| Too many config files (500+) | Large monorepo or multi-service project | Prioritize by file type: IaC first, then app configs, then system configs |
| Flagged configuration is intentional (dev environment) | False positive in non-production context | Support environment-specific exception rules; allow `.securityignore` overrides |
## Examples
- "Scan Terraform files in `${CLAUDE_SKILL_DIR}/` for overly permissive security groups and IAM wildcard policies."
- "Review Kubernetes manifests for insecure defaults: privileged containers, missing resource limits, and root execution."
- "Audit the Nginx and application configs for debug mode, information disclosure, and missing security headers."
## Resources
- CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks/
- OWASP IaC Security Cheatsheet:
- OWASP A05:2021 Security Misconfiguration: https://owasp.org/Top10/A05_2021-Security_Misconfiguration/
- tfsec (Terraform scanner): https://github.com/aquasecurity/tfsec
- Checkov (multi-cloud IaC scanner): https://www.checkov.io/
- CWE-16 Configuration: https://cwe.mitre.org/data/definitions/16.html
- `${CLAUDE_SKILL_DIR}/references/errors.md` -- full error handling reference
- `${CLAUDE_SKILL_DIR}/references/examples.md` -- additional usage examples
- https://intentsolutions.io