Config Scan Skill | Agent Skills

Config Scan

Security review of configuration files and infrastructure as code.

Quick Start

/config-scan                      # Scan all config files
/config-scan --docker             # Docker files only
/config-scan --k8s                # Kubernetes manifests
/config-scan --terraform          # Terraform files
/config-scan --env                # Environment files

What This Skill Detects

Environment Files

Secrets in .env files
Insecure default values
Missing required security variables

Docker Security

Running as root
Exposed sensitive ports
Insecure base images
Missing security options

Kubernetes Security

Privileged containers
Missing resource limits
Insecure service accounts
Network policy gaps

Infrastructure as Code

Overly permissive IAM policies
Public S3 buckets
Unencrypted storage
Missing security groups

Application Config

Debug mode enabled
Verbose error messages
Insecure defaults

Scan Categories

Environment Files

Files scanned: .env, .env.*, *.env

| Issue | Severity | Description | |-------|----------|-------------| | Secrets in .env | HIGH | Credentials should use secrets manager | | .env committed | CRITICAL | Should be in .gitignore | | DEBUG=true | HIGH | Debug mode in production config | | Weak secrets | MEDIUM | Short or simple values |

Detection patterns:

# Committed .env files
git ls-files | grep -E '\.env$|\.env\.'

# Secrets in env files
(PASSWORD|SECRET|KEY|TOKEN|CREDENTIAL)=.+

# Debug flags
DEBUG=(true|1|yes)
NODE_ENV=development

Docker Security

Files scanned: Dockerfile, docker-compose.yml

| Issue | Severity | Description | |-------|----------|-------------| | USER root | HIGH | Container runs as root | | COPY secrets | CRITICAL | Secrets copied into image | | Latest tag | MEDIUM | Unpinned base image | | Exposed ports | LOW | Wide port exposure | | No healthcheck | LOW | Missing health monitoring |

Detection patterns:

# Running as root (no USER directive)
FROM.*\n(?!.*USER)

# Copying secrets
COPY.*\.(pem|key|crt|env)
COPY.*secret
COPY.*password

# Unpinned images
FROM\s+\w+:latest
FROM\s+\w+\s*$

# Dangerous capabilities
--privileged
--cap-add

docker-compose.yml issues:

# Privileged mode
privileged: true

# All capabilities
cap_add:
  - ALL

# Host network
network_mode: host

# Sensitive mounts
volumes:
  - /:/host
  - /var/run/docker.sock

Kubernetes Security

Files scanned: *.yaml, *.yml (k8s manifests)

| Issue | Severity | Description | |-------|----------|-------------| | privileged: true | CRITICAL | Full host access | | runAsRoot | HIGH | Container runs as root | | No resource limits | MEDIUM | DoS risk | | hostNetwork | HIGH | Pod uses host network | | No securityContext | MEDIUM | Missing security settings |

Detection patterns:

# Privileged containers
securityContext:
  privileged: true

# Running as root
securityContext:
  runAsUser: 0
runAsNonRoot: false

# Host access
hostNetwork: true
hostPID: true
hostIPC: true

# Dangerous volume mounts
volumes:
  - hostPath:
      path: /

# Missing limits
# (absence of resources.limits)

# Wildcard RBAC
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]

Terraform/IaC

Files scanned: *.tf, *.tfvars

| Issue | Severity | Description | |-------|----------|-------------| | Public S3 bucket | CRITICAL | Data exposure | | * in IAM policy | HIGH | Overly permissive | | No encryption | HIGH | Data at rest unencrypted | | 0.0.0.0/0 ingress | HIGH | Open to internet | | Hardcoded secrets | CRITICAL | Credentials in TF |

Detection patterns:

# Public S3
acl = "public-read"
acl = "public-read-write"

# Overly permissive IAM
"Action": "*"
"Resource": "*"
"Principal": "*"

# Open security groups
cidr_blocks = ["0.0.0.0/0"]
ingress {
  from_port = 0
  to_port   = 65535

# Missing encryption
encrypted = false
# (or absence of encryption settings)

# Hardcoded secrets
password = "..."
secret_key = "..."

Application Config

Files scanned: config/*.json, *.config.js, application.yml

| Issue | Severity | Description | |-------|----------|-------------| | DEBUG=true | HIGH | Debug in production | | Verbose errors | MEDIUM | Stack traces exposed | | CORS * | HIGH | All origins allowed | | No HTTPS | MEDIUM | Unencrypted transport |

Detection patterns:

// Debug mode
debug: true,
DEBUG: true,
NODE_ENV: 'development'

// Verbose errors
showStackTrace: true
detailedErrors: true

// CORS
origin: '*'
origin: true
Access-Control-Allow-Origin: *

// Session security
secure: false  // cookies
httpOnly: false
sameSite: 'none'

Output Format

CONFIG SCAN RESULTS
===================

Files scanned: 23
Issues found: 15

CRITICAL (2)
------------
[!] Dockerfile:1 - Running as root
    No USER directive found
    Fix: Add "USER node" or similar non-root user

[!] terraform/s3.tf:12 - Public S3 bucket
    acl = "public-read"
    Fix: Remove public ACL, use bucket policies

HIGH (5)
--------
[H] docker-compose.yml:15 - Privileged container
    privileged: true
    Fix: Remove privileged flag, use specific capabilities

[H] k8s/deployment.yaml:34 - Missing resource limits
    No CPU/memory limits defined
    Fix: Add resources.limits section

...

MEDIUM (8)
----------
...

Configuration

Ignore Rules

Create .config-scan-ignore:

# Ignore specific files
files:
  - "docker-compose.dev.yml"
  - "terraform/modules/test/**"

# Ignore specific rules
rules:
  - id: "docker-root-user"
    files: ["Dockerfile.dev"]
    reason: "Development only"

  - id: "k8s-no-limits"
    reason: "Handled by LimitRange"

Scan Profiles

# .config-scan.yaml
profile: production  # or: development, strict

# Custom thresholds
thresholds:
  fail_on: high
  warn_on: medium

# Specific scanners
scanners:
  docker: true
  kubernetes: true
  terraform: true
  env_files: true
  app_config: true

Best Practices Checked

Docker

[ ] Non-root user specified
[ ] Base image pinned to digest
[ ] No secrets in build
[ ] Multi-stage build used
[ ] Health check defined
[ ] Read-only root filesystem

Kubernetes

[ ] Non-root security context
[ ] Resource limits defined
[ ] Network policies in place
[ ] No privileged containers
[ ] Service accounts scoped
[ ] Secrets encrypted at rest

Terraform

[ ] State file encrypted
[ ] No hardcoded secrets
[ ] Least privilege IAM
[ ] Encryption enabled
[ ] Logging enabled
[ ] No public access by default

Remediation Examples

Docker: Run as Non-Root

# Before
FROM node:18

# After
FROM node:18
RUN groupadd -r app && useradd -r -g app app
USER app

Kubernetes: Security Context

# Before
containers:
  - name: app
    image: myapp

# After
containers:
  - name: app
    image: myapp
    securityContext:
      runAsNonRoot: true
      runAsUser: 1000
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false

Terraform: Private S3

# Before
resource "aws_s3_bucket" "data" {
  acl = "public-read"
}

# After
resource "aws_s3_bucket" "data" {
  # No ACL (private by default)
}

resource "aws_s3_bucket_public_access_block" "data" {
  bucket = aws_s3_bucket.data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

CI/CD Integration

# GitHub Actions
- name: Config Security Scan
  run: |
    /config-scan --fail-on high

- name: Docker Scan
  run: |
    /config-scan --docker --fail-on critical

Related Skills

/security-scan - Full security analysis
/secrets-scan - Credential detection
/dependency-scan - Package vulnerabilities

Agent Skills: Config Scan

Install this agent skill to your local

Skill Files

Config Scan

Quick Start

What This Skill Detects

Environment Files

Docker Security

Kubernetes Security

Infrastructure as Code

Application Config

Scan Categories

Environment Files

Docker Security

Kubernetes Security

Terraform/IaC

Application Config

Output Format

Configuration

Ignore Rules

Scan Profiles

Best Practices Checked

Docker

Kubernetes

Terraform

Remediation Examples

Docker: Run as Non-Root

Kubernetes: Security Context

Terraform: Private S3

CI/CD Integration

Related Skills