Back to Details

misconfig

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Security Misconfiguration Analysis

安全配置错误分析

Analyze application and infrastructure configuration for security misconfigurations that could expose the system to attack. Covers missing security headers, debug modes left enabled, overly permissive CORS, default credentials, verbose error handling, unnecessary features, and directory listing.
分析应用程序和基础设施配置中可能导致系统易受攻击的安全配置错误,涵盖缺失的安全头、未关闭的调试模式、过于宽松的CORS、默认凭据、详细错误处理、不必要的功能以及目录列表等问题。

Supported Flags

支持的标志

Read 
../../shared/schemas/flags.md
 for full flag documentation. This skill supports all cross-cutting flags.
Key flags for this skill:
FlagEffect
--scope <value>
Target scope (default: 
changed
). Config-heavy scopes like 
path:
and 
full
are common.
--depth <value>
Analysis depth (default: 
standard
). 
deep
traces config inheritance chains.
--severity <value>
Minimum severity to report (default: all).
--format <value>
Output format: 
text
, 
json
, 
sarif
, 
md
.
--fix
Generate remediation patches for each finding.
--explain
Add OWASP context and learning material to each finding.
完整的标志说明请阅读
../../shared/schemas/flags.md
。本Skill支持所有跨领域标志。
本Skill的关键标志:
标志作用
--scope <value>
目标范围(默认值:
changed
)。常用的重配置范围如
path:
full
--depth <value>
分析深度(默认值:
standard
)。
deep
模式会追踪配置继承链。
--severity <value>
报告的最低严重级别(默认值:所有级别)。
--format <value>
输出格式:
text
json
sarif
md
--fix
为每个检测结果生成修复补丁。
--explain
为每个检测结果添加OWASP相关背景和学习资料。

Framework Context

框架背景

OWASP Top 10 2021 -- A05: Security Misconfiguration
Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive CORS, and verbose error messages containing sensitive information.
CWE Mappings:
  • CWE-16: Configuration
  • CWE-2: Environment
  • CWE-388: Error Handling
  • CWE-497: Exposure of System Data to an Unauthorized Control Sphere
  • CWE-611: Improper Restriction of XML External Entity Reference
  • CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
  • CWE-756: Missing Custom Error Page
  • CWE-942: Permissive Cross-domain Policy with Untrusted Domains
STRIDE Mapping: All categories -- misconfigurations can enable spoofing, tampering, information disclosure, denial of service, and elevation of privilege.
OWASP Top 10 2021 -- A05: 安全配置错误
安全配置错误是最常见的问题之一,通常由不安全的默认配置、不完整或临时配置、开放的云存储、错误配置的HTTP头、不必要的HTTP方法、宽松的CORS以及包含敏感信息的详细错误消息导致。
CWE映射:
  • CWE-16: 配置问题
  • CWE-2: 环境问题
  • CWE-388: 错误处理
  • CWE-497: 系统数据向未授权控制范围暴露
  • CWE-611: XML外部实体引用限制不当
  • CWE-614: HTTPS会话中敏感Cookie缺失'Secure'属性
  • CWE-756: 缺少自定义错误页面
  • CWE-942: 与不可信域的宽松跨域策略
STRIDE映射: 所有类别——配置错误可能导致欺骗、篡改、信息泄露、拒绝服务和权限提升。

Detection Patterns

检测模式

Read 
references/detection-patterns.md
 before running analysis. It contains Grep regex patterns, language-specific examples, scanner coverage, and false positive guidance for each detection category.
运行分析前请阅读
references/detection-patterns.md
,其中包含Grep正则表达式模式、特定语言示例、扫描器覆盖范围以及每个检测类别的误报指导。

Workflow

工作流程

Step 1 -- Determine Scope

步骤1 -- 确定范围

  1. Parse 
    --scope
    flag (default: 
    changed
    ).
  2. Resolve to a concrete file list.
  3. Filter to configuration-relevant files:
    • Application config: 
      *.yaml
      , 
      *.yml
      , 
      *.toml
      , 
      *.ini
      , 
      *.cfg
      , 
      *.conf
      , 
      *.json
      , 
      *.properties
      , 
      *.env
      , 
      *.env.*
    • Server config: 
      nginx.conf
      , 
      httpd.conf
      , 
      apache2.conf
      , 
      Caddyfile
      , 
      traefik.yml
    • Framework config: 
      settings.py
      , 
      config/*.rb
      , 
      application.properties
      , 
      next.config.*
      , 
      nuxt.config.*
    • IaC: 
      *.tf
      , 
      *.hcl
      , 
      Dockerfile
      , 
      docker-compose*.yml
      , 
      *.k8s.yml
      , 
      k8s/*.yaml
    • CI/CD: 
      .github/workflows/*.yml
      , 
      .gitlab-ci.yml
      , 
      Jenkinsfile
      , 
      .circleci/config.yml
    • Source files that set headers or configure middleware
  4. Also include source files that import/configure security middleware or set HTTP headers.
  1. 解析
    --scope
    标志(默认值:
    changed
    )。
  2. 解析为具体的文件列表。
  3. 筛选与配置相关的文件:
    • 应用配置:
      *.yaml
      *.yml
      *.toml
      *.ini
      *.cfg
      *.conf
      *.json
      *.properties
      *.env
      *.env.*
    • 服务器配置:
      nginx.conf
      httpd.conf
      apache2.conf
      Caddyfile
      traefik.yml
    • 框架配置:
      settings.py
      config/*.rb
      application.properties
      next.config.*
      nuxt.config.*
    • 基础设施即代码(IaC):
      *.tf
      *.hcl
      Dockerfile
      docker-compose*.yml
      *.k8s.yml
      k8s/*.yaml
    • CI/CD配置:
      .github/workflows/*.yml
      .gitlab-ci.yml
      Jenkinsfile
      .circleci/config.yml
    • 设置头信息或配置中间件的源文件
  4. 同时包含导入/配置安全中间件或设置HTTP头的源文件。

Step 2 -- Check for Scanners

步骤2 -- 检查可用扫描器

Detect available scanners in priority order:
ScannerDetectBest For
checkov
which checkov
IaC misconfigurations (Terraform, K8s, Docker)
tfsec
which tfsec
Terraform-specific security
kics
which kics
Multi-IaC scanning
trivy
which trivy
Filesystem misconfigs, Dockerfiles, K8s
semgrep
which semgrep
Code-level misconfiguration patterns
If no scanners are found, proceed with Claude analysis only and note this in output.
按优先级顺序检测可用的扫描器:
扫描器检测命令最佳适用场景
checkov
which checkov
IaC配置错误(Terraform、K8s、Docker)
tfsec
which tfsec
Terraform特定安全问题
kics
which kics
多IaC扫描
trivy
which trivy
文件系统配置错误、Dockerfile、K8s
semgrep
which semgrep
代码级配置错误模式
如果未找到任何扫描器,则仅使用Claude进行分析,并在输出中注明此情况。

Step 3 -- Run Available Scanners

步骤3 -- 运行可用扫描器

For each detected scanner, run against the scoped files:
  • checkov: 
    checkov -d <target> -o json --quiet
  • tfsec: 
    tfsec <target> --format json
  • kics: 
    kics scan -p <target> --type json
  • trivy: 
    trivy fs --format json --scanners misconfig <target>
  • semgrep: 
    semgrep scan --config auto --json --quiet <target>
Normalize scanner output to the findings schema per 
../../shared/schemas/scanners.md
.
对每个检测到的扫描器,针对范围内的文件运行:
  • checkov: 
    checkov -d <target> -o json --quiet
  • tfsec: 
    tfsec <target> --format json
  • kics: 
    kics scan -p <target> --type json
  • trivy: 
    trivy fs --format json --scanners misconfig <target>
  • semgrep: 
    semgrep scan --config auto --json --quiet <target>
根据
../../shared/schemas/scanners.md
将扫描器输出标准化为检测结果模式。

Step 4 -- Claude Analysis

步骤4 -- Claude分析

Using Grep and Read, search for patterns from 
references/detection-patterns.md
. For each match:
  1. Read surrounding context (10-20 lines) to determine if the pattern is a true finding.
  2. Check for compensating controls (e.g., a reverse proxy may set headers upstream).
  3. Determine if the configuration is for production or development.
  4. Assign severity based on the criteria in detection-patterns.md.
  5. Avoid duplicating scanner findings -- deduplicate by file and line.
使用Grep和Read工具,搜索
references/detection-patterns.md
中的模式。对于每个匹配项:
  1. 读取周围上下文(10-20行)以确定该模式是否为真实检测结果。
  2. 检查是否有补偿控制(例如,反向代理可能在 upstream 设置头信息)。
  3. 确定配置是用于生产环境还是开发环境。
  4. 根据detection-patterns.md中的标准分配严重级别。
  5. 避免重复扫描器的检测结果——按文件和行去重。

Step 5 -- Report Findings

步骤5 -- 报告检测结果

Output findings using the schema from 
../../shared/schemas/findings.md
.
Use the MSCFG prefix for finding IDs (e.g., 
MSCFG-001
, 
MSCFG-002
).
使用
../../shared/schemas/findings.md
中的模式输出检测结果。
检测结果ID使用MSCFG前缀(例如:
MSCFG-001
MSCFG-002
)。

What to Look For

检查要点

  1. Debug mode enabled in production -- 
    DEBUG=True
    , 
    NODE_ENV=development
    , 
    FLASK_DEBUG=1
    , 
    RAILS_ENV=development
    in production-bound configs.
  2. Missing security headers -- No Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Permissions-Policy, or Referrer-Policy in HTTP responses.
  3. CORS wildcard or overly permissive origins -- 
    Access-Control-Allow-Origin: *
    or reflecting arbitrary Origin headers without validation.
  4. Default credentials -- Unchanged admin/admin, root/root, or well-known default passwords in configuration files.
  5. Verbose error handling -- Stack traces, internal paths, database details, or framework version numbers exposed to end users in error responses.
  6. Unnecessary features enabled -- Directory listing, HTTP TRACE/TRACK methods, admin panels exposed without authentication, phpinfo() pages.
  7. Insecure cookie attributes -- Missing Secure, HttpOnly, or SameSite flags on session or authentication cookies.
  8. Permissive file permissions -- World-readable secrets, 777 permissions on sensitive directories, overly broad IAM policies.
  9. TLS/SSL misconfiguration -- Weak cipher suites, outdated TLS versions (< 1.2), self-signed certificates in production, missing HSTS.
  10. Missing rate limiting -- No rate limiting on authentication endpoints, API routes, or form submissions.
  1. 生产环境中启用调试模式——生产相关配置中存在
    DEBUG=True
    NODE_ENV=development
    FLASK_DEBUG=1
    RAILS_ENV=development
  2. 缺失安全头——HTTP响应中缺少Content-Security-Policy、X-Frame-Options、Strict-Transport-Security、X-Content-Type-Options、Permissions-Policy或Referrer-Policy。
  3. CORS通配符或过于宽松的源——
    Access-Control-Allow-Origin: *
    或未经验证就反射任意Origin头。
  4. 默认凭据——配置文件中存在未修改的admin/admin、root/root或众所周知的默认密码。
  5. 详细错误处理——错误响应中向终端用户暴露堆栈跟踪、内部路径、数据库细节或框架版本号。
  6. 启用不必要的功能——目录列表、HTTP TRACE/TRACK方法、未认证就暴露的管理面板、phpinfo()页面。
  7. 不安全的Cookie属性——会话或认证Cookie缺失Secure、HttpOnly或SameSite标志。
  8. 宽松的文件权限——全局可读的密钥、敏感目录设置777权限、过于宽泛的IAM策略。
  9. TLS/SSL配置错误——弱密码套件、过时的TLS版本(<1.2)、生产环境中使用自签名证书、缺失HSTS。
  10. 缺失速率限制——认证端点、API路由或表单提交未设置速率限制。

Scanner Integration

扫描器集成

See 
../../shared/schemas/scanners.md
 for full scanner invocation details. This skill primarily uses:
ScannerWhat It Catches
checkovIaC misconfigurations: open security groups, missing encryption, public S3 buckets
tfsecTerraform-specific: missing tags, public subnets, insecure defaults
kicsMulti-IaC: Docker, K8s, Terraform, CloudFormation misconfigurations
trivyDockerfile and K8s manifest misconfigurations, misconfigured filesystem
semgrepCode patterns: missing headers, debug flags, insecure cookie settings
When scanners are unavailable, Claude falls back to Grep-based detection using the patterns in 
references/detection-patterns.md
and reports findings with 
confidence: medium
.
有关扫描器调用的详细信息,请参阅
../../shared/schemas/scanners.md
。本Skill主要使用以下扫描器:
扫描器检测内容
checkovIaC配置错误:开放的安全组、缺失加密、公共S3存储桶
tfsecTerraform特定问题:缺失标签、公共子网、不安全的默认设置
kics多IaC:Docker、K8s、Terraform、CloudFormation配置错误
trivyDockerfile和K8s清单配置错误、错误配置的文件系统
semgrep代码模式:缺失头信息、调试标志、不安全的Cookie设置
当扫描器不可用时,Claude会回退到使用
references/detection-patterns.md
中的模式进行基于Grep的检测,并以
confidence: medium
报告检测结果。

Output Format

输出格式

All findings use the schema defined in 
../../shared/schemas/findings.md
.
ID Prefix: 
MSCFG
(e.g., 
MSCFG-001
)
References for each finding:
  • references.owasp
    : 
    A05:2021
  • references.cwe
    : Appropriate CWE from the list above
  • references.stride
    : Relevant STRIDE category
  • metadata.tool
    : 
    misconfig
  • metadata.framework
    : 
    owasp
  • metadata.category
    : 
    A05
Summary table after all findings:
| Severity | Count |
|----------|-------|
| CRITICAL | N     |
| HIGH     | N     |
| MEDIUM   | N     |
| LOW      | N     |
Followed by top 3 priorities and an overall assessment paragraph.
所有检测结果使用
../../shared/schemas/findings.md
中定义的模式。
ID前缀: 
MSCFG
(例如:
MSCFG-001
每个检测结果的参考信息:
  • references.owasp
    : 
    A05:2021
  • references.cwe
    : 上述列表中对应的CWE编号
  • references.stride
    : 相关的STRIDE类别
  • metadata.tool
    : 
    misconfig
  • metadata.framework
    : 
    owasp
  • metadata.category
    : 
    A05
所有检测结果后的汇总表:
| 严重级别 | 数量 |
|----------|-------|
| CRITICAL | N     |
| HIGH     | N     |
| MEDIUM   | N     |
| LOW      | N     |
随后列出前3个优先级问题以及总体评估段落。