Loading...
Loading...
Detect security misconfigurations in config files, Docker, and IaC. Use when reviewing configuration security for containers, Kubernetes, Terraform, or application settings.
npx skill4agent add jwynia/agent-skills config-scan/config-scan # Scan all config files
/config-scan --docker # Docker files only
/config-scan --k8s # Kubernetes manifests
/config-scan --terraform # Terraform files
/config-scan --env # Environment files.env.env.env.**.env| Issue | Severity | Description |
|---|---|---|
| Secrets in .env | HIGH | Credentials should use secrets manager |
| .env committed | CRITICAL | Should be in .gitignore |
| DEBUG=true | HIGH | Debug mode in production config |
| Weak secrets | MEDIUM | Short or simple values |
# Committed .env files
git ls-files | grep -E '\.env$|\.env\.'
# Secrets in env files
(PASSWORD|SECRET|KEY|TOKEN|CREDENTIAL)=.+
# Debug flags
DEBUG=(true|1|yes)
NODE_ENV=developmentDockerfiledocker-compose.yml| Issue | Severity | Description |
|---|---|---|
| USER root | HIGH | Container runs as root |
| COPY secrets | CRITICAL | Secrets copied into image |
| Latest tag | MEDIUM | Unpinned base image |
| Exposed ports | LOW | Wide port exposure |
| No healthcheck | LOW | Missing health monitoring |
# Running as root (no USER directive)
FROM.*\n(?!.*USER)
# Copying secrets
COPY.*\.(pem|key|crt|env)
COPY.*secret
COPY.*password
# Unpinned images
FROM\s+\w+:latest
FROM\s+\w+\s*$
# Dangerous capabilities
--privileged
--cap-add# Privileged mode
privileged: true
# All capabilities
cap_add:
- ALL
# Host network
network_mode: host
# Sensitive mounts
volumes:
- /:/host
- /var/run/docker.sock*.yaml*.yml| Issue | Severity | Description |
|---|---|---|
| privileged: true | CRITICAL | Full host access |
| runAsRoot | HIGH | Container runs as root |
| No resource limits | MEDIUM | DoS risk |
| hostNetwork | HIGH | Pod uses host network |
| No securityContext | MEDIUM | Missing security settings |
# Privileged containers
securityContext:
privileged: true
# Running as root
securityContext:
runAsUser: 0
runAsNonRoot: false
# Host access
hostNetwork: true
hostPID: true
hostIPC: true
# Dangerous volume mounts
volumes:
- hostPath:
path: /
# Missing limits
# (absence of resources.limits)
# Wildcard RBAC
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]*.tf*.tfvars| Issue | Severity | Description |
|---|---|---|
| Public S3 bucket | CRITICAL | Data exposure |
| * in IAM policy | HIGH | Overly permissive |
| No encryption | HIGH | Data at rest unencrypted |
| 0.0.0.0/0 ingress | HIGH | Open to internet |
| Hardcoded secrets | CRITICAL | Credentials in TF |
# Public S3
acl = "public-read"
acl = "public-read-write"
# Overly permissive IAM
"Action": "*"
"Resource": "*"
"Principal": "*"
# Open security groups
cidr_blocks = ["0.0.0.0/0"]
ingress {
from_port = 0
to_port = 65535
# Missing encryption
encrypted = false
# (or absence of encryption settings)
# Hardcoded secrets
password = "..."
secret_key = "..."config/*.json*.config.jsapplication.yml| Issue | Severity | Description |
|---|---|---|
| DEBUG=true | HIGH | Debug in production |
| Verbose errors | MEDIUM | Stack traces exposed |
| CORS * | HIGH | All origins allowed |
| No HTTPS | MEDIUM | Unencrypted transport |
// Debug mode
debug: true,
DEBUG: true,
NODE_ENV: 'development'
// Verbose errors
showStackTrace: true
detailedErrors: true
// CORS
origin: '*'
origin: true
Access-Control-Allow-Origin: *
// Session security
secure: false // cookies
httpOnly: false
sameSite: 'none'CONFIG SCAN RESULTS
===================
Files scanned: 23
Issues found: 15
CRITICAL (2)
------------
[!] Dockerfile:1 - Running as root
No USER directive found
Fix: Add "USER node" or similar non-root user
[!] terraform/s3.tf:12 - Public S3 bucket
acl = "public-read"
Fix: Remove public ACL, use bucket policies
HIGH (5)
--------
[H] docker-compose.yml:15 - Privileged container
privileged: true
Fix: Remove privileged flag, use specific capabilities
[H] k8s/deployment.yaml:34 - Missing resource limits
No CPU/memory limits defined
Fix: Add resources.limits section
...
MEDIUM (8)
----------
....config-scan-ignore# Ignore specific files
files:
- "docker-compose.dev.yml"
- "terraform/modules/test/**"
# Ignore specific rules
rules:
- id: "docker-root-user"
files: ["Dockerfile.dev"]
reason: "Development only"
- id: "k8s-no-limits"
reason: "Handled by LimitRange"# .config-scan.yaml
profile: production # or: development, strict
# Custom thresholds
thresholds:
fail_on: high
warn_on: medium
# Specific scanners
scanners:
docker: true
kubernetes: true
terraform: true
env_files: true
app_config: true# Before
FROM node:18
# After
FROM node:18
RUN groupadd -r app && useradd -r -g app app
USER app# Before
containers:
- name: app
image: myapp
# After
containers:
- name: app
image: myapp
securityContext:
runAsNonRoot: true
runAsUser: 1000
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false# Before
resource "aws_s3_bucket" "data" {
acl = "public-read"
}
# After
resource "aws_s3_bucket" "data" {
# No ACL (private by default)
}
resource "aws_s3_bucket_public_access_block" "data" {
bucket = aws_s3_bucket.data.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}# GitHub Actions
- name: Config Security Scan
run: |
/config-scan --fail-on high
- name: Docker Scan
run: |
/config-scan --docker --fail-on critical/security-scan/secrets-scan/dependency-scan