Kafka Security Posture Audit
Audits Kafka security configuration across the codebase and infrastructure. Kafka clusters often start as PLAINTEXT in dev and never get properly secured for production.
Workflow
Copy this checklist and track your progress:
Security Audit Progress:
- [ ] Step 1: Check environment health and tier
- [ ] Step 2: Scan codebase for security configuration
- [ ] Step 3: Audit authentication
- [ ] Step 4: Audit encryption
- [ ] Step 5: Audit secrets management
- [ ] Step 6: Generate report
- Check environment health and tier via Lenses MCP
- Scan codebase for security-related configuration (see
references/security-properties.md
- Audit authentication (SASL mechanism)
- Audit encryption (SSL/TLS)
- Audit secrets management (hardcoded credentials)
- Report findings with severity calibrated to environment tier
Step 1: Environment Context
Use Lenses MCP tools to understand the environment:
- - verify environment is healthy and agent is connected
- - get environment tier (development, staging, production) to calibrate severity levels. A PLAINTEXT connection in dev is a suggestion; in production it's critical.
Expected output: Environment tier (development/staging/production) and health status.
Validation: If the environment tier cannot be determined, default to production-level severity - it is safer to over-report.
Step 2: Codebase Inspection
Search the codebase for Kafka security configuration. Consult
references/security-properties.md
for the full list of authentication properties, encryption properties and files to scan.
Step 3: Audit Authentication
Apply the authentication audit rules from
references/security-properties.md
. Key checks:
- PLAINTEXT protocol in production (critical)
- PLAIN SASL without TLS (critical)
- No authentication configured in production (critical)
- Weak SASL mechanisms (warning)
Step 4: Audit Encryption
Apply the encryption audit rules from
references/security-properties.md
. Key checks:
- No SSL/TLS in production (critical)
- Disabled hostname verification (warning)
- Plaintext keystore passwords (warning)
Step 5: Audit Secrets Management
Apply the secrets audit rules from
references/security-properties.md
. Key checks:
- Hardcoded credentials in source files (critical)
- Credentials tracked by git (critical)
- Missing entries (warning)
Step 6: Environment Tier Mismatch
Cross-reference findings with the environment tier from Lenses:
- Production/Staging: All findings at full severity
- Development: Downgrade encryption/auth findings to suggestions (acceptable for local dev)
- Flag any development environment configs that might accidentally be used in production
Success Criteria
Quantitative
- Triggers on 90% of security-related queries (test with 10-20 varied phrasings)
- Completes audit in under 12 tool calls (MCP + codebase search)
- 0 failed MCP calls per run
Qualitative
- Severity is correctly calibrated to environment tier (dev vs production)
- Secrets findings have zero false negatives (never misses a hardcoded credential)
- Every finding includes a risk description and remediation step
Examples
Example 1: Pre-production security review
User says: "Audit Kafka security for the production environment"
Actions:
- Get environment tier (production) from Lenses MCP
- Scan codebase for all security properties
- Apply full-severity rules for production
Result: Complete security audit report with all findings at production severity
Example 2: Development environment check
User says: "Is my dev Kafka cluster secure enough?"
Actions:
- Get environment tier (development) from Lenses MCP
- Scan codebase for security properties
- Downgrade auth/encryption findings to suggestions for dev
- Keep secrets findings at full severity (credentials should never be hardcoded)
Result: Report calibrated to development environment
Example 3: Secrets-focused audit
User says: "Check if there are any hardcoded Kafka credentials in the codebase"
Actions:
- Search for secret patterns (passwords, tokens, API keys)
- Check files tracked by git
- Verify includes credential files
Result: Focused report on secrets management only
Troubleshooting
Environment tier is unknown
Cause: Lenses
returns no tier or a custom tier value.
Solution: Default to production-level severity. It is safer to over-report than under-report security issues.
Cannot determine if .env files are tracked by git
Cause: Not running inside a git repository.
Solution: Check for
files and report their presence. Note that git tracking could not be verified.
False positives in secrets scan
Cause: Words like "password" appear in documentation or comments rather than actual credentials.
Solution: Report all findings but note the confidence level. Flag inline values as high confidence and reference-only mentions as low confidence.
Output Format
## Security Audit Report
### Environment: {name} (tier: {development|staging|production})
### Critical (must fix)
- [file:line] Description of the security issue
Risk: {what could go wrong}
Remediation: {how to fix}
### Warning (should fix)
- [file:line] Description of the issue
Risk: {what could go wrong}
Remediation: {how to fix}
### Suggestion (consider improving)
- [file:line] Description of the issue
Recommendation: {how to improve}
### Summary
- X critical issues found
- Y warnings found
- Z suggestions found
- Environment tier: {tier}
- Authentication: {configured|missing}
- Encryption: {configured|missing}
- Secrets exposed: {yes|no}