Back to Details

kafka-security-audit

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Kafka Security Posture Audit

Kafka安全态势审计

Audits Kafka security configuration across the codebase and infrastructure. Kafka clusters often start as PLAINTEXT in dev and never get properly secured for production.
审计整个代码库和基础设施中的Kafka安全配置。Kafka集群通常在开发环境中以PLAINTEXT模式启动,却从未针对生产环境进行妥善的安全配置。

Workflow

工作流程

Copy this checklist and track your progress:
Security Audit Progress:
- [ ] Step 1: Check environment health and tier
- [ ] Step 2: Scan codebase for security configuration
- [ ] Step 3: Audit authentication
- [ ] Step 4: Audit encryption
- [ ] Step 5: Audit secrets management
- [ ] Step 6: Generate report
  1. Check environment health and tier via Lenses MCP
  2. Scan codebase for security-related configuration (see 
    references/security-properties.md
    )
  3. Audit authentication (SASL mechanism)
  4. Audit encryption (SSL/TLS)
  5. Audit secrets management (hardcoded credentials)
  6. Report findings with severity calibrated to environment tier
复制此检查清单并跟踪进度:
Security Audit Progress:
- [ ] Step 1: Check environment health and tier
- [ ] Step 2: Scan codebase for security configuration
- [ ] Step 3: Audit authentication
- [ ] Step 4: Audit encryption
- [ ] Step 5: Audit secrets management
- [ ] Step 6: Generate report
  1. 通过Lenses MCP 检查环境健康状况和层级
  2. 扫描代码库以查找安全相关配置(参见
    references/security-properties.md
  3. 审计认证机制(SASL机制)
  4. 审计加密配置(SSL/TLS)
  5. 审计密钥管理(硬编码凭证)
  6. 生成审计报告,根据环境层级调整问题严重程度

Step 1: Environment Context

步骤1:环境上下文

Use Lenses MCP tools to understand the environment:
  • check_environment_health
    - verify environment is healthy and agent is connected
  • get_environment
    - get environment tier (development, staging, production) to calibrate severity levels. A PLAINTEXT connection in dev is a suggestion; in production it's critical.
Expected output: Environment tier (development/staging/production) and health status.
Validation: If the environment tier cannot be determined, default to production-level severity - it is safer to over-report.
使用Lenses MCP工具了解环境信息:
  • check_environment_health
    - 验证环境是否健康且Agent已连接
  • get_environment
    - 获取环境层级(开发、预发布、生产)以校准严重程度。开发环境中的PLAINTEXT连接只是建议优化项;但在生产环境中则属于严重问题。
预期输出:环境层级(开发/预发布/生产)和健康状态。
验证规则:如果无法确定环境层级,默认采用生产级别的严重程度——过度报告安全问题比漏报更安全。

Step 2: Codebase Inspection

步骤2:代码库检查

Search the codebase for Kafka security configuration. Consult 
references/security-properties.md
for the full list of authentication properties, encryption properties and files to scan.
在代码库中搜索Kafka安全配置。查阅
references/security-properties.md
获取完整的认证属性、加密属性及需扫描的文件列表。

Step 3: Audit Authentication

步骤3:认证审计

Apply the authentication audit rules from 
references/security-properties.md
. Key checks:
  • PLAINTEXT protocol in production (critical)
  • PLAIN SASL without TLS (critical)
  • No authentication configured in production (critical)
  • Weak SASL mechanisms (warning)
应用
references/security-properties.md
中的认证审计规则。关键检查项:
  • 生产环境使用PLAINTEXT协议(严重)
  • 使用PLAIN SASL但未启用TLS(严重)
  • 生产环境未配置任何认证机制(严重)
  • 使用弱SASL机制(警告)

Step 4: Audit Encryption

步骤4:加密审计

Apply the encryption audit rules from 
references/security-properties.md
. Key checks:
  • No SSL/TLS in production (critical)
  • Disabled hostname verification (warning)
  • Plaintext keystore passwords (warning)
应用
references/security-properties.md
中的加密审计规则。关键检查项:
  • 生产环境未启用SSL/TLS(严重)
  • 禁用主机名验证(警告)
  • 明文存储密钥库密码(警告)

Step 5: Audit Secrets Management

步骤5:密钥管理审计

Apply the secrets audit rules from 
references/security-properties.md
. Key checks:
  • Hardcoded credentials in source files (critical)
  • Credentials tracked by git (critical)
  • Missing 
    .gitignore
    entries (warning)
应用
references/security-properties.md
中的密钥审计规则。关键检查项:
  • 源文件中存在硬编码凭证(严重)
  • 凭证被git追踪(严重)
  • 缺少
    .gitignore
    条目(警告)

Step 6: Environment Tier Mismatch

步骤6:环境层级不匹配检查

Cross-reference findings with the environment tier from Lenses:
  • Production/Staging: All findings at full severity
  • Development: Downgrade encryption/auth findings to suggestions (acceptable for local dev)
  • Flag any development environment configs that might accidentally be used in production
将审计结果与Lenses获取的环境层级进行交叉验证:
  • 生产/预发布环境:所有结果采用完整严重程度
  • 开发环境:将加密/认证相关结果降级为建议项(本地开发环境可接受)
  • 标记任何可能被意外用于生产环境的开发环境配置

Success Criteria

成功标准

Quantitative

量化指标

  • Triggers on 90% of security-related queries (test with 10-20 varied phrasings)
  • Completes audit in under 12 tool calls (MCP + codebase search)
  • 0 failed MCP calls per run
  • 能响应90%的安全相关查询(用10-20种不同表述测试)
  • 在12次工具调用内完成审计(MCP + 代码库搜索)
  • 每次运行中MCP调用无失败

Qualitative

定性指标

  • Severity is correctly calibrated to environment tier (dev vs production)
  • Secrets findings have zero false negatives (never misses a hardcoded credential)
  • Every finding includes a risk description and remediation step
  • 严重程度根据环境层级(开发vs生产)正确校准
  • 密钥相关结果无漏报(绝不遗漏硬编码凭证)
  • 每个结果均包含风险描述和修复步骤

Examples

示例

Example 1: Pre-production security review

示例1:预生产环境安全审查

User says: "Audit Kafka security for the production environment"
Actions:
  1. Get environment tier (production) from Lenses MCP
  2. Scan codebase for all security properties
  3. Apply full-severity rules for production Result: Complete security audit report with all findings at production severity
用户提问:“审计生产环境的Kafka安全”
操作步骤:
  1. 从Lenses MCP获取环境层级(生产)
  2. 扫描代码库中的所有安全属性
  3. 应用生产环境的完整严重程度规则 结果:生成完整的安全审计报告,所有结果均为生产级严重程度

Example 2: Development environment check

示例2:开发环境检查

User says: "Is my dev Kafka cluster secure enough?"
Actions:
  1. Get environment tier (development) from Lenses MCP
  2. Scan codebase for security properties
  3. Downgrade auth/encryption findings to suggestions for dev
  4. Keep secrets findings at full severity (credentials should never be hardcoded) Result: Report calibrated to development environment
用户提问:“我的开发Kafka集群足够安全吗?”
操作步骤:
  1. 从Lenses MCP获取环境层级(开发)
  2. 扫描代码库中的安全属性
  3. 将认证/加密相关结果降级为开发环境的建议项
  4. 密钥相关结果保持完整严重程度(凭证绝不能硬编码) 结果:生成适配开发环境的审计报告

Example 3: Secrets-focused audit

示例3:聚焦密钥的审计

User says: "Check if there are any hardcoded Kafka credentials in the codebase"
Actions:
  1. Search for secret patterns (passwords, tokens, API keys)
  2. Check 
    .env
    files tracked by git
  3. Verify 
    .gitignore
    includes credential files Result: Focused report on secrets management only
用户提问:“检查代码库中是否存在硬编码的Kafka凭证”
操作步骤:
  1. 搜索密钥模式(密码、令牌、API密钥)
  2. 检查被git追踪的
    .env
    文件
  3. 验证
    .gitignore
    是否包含凭证文件 结果:生成仅聚焦密钥管理的审计报告

Troubleshooting

故障排除

Environment tier is unknown

环境层级未知

Cause: Lenses 
get_environment
returns no tier or a custom tier value. Solution: Default to production-level severity. It is safer to over-report than under-report security issues.
原因:Lenses的
get_environment
未返回层级或返回自定义层级值。 解决方案:默认采用生产级严重程度。过度报告安全问题比漏报更安全。

Cannot determine if .env files are tracked by git

无法确定.env文件是否被git追踪

Cause: Not running inside a git repository. Solution: Check for 
.env
files and report their presence. Note that git tracking could not be verified.
原因:未在git仓库内运行。 解决方案:检查是否存在
.env
文件并报告其存在情况,同时注明无法验证git追踪状态。

False positives in secrets scan

密钥扫描出现误报

Cause: Words like "password" appear in documentation or comments rather than actual credentials. Solution: Report all findings but note the confidence level. Flag inline values as high confidence and reference-only mentions as low confidence.
原因:“password”等词汇出现在文档或注释中,而非实际凭证。 解决方案:报告所有结果但标注置信度。将内联值标记为高置信度,仅提及的内容标记为低置信度。

Output Format

输出格式

undefined
undefined

Security Audit Report

Security Audit Report

Environment: {name} (tier: {development|staging|production})

Environment: {name} (tier: {development|staging|production})

Critical (must fix)

Critical (must fix)

  • [file:line] Description of the security issue Risk: {what could go wrong} Remediation: {how to fix}
  • [file:line] Description of the security issue Risk: {what could go wrong} Remediation: {how to fix}

Warning (should fix)

Warning (should fix)

  • [file:line] Description of the issue Risk: {what could go wrong} Remediation: {how to fix}
  • [file:line] Description of the issue Risk: {what could go wrong} Remediation: {how to fix}

Suggestion (consider improving)

Suggestion (consider improving)

  • [file:line] Description of the issue Recommendation: {how to improve}
  • [file:line] Description of the issue Recommendation: {how to improve}

Summary

Summary

  • X critical issues found
  • Y warnings found
  • Z suggestions found
  • Environment tier: {tier}
  • Authentication: {configured|missing}
  • Encryption: {configured|missing}
  • Secrets exposed: {yes|no}
undefined
  • X critical issues found
  • Y warnings found
  • Z suggestions found
  • Environment tier: {tier}
  • Authentication: {configured|missing}
  • Encryption: {configured|missing}
  • Secrets exposed: {yes|no}
undefined