Config Scan Security review of configuration files and infrastructure as code. Quick Start /config-scan # Scan all config files /config-scan --docker # Docker files only /config-scan --k8s # Kubernetes manifests /config-scan --terraform # Terraform files /config-scan --env # Environment files What This Skill Detects Environment Files Secrets in .env files Insecure default values Missing required security variables Docker Security Running as root Exposed sensitive ports Insecure base images Missing security options Kubernetes Security Privileged containers Missing resource limits Insecure service accounts Network policy gaps Infrastructure as Code Overly permissive IAM policies Public S3 buckets Unencrypted storage Missing security groups Application Config Debug mode enabled Verbose error messages Insecure defaults Scan Categories Environment Files Files scanned : .env , .env. , .env Issue Severity Description Secrets in .env HIGH Credentials should use secrets manager .env committed CRITICAL Should be in .gitignore DEBUG=true HIGH Debug mode in production config Weak secrets MEDIUM Short or simple values Detection patterns :

Committed .env files

git ls-files | grep -E '.env$|.env.'

Secrets in env files

(PASSWORD|SECRET|KEY|TOKEN|CREDENTIAL)=.+

Debug flags

DEBUG=(true|1|yes) NODE_ENV=development Docker Security Files scanned : Dockerfile , docker-compose.yml Issue Severity Description USER root HIGH Container runs as root COPY secrets CRITICAL Secrets copied into image Latest tag MEDIUM Unpinned base image Exposed ports LOW Wide port exposure No healthcheck LOW Missing health monitoring Detection patterns :

Running as root (no USER directive)

FROM.\n(?!.USER)

Copying secrets

COPY..(pem|key|crt|env) COPY.secret COPY.*password

Unpinned images

FROM\s+\w+:latest FROM\s+\w+\s*$

Dangerous capabilities

--privileged --cap-add docker-compose.yml issues :

Privileged mode

privileged : true

All capabilities

cap_add : - ALL

Host network

network_mode : host

Sensitive mounts

volumes : - / : /host - /var/run/docker.sock Kubernetes Security Files scanned : .yaml , .yml (k8s manifests) Issue Severity Description privileged: true CRITICAL Full host access runAsRoot HIGH Container runs as root No resource limits MEDIUM DoS risk hostNetwork HIGH Pod uses host network No securityContext MEDIUM Missing security settings Detection patterns :

Privileged containers

securityContext : privileged : true

Running as root

securityContext : runAsUser : 0 runAsNonRoot : false

Host access

hostNetwork : true hostPID : true hostIPC : true

Dangerous volume mounts

volumes : - hostPath : path : /

Missing limits

(absence of resources.limits)

Wildcard RBAC

rules : - apiGroups : [ "" ] resources : [ "" ] verbs : [ "" ] Terraform/IaC Files scanned : .tf , *.tfvars Issue Severity Description Public S3 bucket CRITICAL Data exposure * in IAM policy HIGH Overly permissive No encryption HIGH Data at rest unencrypted 0.0.0.0/0 ingress HIGH Open to internet Hardcoded secrets CRITICAL Credentials in TF Detection patterns :

Public S3

acl

"public-read" acl = "public-read-write"

Overly permissive IAM

"Action" : "" "Resource" : "" "Principal" : "*"

Open security groups

cidr_blocks

[ "0.0.0.0/0" ] ingress { from_port = 0 to_port = 65535

Missing encryption

encrypted

false

(or absence of encryption settings)

Hardcoded secrets

password

"..." secret_key = "..." Application Config Files scanned : config/.json , .config.js , application.yml Issue Severity Description DEBUG=true HIGH Debug in production Verbose errors MEDIUM Stack traces exposed CORS * HIGH All origins allowed No HTTPS MEDIUM Unencrypted transport Detection patterns : // Debug mode debug : true , DEBUG : true , NODE_ENV : 'development' // Verbose errors showStackTrace : true detailedErrors : true // CORS origin : '*' origin : true Access - Control - Allow - Origin : * // Session security secure : false // cookies httpOnly : false sameSite : 'none' Output Format CONFIG SCAN RESULTS =================== Files scanned: 23 Issues found: 15 CRITICAL (2)

[!] Dockerfile:1 - Running as root No USER directive found Fix: Add "USER node" or similar non-root user [!] terraform/s3.tf:12 - Public S3 bucket acl = "public-read" Fix: Remove public ACL, use bucket policies HIGH (5)

[H] docker-compose.yml:15 - Privileged container privileged: true Fix: Remove privileged flag, use specific capabilities [H] k8s/deployment.yaml:34 - Missing resource limits No CPU/memory limits defined Fix: Add resources.limits section ... MEDIUM (8)

... Configuration Ignore Rules Create .config-scan-ignore :

Ignore specific files

files : - "docker-compose.dev.yml" - "terraform/modules/test/**"

Ignore specific rules

rules : - id : "docker-root-user" files : [ "Dockerfile.dev" ] reason : "Development only" - id : "k8s-no-limits" reason : "Handled by LimitRange" Scan Profiles

.config-scan.yaml

profile : production

or: development, strict

Custom thresholds

thresholds : fail_on : high warn_on : medium

Specific scanners

scanners : docker : true kubernetes : true terraform : true env_files : true app_config : true Best Practices Checked Docker Non-root user specified Base image pinned to digest No secrets in build Multi-stage build used Health check defined Read-only root filesystem Kubernetes Non-root security context Resource limits defined Network policies in place No privileged containers Service accounts scoped Secrets encrypted at rest Terraform State file encrypted No hardcoded secrets Least privilege IAM Encryption enabled Logging enabled No public access by default Remediation Examples Docker: Run as Non-Root

Before

FROM node:18

After

FROM node:18 RUN groupadd -r app && useradd -r -g app app USER app Kubernetes: Security Context

Before

containers : - name : app image : myapp

After

containers : - name : app image : myapp securityContext : runAsNonRoot : true runAsUser : 1000 readOnlyRootFilesystem : true allowPrivilegeEscalation : false Terraform: Private S3

Before

resource "aws_s3_bucket" "data" { acl = "public-read" }

After

resource "aws_s3_bucket" "data" {

No ACL (private by default)

} resource "aws_s3_bucket_public_access_block" "data" { bucket = aws_s3_bucket.data.id block_public_acls = true block_public_policy = true ignore_public_acls = true restrict_public_buckets = true } CI/CD Integration

GitHub Actions

- name : Config Security Scan run : | /config-scan --fail-on high - name : Docker Scan run : | /config-scan --docker --fail-on critical