Configure identify security misconfigurations in infrastructure-as-code, application settings, and system configurations.
Use when you need to audit Terraform/CloudFormation templates, check application config files, validate system security settings, or ensure compliance with security best practices.
Trigger with phrases like "find security misconfigurations", "audit infrastructure security", "check config security", or "scan for misconfigured settings".
Application configuration files available (application.yml, config.json, .env.example, web.config)
Container definitions (Dockerfile, , Helm charts)
docker-compose.yml
Web server configs (nginx.conf, httpd.conf, .htaccess) if applicable
Write permissions for findings output in ${CLAUDE_SKILL_DIR}/security-findings/
Optional: tfsec, checkov, or trivy config installed for automated pre-scanning
Instructions
Discover all configuration files by scanning ${CLAUDE_SKILL_DIR}/ for IaC templates (.tf, .yaml, .json, .template), application configs, container definitions, and web server configs.
Network security: flag security groups allowing 0.0.0.0/0 ingress on sensitive ports (22, 3389, 3306, 5432, 27017), missing VPC flow logs, and absent network segmentation.
IAM and access: detect wildcard (*) permissions in IAM policies, service accounts with admin privileges, missing MFA enforcement, and hardcoded credentials in source (CWE-798).
Compute resources: identify EC2/VM instances with unnecessary public IPs, unencrypted volumes, missing IMDSv2 enforcement, and outdated base images.
Database security: flag publicly accessible RDS/Cloud SQL instances, missing encryption at rest, disabled automated backups, default ports exposed without IP restrictions.
Application config: detect debug mode enabled in production, default credentials, CORS wildcard (*), missing CSRF protection, disabled authentication endpoints, and API keys in config files.
Container security: check for containers running as root, missing resource limits, privileged: true, writable root filesystems, and images without pinned digests.
Classify each finding: Critical (immediate exploitation risk), High (significant security impact), Medium (configuration weakness), Low (best practice violation).
Generate findings report at ${CLAUDE_SKILL_DIR}/security-findings/misconfig-YYYYMMDD.md with per-finding severity, CIS/CWE mapping, affected file and line, remediation code, and verification command.
See ${CLAUDE_SKILL_DIR}/references/implementation.md for the full six-section implementation guide covering IaC, application, and system checks.
Output
Findings Report: ${CLAUDE_SKILL_DIR}/security-findings/misconfig-YYYYMMDD.md with all misconfigurations categorized by severity
Remediation Plan: minimal-change fixes with before/after config snippets and verification commands
Compliance Mapping: each finding linked to CIS Benchmark, OWASP, or CWE reference
Summary Dashboard: finding counts by severity and category
Error Handling
Error
Cause
Solution
Syntax error in ${CLAUDE_SKILL_DIR}/terraform/main.tf
Malformed HCL, YAML, or JSON
Validate file syntax first; skip malformed files and note parse errors in report
Cannot determine cloud provider from configuration
Missing provider blocks or ambiguous file structure
Look for provider blocks and file naming conventions; fall back to generic security checks
Cannot read encrypted configuration
SOPS-encrypted or binary config files
Request decrypted version or exported config; document inability to audit
Too many config files (500+)
Large monorepo or multi-service project
Prioritize by file type: IaC first, then app configs, then system configs
Flagged configuration is intentional (dev environment)
False positive in non-production context
Support environment-specific exception rules; allow .securityignore overrides
Examples
"Scan Terraform files in ${CLAUDE_SKILL_DIR}/ for overly permissive security groups and IAM wildcard policies."
"Review Kubernetes manifests for insecure defaults: privileged containers, missing resource limits, and root execution."
"Audit the Nginx and application configs for debug mode, information disclosure, and missing security headers."