What types of configuration files does this skill analyze?

It scans a wide range of files including YAML, JSON, TOML, Nginx/Apache configs, Dockerfiles, Terraform templates, and framework-specific files like settings.py or application.properties.

Can it automatically fix the security issues it finds?

Yes, by using the --fix flag, the skill can generate remediation patches to address identified misconfigurations and harden your settings immediately.

How does it map findings to security standards?

Every finding is mapped to OWASP Top 10 (A05:2021), specific CWE IDs, and STRIDE threat categories to provide professional-grade security context.

Can I use this to check for leaked debug modes?

Yes, the skill specifically looks for enabled debug flags (like DEBUG=True or NODE_ENV=development) and verbose error handling that could expose system data.

Does it require external security tools to work?

While it integrates with scanners like Checkov or Trivy for enhanced detection, it can perform standalone analysis using Claude's reasoning and built-in grep patterns if those tools are unavailable.

Security Misconfiguration Auditor

Name: Security Misconfiguration Auditor
Author: florianbuetow

byflorianbuetow

•

보안 및 테스팅

Audits application and infrastructure configurations to identify and remediate security vulnerabilities based on OWASP standards.

The Misconfig skill provides a comprehensive security analysis for your codebase and infrastructure, specifically targeting OWASP Top 10 A05: Security Misconfiguration. It automatically scans configuration files, server setups, and Infrastructure as Code (IaC) templates to detect risky patterns such as enabled debug modes, missing security headers, permissive CORS policies, and insecure cookie attributes. By integrating with industry-standard scanners like Checkov, Trivy, and Semgrep while utilizing Claude's contextual reasoning, it helps developers harden their systems, map findings to CWE/STRIDE frameworks, and generate automated remediation patches.

주요 기능

01Automated remediation patch generation with detailed OWASP and CWE context.

02Broad support for Nginx, Apache, Docker, and popular web frameworks like Django and Rails.

036 GitHub stars

04Automated scanning of application, server, and IaC configuration files including Terraform and Kubernetes.

05Detection of OWASP A05 vulnerabilities such as missing security headers and verbose error handling.

06Seamless integration with external security scanners like Checkov, Tfsec, KICS, and Trivy.

사용 사례

01Performing a pre-deployment security audit on Infrastructure as Code (IaC) and cloud configurations.

02Auditing CI/CD pipelines to ensure production environments do not leak sensitive debug data or error traces.

03Hardening web application security by identifying missing HTTP headers and insecure cookie settings.

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add florianbuetow/claude-code misconfig

For use in Claude.ai and ChatGPT

Download Skill