config-scan

Config Scan

Security review of configuration files and infrastructure as code.

Quick Start

```bash
/config-scan                      # Scan all config files
/config-scan --docker             # Docker files only
/config-scan --k8s                # Kubernetes manifests
/config-scan --terraform          # Terraform files
/config-scan --env                # Environment files
```

What This Skill Detects

Environment Files

  • Secrets in .env files
  • Insecure default values
  • Missing required security variables

Docker Security

  • Running as root
  • Exposed sensitive ports
  • Insecure base images
  • Missing security options

Kubernetes Security

  • Privileged containers
  • Missing resource limits
  • Insecure service accounts
  • Network policy gaps

Infrastructure as Code

  • Overly permissive IAM policies
  • Public S3 buckets
  • Unencrypted storage
  • Missing security groups

Application Config

  • Debug mode enabled
  • Verbose error messages
  • Insecure defaults

Scan Categories

Environment Files

Files scanned: `.env`, `.env.*`, `*.env`

| Issue | Severity | Description |
|---|---|---|
| Secrets in .env | HIGH | Credentials should use secrets manager |
| .env committed | CRITICAL | Should be in .gitignore |
| DEBUG=true | HIGH | Debug mode in production config |
| Weak secrets | MEDIUM | Short or simple values |

Detection patterns:

```text
# Committed .env files (dots escaped so only a literal ".env" matches)
git ls-files | grep -E '\.env$|\.env\.'

# Secrets in env files
(PASSWORD|SECRET|KEY|TOKEN|CREDENTIAL)=.+

# Debug flags
DEBUG=(true|1|yes)
NODE_ENV=development
```
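The env-file rules above are easy to implement as a small line-oriented scanner. The following Python is an added example written for this page; it is not the config-scan skill's own code. It applies the page's three patterns (tracked `.env` files, credential-looking keys, debug flags) and adds the "weak secrets" check as a length/complexity test; the rule ids, the 12-character threshold and the sample `.env` content are assumptions.

```python
import re

# Constructed sample .env content for demonstration; not taken from any real project.
SAMPLE_ENV = """\
# app settings
APP_NAME=demo
NODE_ENV=development
DEBUG=true
DB_PASSWORD=hunter2
API_TOKEN=sk_live_0123456789abcdef0123456789abcdef
PUBLIC_URL=https://example.test
EMPTY_SECRET=
"""

# The page's patterns, with the dots in the git-tracked check escaped so they match
# a literal ".env" rather than any character followed by "env".
COMMITTED_ENV_RE = re.compile(r"\.env$|\.env\.")
SECRET_KEY_RE = re.compile(r"(PASSWORD|SECRET|KEY|TOKEN|CREDENTIAL)", re.IGNORECASE)
DEBUG_RE = re.compile(r"^DEBUG=(true|1|yes)$", re.IGNORECASE)
DEV_ENV_RE = re.compile(r"^NODE_ENV=development$")
WEAK_MIN_LENGTH = 12  # assumed threshold for a "short" secret; the page gives no number


def committed_env_files(tracked_paths):
    """Filter `git ls-files` output (one path per item) down to tracked env files."""
    return [p for p in tracked_paths if COMMITTED_ENV_RE.search(p)]


def parse_env(text):
    """Yield (line_no, key, value) for KEY=VALUE lines, skipping blanks and comments."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Drop optional surrounding quotes so the length check sees the real value.
        yield line_no, key.strip(), value.strip().strip('"').strip("'")


def scan_env(text, committed=False):
    """Return findings as (severity, line_no, rule_id, message) tuples.

    `committed` is the result of the git-tracking check for this file; rule ids are
    assumed names, not the skill's own.
    """
    findings = []
    if committed:
        findings.append(("CRITICAL", 0, "env-committed", ".env is tracked by git; add it to .gitignore"))
    for line_no, key, value in parse_env(text):
        line = f"{key}={value}"
        if DEBUG_RE.match(line) or DEV_ENV_RE.match(line):
            findings.append(("HIGH", line_no, "env-debug", f"debug/development flag set: {key}"))
        if SECRET_KEY_RE.search(key) and value:
            findings.append(("HIGH", line_no, "env-secret", f"credential stored in env file: {key}"))
            # "Weak secrets": short, or made only of letters (no digits or symbols).
            if len(value) < WEAK_MIN_LENGTH or value.isalpha():
                findings.append(("MEDIUM", line_no, "env-weak-secret", f"short or simple value: {key}"))
    return findings


if __name__ == "__main__":
    tracked = committed_env_files([".env", "src/.env.local", "prod.env", "README.md"])
    for finding in scan_env(SAMPLE_ENV, committed=bool(tracked)):
        print(*finding)
```

On the constructed input the scanner reports the two debug flags, both credentials, and flags `DB_PASSWORD` a second time as weak; the empty `EMPTY_SECRET=` is not reported because there is no value to leak.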

Docker Security

Files scanned: `Dockerfile`, `docker-compose.yml`

| Issue | Severity | Description |
|---|---|---|
| USER root | HIGH | Container runs as root |
| COPY secrets | CRITICAL | Secrets copied into image |
| Latest tag | MEDIUM | Unpinned base image |
| Exposed ports | LOW | Wide port exposure |
| No healthcheck | LOW | Missing health monitoring |

Detection patterns:

```dockerfile
# Running as root (no USER directive)
FROM.*\n(?!.*USER)

# Copying secrets (dot escaped so only a real file extension matches)
COPY.*\.(pem|key|crt|env)
COPY.*secret
COPY.*password

# Unpinned images
FROM\s+\w+:latest
FROM\s+\w+\s*$

# Dangerous capabilities
--privileged
--cap-add
```

**docker-compose.yml issues**:

```yaml
# Privileged mode
privileged: true

# All capabilities
cap_add:
  - ALL

# Host network
network_mode: host

# Sensitive mounts
volumes:
  - /:/host
  - /var/run/docker.sock
```
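The Dockerfile and compose patterns above are shown as regexes, and one of them deserves a caveat: `FROM.*\n(?!.*USER)` only inspects the line immediately after `FROM`, so a `USER` directive placed later in the stage is missed, and a `USER` in a builder stage says nothing about the stage that actually ships. The Python below is an added example, not the skill's own code, that walks a Dockerfile stage by stage and requires the final stage to end with a non-root `USER`, alongside the page's secret-copy and unpinned-image checks and the single-line compose checks. Rule ids, severities and both sample files are assumptions.

```python
import re

# Constructed two-stage Dockerfile; not from any real project.
SAMPLE_DOCKERFILE = """\
FROM node:latest AS build
WORKDIR /app
COPY package.json .
COPY certs/server.key /app/server.key
RUN npm ci

FROM node:18
COPY --from=build /app /app
EXPOSE 3000
CMD ["node", "/app/server.js"]
"""

# Constructed docker-compose.yml; not from any real project.
SAMPLE_COMPOSE = """\
services:
  web:
    image: myapp
    privileged: true
    network_mode: host
    cap_add:
      - ALL
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
"""

# Dockerfile patterns from the page, anchored to whole instructions.
SECRET_COPY_RE = re.compile(r"^(COPY|ADD)\b.*(\.(pem|key|crt|env)\b|secret|password)", re.IGNORECASE)
LATEST_RE = re.compile(r"^FROM\s+(\S+):latest\b", re.IGNORECASE)
UNTAGGED_RE = re.compile(r"^FROM\s+([^\s:@]+)(\s+AS\s+\S+)?\s*$", re.IGNORECASE)


def scan_dockerfile(text):
    """Return (severity, line_no, rule_id, message) findings for one Dockerfile."""
    findings = []
    stages = []  # one [from_line_no, has_non_root_user] entry per build stage
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        upper = line.upper()
        if upper.startswith("FROM "):
            stages.append([line_no, False])
            m = LATEST_RE.match(line)
            if m:
                findings.append(("MEDIUM", line_no, "docker-latest-tag", f"unpinned base image {m.group(1)}:latest"))
            elif UNTAGGED_RE.match(line):
                findings.append(("MEDIUM", line_no, "docker-untagged", "base image has no tag or digest"))
        elif upper.startswith("USER ") and stages:
            # USER root (or 0) re-escalates; any other user counts as dropping privileges.
            stages[-1][1] = upper.split()[1] not in ("ROOT", "0")
        elif SECRET_COPY_RE.match(line):
            findings.append(("CRITICAL", line_no, "docker-copy-secret", f"secret-looking file copied into image: {line}"))
    # Only the last stage is shipped, so that is the one that must end with a non-root USER.
    if stages and not stages[-1][1]:
        findings.append(("HIGH", stages[-1][0], "docker-root-user", "final stage has no non-root USER directive"))
    return findings


# Single-line compose patterns from the page; cap_add: ALL needs list context, handled below.
COMPOSE_RULES = [
    ("CRITICAL", "compose-privileged", re.compile(r"^\s*privileged:\s*true\b")),
    ("HIGH", "compose-host-network", re.compile(r"^\s*network_mode:\s*host\b")),
    ("HIGH", "compose-docker-sock", re.compile(r"^\s*-\s*/var/run/docker\.sock\b")),
    ("HIGH", "compose-host-root-mount", re.compile(r"^\s*-\s*/:/")),
]


def scan_compose(text):
    """Return (severity, line_no, rule_id, message) findings for a docker-compose.yml."""
    findings = []
    in_cap_add = False
    for line_no, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        for severity, rule_id, pattern in COMPOSE_RULES:
            if pattern.match(raw):
                findings.append((severity, line_no, rule_id, stripped))
        if stripped.startswith("cap_add:"):
            in_cap_add = True
            continue
        if in_cap_add and stripped.startswith("- "):
            if stripped[2:].strip().upper() == "ALL":
                findings.append(("CRITICAL", line_no, "compose-cap-all", "cap_add: ALL grants every capability"))
        else:
            in_cap_add = False
    return findings
```

On the constructed Dockerfile the `:latest` tag on the builder stage and the copied `.key` file are reported at their own lines, while the missing `USER` is attributed to the final `FROM` (line 7), since that is the image that runs.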

Kubernetes Security

Files scanned: `*.yaml`, `*.yml` (k8s manifests)

| Issue | Severity | Description |
|---|---|---|
| privileged: true | CRITICAL | Full host access |
| runAsRoot | HIGH | Container runs as root |
| No resource limits | MEDIUM | DoS risk |
| hostNetwork | HIGH | Pod uses host network |
| No securityContext | MEDIUM | Missing security settings |

Detection patterns:

```yaml
# Privileged containers
securityContext:
  privileged: true

# Running as root
securityContext:
  runAsUser: 0
  runAsNonRoot: false

# Host access
hostNetwork: true
hostPID: true
hostIPC: true

# Dangerous volume mounts
volumes:
  - hostPath:
      path: /

# Missing limits
# (absence of resources.limits)

# Wildcard RBAC
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
```
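Kubernetes checks are better done on the parsed manifest than on raw text, because settings such as `runAsUser` can be set at pod level and overridden per container, and because the pod spec sits at different paths for `Pod`, `Deployment` and `CronJob`. The Python below is an added example, not the skill's own code; it takes manifests as dicts (what `yaml.safe_load` would return, embedded inline so no library is needed) and implements the page's checks: privileged containers, root users, host namespaces, `hostPath` mounts, missing limits, missing `securityContext`, and wildcard RBAC. Rule ids and the sample manifests are assumptions.

```python
# Constructed manifests as Python dicts, i.e. what yaml.safe_load() returns for a
# Deployment and a ClusterRole; PyYAML is not required to run this example.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "demo"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [
            {"name": "app", "image": "myapp",
             "securityContext": {"privileged": True, "runAsUser": 0}},
            {"name": "sidecar", "image": "sidecar",
             "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}},
             "securityContext": {"runAsNonRoot": True}},
        ],
    }}},
}

SAMPLE_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "too-broad"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}


def pod_spec(manifest):
    """Locate the PodSpec for a bare Pod or for workload kinds that embed a pod template."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    if manifest.get("kind") == "CronJob":
        return spec.get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec")
    return spec.get("template", {}).get("spec")


def scan_manifest(manifest):
    """Return (severity, rule_id, location, message) findings for one parsed manifest."""
    findings = []
    kind = manifest.get("kind", "?")
    loc = f"{kind}/{manifest.get('metadata', {}).get('name', '<unnamed>')}"

    # Wildcard RBAC applies to Role/ClusterRole, which carry rules instead of a pod spec.
    for i, rule in enumerate(manifest.get("rules", []) or []):
        if "*" in rule.get("verbs", []) and "*" in rule.get("resources", []):
            findings.append(("HIGH", "k8s-rbac-wildcard", f"{loc}.rules[{i}]", "wildcard verbs on wildcard resources"))

    spec = pod_spec(manifest)
    if not spec:
        return findings
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key) is True:
            findings.append(("HIGH", "k8s-host-namespace", f"{loc}.spec.{key}", f"{key}: true shares a host namespace"))
    for vol in spec.get("volumes", []) or []:
        path = (vol.get("hostPath") or {}).get("path")
        if path is not None:
            sev = "CRITICAL" if path == "/" else "HIGH"
            findings.append((sev, "k8s-hostpath", f"{loc}.volumes/{vol.get('name')}", f"hostPath mount of {path}"))
    pod_sc = spec.get("securityContext", {}) or {}
    for c in spec.get("containers", []) or []:
        cloc = f"{loc}/{c.get('name')}"
        sc = c.get("securityContext")
        if sc is None:
            findings.append(("MEDIUM", "k8s-no-securitycontext", cloc, "container has no securityContext"))
            sc = {}
        if sc.get("privileged") is True:
            findings.append(("CRITICAL", "k8s-privileged", cloc, "privileged: true gives full host access"))
        # Container-level settings override pod-level ones; absent both, the image default applies.
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_user == 0 or (run_as_user is None and run_as_non_root is not True):
            findings.append(("HIGH", "k8s-run-as-root", cloc, "container may run as root"))
        if not (c.get("resources") or {}).get("limits"):
            findings.append(("MEDIUM", "k8s-no-limits", cloc, "no resources.limits (DoS risk)"))
    return findings


if __name__ == "__main__":
    for manifest in (SAMPLE_DEPLOYMENT, SAMPLE_CLUSTERROLE):
        for finding in scan_manifest(manifest):
            print(*finding)
```

The root check treats "no `runAsUser` and no `runAsNonRoot: true`" as a finding too, because without either the container inherits whatever user the image sets, which is commonly root.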

Terraform/IaC

Files scanned: `*.tf`, `*.tfvars`

| Issue | Severity | Description |
|---|---|---|
| Public S3 bucket | CRITICAL | Data exposure |
| `*` in IAM policy | HIGH | Overly permissive |
| No encryption | HIGH | Data at rest unencrypted |
| 0.0.0.0/0 ingress | HIGH | Open to internet |
| Hardcoded secrets | CRITICAL | Credentials in TF |

Detection patterns:

```hcl
# Public S3
acl = "public-read"
acl = "public-read-write"

# Overly permissive IAM
"Action": "*"
"Resource": "*"
"Principal": "*"

# Open security groups
cidr_blocks = ["0.0.0.0/0"]
ingress {
  from_port = 0
  to_port   = 65535
}

# Missing encryption
encrypted = false
# (or absence of encryption settings)

# Hardcoded secrets
password = "..."
secret_key = "..."
```
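Most of the Terraform rules above are single-line matches, but the open-security-group rule is not: `0.0.0.0/0` is only a full-exposure finding when the same `ingress` block also spans the whole port range, so the scanner has to carry state across the block. The Python below is an added example, not the skill's own code, implementing the page's HCL patterns that way; it goes slightly beyond the page by also matching `access_key`/`token` attributes and by skipping quoted values that contain `$` (so `"${var.x}"` references are not flagged). Rule ids, severities and the sample file are assumptions.

```python
import re

# Constructed Terraform snippet; not from any real project.
SAMPLE_TF = """\
resource "aws_s3_bucket" "logs" {
  bucket = "demo-logs"
  acl    = "public-read"
}

resource "aws_ebs_volume" "data" {
  size      = 20
  encrypted = false
}

resource "aws_security_group" "web" {
  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_db_instance" "db" {
  password = "Sup3rS3cret!"
}

data "aws_iam_policy_document" "admin" {
  statement {
    actions   = ["*"]
    resources = ["*"]
  }
}
"""

# Single-line rules from the page. The hardcoded-secret rule skips values containing
# '$' so that "${var.x}" references are not flagged (an assumption, not the skill's rule).
LINE_RULES = [
    ("CRITICAL", "tf-public-s3", re.compile(r'^\s*acl\s*=\s*"public-read(-write)?"')),
    ("HIGH", "tf-unencrypted", re.compile(r"^\s*encrypted\s*=\s*false\b")),
    ("CRITICAL", "tf-hardcoded-secret",
     re.compile(r'^\s*(password|secret_key|access_key|token)\s*=\s*"[^"$]+"', re.IGNORECASE)),
    ("HIGH", "tf-iam-wildcard", re.compile(r'^\s*(actions|resources)\s*=\s*\[\s*"\*"\s*\]')),
    ("HIGH", "tf-iam-wildcard", re.compile(r'"(Action|Resource|Principal)"\s*:\s*"\*"')),
]
INGRESS_OPEN_RE = re.compile(r"^\s*ingress\s*\{")
INGRESS_FIELD_RE = re.compile(r"^\s*(from_port|to_port|cidr_blocks)\s*=\s*(.+?)\s*$")


def scan_terraform(text):
    """Return (severity, line_no, rule_id, detail) findings for one .tf file."""
    findings = []
    ingress = None  # fields of the ingress block currently being read, if any
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        for severity, rule_id, pattern in LINE_RULES:
            if pattern.search(raw):
                findings.append((severity, line_no, rule_id, line))
        # An open security group needs two facts from one block: 0.0.0.0/0 and the port range.
        if INGRESS_OPEN_RE.match(raw):
            ingress = {"line": line_no}
            continue
        if ingress is not None:
            m = INGRESS_FIELD_RE.match(raw)
            if m:
                ingress[m.group(1)] = m.group(2)
            if line == "}":
                world = "0.0.0.0/0" in ingress.get("cidr_blocks", "")
                full_range = ingress.get("from_port") == "0" and ingress.get("to_port") == "65535"
                if world and full_range:
                    findings.append(("HIGH", ingress["line"], "tf-open-ingress", "all ports open to 0.0.0.0/0"))
                elif world:
                    findings.append(("MEDIUM", ingress["line"], "tf-world-ingress", "ingress open to 0.0.0.0/0"))
                ingress = None
    return findings


if __name__ == "__main__":
    for finding in scan_terraform(SAMPLE_TF):
        print(*finding)
```

A narrower ingress (for example port 443 only) to `0.0.0.0/0` is reported at MEDIUM rather than HIGH, so reviewers can tell a public web listener from a wide-open host.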

Application Config

Files scanned: `config/*.json`, `*.config.js`, `application.yml`

| Issue | Severity | Description |
|---|---|---|
| DEBUG=true | HIGH | Debug in production |
| Verbose errors | MEDIUM | Stack traces exposed |
| `CORS *` | HIGH | All origins allowed |
| No HTTPS | MEDIUM | Unencrypted transport |

Detection patterns:

```javascript
// Debug mode
debug: true,
DEBUG: true,
NODE_ENV: 'development'

// Verbose errors
showStackTrace: true
detailedErrors: true

// CORS
origin: '*'
origin: true
Access-Control-Allow-Origin: *

// Session security
secure: false  // cookies
httpOnly: false
sameSite: 'none'
```
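For JSON application configs the settings above can be nested arbitrarily deep (a `secure: false` under `session.cookie` is the same problem as one at the top level), so a scanner should walk the whole document rather than grep lines. The Python below is an added example, not the skill's own code: it loads a config, walks every key, and applies the page's debug, verbose-error, CORS and cookie patterns, reporting the dotted path of each hit. Rule ids and the sample config are assumptions.

```python
import json

# Constructed config/app.json content; not from any real project.
SAMPLE_CONFIG_JSON = """
{
  "debug": true,
  "server": {"showStackTrace": true},
  "cors": {"origin": "*"},
  "session": {"cookie": {"secure": false, "httpOnly": false, "sameSite": "none"}}
}
"""

# (key, predicate on value, severity, rule_id, message); mirrors the page's JavaScript patterns.
RULES = [
    ("debug", lambda v: v is True, "HIGH", "app-debug", "debug mode enabled"),
    ("DEBUG", lambda v: v is True, "HIGH", "app-debug", "debug mode enabled"),
    ("NODE_ENV", lambda v: v == "development", "HIGH", "app-debug", "NODE_ENV=development"),
    ("showStackTrace", lambda v: v is True, "MEDIUM", "app-verbose-errors", "stack traces exposed"),
    ("detailedErrors", lambda v: v is True, "MEDIUM", "app-verbose-errors", "detailed errors exposed"),
    ("origin", lambda v: v == "*" or v is True, "HIGH", "app-cors-any", "CORS allows all origins"),
    ("secure", lambda v: v is False, "MEDIUM", "app-cookie-insecure", "cookie sent over plain HTTP"),
    ("httpOnly", lambda v: v is False, "MEDIUM", "app-cookie-httponly", "cookie readable by scripts"),
    ("sameSite", lambda v: isinstance(v, str) and v.lower() == "none", "MEDIUM", "app-cookie-samesite", "sameSite none"),
]


def walk(obj, path=""):
    """Yield (dotted path, key, value) for every key in nested dicts and lists."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            yield here, key, value
            yield from walk(value, here)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from walk(value, f"{path}[{i}]")


def scan_app_config(text):
    """Parse a JSON config and return (severity, path, rule_id, message) findings."""
    config = json.loads(text)
    findings = []
    for path, key, value in walk(config):
        for rule_key, check, severity, rule_id, message in RULES:
            if key == rule_key and check(value):
                findings.append((severity, path, rule_id, message))
    return findings


if __name__ == "__main__":
    for finding in scan_app_config(SAMPLE_CONFIG_JSON):
        print(*finding)
```

The predicates compare with `is True` / `is False` rather than truthiness on purpose: a string `"false"` or a `0` in a config is a different (and separately interesting) defect from the boolean the pattern describes.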

Output Format

```text
CONFIG SCAN RESULTS
===================

Files scanned: 23
Issues found: 15

CRITICAL (2)
------------
[!] Dockerfile:1 - Running as root
    No USER directive found
    Fix: Add "USER node" or similar non-root user

[!] terraform/s3.tf:12 - Public S3 bucket
    acl = "public-read"
    Fix: Remove public ACL, use bucket policies

HIGH (5)
--------
[H] docker-compose.yml:15 - Privileged container
    privileged: true
    Fix: Remove privileged flag, use specific capabilities

[H] k8s/deployment.yaml:34 - Missing resource limits
    No CPU/memory limits defined
    Fix: Add resources.limits section

...

MEDIUM (8)
----------
...
```

Configuration

Ignore Rules

Create `.config-scan-ignore`:

```yaml
# Ignore specific files
files:
  - "docker-compose.dev.yml"
  - "terraform/modules/test/**"

# Ignore specific rules
rules:
  - id: "docker-root-user"
    files: ["Dockerfile.dev"]
    reason: "Development only"
  - id: "k8s-no-limits"
    reason: "Handled by LimitRange"
```

Scan Profiles

```yaml
# .config-scan.yaml
profile: production  # or: development, strict

# Custom thresholds
thresholds:
  fail_on: high
  warn_on: medium

# Specific scanners
scanners:
  docker: true
  kubernetes: true
  terraform: true
  env_files: true
  app_config: true
```
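The ignore file and the thresholds above define how raw findings turn into a report and an exit code: file globs drop everything in a path, rule entries drop one rule everywhere or only in the listed files, and `fail_on`/`warn_on` decide which of the remaining findings fail the run. The Python below is an added example, not the skill's own code, that applies the page's `.config-scan-ignore` and `thresholds` settings to a constructed list of findings and renders the survivors in the `CONFIG SCAN RESULTS` layout from the Output Format section. Rule ids, the `[M]`/`[L]` tags and the finding list are assumptions.

```python
from fnmatch import fnmatchcase

SEVERITY_ORDER = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}
SEVERITY_TAG = {"CRITICAL": "[!]", "HIGH": "[H]", "MEDIUM": "[M]", "LOW": "[L]"}  # [M]/[L] assumed

# Parsed form of the page's .config-scan-ignore example (as a YAML loader would return it).
IGNORE_CONFIG = {
    "files": ["docker-compose.dev.yml", "terraform/modules/test/**"],
    "rules": [
        {"id": "docker-root-user", "files": ["Dockerfile.dev"], "reason": "Development only"},
        {"id": "k8s-no-limits", "reason": "Handled by LimitRange"},
    ],
}
THRESHOLDS = {"fail_on": "high", "warn_on": "medium"}

# Constructed findings: (severity, file, rule_id, message). Rule ids are assumed names.
FINDINGS = [
    ("HIGH", "Dockerfile", "docker-root-user", "No USER directive found"),
    ("HIGH", "Dockerfile.dev", "docker-root-user", "No USER directive found"),
    ("MEDIUM", "k8s/deployment.yaml", "k8s-no-limits", "No CPU/memory limits defined"),
    ("CRITICAL", "docker-compose.dev.yml", "compose-privileged", "privileged: true"),
    ("HIGH", "terraform/modules/test/sg.tf", "tf-open-ingress", "0.0.0.0/0 ingress"),
    ("MEDIUM", "config/app.json", "app-verbose-errors", "showStackTrace: true"),
]


def is_ignored(finding, config):
    """True if a file glob or a (possibly file-scoped) rule entry suppresses the finding."""
    _, path, rule_id, _ = finding
    # fnmatch's '*' already spans '/', so 'dir/**' covers every nested path.
    if any(fnmatchcase(path, pat) for pat in config.get("files", [])):
        return True
    for rule in config.get("rules", []):
        if rule.get("id") != rule_id:
            continue
        scoped = rule.get("files")
        if not scoped or any(fnmatchcase(path, pat) for pat in scoped):
            return True
    return False


def apply_ignores(findings, config):
    return [f for f in findings if not is_ignored(f, config)]


def evaluate(findings, thresholds):
    """Map remaining findings onto thresholds: (exit_code, failing, warning)."""
    fail_at = SEVERITY_ORDER[thresholds["fail_on"].upper()]
    warn_at = SEVERITY_ORDER[thresholds["warn_on"].upper()]
    failing = [f for f in findings if SEVERITY_ORDER[f[0]] >= fail_at]
    warning = [f for f in findings if warn_at <= SEVERITY_ORDER[f[0]] < fail_at]
    return (1 if failing else 0), failing, warning


def render_report(findings, files_scanned):
    """Render findings grouped by severity in the page's CONFIG SCAN RESULTS layout."""
    lines = ["CONFIG SCAN RESULTS", "===================", "",
             f"Files scanned: {files_scanned}", f"Issues found: {len(findings)}", ""]
    for sev in ("CRITICAL", "HIGH", "MEDIUM", "LOW"):
        group = [f for f in findings if f[0] == sev]
        if not group:
            continue
        header = f"{sev} ({len(group)})"
        lines += [header, "-" * len(header)]
        for _, path, rule_id, message in group:
            lines += [f"{SEVERITY_TAG[sev]} {path} - {message}", f"    rule: {rule_id}", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    kept = apply_ignores(FINDINGS, IGNORE_CONFIG)
    code, _, _ = evaluate(kept, THRESHOLDS)
    print(render_report(kept, files_scanned=23))
    raise SystemExit(code)
```

Note what the ignore file does and does not suppress here: `docker-root-user` is dropped only for `Dockerfile.dev`, so the same rule on the production `Dockerfile` still fails the run at `fail_on: high`, while the MEDIUM app-config finding is reported as a warning only.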

Best Practices Checked

Docker

  • Non-root user specified
  • Base image pinned to digest
  • No secrets in build
  • Multi-stage build used
  • Health check defined
  • Read-only root filesystem

Kubernetes

  • Non-root security context
  • Resource limits defined
  • Network policies in place
  • No privileged containers
  • Service accounts scoped
  • Secrets encrypted at rest

Terraform

  • State file encrypted
  • No hardcoded secrets
  • Least privilege IAM
  • Encryption enabled
  • Logging enabled
  • No public access by default

Remediation Examples

Docker: Run as Non-Root

```dockerfile
# Before
FROM node:18

# After
FROM node:18
RUN groupadd -r app && useradd -r -g app app
USER app
```

Kubernetes: Security Context

```yaml
# Before
containers:
  - name: app
    image: myapp

# After
containers:
  - name: app
    image: myapp
    securityContext:
      runAsNonRoot: true
      runAsUser: 1000
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
```

Terraform: Private S3

```hcl
# Before
resource "aws_s3_bucket" "data" {
  acl = "public-read"
}

# After
resource "aws_s3_bucket" "data" {
  # No ACL (private by default)
}

resource "aws_s3_bucket_public_access_block" "data" {
  bucket                  = aws_s3_bucket.data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

CI/CD Integration

```yaml
# GitHub Actions
- name: Config Security Scan
  run: |
    /config-scan --fail-on high

- name: Docker Scan
  run: |
    /config-scan --docker --fail-on critical
```

Related Skills

  • /security-scan - Full security analysis
  • /secrets-scan - Credential detection
  • /dependency-scan - Package vulnerabilities