Installation

Open Claude Code and run this command:

/plugin install security-misconfiguration-finder@claude-code-plugins-plus

Use --global to install for all projects, or --project for current project only.

Skills (1)

finding-security-misconfigurations SKILL.md View full skill →

Configure identify security misconfigurations in infrastructure-as-code, application settings, and system configurations.

ReadWriteEditGrepGlobBash(config-scan:*)Bash(iac-check:*)

Finding Security Misconfigurations

Overview

Scan infrastructure-as-code templates, application configuration files, and system settings to detect security misconfigurations mapped to OWASP A05:2021 (Security Misconfiguration) and CIS Benchmarks. Cover cloud resources (AWS, GCP, Azure), container orchestration (Kubernetes, Docker), web servers (Nginx, Apache), and application frameworks.

Prerequisites

Infrastructure-as-code files accessible in ${CLAUDESKILLDIR}/ (Terraform .tf, CloudFormation .yaml/.json, Ansible playbooks, Kubernetes manifests)
Application configuration files available (application.yml, config.json, .env.example, web.config)
Container definitions (Dockerfile, docker-compose.yml, Helm charts)
Web server configs (nginx.conf, httpd.conf, .htaccess) if applicable
Write permissions for findings output in ${CLAUDESKILLDIR}/security-findings/
Optional: tfsec, checkov, or trivy config installed for automated pre-scanning

Instructions

Discover all configuration files by scanning ${CLAUDESKILLDIR}/ for IaC templates (.tf, .yaml, .json, .template), application configs, container definitions, and web server configs.
Cloud storage: check for publicly accessible S3 buckets, unencrypted storage accounts, missing versioning, and overly permissive bucket policies (CIS AWS 2.1.1, 2.1.2).
Network security: flag security groups allowing 0.0.0.0/0 ingress on sensitive ports (22, 3389, 3306, 5432, 27017), missing VPC flow logs, and absent network segmentation.
IAM and access: detect wildcard (*) permissions in IAM policies, service accounts with admin privileges, missing MFA enforcement, and hardcoded credentials in source (CWE-798).
Compute resources: identify EC2/VM instances with unnecessary public IPs, unencrypted volumes, missing IMDSv2 enforcement, and outdated base images.
Database security: flag publicly accessible RDS/Cloud SQL instances, missing encryption at rest, disabled automated backups, default ports exposed without IP restrictions.
Application config: detect debug mode enabled in production, default credentials, CORS wildcard (*), missing CSRF protection, disabled authentication endpoints, and API keys in config files.
Container security: check for containers running as root, missing resource limits, privileged: true, writable root filesystems, and images without pinned digests.
Classify

security-misconfiguration-finder

Installation

Skills (1)

Finding Security Misconfigurations

Overview

Prerequisites

Instructions

Ready to use security-misconfiguration-finder?

Related Plugins

security-misconfiguration-finder

Installation

Skills (1)

Finding Security Misconfigurations

Overview

Prerequisites

Instructions

Ready to use security-misconfiguration-finder?

Related Plugins

access-control-auditor

authentication-validator

compliance-report-generator

cors-policy-validator

csrf-protection-validator

data-privacy-scanner