Run any Skill in Manus with one click

$pwd:

oraclecloud-prod-checklist

Name: Oraclecloud Prod Checklist
Author: jeremylongshore

// Pre-production readiness checklist for OCI — backup policies, security audit, key rotation, encryption, and Cloud Guard. Use when preparing an OCI environment for production workloads or auditing an existing deployment. Trigger with "oraclecloud prod checklist", "oci production ready", "oci security audit", "oci well-architected".

Run Skill in Manus

$ git log --oneline --stat

stars:2,267

forks:315

updated:May 23, 2026 at 05:41

File Explorer

2 files

SKILL.md

readonly

related-skills.json

same repository

detecting-command-injection-patterns.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source tree for command-injection vulnerable patterns: shell=True calls in Python subprocess, os.system / os.popen with interpolated strings, Node child_process.exec with template literals, Ruby backticks / Kernel#system / Kernel#exec with interpolation, Go exec.Command with shell wrapping, PHP system / passthru / shell_exec / backticks with $-interpolation, Java Runtime.exec with concatenated args. Use when: pre-commit gate on code that calls out to shell utilities, audit of file-processing / archive-handling / image-conversion code, post-bug-report investigation for "we shell out to a tool." Threshold: any shell-invocation API called with a string that contains a variable interpolation, OR shell=True with anything other than a fixed literal. Trigger with: "scan command injection", "shell=True audit", "find exec calls", "check os.system".

2026-05-312.3k

detecting-eval-exec-usage.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source tree for dynamic-code-execution APIs that an attacker can hijack: Python eval / exec / compile, JavaScript eval / Function() / setTimeout(string), Ruby eval / instance_eval / class_eval, Java ScriptEngine, PHP eval / assert($str), .NET Activator.CreateInstance / Reflection.Emit with dynamic input. Use when: pre-commit gate on any application that parses user-uploaded code (rule engines, formula evaluators, plugin systems), or post-bug-report when "we run user-supplied expressions." Threshold: any call to eval / exec / Function / similar where the argument is not a string literal. Trigger with: "scan eval", "find dynamic exec", "audit eval calls", "code injection patterns".

2026-05-312.3k

detecting-insecure-deserialization.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source tree for unsafe-by-default deserialization APIs: Python pickle.loads / cPickle / shelve / dill, Ruby Marshal.load / YAML.load (pre-3.1 default), Java ObjectInputStream.readObject, PHP unserialize, .NET BinaryFormatter / NetDataContractSerializer, Node.js node-serialize, JavaScript JSON.parse with reviver containing eval. Use when: pre-commit gate on services that accept binary blobs, audit of legacy job-queue code (workers deserializing tasks), post-bug-report when "we accept user-uploaded archives." Threshold: any call to a known-unsafe deserialization API on data that originates from user input, network, file upload, or untrusted storage. Trigger with: "scan deserialization", "pickle audit", "java readObject scan", "yaml.load check".

2026-05-312.3k

detecting-sql-injection-patterns.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source tree for SQL-injection vulnerable patterns: string concatenation into queries, f-string interpolation in SQL, string-format substitution into raw queries, deprecated cursor methods (cursor.execute with % formatting), Knex / Sequelize raw() with template interpolation, sequelize.query with replacements. Use when: pre-commit code review, post-feature SQL-touching release, inheriting a legacy codebase that predates ORMs, or post-bug-report investigation. Threshold: any source line where SQL keywords (SELECT / INSERT / UPDATE / DELETE / FROM / WHERE) appear in a string that's being built via concatenation, f-string, %-format, or .format() with variable input. Trigger with: "scan for sqli", "sql injection patterns", "check raw queries", "audit cursor.execute".

2026-05-312.3k

detecting-weak-cryptography.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source tree for weak cryptographic primitives: MD5 / SHA-1 used for security purposes, DES / 3DES / RC4 ciphers, ECB block mode, custom-built crypto (XOR loops, hand-rolled HMAC), hardcoded IVs, predictable random (Math.random / java.util.Random for crypto seeds), missing certificate verification (verify=False, rejectUnauthorized: false). Use when: pre-merge gate on crypto-touching code, audit before SOC2 / PCI assessment, post-incident review when "we found a weakness in our token signing." Threshold: any call to a known-weak algorithm with non-test context, OR cert verification explicitly disabled, OR a custom crypto loop pattern. Trigger with: "scan weak crypto", "find MD5 usage", "check ECB mode", "audit ssl verify", "weak random".

2026-05-312.3k

scanning-for-hardcoded-secrets.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source-code tree for hardcoded credentials embedded in source files: AWS access keys, GitHub tokens, Stripe keys, Slack tokens, Anthropic API keys, OpenAI keys, JWT signing secrets, generic base64-encoded passwords, RSA / SSH private keys, and high-entropy string literals that pattern-match common credential shapes. Use when: pre-commit gate before pushing a feature branch, audit before SOC2, post-incident scan after a leak, or inheriting a codebase you didn't write. Threshold: any source file contains a string that matches a canonical credential regex (AWS AKIA prefix, GitHub ghp_ prefix, etc.) OR a string with Shannon entropy above 4.5 in a field context (key=, token:, secret=). Trigger with: "scan secrets", "credential scan", "find hardcoded keys", "leak check".

2026-05-312.3k

package.json

"author": "jeremylongshore"

"repository": "jeremylongshore/claude-code-plugins-plus-skills"

View GitHub Repository View Creator Repositories

$ install --global

$ download --local

Run Skill in Manus

$ useful --forSOC

Network and Computer Systems AdministratorsComputer and Mathematical Occupations15-1244L4

name	oraclecloud-prod-checklist
description	Pre-production readiness checklist for OCI — backup policies, security audit, key rotation, encryption, and Cloud Guard. Use when preparing an OCI environment for production workloads or auditing an existing deployment. Trigger with "oraclecloud prod checklist", "oci production ready", "oci security audit", "oci well-architected".
allowed-tools	Read, Write, Edit, Bash(oci:), Bash(python3:), Grep
version	1.0.0
license	MIT
author	Jeremy Longshore <jeremy@intentsolutions.io>
tags	["saas","oraclecloud","oci"]
compatibility	Designed for Claude Code

Oracle Cloud Production Checklist

Overview

OCI has no "Well-Architected Review" equivalent to AWS. This is the pre-production gate: a comprehensive checklist covering backup policies, security list audit, API key rotation, compartment isolation, boot volume encryption, OS Management agent, Cloud Guard, and Vulnerability Scanning. Every item is verifiable via CLI or Python SDK — no subjective assessments, only pass/fail checks.

Purpose: Validate that an OCI environment meets production-grade security, resilience, and operational standards before going live.

Prerequisites

OCI CLI installed and configured — ~/.oci/config validated (see oraclecloud-install-auth)
Python 3.8+ with the OCI SDK — pip install oci
Administrator-level IAM policies — the checks require inspect and read across most service families
Target compartment OCID — the compartment being audited
Cloud Guard must be enabled at the tenancy level (Administration > Cloud Guard)

Instructions

Step 1: Compartment Isolation Audit

Production workloads must be in a dedicated compartment, not the root:

# List compartments — production should NOT be the root compartment
oci iam compartment list \
  --compartment-id "$TENANCY_OCID" \
  --query 'data[].{name:name, id:id, state:"lifecycle-state"}' \
  --output table

# Verify prod compartment has policies restricting access
oci iam policy list \
  --compartment-id "$PROD_COMPARTMENT_OCID" \
  --query 'data[].{name:name, statements:statements}' \
  --output json

Pass criteria: Production compartment is NOT the root tenancy. Policies follow least-privilege (no manage all-resources in tenancy).

Step 2: Backup Policy Verification

import oci

config = oci.config.from_file("~/.oci/config")
blockstorage = oci.core.BlockstorageClient(config)

# List all boot volumes in prod compartment
boot_volumes = blockstorage.list_boot_volumes(
    compartment_id="PROD_COMPARTMENT_OCID",
    availability_domain="AD-1",
).data

for vol in boot_volumes:
    # Check backup policy assignment
    try:
        assignments = blockstorage.get_volume_backup_policy_asset_assignment(
            asset_id=vol.id
        ).data
        if assignments:
            print(f"PASS: {vol.display_name} — backup policy assigned")
        else:
            print(f"FAIL: {vol.display_name} — no backup policy")
    except oci.exceptions.ServiceError:
        print(f"FAIL: {vol.display_name} — cannot check backup policy")

Pass criteria: Every boot volume and block volume has an assigned backup policy (Bronze minimum: weekly backups, 5-week retention).

Step 3: Security List and NSG Audit

# List all security lists in the VCN
oci network security-list list \
  --compartment-id "$PROD_COMPARTMENT_OCID" \
  --vcn-id "$VCN_OCID" \
  --query 'data[].{name:"display-name", ingress:"ingress-security-rules[?source==\`0.0.0.0/0\`]"}' \
  --output json

# FAIL if any rule allows 0.0.0.0/0 ingress on ports other than 80/443
oci network nsg rules list \
  --network-security-group-id "$NSG_OCID" \
  --query 'data[?source==`0.0.0.0/0` && "tcp-options"."destination-port-range".min!=`443`]' \
  --output table

Pass criteria: No security list allows unrestricted ingress (0.0.0.0/0) except ports 80 and 443. Prefer NSGs over security lists for production workloads.

Step 4: API Key Rotation Check

import oci
from datetime import datetime, timezone, timedelta

config = oci.config.from_file("~/.oci/config")
identity = oci.identity.IdentityClient(config)

# List API keys for all users in the tenancy
users = identity.list_users(compartment_id=config["tenancy"]).data
max_age = timedelta(days=90)
now = datetime.now(timezone.utc)

for user in users:
    keys = identity.list_api_keys(user_id=user.id).data
    for key in keys:
        age = now - key.time_created
        status = "PASS" if age < max_age else "FAIL"
        print(f"  {status}: {user.name} — key {key.fingerprint} — {age.days} days old")

Pass criteria: No API key older than 90 days. Automated rotation via OCI Vault recommended.

Step 5: Boot Volume Encryption

# Check that all boot volumes use customer-managed keys (not Oracle-managed)
oci bv boot-volume list \
  --compartment-id "$PROD_COMPARTMENT_OCID" \
  --query 'data[].{name:"display-name", kms:"kms-key-id"}' \
  --output table

# FAIL if kms-key-id is null (Oracle-managed default encryption)

Pass criteria: All boot volumes encrypted with customer-managed keys from OCI Vault. Oracle-managed encryption is the default but does not meet most compliance frameworks (SOC 2, PCI-DSS).

Step 6: OS Management Agent Verification

# Check if instance agent plugins are enabled
oci instance-agent plugin list \
  --instanceagent-id "$INSTANCE_OCID" \
  --compartment-id "$PROD_COMPARTMENT_OCID" \
  --query 'data[].{name:name, status:status}' \
  --output table

# Required plugins: Vulnerability Scanning, OS Management Service Agent, Compute Instance Run Command

Pass criteria: OS Management Service Agent, Vulnerability Scanning, and Run Command plugins are all RUNNING.

Step 7: Cloud Guard Status

# Verify Cloud Guard is enabled and detector recipes are active
oci cloud-guard target list \
  --compartment-id "$PROD_COMPARTMENT_OCID" \
  --query 'data.items[].{name:"display-name", state:"lifecycle-state"}' \
  --output table

# Check for open problems
oci cloud-guard problem list \
  --compartment-id "$PROD_COMPARTMENT_OCID" \
  --lifecycle-state "ACTIVE" \
  --query 'data.items[].{label:"resource-name", risk:"risk-level", detail:"additional-details"}' \
  --output table

Pass criteria: Cloud Guard target is ACTIVE with Oracle-managed detector recipes. Zero CRITICAL or HIGH risk problems.

Step 8: Vulnerability Scanning

# List scan recipes and recent results
oci vulnerability-scanning host scan recipe list \
  --compartment-id "$PROD_COMPARTMENT_OCID" \
  --output table

oci vulnerability-scanning host vulnerability list \
  --compartment-id "$PROD_COMPARTMENT_OCID" \
  --query 'data.items[?severity==`CRITICAL`].{name:name, severity:severity, cve:"cve-reference"}' \
  --output table

Pass criteria: Scan recipes assigned to all compute instances. Zero CRITICAL vulnerabilities.

Output

Successful completion produces:

An 8-point pass/fail checklist covering compartment isolation, backups, security rules, key rotation, encryption, OS agents, Cloud Guard, and vulnerability scanning
Specific FAIL findings with remediation commands for each item
A clear go/no-go decision for production deployment

Error Handling

Error	Code	Cause	Solution
NotAuthorizedOrNotFound	404	Insufficient IAM policies for audit	Add `allow group auditors to inspect all-resources in compartment prod`
NotAuthenticated	401	API key expired or misconfigured	Rotate key per Step 4 and update `~/.oci/config`
Cloud Guard not enabled	—	Cloud Guard never activated at tenancy level	Enable via Console: Administration > Cloud Guard > Enable
TooManyRequests	429	Rate limited when scanning all compartments	Add 1-second delay between API calls — no Retry-After header from OCI
InternalError	500	OCI service issue	Retry after 60 seconds; check https://ocistatus.oraclecloud.com
Vulnerability Scanning not available	—	Not enabled for the region/compartment	Enable: Console > Security > Vulnerability Scanning > Create Recipe

Examples

Quick pre-flight check (CLI one-liners):

# Check compartment isolation
oci iam compartment get --compartment-id "$PROD_COMPARTMENT_OCID" \
  --query 'data.name' --raw-output

# Count boot volumes without backup policies
oci bv boot-volume list --compartment-id "$PROD_COMPARTMENT_OCID" \
  --query 'length(data[?!"backup-policy-id"])' --raw-output

# Count open Cloud Guard problems
oci cloud-guard problem list --compartment-id "$PROD_COMPARTMENT_OCID" \
  --lifecycle-state ACTIVE --query 'length(data.items)' --raw-output

Automated audit script:

import oci

config = oci.config.from_file("~/.oci/config")
results = {"pass": 0, "fail": 0}

# Check 1: Compartment exists and is not root
identity = oci.identity.IdentityClient(config)
compartments = identity.list_compartments(compartment_id=config["tenancy"]).data
results["pass" if len(compartments) > 0 else "fail"] += 1
print(f"Compartment isolation: {'PASS' if len(compartments) > 0 else 'FAIL'}")

print(f"\nResults: {results['pass']} passed, {results['fail']} failed")

Resources

OCI Security Best Practices — comprehensive security guidance
OCI Cloud Guard — threat detection and automated response
OCI Vulnerability Scanning — host and container scanning
OCI Vault (KMS) — customer-managed encryption keys
OCI CLI Reference — full command-line documentation
OCI Pricing — Cloud Guard and Vault pricing

Next Steps

After the checklist passes, review oraclecloud-observability to set up monitoring and alerting, or oraclecloud-incident-runbook to prepare your incident response process before going live.

oraclecloud-prod-checklist

More from this repository

More from this repository

Oracle Cloud Production Checklist

Overview

Prerequisites

Instructions

Step 1: Compartment Isolation Audit

Step 2: Backup Policy Verification

Step 3: Security List and NSG Audit

Step 4: API Key Rotation Check

Step 5: Boot Volume Encryption

Step 6: OS Management Agent Verification

Step 7: Cloud Guard Status

Step 8: Vulnerability Scanning

Output

Error Handling

Examples

Resources

Next Steps

Oracle Cloud Production Checklist

Overview

Prerequisites

Instructions

Step 1: Compartment Isolation Audit

Step 2: Backup Policy Verification

Step 3: Security List and NSG Audit

Step 4: API Key Rotation Check

Step 5: Boot Volume Encryption

Step 6: OS Management Agent Verification

Step 7: Cloud Guard Status

Step 8: Vulnerability Scanning

Output

Error Handling

Examples

Resources

Next Steps