Security Reviewer
Wire infrastructure and CI security scanning—Semgrep, Gitleaks, Trivy, Checkov, and cloud hardening—before you ship or operate cloud workloads.
Overview
Security Reviewer is an agent skill most often used in Ship (also Operate) that applies CI/CD, IaC, and cloud hardening patterns for infrastructure security review.
Install
npx skills add https://github.com/jeffallan/claude-skills --skill security-reviewerWhat is this skill?
- GitHub Actions security pipeline with Semgrep, Gitleaks, and Trivy filesystem scans at CRITICAL,HIGH
- IaC scanners: Checkov, tfsec, Terrascan, and Kubesec for manifests
- AWS hardening recipes: GuardDuty, Security Hub, CloudTrail, S3 ACL checks, IAM password policy
- Azure Security Center auto-provisioning and VM disk encryption commands
- Infrastructure-as-code and Kubernetes manifest scanning in one reviewer flow
- CI template chains 3 GitHub Actions security steps: Semgrep, Gitleaks, Trivy filesystem
- 4 IaC/manifest scanner families documented: Checkov, tfsec, Terrascan, Kubesec
- Trivy filesystem scan severity filter: CRITICAL,HIGH
Adoption & trust: 3.3k installs on skills.sh; 9.7k GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are about to ship or run cloud infra but lack a consolidated agent playbook for pipeline scanners, Terraform checks, and baseline AWS or Azure controls.
Who is it for?
Indie full-stack or platform builders self-hosting on AWS/Azure with Terraform or Kubernetes who need DevSecOps starters without hiring AppSec.
Skip if: Pure frontend-only apps with no IaC, or orgs that already mandate a centralized SOC2 tool stack that this skill would duplicate without integration.
When should I use this skill?
User needs infrastructure security review, DevSecOps CI pipelines, IaC scanning, or AWS/Azure hardening commands before or after deploy.
What do I get? / Deliverables
You leave with runnable pipeline snippets and scanner commands slotted into review or deploy gates so critical and high findings get addressed before merge or prod.
- CI/CD security pipeline YAML snippets
- Documented scanner command invocations for IaC and K8s
- Cloud hardening command checklist for AWS or Azure
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Ship is the canonical shelf because the skill centers on pre-release pipelines, IaC scanning, and cloud control baselines that block unsafe deploys. Security subphase fits DevSecOps YAML, secret leaks, container/filesystem severity gates, and Terraform/Kubernetes manifest review.
Where it fits
Drop the GitHub Actions security job template into a new monorepo before the first production deploy.
Run Checkov and tfsec on a terraform/ folder during PR review for a Fly or AWS migration.
Re-run S3 ACL and IAM password policy checks after a suspected bucket misconfiguration.
Enable GuardDuty and Security Hub detectors as part of post-incident hardening.
How it compares
Use this procedural security-reviewer skill for infra and pipeline baselines—not as a replacement for dedicated SAST vendors or runtime WAF products.
Common Questions / FAQ
Who is security-reviewer for?
Solo builders and small teams owning repos, Terraform, and cloud accounts who need agent-guided security scanning and hardening commands before release.
When should I use security-reviewer?
Use it in Ship when adding CI security jobs, scanning IaC pre-merge, and validating cloud baselines; and in Operate when re-auditing infra after incidents or policy changes.
Is security-reviewer safe to install?
The skill suggests powerful cloud and CI commands—review the Security Audits panel on this page and dry-run changes in non-prod with least-privilege credentials.
SKILL.md
READMESKILL.md - Security Reviewer
# Infrastructure Security ## DevSecOps Integration ### CI/CD Security Pipeline ```yaml # GitHub Actions - Security scanning name: Security Pipeline on: [push, pull_request] jobs: security: runs-on: ubuntu-latest steps: - uses: returntocorp/semgrep-action@v1 - uses: gitleaks/gitleaks-action@v2 - uses: aquasecurity/trivy-action@master with: scan-type: 'fs' severity: 'CRITICAL,HIGH' ``` ### Infrastructure as Code Security ```bash # Terraform/CloudFormation scanning checkov -d terraform/ --framework terraform tfsec terraform/ terrascan scan -d terraform/ # Kubernetes manifest scanning kubesec scan deployment.yaml ``` ## Cloud Security Controls ### AWS Security Hardening ```bash # Enable security services aws guardduty create-detector --enable aws securityhub enable-security-hub aws cloudtrail create-trail --name security-trail --s3-bucket-name logs # Check S3 bucket security aws s3api list-buckets --query "Buckets[].Name" | \ xargs -I {} aws s3api get-bucket-acl --bucket {} # IAM password policy aws iam update-account-password-policy \ --minimum-password-length 14 \ --require-symbols --require-numbers \ --require-uppercase-characters --require-lowercase-characters ``` ### Azure Security ```bash # Enable Security Center az security auto-provisioning-setting update --name default --auto-provision on # Enable disk encryption az vm encryption enable --resource-group myRG --name myVM --disk-encryption-keyvault myKV ``` ### GCP Security ```bash # Enable Security Command Center gcloud services enable securitycenter.googleapis.com # Enable VPC Flow Logs gcloud compute networks subnets update SUBNET --enable-flow-logs ``` ## Container Security ### Secure Dockerfile ```dockerfile FROM node:18-alpine RUN addgroup -g 1001 -S nodejs && adduser -S nodejs -u 1001 WORKDIR /app COPY --chown=nodejs:nodejs package*.json ./ RUN npm ci --only=production USER nodejs EXPOSE 3000 HEALTHCHECK --interval=30s CMD node healthcheck.js CMD ["node", "server.js"] ``` ### Kubernetes Security ```yaml # Pod Security Standards apiVersion: v1 kind: Pod metadata: name: secure-pod spec: securityContext: runAsNonRoot: true runAsUser: 1000 fsGroup: 2000 seccompProfile: type: RuntimeDefault containers: - name: app image: myapp:1.0 securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: drop: [ALL] resources: limits: memory: "128Mi" cpu: "500m" --- # Network Policy - Default deny apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-all spec: podSelector: {} policyTypes: - Ingress - Egress ``` ## Compliance Automation ### CIS Benchmark Scanning ```bash # Docker CIS benchmark docker run --net host --pid host --cap-add audit_control \ -v /var/lib:/var/lib -v /var/run/docker.sock:/var/run/docker.sock \ docker/docker-bench-security # Kubernetes CIS benchmark kube-bench run --targets master,node # Linux system hardening lynis audit system --quick ``` ### Compliance as Code (InSpec) ```ruby # controls/baseline.rb control 'ssh-hardening' do impact 1.0 title 'SSH Security Configuration' describe sshd_config do its('Protocol') { should eq '2' } its('PermitRootLogin') { should eq 'no' } its('PasswordAuthentication') { should eq 'no' } end end control 'encryption-at-rest' do impact 1.0 title 'S3 Encryption Enabled' describe aws_s3_bucket('my-bucket') do it { should have_default_encryption_enabled } end end ``` ## Secrets Management ### HashiCorp Vault ```bash # Initialize and configure vault operator init vault secrets enable -path=secret kv-v2 # Store secrets vault kv put secret/app/config api_key="secret123" # Dynamic database credentials vault secrets enable database vault write database/config/postgresql \ plugin_name=postgresql-database-plugin \ allowed_roles="app" \ connection