返回 Skill 列表
extension
分类: 开发与工程无需 API Key

infra-security-review

用于审查基础设施即代码的安全模式和检查清单。涵盖Terraform/OpenTofu状态、密钥、网络、计算、数据库和存储安全。

person作者: jakexiaohubgithub

Infrastructure Security Review Patterns

Security checklists and grep patterns for reviewing IaC code. Use these patterns when verifying infrastructure security.

Security Checklists

State Backend Security

| Check | Severity | Pattern | |-------|----------|---------| | S3 bucket without encryption | Critical | encrypt = false or missing | | Missing state locking | High | No DynamoDB table configured | | Public bucket policy | Critical | block_public_* not all true | | Missing versioning | Medium | versioning not enabled |

Secret Exposure

| Check | Severity | Pattern | |-------|----------|---------| | Hardcoded AWS keys | Critical | AKIA[0-9A-Z]{16} | | Hardcoded passwords | Critical | password\s*=\s*"[^"]+[^}]" | | Database credentials in code | Critical | DATABASE_URL with password | | API keys in variables | High | api_key, secret_key defaults |

Network Security

| Check | Severity | Pattern | |-------|----------|---------| | SSH open to world | Critical | 0.0.0.0/0 on port 22 | | Database publicly accessible | Critical | Missing private_network_uuid | | Wide CIDR ranges | Medium | /8, /16 on public resources | | Missing firewall | High | Droplet without firewall resource |

Compute Security

| Check | Severity | Pattern | |-------|----------|---------| | Root login enabled | High | PermitRootLogin yes in cloud-init | | Password auth enabled | Medium | PasswordAuthentication yes | | Missing SSH hardening | Low | No ClientAliveInterval config | | No monitoring | Low | monitoring = false |

Database Security

| Check | Severity | Pattern | |-------|----------|---------| | Public database access | Critical | No database firewall rules | | No VPC attachment | High | Missing private_network_uuid | | Weak version | Medium | Old database engine versions | | Single node for production | Low | node_count = 1 in prod |

Storage Security

| Check | Severity | Pattern | |-------|----------|---------| | Public S3 buckets | Critical | acl = "public-read" | | Missing encryption | High | No SSE configuration | | No access logging | Medium | Missing access log bucket |

Grep Patterns

# Hardcoded secrets
grep -rE 'AKIA[0-9A-Z]{16}' *.tf
grep -rE 'password\s*=\s*"[^$\{][^"]*"' *.tf
grep -rE 'secret.*=\s*"[^$\{][^"]*"' *.tf
grep -rE 'api_key\s*=\s*"' *.tf

# Network exposure
grep -rE '0\.0\.0\.0/0.*22' *.tf
grep -rE 'cidr_blocks.*0\.0\.0\.0/0' *.tf
grep -rE 'publicly_accessible\s*=\s*true' *.tf

# State security
grep -rE 'encrypt\s*=\s*false' *.tf
grep -rE 'block_public_acls\s*=\s*false' *.tf

# Cloud-init issues
grep -rE 'PermitRootLogin\s+yes' *.tf *.yaml
grep -rE 'PasswordAuthentication\s+yes' *.tf *.yaml

Report Template

# Infrastructure Security Review

**Repository:** [name]
**Date:** [date]
**Files Reviewed:** [count]

## Summary

| Severity | Count |
|----------|-------|
| Critical | X |
| High | X |
| Medium | X |
| Low | X |

## Findings

### [SEVERITY-001] Title

**File:** `path/to/file.tf:line`
**Resource:** `resource_type.name`

**Issue:**
Description of the security issue.

**Current:**
```hcl
[current code]

Remediation:

[fixed code]

Compliance Notes

  • [ ] State encryption enabled (SOC 2)
  • [ ] No hardcoded credentials (PCI-DSS)
  • [ ] Network segmentation in place (HIPAA)
  • [ ] Access logging enabled (all frameworks)

## Severity Guide

| Severity | Definition | Action |
|----------|------------|--------|
| Critical | Direct security exposure, data breach risk | Block deployment |
| High | Significant risk, exploitable weakness | Fix before production |
| Medium | Best practice violation, indirect risk | Fix within 30 days |
| Low | Minor hardening opportunity | Address when convenient |