markus41/k8s-image-audit
.claude/skills/k8s-image-audit/SKILL.md
Audit K8s deployments for stale images, wrong pull policies, and volume issues. Use when debugging Helm deploy or image caching problems.
$ install --global
skillsauthnpx skillsauth add markus41/claude k8s-image-auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 7, 2026, 2:11 AM22.3s1 file scanned
SKILL.md
- name:
- k8s-image-audit
- description:
- Audit K8s deployments for stale images, wrong pull policies, and volume issues. Use when debugging Helm deploy or image caching problems.
- disable-model-invocation:
- true
K8s Image & Deployment Audit
Audit the K8s cluster for image and deployment issues: $ARGUMENTS
Checks to Perform
1. Image Freshness
# List all running images with their pull policies
kubectl get pods -n <namespace> -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{range .spec.containers[*]}{.image}{"\t"}{.imagePullPolicy}{"\n"}{end}{end}'
# Check image creation dates
for pod in $(kubectl get pods -n <namespace> -o name); do
IMAGE=$(kubectl get $pod -n <namespace> -o jsonpath='{.spec.containers[0].image}')
echo "$pod -> $IMAGE"
done
2. Caching Risk Detection
# Find pods using :latest with IfNotPresent (BAD)
kubectl get pods -n <namespace> -o json | jq -r '.items[] | .spec.containers[] | select(.imagePullPolicy == "IfNotPresent" and (.image | endswith(":latest"))) | "\(.name): \(.image) - CACHING RISK"'
# Find pods without explicit imagePullPolicy
kubectl get pods -n <namespace> -o json | jq -r '.items[] | .spec.containers[] | select(.imagePullPolicy == null) | "\(.name): \(.image) - NO PULL POLICY SET"'
3. Helm Release Verification
# List releases with their chart versions and app versions
helm list -n <namespace> -o json | jq -r '.[] | "\(.name)\t\(.chart)\t\(.app_version)\t\(.status)\t\(.updated)"'
# Get the actual image from a helm release
helm get values <release> -n <namespace> -o json | jq '.image'
4. Volume Health
# Check PV/PVC status
kubectl get pv,pvc -n <namespace>
# Find orphaned PVCs
kubectl get pvc -n <namespace> -o json | jq -r '.items[] | select(.status.phase != "Bound") | .metadata.name'
5. Build vs Deploy Cross-Reference
- Check
.claude/logs/docker-builds.jsonlfor the last build timestamp - Compare with the running image's creation timestamp
- Flag if the deploy is older than the latest build
Output
- List of all running images with their tags and pull policies
- Flagged caching risks
- Stale image detections
- Volume health status
- Specific remediation steps for each issue found
Related Skills
markus41/writing-plans-enhanced
development
VerifiedTrustedCommunity
Enhanced plan-authoring skill with Pre-Writing context gathering, task metadata, non-TDD templates, Red Flags, telemetry, and an automated plan linter. Use when you have a spec or requirements for a multi-step task, before touching code.
13SKILL.mdUpdated Apr 25, 2026
markus41/plugins/scrapin-aint-easy
tools
VerifiedTrustedCommunity
Documentation intelligence engine with graph-based API docs, algorithm library, and drift detection
13SKILL.mdUpdated Apr 17, 2026
markus41/ultraplan
tools
VerifiedTrustedCommunity
Ultraplan cloud planning — kick off a plan in the cloud from your terminal, review and revise in the browser, then execute remotely or send back to CLI
13SKILL.mdUpdated Apr 17, 2026
markus41/plugins/claude-code-expert/skills/mcp
tools
VerifiedTrustedCommunity
--- name: mcp description: Configure MCP servers for Claude Code — stdio vs HTTP, authentication, Tools/Resources/Prompts distinction, channels (CI webhook, mobile relay, Discord bridge, fakechat), and cost of always-loaded tools. Use this skill whenever adding an MCP server, debugging connection issues, choosing between MCP Tools vs Prompts vs Resources, installing channel servers, or managing .mcp.json. Triggers on: "MCP server", "mcp config", "add Obsidian MCP", "install context7", "channels"
13SKILL.mdUpdated Apr 17, 2026