timequity/security-hardening
skills/infra/security-hardening/SKILL.md
Infrastructure security, CIS benchmarks, and vulnerability scanning.
testing
Updated Apr 17, 2026
$ install --global
skillsauthnpx skillsauth add timequity/vibe-coder security-hardeningInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 17, 2026, 8:22 AM4.4s1 file scanned
SKILL.md
- name:
- security-hardening
- description:
- Infrastructure security, CIS benchmarks, and vulnerability scanning.
Security Hardening
CIS Benchmarks
AWS
- Enable CloudTrail in all regions
- Enable VPC Flow Logs
- Disable root account access keys
- Enable MFA for root and IAM users
- Encrypt EBS volumes
Kubernetes
- Enable RBAC
- Use Network Policies
- Run as non-root
- Read-only root filesystem
- Resource limits
Pod Security
apiVersion: v1
kind: Pod
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
containers:
- name: app
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
Network Security
# Network Policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: api-policy
spec:
podSelector:
matchLabels:
app: api
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
ports:
- port: 8080
Secrets Management
# External Secrets Operator
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: app-secrets
spec:
refreshInterval: 1h
secretStoreRef:
name: aws-secrets-manager
kind: ClusterSecretStore
target:
name: app-secrets
data:
- secretKey: database-url
remoteRef:
key: prod/database
property: url
Scanning
# Container scanning
trivy image myapp:latest
# IaC scanning
tfsec .
checkov -d .
# Kubernetes scanning
kubesec scan pod.yaml
Related Skills
timequity/verification-gate
development
VerifiedTrustedCommunity
Hidden quality gate that runs before showing "Done!" to user - ensures all tests pass, build succeeds, and requirements met before claiming completion
SKILL.mdUpdated Apr 17, 2026
timequity/verification-before-completion
data-ai
VerifiedTrustedCommunity
Use when about to claim work is complete or fixed - requires running verification commands and confirming output before making any success claims
SKILL.mdUpdated Apr 17, 2026
timequity/ui-generator
tools
VerifiedTrustedCommunity
Generate UI components from natural language descriptions. Use when: user asks for a page, component, or UI element. Triggers: "create page", "add component", "show form", "make button", "страница", "компонент", "форма".
SKILL.mdUpdated Apr 17, 2026
timequity/theme-factory
content-media
VerifiedTrustedCommunity
10 ready-to-use themes with colors and fonts for consistent styling. Use when: applying visual themes to pages, components, or design systems. Triggers: "theme", "color palette", "color scheme", "fonts", "branding", "visual identity", "design system colors".
SKILL.mdUpdated Apr 17, 2026