timequity/security-hardening
craft-coder/infra/security-hardening/SKILL.md
Infrastructure security, CIS benchmarks, and vulnerability scanning.
$ install --global
skillsauthnpx skillsauth add timequity/plugins security-hardeningInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 17, 2026, 8:22 AM4.4s1 file scanned
SKILL.md
- name:
- security-hardening
- description:
- Infrastructure security, CIS benchmarks, and vulnerability scanning.
Security Hardening
CIS Benchmarks
AWS
- Enable CloudTrail in all regions
- Enable VPC Flow Logs
- Disable root account access keys
- Enable MFA for root and IAM users
- Encrypt EBS volumes
Kubernetes
- Enable RBAC
- Use Network Policies
- Run as non-root
- Read-only root filesystem
- Resource limits
Pod Security
apiVersion: v1
kind: Pod
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
containers:
- name: app
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
Network Security
# Network Policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: api-policy
spec:
podSelector:
matchLabels:
app: api
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
ports:
- port: 8080
Secrets Management
# External Secrets Operator
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: app-secrets
spec:
refreshInterval: 1h
secretStoreRef:
name: aws-secrets-manager
kind: ClusterSecretStore
target:
name: app-secrets
data:
- secretKey: database-url
remoteRef:
key: prod/database
property: url
Scanning
# Container scanning
trivy image myapp:latest
# IaC scanning
tfsec .
checkov -d .
# Kubernetes scanning
kubesec scan pod.yaml
Related Skills
timequity/disaster-recovery
tools
VerifiedTrustedCommunity
Backup strategies, disaster recovery planning, and business continuity.
6SKILL.mdUpdated Apr 21, 2026
timequity/cost-optimization
devops
VerifiedTrustedCommunity
Cloud cost management, rightsizing, and FinOps practices.
6SKILL.mdUpdated Apr 21, 2026
timequity/ci-cd-pipelines
testing
VerifiedTrustedCommunity
CI/CD pipeline design with GitHub Actions, GitLab CI, and best practices.
6SKILL.mdUpdated Apr 21, 2026
timequity/idea-validation
development
VerifiedTrustedCommunity
Validate idea and create detailed PRD. Saves docs/PRD.md to project. Use when: user describes an app idea, wants to create something new. Triggers: "I want to build", "create app", "make website", "build MVP", "хочу создать", "сделать приложение".
6SKILL.mdUpdated Apr 21, 2026