ConfigSafe — Infrastructure Configuration Auditor
ConfigSafe scans infrastructure configuration files for security misconfigurations across Dockerfiles, docker-compose, Kubernetes manifests, Terraform, CI/CD pipelines, and web server configs. It uses regex-based pattern matching against 80+ misconfiguration patterns, lefthook for git hook integration, and produces markdown security reports with CIS benchmark mapping.
Commands
Free Tier (No license required)
configsafe scan [file|directory]
One-shot configuration security scan of files or directories.
How to execute:
bash "<SKILL_DIR>/scripts/configsafe.sh" scan [target]
What it does:
- Accepts a file path or directory (defaults to current directory)
- Auto-detects configuration types (Dockerfile, docker-compose, Kubernetes, Terraform, CI/CD, Nginx/Apache)
- Finds all config files matching known patterns
- Runs 80+ misconfiguration patterns against each file
- Calculates a security score (0-100) per file and overall
- Outputs findings with: file, line number, check ID, severity, description, recommendation
- Exit code 0 if secure (score >= 70), exit code 1 if issues found
- Free tier limited to 5 config files per scan
Example usage scenarios:
- "Scan my infrastructure configs for security issues" -> runs
configsafe scan . - "Check this Dockerfile for misconfigurations" -> runs
configsafe scan Dockerfile - "Audit my Kubernetes manifests" -> runs
configsafe scan k8s/ - "Is my Terraform config secure?" -> runs
configsafe scan terraform/
Pro Tier ($19/user/month -- requires CONFIGSAFE_LICENSE_KEY)
configsafe hooks install
Install git pre-commit hooks that scan staged config files before every commit.
How to execute:
bash "<SKILL_DIR>/scripts/configsafe.sh" hooks install
What it does:
- Validates Pro+ license
- Copies lefthook config to project root
- Installs lefthook pre-commit hook
- On every commit: scans all staged config files for misconfigurations, blocks commit if critical/high findings, shows remediation advice
configsafe hooks uninstall
Remove ConfigSafe git hooks.
bash "<SKILL_DIR>/scripts/configsafe.sh" hooks uninstall
configsafe report [directory]
Generate a markdown security report with findings, severity breakdown, and remediation steps.
bash "<SKILL_DIR>/scripts/configsafe.sh" report [directory]
What it does:
- Validates Pro+ license
- Runs full scan of the directory
- Generates a formatted markdown report from template
- Includes per-file breakdowns, security scores, CIS benchmark references
- Output suitable for security reviews and compliance audits
configsafe benchmark [directory]
Run CIS benchmark checks against infrastructure configurations.
bash "<SKILL_DIR>/scripts/configsafe.sh" benchmark [directory]
What it does:
- Validates Pro+ license
- Maps findings to CIS Docker Benchmark, CIS Kubernetes Benchmark, and CIS AWS Foundations
- Reports pass/fail status for each benchmark check
- Outputs overall compliance percentage
Team Tier ($39/user/month -- requires CONFIGSAFE_LICENSE_KEY with team tier)
configsafe policy [directory]
Enforce organization-specific security policies on infrastructure configurations.
bash "<SKILL_DIR>/scripts/configsafe.sh" policy [directory]
What it does:
- Validates Team+ license
- Loads custom policies from ~/.openclaw/openclaw.json (configsafe.config.customPolicies)
- Enforces organization-specific rules (e.g., required labels, forbidden images, mandatory resource limits)
- Combines custom policies with built-in patterns for comprehensive scanning
- Outputs SARIF-compatible results
configsafe compliance [directory]
Generate a full compliance report covering CIS and NIST frameworks.
bash "<SKILL_DIR>/scripts/configsafe.sh" compliance [directory]
What it does:
- Validates Team+ license
- Runs full scan with all patterns
- Maps findings to CIS Docker Benchmark, CIS Kubernetes Benchmark, CIS AWS Foundations, and NIST 800-190
- Generates comprehensive compliance report with pass/fail per control
- Includes executive summary, detailed findings, and remediation roadmap
configsafe status
Show license and configuration information.
bash "<SKILL_DIR>/scripts/configsafe.sh" status
Detected Misconfigurations
ConfigSafe detects 80+ misconfiguration patterns across 6 config types:
| Category | Examples | Severity |
|---|---|---|
| Dockerfile | Running as root, latest tag, ADD vs COPY, exposed sensitive ports, missing health checks, secrets in ENV, curl pipe bash, chmod 777, missing multi-stage builds | Critical/High |
| docker-compose | privileged: true, host network, Docker socket mount, missing resource limits, plaintext secrets, unbound ports, missing restart policy | Critical/High |
| Kubernetes | Running as root, privileged containers, missing security context, missing resource limits, hostPath volumes, default namespace, missing probes, allowPrivilegeEscalation | Critical/High |
| Terraform | Hardcoded credentials, missing encryption, public S3 buckets, open security groups (0.0.0.0/0), missing logging, overly permissive IAM, default VPC | Critical/High |
| CI/CD Pipelines | Plaintext secrets, PR trigger with write perms, unpinned actions, missing timeout, unrestricted self-hosted runners, artifact upload without expiry | High/Medium |
| Nginx/Apache | Missing security headers, server tokens enabled, SSL/TLS misconfig, open proxy, missing rate limiting, directory listing enabled | Medium/High |
Configuration
Users can configure ConfigSafe in ~/.openclaw/openclaw.json:
{
"skills": {
"entries": {
"configsafe": {
"enabled": true,
"apiKey": "YOUR_LICENSE_KEY_HERE",
"config": {
"severityThreshold": "high",
"customPolicies": [],
"excludePatterns": ["**/test/**", "**/examples/**"],
"reportFormat": "markdown"
}
}
}
}
}
Important Notes
- Free tier works immediately with no configuration
- All scanning happens locally -- no code or configs are sent to external servers
- License validation is offline -- no phone-home or network calls
- Pattern matching only -- no AST parsing, no external dependencies
- Supports scanning multiple config types in a single pass
- Git hooks use lefthook which must be installed (see install metadata above)
- Exit codes: 0 = secure (score >= 70), 1 = issues found (for CI/CD integration)
Error Handling
- If lefthook is not installed and user tries
hooks install, prompt to install it - If license key is invalid or expired, show clear message with link to https://configsafe.pages.dev/renew
- If a file is binary, skip it automatically with no warning
- If no config files found in target, report clean scan with info message
- If config type cannot be determined, skip the file gracefully
When to Use ConfigSafe
The user might say things like:
- "Scan my Dockerfile for security issues"
- "Check my Kubernetes manifests for misconfigurations"
- "Audit my Terraform configs"
- "Is my docker-compose file secure?"
- "Check my CI/CD pipeline for security problems"
- "Generate a security report for my infrastructure"
- "Run CIS benchmark checks"
- "Set up pre-commit hooks for config scanning"
- "Check if my containers are running as root"
- "Scan for open security groups in Terraform"
- "Are there any hardcoded secrets in my configs?"
- "Check my nginx config for security headers"