mesh-security

Analyze Istio, Consul, and Linkerd service mesh configurations for security vulnerabilities with NIST 800-53 control mappings. Use when users need to audit mesh security, identify misconfigurations, check mTLS settings, review ACL policies, or prepare for FedRAMP assessments. Triggers on keywords like "mesh config", "istio security", "consul ACL", "linkerd policy", "service mesh audit", or "NIST compliance".

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "mesh-security" with this command: npx skills add ethanolivertroy/security-agent-skills/ethanolivertroy-security-agent-skills-mesh-security

Service Mesh Security Analyzer

Comprehensive security analysis for Istio, Consul, and Linkerd service mesh configurations with NIST 800-53 Rev 5 control mappings.

Quick Start

Analyze a Configuration File

# Run the analyzer wrapper directly
node ~/.claude/skills/mesh-security/lib/analyzer-wrapper.js <config-file>

# Examples
node ~/.claude/skills/mesh-security/lib/analyzer-wrapper.js ./istio-meshconfig.yaml
node ~/.claude/skills/mesh-security/lib/analyzer-wrapper.js ./consul-config.json
node ~/.claude/skills/mesh-security/lib/analyzer-wrapper.js ./linkerd-config.yaml --json

Sample Configurations

Test configs are available in the samples/ directory:

  • Istio: samples/sample-meshconfig.yaml
  • Consul: samples/sample-consul-config.json
  • Linkerd: samples/sample-linkerd-config.yaml

Supported Mesh Types

Istio

Auto-detection: Files with kind: MeshConfig and apiVersion containing istio.io

Security Checks:

| Category | What It Checks |
|----------|----------------|
| mTLS | Enabled status, STRICT mode enforcement |
| Certificates | CA provider, certificate validity duration (90 days recommended) |
| Peer Authentication | Mesh-wide default PeerAuthentication present, STRICT mode |
| Proxy Config | Privileged mode, image versioning, holdApplicationUntilProxyStarts |
| Secret Discovery | SDS enabled for certificate management |
| Trust Domain | Explicitly configured, not the default cluster.local |
| Authorization | Default-deny AuthorizationPolicy |
| Telemetry | Collection enabled, access logging |
| RBAC | Role-based access control enforcement |
| Traffic Policy | Outbound traffic restricted to REGISTRY_ONLY |
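The following is an added example, not the skill's own analyzer-wrapper.js, showing how a handful of the Istio checks above can be expressed as rules over a MeshConfig object plus the mesh-wide PeerAuthentication, run against a constructed weak configuration and a constructed hardened one. Field names follow Istio's MeshConfig and PeerAuthentication schemas; the check ids, severities and NIST labels are assumptions chosen for the example, not the skill's actual mapping.

```javascript
// Illustrative Istio checker (added example; not the skill's analyzer code).
// Field names follow Istio's MeshConfig / PeerAuthentication schemas; the
// ids, severities and NIST controls below are assumptions for this example.

const ISTIO_DEFAULT_TRUST_DOMAIN = 'cluster.local';

// Each check receives the MeshConfig object and the mesh-wide PeerAuthentication
// and returns an issue string, or null when the configuration passes.
const ISTIO_CHECKS = [
  {
    id: 'mtls-strict', severity: 'critical', nist: ['SC-8', 'SC-13'], location: 'spec.mtls.mode',
    run: (mesh, peerAuth) => {
      const mode = peerAuth && peerAuth.spec && peerAuth.spec.mtls && peerAuth.spec.mtls.mode;
      return mode === 'STRICT' ? null : `Mesh-wide PeerAuthentication mTLS mode is ${mode || 'unset'}, not STRICT`;
    },
  },
  {
    id: 'trust-domain', severity: 'medium', nist: ['CA-3', 'IA-2'], location: 'trustDomain',
    run: (mesh) => (mesh.trustDomain && mesh.trustDomain !== ISTIO_DEFAULT_TRUST_DOMAIN)
      ? null : `trustDomain is unset or the default "${ISTIO_DEFAULT_TRUST_DOMAIN}"`,
  },
  {
    id: 'outbound-registry-only', severity: 'high', nist: ['AC-4', 'CM-7', 'SC-7'], location: 'outboundTrafficPolicy.mode',
    run: (mesh) => (mesh.outboundTrafficPolicy && mesh.outboundTrafficPolicy.mode === 'REGISTRY_ONLY')
      ? null : 'outboundTrafficPolicy.mode is not REGISTRY_ONLY, so sidecars may reach hosts outside the registry',
  },
  {
    id: 'hold-app-until-proxy', severity: 'low', nist: ['CM-2'], location: 'defaultConfig.holdApplicationUntilProxyStarts',
    run: (mesh) => (mesh.defaultConfig && mesh.defaultConfig.holdApplicationUntilProxyStarts === true)
      ? null : 'holdApplicationUntilProxyStarts is off: app containers may start sending traffic before the sidecar is ready',
  },
  {
    id: 'access-logging', severity: 'medium', nist: ['AU-2', 'SI-4'], location: 'accessLogFile',
    run: (mesh) => (mesh.accessLogFile ? null : 'accessLogFile is empty, so Envoy access logging is disabled'),
  },
];

function analyzeIstio(mesh, peerAuth) {
  const findings = [];
  for (const check of ISTIO_CHECKS) {
    const issue = check.run(mesh, peerAuth);
    if (issue) findings.push({ id: check.id, severity: check.severity, location: check.location, nist: check.nist, issue });
  }
  return findings;
}

// Same shape as the skill's JSON summary block.
function summarize(findings) {
  const summary = { critical: 0, high: 0, medium: 0, low: 0, total: findings.length };
  for (const f of findings) summary[f.severity] += 1;
  return summary;
}

// Constructed weak configuration: defaults left in place, PERMISSIVE mTLS.
const WEAK_MESH = { trustDomain: 'cluster.local', outboundTrafficPolicy: { mode: 'ALLOW_ANY' }, defaultConfig: {} };
const WEAK_PEER_AUTH = {
  apiVersion: 'security.istio.io/v1', kind: 'PeerAuthentication',
  metadata: { name: 'default', namespace: 'istio-system' },
  spec: { mtls: { mode: 'PERMISSIVE' } },
};

// Constructed hardened configuration (trust domain name is a placeholder).
const HARDENED_MESH = {
  trustDomain: 'prod.example.internal',
  outboundTrafficPolicy: { mode: 'REGISTRY_ONLY' },
  accessLogFile: '/dev/stdout',
  defaultConfig: { holdApplicationUntilProxyStarts: true },
};
const HARDENED_PEER_AUTH = { ...WEAK_PEER_AUTH, spec: { mtls: { mode: 'STRICT' } } };

const weakFindings = analyzeIstio(WEAK_MESH, WEAK_PEER_AUTH);
console.log(JSON.stringify({ success: true, meshType: 'istio', findings: weakFindings, summary: summarize(weakFindings) }, null, 2));
```

Running the block prints five findings for the weak configuration (one critical, one high, two medium, one low) and none for the hardened one; the severity totals come out in the same `summary` shape the skill emits with `--json`.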

Consul

Auto-detection: Files with mesh_type: "consul" or containing connect, tls, and acl fields

Security Checks:

| Category | What It Checks |
|----------|----------------|
| Service Mesh | Connect enabled |
| Proxy Security | No privileged mode |
| TLS Security | verify_incoming, verify_outgoing, hostname verification |
| Access Control | ACL enabled, default deny policy, agent tokens |
| Telemetry | Service metrics enabled |
| Auto-Encryption | TLS auto-encrypt feature |
| Gossip Encryption | Key configured, proper length, verification |
| FedRAMP Compliance | TLS 1.2+, FIPS ciphers, strong encryption |
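As an added example (again not the skill's own analyzer), the Consul checks above can be run over an agent configuration supplied as JSON text. The checker reads both the legacy top-level `verify_*` keys and the newer `tls.defaults` / `tls.internal_rpc` block, decodes the `encrypt` gossip key to verify its length, and requires a TLS 1.2+ floor. Key names follow Consul's agent configuration reference; the severities and NIST labels are assumptions for the example, and the gossip keys in the samples are all-zero placeholders constructed for the demo.

```javascript
// Illustrative Consul checker (added example; not the skill's analyzer code).
// Config key names follow Consul's agent configuration reference; severities
// and NIST controls here are assumptions for this example.

const CONSUL_NIST = {
  connect: ['SC-7', 'AC-17'],
  acl: ['AC-3'],
  tls: ['SC-8', 'SC-13', 'AC-17'],
  gossip: ['SC-8', 'SC-12'],
  telemetry: ['AU-2', 'SI-4'],
};

// Newer agents nest TLS under tls.defaults / tls.internal_rpc; older configs use
// top-level verify_* keys. Read both so either layout is analyzed.
function tlsSettings(cfg) {
  const d = (cfg.tls && cfg.tls.defaults) || {};
  const rpc = (cfg.tls && cfg.tls.internal_rpc) || {};
  return {
    verifyIncoming: d.verify_incoming ?? cfg.verify_incoming ?? false,
    verifyOutgoing: d.verify_outgoing ?? cfg.verify_outgoing ?? false,
    verifyServerHostname: rpc.verify_server_hostname ?? cfg.verify_server_hostname ?? false,
    minVersion: String(d.tls_min_version ?? cfg.tls_min_version ?? ''),
  };
}

// Gossip keys are base64; Serf accepts 16-, 24- or 32-byte keys (AES-128/192/256).
function gossipKeyLength(encoded) {
  if (typeof encoded !== 'string' || !encoded) return 0;
  return Buffer.from(encoded, 'base64').length;
}

function analyzeConsul(jsonText) {
  const cfg = JSON.parse(jsonText);
  const findings = [];
  const add = (severity, category, location, issue) =>
    findings.push({ severity, category, location, issue, nist: CONSUL_NIST[category] });

  if (!(cfg.connect && cfg.connect.enabled === true)) add('high', 'connect', 'connect.enabled', 'Connect service mesh is not enabled');

  const acl = cfg.acl || {};
  if (acl.enabled !== true) add('critical', 'acl', 'acl.enabled', 'ACL system is disabled');
  else if (acl.default_policy !== 'deny') add('high', 'acl', 'acl.default_policy', 'ACL default policy is not "deny"');
  if (!(acl.tokens && acl.tokens.agent)) add('medium', 'acl', 'acl.tokens.agent', 'No agent token configured');

  const tls = tlsSettings(cfg);
  if (!tls.verifyIncoming || !tls.verifyOutgoing) add('critical', 'tls', 'tls.defaults.verify_incoming/verify_outgoing', 'Mutual TLS is not enforced for both incoming and outgoing connections');
  if (!tls.verifyServerHostname) add('high', 'tls', 'tls.internal_rpc.verify_server_hostname', 'Server hostname verification is disabled');
  if (!/^(TLSv1_2|TLSv1_3|tls12|tls13)$/.test(tls.minVersion)) add('high', 'tls', 'tls.defaults.tls_min_version', `Minimum TLS version "${tls.minVersion || '(unset)'}" is below TLS 1.2`);

  const keyLen = gossipKeyLength(cfg.encrypt);
  if (keyLen === 0) add('critical', 'gossip', 'encrypt', 'Gossip encryption key is missing');
  else if (![16, 24, 32].includes(keyLen)) add('critical', 'gossip', 'encrypt', `Gossip key decodes to ${keyLen} bytes, not 16/24/32`);
  else if (keyLen < 32) add('medium', 'gossip', 'encrypt', `Gossip key is ${keyLen * 8}-bit; prefer a 32-byte (AES-256) key`);
  if (cfg.encrypt_verify_incoming === false || cfg.encrypt_verify_outgoing === false) add('medium', 'gossip', 'encrypt_verify_incoming/outgoing', 'Gossip encryption verification is disabled');

  if (!(cfg.telemetry && cfg.telemetry.prometheus_retention_time)) add('medium', 'telemetry', 'telemetry.prometheus_retention_time', 'Prometheus metrics export is not configured');

  return findings;
}

// Constructed weak sample: legacy TLS keys, permissive ACLs, 16-byte all-zero key.
const WEAK_CONSUL = JSON.stringify({
  connect: { enabled: true },
  acl: { enabled: true, default_policy: 'allow' },
  verify_incoming: false, verify_outgoing: true, verify_server_hostname: false,
  encrypt: 'A'.repeat(22) + '==',
});

// Constructed hardened sample: tls.defaults layout, TLS 1.3 floor, 32-byte all-zero key.
const HARDENED_CONSUL = JSON.stringify({
  connect: { enabled: true },
  acl: { enabled: true, default_policy: 'deny', tokens: { agent: '00000000-0000-0000-0000-000000000000' } },
  tls: { defaults: { verify_incoming: true, verify_outgoing: true, tls_min_version: 'TLSv1_3' }, internal_rpc: { verify_server_hostname: true } },
  encrypt: 'A'.repeat(43) + '=',
  encrypt_verify_incoming: true, encrypt_verify_outgoing: true,
  telemetry: { prometheus_retention_time: '60s' },
});

console.log(JSON.stringify(analyzeConsul(WEAK_CONSUL), null, 2));
```

The weak sample yields seven findings (one critical for the missing verify_incoming, three high, three medium); the hardened sample yields none. Decoding the key rather than checking its string length matters because a 44-character base64 string is the only form that actually carries 32 bytes.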

Linkerd

Auto-detection: Files with mesh_type: "linkerd" or containing identity, proxy, and policy fields

Security Checks:

| Category | What It Checks |
|----------|----------------|
| TLS Security | Enabled, enforced, cipher suites, minimum version 1.2 |
| Service Identity | Enabled, certificate issuer, validity period |
| Proxy Config | Non-privileged, versioning, timeouts, resource limits |
| Authorization | Policy enforcement, default deny, specific rules |
| Authentication | Strict mode enforcement |
| Observability | Tracing enabled, sampling, collector config |
| Metrics | Enabled, Prometheus integration, retention |
| Traffic Rules | TLS in destination rules, system namespace protection |

Severity Levels

| Level | Meaning | Example Issues |
|-------|---------|----------------|
| Critical | Immediate security risk | RBAC/ACL disabled, mTLS not enforced, gossip encryption missing |
| High | Significant vulnerability | Permissive auth modes, privileged containers, missing hostname verification |
| Medium | Security weakness | Default trust domains, long certificate validity, missing telemetry |
| Low | Best-practice violation | Non-pinned images, missing timeouts, default CA providers |

NIST 800-53 Control Mappings

Findings are mapped to the following NIST 800-53 Rev 5 controls (titles as published in Rev 5; AU-2, AU-12, CA-3 and SC-12 were renamed from their Rev 4 titles):

| Control | Title | Relevant Checks |
|---------|-------|-----------------|
| AC-3 | Access Enforcement | RBAC, ACL, Authorization policies |
| AC-4 | Information Flow Enforcement | Outbound traffic policy, Policy enforcement |
| AC-17 | Remote Access | mTLS, TLS configuration |
| AU-2 | Event Logging | Telemetry, Access logging |
| AU-3 | Content of Audit Records | Logging configuration |
| AU-12 | Audit Record Generation | Metrics, Tracing |
| CA-3 | Information Exchange | Trust domain, Peer authentication |
| CM-2 | Baseline Configuration | Proxy config, Default settings |
| CM-6 | Configuration Settings | Security hardening |
| CM-7 | Least Functionality | Privileged mode, Outbound restrictions |
| IA-2 | Identification and Authentication (Organizational Users) | Service identity, Authentication |
| IA-5 | Authenticator Management | Certificate management, SDS |
| SC-7 | Boundary Protection | Traffic policy, Network segmentation |
| SC-8 | Transmission Confidentiality and Integrity | mTLS, TLS settings |
| SC-12 | Cryptographic Key Establishment and Management | Certificate validity, CA settings |
| SC-13 | Cryptographic Protection | Cipher suites, TLS versions |
| SC-23 | Session Authenticity | Peer authentication, Trust chain |
| SI-4 | System Monitoring | Telemetry, Metrics, Tracing |

Workflow: Analyze a Mesh Configuration

  1. Read the configuration file to understand its structure
  2. Run the analyzer using the wrapper script
  3. Review findings by severity (Critical first)
  4. Check NIST mappings for compliance requirements
  5. Generate remediation recommendations if needed

Example Analysis Session

User: Analyze my Istio mesh configuration at ./istio-config.yaml

Steps:
1. Read the file to understand the mesh configuration
2. Run: node ~/.claude/skills/mesh-security/lib/analyzer-wrapper.js ./istio-config.yaml
3. Present findings grouped by severity
4. Highlight critical/high severity issues first
5. Include NIST control mappings for compliance context
6. Offer to generate fixes or compliance report

Output Format

Markdown (Default)

## Security Analysis Results

**Mesh Type:** Istio
**File:** ./istio-config.yaml
**Total Findings:** 5

| Severity | Count |
|----------|-------|
| Critical | 1     |
| High     | 2     |
| Medium   | 2     |
| Low      | 0     |

### Critical Findings

#### 1. mTLS Configuration
**Issue:** mTLS is not set to STRICT mode
**Location:** `spec.mtls.mode`
**Recommendation:** Set mTLS mode to STRICT to enforce mutual TLS
**NIST Controls:** SC-8, SC-13

JSON (--json flag)

{
  "success": true,
  "meshType": "istio",
  "findings": [...],
  "summary": { "critical": 1, "high": 2, "medium": 2, "low": 0, "total": 5 }
}

Related Skills

  • mesh-remediation - Generate and apply security fixes
  • mesh-compliance-reporter - Generate FedRAMP/NIST compliance reports

Programmatic Usage

const os = require('os');
const path = require('path');

// require() does not expand "~", so build the absolute path to the wrapper explicitly
const { analyzeConfig, formatFindings } = require(
  path.join(os.homedir(), '.claude', 'skills', 'mesh-security', 'lib', 'analyzer-wrapper.js')
);

// Analyze a config file (mesh type is auto-detected from its contents)
const results = analyzeConfig('./istio-config.yaml');
console.log(formatFindings(results));

// Or specify the mesh type explicitly when auto-detection is not possible
const consulResults = analyzeConfig('./config.json', 'consul');
console.log(formatFindings(consulResults));

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
