Domain 09 / 12

Infrastructure & Cloud security audit

Harden containers, Kubernetes, cloud accounts and networks against escape, escalation and exposure.

  • 92 checks
  • Docker · K8s · Linux · Windows · AD · AWS · Azure · GCP · Network · IoT

Run the audit See example checks

What securmyapp checks

Inside the Infrastructure & Cloud domain

This is the Infrastructure & Cloud domain of securmyapp — the free, open-source, 100% defensive security auditor for Claude Code that runs 598 checks across 12 domains. The Infrastructure & Cloud domain is the largest in securmyapp, with 92 checks aligned to CIS Benchmarks and NIST. It hardens Docker (non-root, dropped capabilities, no privileged containers, no docker.sock mounts), Kubernetes (RBAC, Pod Security Standards, API-server and etcd security), and cloud accounts on AWS, Azure and GCP — plus Linux/Windows hosts, Active Directory, networking and IoT.

Coverage areas

92 atomic checks span these sub-domains.

  • Docker

    Non-root, minimal images, dropped capabilities, no privileged or socket mounts.

  • Kubernetes

    Least-privilege RBAC, Pod Security Standards, API-server & etcd hardening.

  • Cloud (AWS/Azure/GCP)

    IAM least privilege, storage exposure, logging and encryption.

  • Hosts

    Linux and Windows configuration hardening.

  • Active Directory

    AD tiering and privilege-path hardening.

  • Network & IoT

    Segmentation, VPN, Wi-Fi and IoT device security.

Example checks

A sample of the real checks run in this domain — each mapped to a standard and a fix.

Example Infrastructure & Cloud security checks with severity, what they detect, and their standard reference.
CheckSeverityDetectsReference
Securing the K8s API serverCriticalExposed API server, insecure ports and anonymous auth.CIS K8s 1.2 · NIST AC-17
Non-root containersHighContainers running as root, enabling host escalation.CIS Docker · NIST CM-6
Container capabilities and privilegesHigh--privileged containers and undropped capabilities.CIS Docker · NIST CM-7
Sensitive mounts prohibitedHighdocker.sock or host / mounted into a container (host takeover).CIS Docker · CWE-284
Kubernetes RBAC (least privilege)HighPermissive roles and broad cluster-admin bindings.CIS K8s 5.1 · NIST AC-6
Image vulnerability scanningHighVulnerable images shipped without scanning.CIS Docker · A06:2021

Vulnerabilities we catch

  • Root, privileged and capability-rich containers
  • docker.sock and host filesystem mounts enabling host takeover
  • Permissive Kubernetes RBAC and exposed API servers
  • Unencrypted etcd secrets and privileged pods
  • Over-privileged cloud IAM and publicly exposed storage
  • Flat networks and unhardened Linux/Windows/AD configurations

How remediation works and standards

Detect → explain → fix → verify

How remediation works here

Every finding in this domain is explained in plain language with its reference, fixed with a concrete change to the exact file and line, committed as a reversible Git commit, then re-checked in a real browser against a healthy baseline — so a security fix never breaks your app.

Standards behind this domain

Mapped to recognized references

  • OWASP WSTG
  • OWASP ASVS 5.0
  • OWASP API Top 10
  • OWASP MASVS 2.1
  • CIS Benchmarks
  • MITRE ATT&CK
  • CWE

FAQ

Infrastructure & Cloud — questions & answers

Why is this the biggest domain?

It spans containers, orchestration, three cloud providers, hosts, Active Directory, networking and IoT — 92 checks in total, mapped to CIS Benchmarks and NIST controls.

How does it scan Infrastructure as Code?

Checkov scans Dockerfiles, Kubernetes manifests and Terraform, while Trivy scans images for CVEs and misconfigurations. Both are optional and degrade gracefully if absent.

Does it cover AWS, Azure and GCP?

Yes — cloud checks address IAM least privilege, storage exposure, logging and encryption across AWS, Azure and GCP.

Get started

Audit your app in the next five minutes

Clone the skill into ~/.claude/skills/, then ask Claude to audit your app (or type /securmyapp). The full audit starts on its own.

Install — one command
git clone https://github.com/mafady/securmyapp ~/.claude/skills/securmyapp

View on GitHub Browse the domains

New to Claude Code? Follow the step-by-step getting started guide.

Requires Node.js 18+, Claude Code, and a paid Claude subscription. Semgrep & Playwright recommended.