Domain 09 / 12
Infrastructure & Cloud security audit
Harden containers, Kubernetes, cloud accounts and networks against escape, escalation and exposure.
- 92 checks
- Docker · K8s · Linux · Windows · AD · AWS · Azure · GCP · Network · IoT
What securmyapp checks
Inside the Infrastructure & Cloud domain
This is the Infrastructure & Cloud domain of securmyapp — the free, open-source, 100% defensive security auditor for Claude Code that runs 598 checks across 12 domains. The Infrastructure & Cloud domain is the largest in securmyapp, with 92 checks aligned to CIS Benchmarks and NIST. It hardens Docker (non-root, dropped capabilities, no privileged containers, no docker.sock mounts), Kubernetes (RBAC, Pod Security Standards, API-server and etcd security), and cloud accounts on AWS, Azure and GCP — plus Linux/Windows hosts, Active Directory, networking and IoT.
Coverage areas
92 atomic checks span these sub-domains.
Docker
Non-root, minimal images, dropped capabilities, no privileged or socket mounts.
Kubernetes
Least-privilege RBAC, Pod Security Standards, API-server & etcd hardening.
Cloud (AWS/Azure/GCP)
IAM least privilege, storage exposure, logging and encryption.
Hosts
Linux and Windows configuration hardening.
Active Directory
AD tiering and privilege-path hardening.
Network & IoT
Segmentation, VPN, Wi-Fi and IoT device security.
Example checks
A sample of the real checks run in this domain — each mapped to a standard and a fix.
| Check | Severity | Detects | Reference |
|---|---|---|---|
| Securing the K8s API server | Critical | Exposed API server, insecure ports and anonymous auth. | CIS K8s 1.2 · NIST AC-17 |
| Non-root containers | High | Containers running as root, enabling host escalation. | CIS Docker · NIST CM-6 |
| Container capabilities and privileges | High | --privileged containers and undropped capabilities. | CIS Docker · NIST CM-7 |
| Sensitive mounts prohibited | High | docker.sock or host / mounted into a container (host takeover). | CIS Docker · CWE-284 |
| Kubernetes RBAC (least privilege) | High | Permissive roles and broad cluster-admin bindings. | CIS K8s 5.1 · NIST AC-6 |
| Image vulnerability scanning | High | Vulnerable images shipped without scanning. | CIS Docker · A06:2021 |
Vulnerabilities we catch
- Root, privileged and capability-rich containers
- docker.sock and host filesystem mounts enabling host takeover
- Permissive Kubernetes RBAC and exposed API servers
- Unencrypted etcd secrets and privileged pods
- Over-privileged cloud IAM and publicly exposed storage
- Flat networks and unhardened Linux/Windows/AD configurations
How remediation works and standards
Detect → explain → fix → verify
How remediation works here
Every finding in this domain is explained in plain language with its reference, fixed with a concrete change to the exact file and line, committed as a reversible Git commit, then re-checked in a real browser against a healthy baseline — so a security fix never breaks your app.
Standards behind this domain
Mapped to recognized references
- OWASP WSTG
- OWASP ASVS 5.0
- OWASP API Top 10
- OWASP MASVS 2.1
- CIS Benchmarks
- MITRE ATT&CK
- CWE
FAQ
Infrastructure & Cloud — questions & answers
Why is this the biggest domain?
It spans containers, orchestration, three cloud providers, hosts, Active Directory, networking and IoT — 92 checks in total, mapped to CIS Benchmarks and NIST controls.
How does it scan Infrastructure as Code?
Checkov scans Dockerfiles, Kubernetes manifests and Terraform, while Trivy scans images for CVEs and misconfigurations. Both are optional and degrade gracefully if absent.
Does it cover AWS, Azure and GCP?
Yes — cloud checks address IAM least privilege, storage exposure, logging and encryption across AWS, Azure and GCP.
Related domains
Get started
Audit your app in the next five minutes
Clone the skill into ~/.claude/skills/, then ask Claude to audit your app (or type /securmyapp). The full audit starts on its own.
git clone https://github.com/mafady/securmyapp ~/.claude/skills/securmyapp
View on GitHub Browse the domains
New to Claude Code? Follow the step-by-step getting started guide.
Requires Node.js 18+, Claude Code, and a paid Claude subscription. Semgrep & Playwright recommended.