- Home
- Skills
- Williamzujkowski
- Cognitive Toolworks
- Security Container Validator
security-container-validator_skill
- Python
5
GitHub Stars
2
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill williamzujkowski/cognitive-toolworks --skill security-container-validator- CHANGELOG.md825 B
- SKILL.md7.7 KB
Overview
This skill validates container and Kubernetes security against CIS benchmarks, pod security standards, RBAC rules, and basic image checks. It produces structured findings, CIS-aligned remediation, and manifest or Dockerfile snippets to fix issues. The output is machine-readable and suitable for pre-production audits or post-incident reviews.
How this skill works
The checker inspects provided artifacts or a reachable Kubernetes cluster to evaluate image configuration, pod security settings, RBAC bindings, and network policies against CIS Docker and CIS Kubernetes controls. For each finding it assigns severity and CVSS, cites the relevant CIS control, and generates concrete remediation steps including YAML or Dockerfile changes and kubectl/docker commands. It enforces input validation and aborts or requests additional access when required (for example kubeconfig when cluster access is needed).
When to use it
- Pre-deployment container security audit
- Kubernetes cluster security review or compliance checks
- CIS benchmark compliance validation
- Post-incident container or cluster assessment
- Answering third-party security questionnaires
Best practices
- Provide kubeconfig or cluster details when checking Kubernetes to enable runtime and RBAC validation
- Scope checks explicitly (images, runtime, rbac, network) to optimize results and token use
- Run image signing and SBOM scans with dedicated tools and use this skill for configuration and policy validation
- Avoid embedding secrets in remediation snippets; the skill never outputs credentials
- Use the T1/T2 token budget guidance: T1 for critical quick checks, T2 for full CIS coverage
Example use cases
- Validate Dockerfiles and image policies before promoting to production, ensuring non-root users and no secrets
- Scan a Kubernetes namespace for pod security violations and get Restricted-level manifests to remediate
- Review ClusterRole and RoleBindings to remove wildcard permissions and enforce least privilege
- Assess namespace network policies and generate NetworkPolicy manifests to restrict ingress/egress
- Perform a rapid post-incident checklist to identify privileged containers and host namespace sharing
FAQ
Specify platform as docker, kubernetes, or both; choose check_scope; provide cluster_identifier or kubeconfig for Kubernetes runtime checks.
Does this perform CVE or SBOM scanning?
No. Use dedicated vulnerability or SBOM scanners for CVE analysis; this skill focuses on CIS configuration, pod security, RBAC, and network policy checks.
What happens if cluster access is unavailable?
The skill will request kubeconfig or architecture docs and will limit itself to manifest or Dockerfile review when runtime inspection is not possible.