security-container-validator_skill

This skill performs CIS-aligned container and Kubernetes security checks, offering remediation guidance for images, RBAC, and network configurations.
  • Python

5

GitHub Stars

2

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill williamzujkowski/cognitive-toolworks --skill security-container-validator

  • CHANGELOG.md825 B
  • SKILL.md7.7 KB

Overview

This skill validates container and Kubernetes security against CIS benchmarks, pod security standards, RBAC rules, and basic image checks. It produces structured findings, CIS-aligned remediation, and manifest or Dockerfile snippets to fix issues. The output is machine-readable and suitable for pre-production audits or post-incident reviews.

How this skill works

The checker inspects provided artifacts or a reachable Kubernetes cluster to evaluate image configuration, pod security settings, RBAC bindings, and network policies against CIS Docker and CIS Kubernetes controls. For each finding it assigns severity and CVSS, cites the relevant CIS control, and generates concrete remediation steps including YAML or Dockerfile changes and kubectl/docker commands. It enforces input validation and aborts or requests additional access when required (for example kubeconfig when cluster access is needed).

When to use it

  • Pre-deployment container security audit
  • Kubernetes cluster security review or compliance checks
  • CIS benchmark compliance validation
  • Post-incident container or cluster assessment
  • Answering third-party security questionnaires

Best practices

  • Provide kubeconfig or cluster details when checking Kubernetes to enable runtime and RBAC validation
  • Scope checks explicitly (images, runtime, rbac, network) to optimize results and token use
  • Run image signing and SBOM scans with dedicated tools and use this skill for configuration and policy validation
  • Avoid embedding secrets in remediation snippets; the skill never outputs credentials
  • Use the T1/T2 token budget guidance: T1 for critical quick checks, T2 for full CIS coverage

Example use cases

  • Validate Dockerfiles and image policies before promoting to production, ensuring non-root users and no secrets
  • Scan a Kubernetes namespace for pod security violations and get Restricted-level manifests to remediate
  • Review ClusterRole and RoleBindings to remove wildcard permissions and enforce least privilege
  • Assess namespace network policies and generate NetworkPolicy manifests to restrict ingress/egress
  • Perform a rapid post-incident checklist to identify privileged containers and host namespace sharing

FAQ

Specify platform as docker, kubernetes, or both; choose check_scope; provide cluster_identifier or kubeconfig for Kubernetes runtime checks.

Does this perform CVE or SBOM scanning?

No. Use dedicated vulnerability or SBOM scanners for CVE analysis; this skill focuses on CIS configuration, pod security, RBAC, and network policy checks.

What happens if cluster access is unavailable?

The skill will request kubeconfig or architecture docs and will limit itself to manifest or Dockerfile review when runtime inspection is not possible.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
security-container-validator skill by williamzujkowski/cognitive-toolworks | VeilStrat