feat: add cloud infrastructure security skill#44
Merged
Conversation
Add comprehensive cloud and infrastructure security skill covering: - IAM & access control (least privilege, MFA) - Secrets management & rotation - Network security (VPC, firewalls) - Logging & monitoring setup - CI/CD pipeline security - Cloudflare/CDN security - Backup & disaster recovery - Pre-deployment checklist Complements existing security-review skill with cloud-specific guidance.
Contributor
📝 WalkthroughWalkthroughA new comprehensive Cloud & Infrastructure Security skill guide is introduced, detailing security best practices through checklists, activation triggers, code examples, and verification steps across IAM, secrets management, networking, monitoring, CI/CD, CDN, and disaster recovery domains. Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Contributor
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Fix all issues with AI agents
In `@skills/security-review/cloud-infrastructure-security.md`:
- Around line 144-164: The example uses an undefined cloudwatch variable,
imports CreateLogStreamCommand but never uses it, and references an undefined
SecurityEvent type; fix by instantiating a CloudWatchLogsClient (e.g., create a
const cloudwatch = new CloudWatchLogsClient({...}) at module scope) and send a
PutLogEventsCommand from the logSecurityEvent function instead of calling
cloudwatch.putLogEvents directly, remove the unused CreateLogStreamCommand
import (or replace it with PutLogEventsCommand if you prefer to import the
specific command), and add a minimal SecurityEvent type or interface definition
(with type, userId, ip, result) so the logSecurityEvent(signature: (event:
SecurityEvent) => Promise<void>) compiles.
- Around line 194-210: The workflow example pins some actions loosely (e.g.,
trufflesecurity/trufflehog@main, actions/checkout@v4,
aws-actions/configure-aws-credentials@v4); update these to immutable references
by replacing the trufflehog@main with a specific released tag or commit SHA and
similarly replace actions/checkout@v4 and
aws-actions/configure-aws-credentials@v4 with precise tags or SHAs (use the
official action release tag or commit SHA) so the Secret scanning step and
Configure AWS credentials step reference fixed, auditable versions.
- Around line 329-336: Replace the ACL-based example (use of put-bucket-acl)
with the modern AWS best-practice flow: set S3 Object Ownership to "Bucket owner
enforced" (which disables ACLs), enable S3 Block Public Access at the account or
bucket level, and demonstrate granting access only via a bucket policy
(policy.json) using put-bucket-policy; remove any guidance that recommends using
put-bucket-acl or public-read ACLs and instead document the Object Ownership and
Block Public Access settings alongside the bucket policy usage.
🧹 Nitpick comments (2)
skills/security-review/cloud-infrastructure-security.md (2)
67-77: Clarify the environment variable comment.The comment on Line 76 states "Not rotated, not audited" but this is imprecise. Environment variables can be populated from secrets managers (which are rotated and audited). The issue is hardcoding secrets directly in code or config files, not the use of
process.envitself.♻️ Suggested clarification
-// ❌ WRONG: Hardcoded or in environment variables only -const apiKey = process.env.API_KEY; // Not rotated, not audited +// ❌ WRONG: Hardcoded secrets without rotation +const apiKey = process.env.API_KEY; // If not from secrets manager: no rotation, no audit trail
239-258: Consider adding Content-Security-Policy header.The example includes several important security headers but is missing
Content-Security-Policy(CSP), which is one of the most effective defenses against XSS and injection attacks. For a comprehensive security guide, this is a notable omission.♻️ Suggested addition
// Add security headers const headers = new Headers(response.headers); headers.set('X-Frame-Options', 'DENY'); headers.set('X-Content-Type-Options', 'nosniff'); headers.set('Referrer-Policy', 'strict-origin-when-cross-origin'); headers.set('Permissions-Policy', 'geolocation=(), microphone=()'); + headers.set('Content-Security-Policy', "default-src 'self'; script-src 'self'; object-src 'none'");Note: CSP values should be customized based on your application's specific needs.
Comment on lines
+144
to
+164
| ```typescript | ||
| // ✅ CORRECT: Comprehensive logging | ||
| import { CloudWatchLogsClient, CreateLogStreamCommand } from '@aws-sdk/client-cloudwatch-logs'; | ||
|
|
||
| const logSecurityEvent = async (event: SecurityEvent) => { | ||
| await cloudwatch.putLogEvents({ | ||
| logGroupName: '/aws/security/events', | ||
| logStreamName: 'authentication', | ||
| logEvents: [{ | ||
| timestamp: Date.now(), | ||
| message: JSON.stringify({ | ||
| type: event.type, | ||
| userId: event.userId, | ||
| ip: event.ip, | ||
| result: event.result, | ||
| // Never log sensitive data | ||
| }) | ||
| }] | ||
| }); | ||
| }; | ||
| ``` |
Contributor
There was a problem hiding this comment.
Fix undefined variable and unused import in CloudWatch logging example.
The code has several issues:
cloudwatchvariable is used but never defined (line 149)CreateLogStreamCommandis imported but never used (line 146)SecurityEventtype is referenced but not defined
This code won't execute as written.
🐛 Proposed fix
// ✅ CORRECT: Comprehensive logging
-import { CloudWatchLogsClient, CreateLogStreamCommand } from '@aws-sdk/client-cloudwatch-logs';
+import { CloudWatchLogsClient, PutLogEventsCommand } from '@aws-sdk/client-cloudwatch-logs';
+
+const cloudwatch = new CloudWatchLogsClient({ region: 'us-east-1' });
+
+interface SecurityEvent {
+ type: string;
+ userId: string;
+ ip: string;
+ result: string;
+}
const logSecurityEvent = async (event: SecurityEvent) => {
await cloudwatch.putLogEvents({
logGroupName: '/aws/security/events',
logStreamName: 'authentication',
logEvents: [{
timestamp: Date.now(),
message: JSON.stringify({
type: event.type,
userId: event.userId,
ip: event.ip,
result: event.result,
// Never log sensitive data
})
}]
});
};📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Suggested change
| ```typescript | |
| // ✅ CORRECT: Comprehensive logging | |
| import { CloudWatchLogsClient, CreateLogStreamCommand } from '@aws-sdk/client-cloudwatch-logs'; | |
| const logSecurityEvent = async (event: SecurityEvent) => { | |
| await cloudwatch.putLogEvents({ | |
| logGroupName: '/aws/security/events', | |
| logStreamName: 'authentication', | |
| logEvents: [{ | |
| timestamp: Date.now(), | |
| message: JSON.stringify({ | |
| type: event.type, | |
| userId: event.userId, | |
| ip: event.ip, | |
| result: event.result, | |
| // Never log sensitive data | |
| }) | |
| }] | |
| }); | |
| }; | |
| ``` |
🤖 Prompt for AI Agents
In `@skills/security-review/cloud-infrastructure-security.md` around lines 144 -
164, The example uses an undefined cloudwatch variable, imports
CreateLogStreamCommand but never uses it, and references an undefined
SecurityEvent type; fix by instantiating a CloudWatchLogsClient (e.g., create a
const cloudwatch = new CloudWatchLogsClient({...}) at module scope) and send a
PutLogEventsCommand from the logSecurityEvent function instead of calling
cloudwatch.putLogEvents directly, remove the unused CreateLogStreamCommand
import (or replace it with PutLogEventsCommand if you prefer to import the
specific command), and add a minimal SecurityEvent type or interface definition
(with type, userId, ip, result) so the logSecurityEvent(signature: (event:
SecurityEvent) => Promise<void>) compiles.
Comment on lines
+194
to
+210
| - uses: actions/checkout@v4 | ||
|
|
||
| # Scan for secrets | ||
| - name: Secret scanning | ||
| uses: trufflesecurity/trufflehog@main | ||
|
|
||
| # Dependency audit | ||
| - name: Audit dependencies | ||
| run: npm audit --audit-level=high | ||
|
|
||
| # Use OIDC, not long-lived tokens | ||
| - name: Configure AWS credentials | ||
| uses: aws-actions/configure-aws-credentials@v4 | ||
| with: | ||
| role-to-assume: arn:aws:iam::123456789:role/GitHubActionsRole | ||
| aws-region: us-east-1 | ||
| ``` |
Contributor
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
find . -name "cloud-infrastructure-security.md" -type fRepository: affaan-m/everything-claude-code
Length of output: 132
🏁 Script executed:
cat -n ./skills/security-review/cloud-infrastructure-security.md | sed -n '190,215p'Repository: affaan-m/everything-claude-code
Length of output: 945
🏁 Script executed:
cat -n ./skills/security-review/cloud-infrastructure-security.md | sed -n '1,50p'Repository: affaan-m/everything-claude-code
Length of output: 1989
🏁 Script executed:
cat -n ./skills/security-review/cloud-infrastructure-security.md | sed -n '160,240p'Repository: affaan-m/everything-claude-code
Length of output: 2479
Pin GitHub Actions to specific versions or commit SHAs for supply chain security.
The workflow example uses trufflesecurity/trufflehog@main (line 198), which points to the latest code from the main branch and can introduce unexpected changes or security vulnerabilities. Since this is marked as a "CORRECT" example in a security guide, it should model best practices by pinning to specific versions or commit SHAs instead.
Other actions in the example (actions/checkout@v4, aws-actions/configure-aws-credentials@v4) use major version pins, which are better but still allow patch updates. For maximum security in production pipelines, consider pinning to immutable commit SHAs:
Recommended fix: Pin to specific versions or commit SHAs
# Scan for secrets
- name: Secret scanning
- uses: trufflesecurity/trufflehog@main
+ uses: trufflesecurity/trufflehog@v3.82.13
# Use OIDC, not long-lived tokens
- name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@v4.1.1
- uses: actions/checkout@v4
+ # Or pin to commit SHA for maximum security:
+ # uses: actions/checkout@c85c95e3d7251135ba7147a3565fd5b7d086d798📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Suggested change
| - uses: actions/checkout@v4 | |
| # Scan for secrets | |
| - name: Secret scanning | |
| uses: trufflesecurity/trufflehog@main | |
| # Dependency audit | |
| - name: Audit dependencies | |
| run: npm audit --audit-level=high | |
| # Use OIDC, not long-lived tokens | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: arn:aws:iam::123456789:role/GitHubActionsRole | |
| aws-region: us-east-1 | |
| ``` | |
| - uses: actions/checkout@v4 | |
| # Or pin to commit SHA for maximum security: | |
| # uses: actions/checkout@c85c95e3d7251135ba7147a3565fd5b7d086d798 | |
| # Scan for secrets | |
| - name: Secret scanning | |
| uses: trufflesecurity/trufflehog@v3.82.13 | |
| # Dependency audit | |
| - name: Audit dependencies | |
| run: npm audit --audit-level=high | |
| # Use OIDC, not long-lived tokens | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4.1.1 | |
| with: | |
| role-to-assume: arn:aws:iam::123456789:role/GitHubActionsRole | |
| aws-region: us-east-1 |
🤖 Prompt for AI Agents
In `@skills/security-review/cloud-infrastructure-security.md` around lines 194 -
210, The workflow example pins some actions loosely (e.g.,
trufflesecurity/trufflehog@main, actions/checkout@v4,
aws-actions/configure-aws-credentials@v4); update these to immutable references
by replacing the trufflehog@main with a specific released tag or commit SHA and
similarly replace actions/checkout@v4 and
aws-actions/configure-aws-credentials@v4 with precise tags or SHAs (use the
official action release tag or commit SHA) so the Secret scanning step and
Configure AWS credentials step reference fixed, auditable versions.
Comment on lines
+329
to
+336
| ```bash | ||
| # ❌ WRONG: Public bucket | ||
| aws s3api put-bucket-acl --bucket my-bucket --acl public-read | ||
|
|
||
| # ✅ CORRECT: Private bucket with specific access | ||
| aws s3api put-bucket-acl --bucket my-bucket --acl private | ||
| aws s3api put-bucket-policy --bucket my-bucket --policy file://policy.json | ||
| ``` |
Contributor
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
AWS S3 bucket access control best practices 2025 ACL vs bucket policy S3 Block Public Access
💡 Result:
2025+ best practices for S3 access control (ACLs vs bucket policy, and Block Public Access)
1) Prefer policies; avoid ACLs for most use cases
- AWS recommends disabling ACLs for the “majority of modern use cases” and using policies instead (IAM identity policies, S3 bucket policies, VPC endpoint policies, SCPs/RCPs). [2][6]
- Do this with S3 Object Ownership = “Bucket owner enforced” (this disables ACLs and makes the bucket owner own all objects). It’s the default for new buckets. [2][1]
When would you still use ACLs? Only for unusual cases where you truly need per-object ACL control; AWS generally discourages this. [6]
2) If you must support cross-account uploads, use Object Ownership + policy patterns
- Default/modern pattern: Bucket owner enforced + bucket policy/IAM for access. [2][6]
- If you cannot fully disable ACL semantics yet: Bucket owner preferred and require uploads to include the
bucket-owner-full-controlcanned ACL via bucket policy (AWS strongly recommends this when using Bucket owner preferred). [7][5]
3) Turn on S3 Block Public Access (and do it at the account level)
- Keep all four BPA settings enabled unless you have a specific, validated need to allow public access. [1]
- AWS recommends applying Block Public Access at the account level for stronger protection (so a bucket policy change can’t easily circumvent your intent). [3]
Context: since April 2023, new buckets are created with Block Public Access enabled and ACLs disabled by default (unless you deliberately change them). [8]
4) Continuously detect unintended exposure
- Use IAM Access Analyzer for S3 to identify buckets with public access, and you can “Block all public access” from there; AWS recommends blocking public access unless you explicitly need it. [4]
Practical default “secure baseline” (what most orgs should standardize on)
- Object Ownership: Bucket owner enforced (ACLs disabled) [2][6]
- Block Public Access: all settings ON, ideally account-level [3][1]
- Grant access via IAM + bucket policy (least privilege), and monitor with Access Analyzer for S3 [6][4]
Sources: AWS S3 docs + AWS “What’s New” post. [1][2][3][4][5][6][8]
Update S3 access control example to match current AWS best practices.
AWS now recommends disabling S3 ACLs entirely for all modern use cases and managing access exclusively through bucket policies with "Bucket owner enforced" Object Ownership. Rather than using put-bucket-acl, the example should show setting Object Ownership to "Bucket owner enforced" (which disables ACLs by default), then granting access solely via bucket policy. Additionally, S3 Block Public Access should be enabled at the account level. While the current example is better than public ACLs, it reflects outdated guidance and should be updated to align with 2025+ AWS recommendations.
🤖 Prompt for AI Agents
In `@skills/security-review/cloud-infrastructure-security.md` around lines 329 -
336, Replace the ACL-based example (use of put-bucket-acl) with the modern AWS
best-practice flow: set S3 Object Ownership to "Bucket owner enforced" (which
disables ACLs), enable S3 Block Public Access at the account or bucket level,
and demonstrate granting access only via a bucket policy (policy.json) using
put-bucket-policy; remove any guidance that recommends using put-bucket-acl or
public-read ACLs and instead document the Object Ownership and Block Public
Access settings alongside the bucket policy usage.
moyueheng
added a commit
to moyueheng/everything-claude-code
that referenced
this pull request
Jan 29, 2026
675db95 feat: unify commands and skills (v1.2.0) ca584e2 fix: escape pipe in markdown table for markdownlint a44a055 fix: resolve ESLint errors and update tests for project-name fallback c9ef02b docs: add requirements section and hooks field warning 0c53ad8 Revert "docs: update shorthand to shortform terminology" c3430bd docs: add Traditional Chinese translation fbe2e56 docs: add simplified Chinese README 7c0bc25 feat: add comprehensive CI/CD pipeline 58a97c8 docs: update shorthand to shortform terminology 04ee208 docs: add plugin manifest validation notes e3a1306 fix: remove duplicate hooks declaration from plugin.json 81003b1 feat: use project name as session filename fallback 8996303 fix: prevent command injection in Prettier hook (affaan-m#102) 8894e1b docs: update README with skill-create and instinct commands 9bc587a feat: add skill-create and continuous-learning-v2 commands 0ced59a Merge pull request affaan-m#91 from Hor1zonZzz/fix/readme-rules-limitation 2563d1e Merge pull request affaan-m#92 from jhsong-musinsa/fix/plugin-manifest-validation 5dc1edb Merge pull request affaan-m#93 from pangerlkr/patch-3 2aac2d9 Create PLUGIN_SCHEMA_NOTES.md cdf987d fix: use explicit file paths for agents in plugin.json 384b255 docs: add note about rules limitation in plugin installation accbb47 feat: add proper header banner to shortform guide ff67b03 feat: add images and rename guides to the-shortform-guide.md and the-longform-guide.md 7fc5ef1 Merge pull request affaan-m#83 from msyahidin/claude/add-golang-support-frw0Z 779085e fix: add missing agents and hooks declarations to plugin.json 5e1835a Merge pull request affaan-m#81 from pangerlkr/patch-2 2abefe6 Merge pull request affaan-m#79 from pangerlkr/patch-1 4bca615 Merge pull request affaan-m#80 from lichengzhe/fix/stop-hook-shell-error a1f47f1 Merge pull request affaan-m#85 from roeiba/add-license-file 01ad21b docs: add missing MIT LICENSE file c6c32cd fix: add language labels to fenced code blocks for MD040 compliance 75e1e46 feat: add comprehensive Golang language support 2feac5a docs: add The Longform Guide to Everything Claude Code a0b84f7 Fix: Move Stop hook inline code to separate script file 1564213 docs: add The Shorthand Guide to Everything Claude Code 56ff5d4 fix: use correct unscoped agent-browser package name (affaan-m#77) 5c63fa9 feat: v1.1.0 release - session ID tracking, async hooks, new skills 5670fcd Fix plugin manifest validation errors (affaan-m#75) 1c9fa0b Add hooks.md to documentation index (affaan-m#40) 2bfd2fb feat: add cloud infrastructure security skill (affaan-m#44) fae9716 feat(agents): add database-reviewer agent with Supabase patterns (affaan-m#48) a2087a8 fix: remove unnecessary .sh hooks (affaan-m#41) b9b7831 fix: multiple community-reported issues 660e0d3 fix: security and documentation fixes a7bc5f2 revert: remove hooks declaration - auto-loaded by convention 22ad036 fix: add hooks declaration to plugin.json for proper hook loading 5230892 fix: remove version fields from marketplace.json 970f8bf feat: cross-platform support with Node.js scripts 4ec7a6b fix: remove version field to enable automatic plugin updates 0d438dd style: side-by-side guide layout matching profile README 7f4f622 feat: add star history chart and minimal badge bar c3f1594 fix: move session-end hooks from Stop to SessionEnd 19345df fix: remove duplicate hooks field from plugin.json 73bda1a fix: use ${CLAUDE_PLUGIN_ROOT} for hook script paths ecfbbd3 fix: use relative path './' for plugin source instead of GitHub object ee5affb fix: remove agents field temporarily to debug validation d362ae6 fix: use string format for repository field in plugin.json 9e8006c fix: use GitHub source object in marketplace.json 5010f82 feat: package as Claude Code plugin with marketplace distribution 4491f15 Clarify README description of the repository e6440d3 docs: restructure README to flow shorthand → longform guides together fa0928a Enhance README with update section and resources 2d6fd70 feat: add strategic-compact hook and update hooks.json with all hooks f96ef1e feat: add memory persistence hooks and context files 7d3ea0f feat: add strategic compact skill 6bf102d feat: add continuous learning skill with session examples 3c1e7d9 Clarify repository purpose and additional resources 62a80df Update README with image and guide link 6eefb41 Update README with guide reading reminder d7cf890 Fix formatting in README.md for guide link e57979c Update README with image and guide link 45959c3 Initial release: Complete Claude Code configuration collection REVERT: 69c0b1a Add link to Agent Skills specification website (affaan-m#160) REVERT: be229a5 Fix links in agent skills specification (affaan-m#159) REVERT: f232228 Split agent-skills-spec into separate authoring and client integration guides (affaan-m#148) REVERT: 0075614 Add doc-coauthoring skill and update example skills (affaan-m#134) REVERT: ef74077 Move example skills into dedicated folder and create minimal top-level folder structure (affaan-m#129) REVERT: 0f77e50 Update example skills and rename 'artifacts-builder' (affaan-m#112) REVERT: e5c6015 Add 'frontend-design' example skill (affaan-m#98) REVERT: c74d647 Clarify Claude Code installation in README.md (#20) REVERT: 0877bae Updates to README.md (affaan-m#9) REVERT: b118d29 Add Claude Claude instructions to the readme (#8) REVERT: 4d1e3f3 Add Claude Code Marketplace (affaan-m#5) REVERT: 9b61003 Small tweak to blog link (#7) REVERT: 10e0fbe Add initial Agent Skills Spec (#2) REVERT: ec84104 Add 3rd Party notices (affaan-m#4) REVERT: 67ada86 Adding more details to README (affaan-m#3) REVERT: 83291af Reorganize the example skills (affaan-m#1) REVERT: 37292f3 init repo git-subtree-dir: upstream/anthropics-skills git-subtree-split: 675db95
charlesbmi
pushed a commit
to charlesbmi/everything-claude-code
that referenced
this pull request
Jan 29, 2026
Adds cloud infrastructure security skill with AWS/Vercel/Railway patterns
Josz009
pushed a commit
to Josz009/everything-claude-code
that referenced
this pull request
May 19, 2026
Adds cloud infrastructure security skill with AWS/Vercel/Railway patterns
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add comprehensive cloud and infrastructure security skill covering:
Complements existing security-review skill with cloud-specific guidance.
Summary by CodeRabbit
✏️ Tip: You can customize this high-level summary in your review settings.