Security Infra Review

1A — Exhaustive Config Discovery

Run ALL these searches in parallel using Grep and Glob:

Containers & Orchestration:

• Glob: **/docker-compose*.yml, **/docker-compose*.yaml, **/Dockerfile*, **/podman-compose*
• Glob: **/k8s/**, **/helm/**, **/kustomize/**, **/*.deployment.yaml, **/*.service.yaml
• Grep: (image:|ports:|volumes:|environment:|privileged|cap_add|security_context) in YAML files
• Grep: (FROM|EXPOSE|RUN|COPY|ADD|ENV|USER|ENTRYPOINT|CMD)\s in Dockerfiles

Reverse Proxy & Web Server:

• Glob: **/nginx*.conf, **/nginx/**, **/Caddyfile, **/traefik*.yml, **/haproxy.cfg, **/apache*.conf
• Glob: **/vercel.json, **/netlify.toml, **/fly.toml, **/render.yaml
• Grep: (server_tokens|add_header|proxy_pass|ssl_protocols|ssl_ciphers|limit_req) in config files

Databases:

• Glob: **/redis.conf, **/pg_hba.conf, **/postgresql.conf, **/mongod.conf, **/my.cnf, **/mysql.cnf
• Grep: (DATABASE_URL|REDIS_URL|MONGO_URI|connection_string|connectionString) — connection strings
• Grep: (requirepass|bind|maxmemory|ssl-cert|auth|trust) in database configs

Environment & Secrets:

• Glob: **/.env*, **/*.env, **/.env.example, **/.env.local, **/.env.production
• Glob: **/*.pem, **/*.key, **/*.crt, **/*.cert, **/*.p12, **/*.pfx
• Bash: git ls-files '*.env' '.env*' — check if env files are tracked
• Bash: git log --all --diff-filter=D -- '*.env' '*.pem' '*.key' — deleted secrets in history
• Grep: (api[_-]?key|secret|password|token|private[_-]?key|access[_-]?key)\s*[:=] in all source files

CI/CD Pipelines:

• Glob: **/.github/workflows/*.yml, **/.gitlab-ci.yml, **/Jenkinsfile, **/bitbucket-pipelines.yml
• Glob: **/.circleci/config.yml, **/azure-pipelines.yml, **/.drone.yml
• Grep: (secrets\.|\$\{\{|env\.|permissions:|write-all|contents: write) in CI files

Cloud / IaC:

• Glob: **/terraform/*.tf, **/terraform.tfstate*, **/pulumi/**, **/cloudformation*.yml
• Glob: **/.aws/**, **/gcp-*.json, **/azure-*.json, **/service-account*.json
• Grep: (aws_|azurerm_|google_|resource |data |module ) in .tf files
• Grep: (public-read|public-read-write|AllUsers|\*:\*) — public access patterns

BaaS & Third-party Platforms:

• Glob: **/supabase/config.toml, **/supabase/migrations/**, **/supabase/functions/**
• Glob: **/firestore.rules, **/storage.rules, **/database.rules.json, **/firebase.json
• Grep: (SUPABASE_SERVICE_ROLE|STRIPE_SECRET|CLERK_SECRET|FIREBASE_ADMIN)\s*[:=] — secret keys in config
• Grep: (NEXT_PUBLIC_|VITE_|REACT_APP_).*(SERVICE_ROLE|SECRET|PRIVATE) — secret keys accidentally exposed as public env vars
• Grep: (allow read, write: if true|".read":\s*true|".write":\s*true) — open Firebase rules

App Security Config:

• Glob: **/next.config.*, **/nuxt.config.*, **/vite.config.*
• Grep: (helmet|cors|csp|content-security-policy|x-frame-options|rate-limit) in source
• Grep: (productionSourceMap|devtool|source-map|sourcemap) — source maps config

1B — Build Structured Audit TODO

After discovery, organize all found configs into a prioritized checklist:

## INFRA AUDIT TODO — [Project Name]

### P1 — Critical (secrets, auth, exposed services)
- [ ] `.env.production` — committed to git with real credentials
- [ ] `docker-compose.yml` — redis exposed on 0.0.0.0:6379
- [ ] `terraform.tfstate` — state file in repo

### P2 — High (containers, proxy, database config)
- [ ] `Dockerfile` — running as root, unpinned base image
- [ ] `nginx.conf` — missing security headers
- [ ] `pg_hba.conf` — trust auth for remote connections

### P3 — Medium (CI/CD, TLS, cloud)
- [ ] `.github/workflows/deploy.yml` — write-all permissions
- [ ] `nginx.conf` — TLS 1.0/1.1 still enabled

### P4 — Low (hardening, defense-in-depth)
- [ ] `docker-compose.yml` — no resource limits
- [ ] `redis.conf` — dangerous commands not disabled

Rules for the TODO:

• One line per config file, with the specific concern noted
• Include line number when a specific pattern was matched
• Group by security priority, not by component type
• If >50 configs found, ask user: "Full audit (~X files) or focused on P1-P2 (~Y files)?"

1C — Progress Tracking

As you audit each config, update the checklist:

• [x] — Audited, no issues found
• [!] — Audited, finding(s) reported
• [ ] — Not yet audited

Print the checklist status at each major milestone so progress is visible.

Step 2 — Audit Each Component

Containers (Docker / Podman / K8s)

• Services bound to 0.0.0.0 instead of 127.0.0.1 — network exposure (CWE-668)
• Containers running as root — missing USER/user: directive (CWE-250)
• Secrets hardcoded in compose/Dockerfile (CWE-798)
• No resource limits (mem_limit, cpus, pids_limit) (CWE-770)
• Unnecessary ports exposed to host (CWE-668)
• Base images unpinned :latest — supply chain risk (CWE-1395)
• privileged: true or dangerous cap_add (NET_ADMIN, SYS_ADMIN) (CWE-250)
• Build secrets in image layers (multi-stage build not used) (CWE-798)
• docker.sock mounted into container (CWE-250)

Reverse Proxy & Web Server

• Rate limiting too permissive (>50 req/s = ineffective) (CWE-770)
• Missing security headers: HSTS, X-Content-Type-Options, Referrer-Policy, Permissions-Policy (CWE-16)
• server_tokens on / ServerSignature On — version leak (CWE-200)
• Upstream proxy headers not stripped: X-Forwarded-Host, X-Forwarded-Server (CWE-644)
• Weak TLS: missing TLS 1.3, weak ciphers (3DES, RC4), no OCSP stapling (CWE-326)
• HSTS max-age < 31536000 or missing includeSubDomains (CWE-319)
• Conflicting security headers between proxy and app framework (CWE-16)
• Directory listing enabled (CWE-548)
• Proxy passing to upstream without request size limits (CWE-770)

Databases

Redis:

• No requirepass — unauthenticated access (CWE-306)
• Bound to 0.0.0.0 (CWE-668)
• Dangerous commands not disabled: CONFIG, DEBUG, FLUSHALL, KEYS (CWE-250)
• No maxmemory + eviction policy (CWE-770)
• TLS disabled for client connections (CWE-319)

PostgreSQL / MySQL:

• trust or password-less auth for non-local connections (CWE-306)
• Listening on all interfaces without firewall (CWE-668)
• Application using superuser role instead of limited role (CWE-250)
• SSL disabled for client connections (CWE-319)
• log_statement = 'all' logging sensitive queries (CWE-532)

MongoDB:

• Authorization disabled (--noauth) (CWE-306)
• Bound to 0.0.0.0 without bindIp restriction (CWE-668)
• No TLS for connections (CWE-319)

Environment & Secrets

• .env files committed to git: git ls-files '*.env' '.env*' (CWE-798)
• .env.example containing real values instead of placeholders (CWE-798)
• Missing .gitignore entries for *.env, *.pem, *.key (CWE-538)
• Secrets in plaintext config — not using vault/env vars/sealed secrets (CWE-798)
• Deleted secrets still in git history (CWE-798)
• Connection strings with embedded credentials in committed files (CWE-798)

CI/CD Pipelines

• Secrets hardcoded in pipeline YAML — not using CI secret store (CWE-798)
• Pipeline jobs running with write/admin permissions when read suffices (CWE-250)
• Missing dependency scanning step (npm audit, pip audit, cargo audit) (CWE-1395)
• Artifacts or build outputs accessible without authentication (CWE-668)
• Pull request pipelines running untrusted fork code with secret access (CWE-829)
• No branch protection on main/production branches
• Missing SAST/DAST integration

BaaS & Third-party Platforms

Supabase:

• SUPABASE_SERVICE_ROLE_KEY exposed in client-side env vars (e.g. NEXT_PUBLIC_, VITE_, REACT_APP_) — bypasses all RLS (CWE-798)
• Tables with RLS disabled: verify in supabase/migrations/ that ALTER TABLE ... ENABLE ROW LEVEL SECURITY is present for every user-data table (CWE-284)
• Storage buckets set to public in supabase/config.toml or dashboard config (CWE-668)
• Edge Functions deployed without JWT verification (Authorization header not checked) (CWE-306)

Firebase:

• firestore.rules / storage.rules containing allow read, write: if true; (CWE-284)
• firebaseConfig object with unrestricted API key (no HTTP referrer or IP restriction) in client bundle (CWE-284)
• Cloud Functions without functions.https.onCall auth check or admin SDK without service account restrictions (CWE-306)
• database.rules.json with ".read": true or ".write": true at root (CWE-284)

Clerk / Auth.js / BetterAuth:

• Secret key (CLERK_SECRET_KEY, AUTH_SECRET) in client-side env var (CWE-798)
• Middleware publicRoutes pattern too broad (e.g. /(.*) instead of specific paths) — accidentally exposes protected routes (CWE-284)

Stripe / Payment Providers:

• STRIPE_SECRET_KEY or STRIPE_WEBHOOK_SECRET exposed via NEXT_PUBLIC_ / VITE_ prefix (CWE-798)
• Webhook endpoint not protected by signature verification in deployment config (missing env var) (CWE-345)

Cloud / IaC

• Storage buckets with public read/write (S3, GCS, Azure Blob) (CWE-668)
• IAM roles with * or overly broad permissions (CWE-250)
• Security groups allowing 0.0.0.0/0 inbound on non-HTTP ports (CWE-668)
• Secrets in Terraform state without sensitive = true (CWE-798)
• terraform.tfstate committed to git (CWE-798)
• Cloud metadata endpoint not blocked from application containers (CWE-918)

Step 3 — Report

Per finding:

### [SEVERITY] Title — CWE-XXX

**File**: `path/to/config:line`
**Confidence**: confirmed | probable
**Issue**: What is wrong (specific).
**Risk**: What an attacker gains and how.

**Fix**:
Before:
[exact current config line]

After:
[exact fixed config line]

**Effort**: ~Xmin

End with executive summary: total findings by severity, top priority fixes, production readiness assessment, and Files Discovered: X total (Y audited, Z skipped).

Exclusions

• Performance tuning (unless security-relevant resource limits)
• Cosmetic config formatting
• Hypothetical network topology you cannot verify from files
• Deprecated but unused/commented config blocks

CORE RULES — REREAD BEFORE REPORTING

• Only report issues found in actual config files. No hypotheticals.
• Every finding: file path, line, CWE, risk description, exact before/after remediation.
• Confidence threshold: 0.7 minimum.
• Be specific: exact config lines, not "review your security settings".
• Full discovery phase MUST complete before auditing begins.