From k8s-validation
Run a Kubernetes best-practices audit (security, code logic, correctness) and write findings to SECURITY-POSTURE.md. Optionally scope to a specific path: /k8s-validation:audit llm-gateway/
Slash command: `/k8s-validation:audit`
You are performing a comprehensive Kubernetes best-practices audit covering security, code correctness, and logic errors. Follow these steps precisely:

## Step 0: Determine scope

Check whether a path argument was provided (e.g. `/k8s-validation:audit llm-gateway/`).

- **If a path was provided**: restrict all discovery and auditing to that directory. Note the scope at the top of SECURITY-POSTURE.md: `> Scope: <path>`.
- **If no path was provided**: audit the entire repository from the root.

## Step 1: Discover all resources to audit

Within the determined scope, search for:

- All Kubernetes manifests (`**/*.yaml`, `**/*.yml`) that contain `kind:` fields
- Dockerfiles (`**/Dockerfile*`)
- Helm charts (`**/Chart.yaml`)
- CI/CD pipeline files (`.github/workflows/*.yml`, etc.)
- Application code that defines HTTP endpoints: grep for `@app.route`, `router.get`, `router.post`, `app.get`, `app.post`, `@router.`, `func.*Handler`, `http.HandleFunc` in `**/*.py`, `**/*.js`, `**/*.ts`, `**/*.go`, `**/*.java`, `**/*.rb`. Do not read all app files — only grep for these patterns to find files that define HTTP endpoints.
- Application code with database queries: grep for `SELECT`, `INSERT`, `UPDATE`, `DELETE`, `db.query`, `pool.query`, `.execute(`, `.raw(`, `knex(`, `prisma.`, `sequelize.` in the same file types. These are candidates for logic-bug analysis.
- Application code with LLM/AI indicators: grep for `openai`, `anthropic`, `langchain`, `llm`, `chat.completions`, `embeddings`, `prompt`, `generate_content`, `GenerativeModel` in the same file types. These require LLM-specific security checks on top of standard app security.

List each file found before proceeding.

Based on what was found in Step 1, load only the reference files that apply. Do not load references for artifact types that were not discovered.

| Condition | Load |
|---|---|
| Any k8s manifest found | `references/secrets-management.md` |
| Any manifest with `kind: Deployment`, `Pod`, `DaemonSet`, `StatefulSet`, `Job`, or `CronJob` | `references/pod-container-security.md` |
| Any manifest with `kind: Service`, `Ingress`, or `NetworkPolicy` | `references/network-exposure.md` |
| Any manifest with `kind: Role`, `ClusterRole`, `RoleBinding`, or `ClusterRoleBinding`; or any `serviceAccountName` reference | `references/rbac-service-accounts.md` |
| Any `Dockerfile*` or CI/CD pipeline file found | `references/supply-chain-security.md` |
| Any `Chart.yaml` (Helm chart) found | `references/helm-manifest-security.md` |
| Any manifest or code file referencing inter-service auth, mTLS, JWT, or service mesh annotations | `references/internal-service-auth.md` |
| Any application code with HTTP endpoint definitions found | `references/app-security.md`, `references/correctness-http-and-types.md`, `references/correctness-api-contracts.md`, `references/correctness-test-coverage.md` |
| Any application code with database queries found | `references/correctness-data-flow.md` |
| Any application code with async/await patterns or error handling found | `references/correctness-async-and-errors.md` |
| Any application code that reads environment variables, OR any manifest with `env` blocks, OR any Helm chart with `values.yaml` | `references/correctness-environment-config.md` |
| Any application code with file upload or file path operations (`send_file`, `open(`, `fs.readFile`, `os.path`, `filepath.Join`) | `references/file-handling-security.md` |
| Any file with LLM/AI indicators: filenames or content containing `llm`, `openai`, `anthropic`, `langchain`, `embeddings`, `prompt`, `completion` | `references/llm-ai-security.md` |
| Any k8s manifest or application code found (i.e. almost always) | `references/observability-incident-response.md` |

List which reference files were loaded and which were skipped (with the reason) before proceeding.
For each discovered file, check every applicable NEVER/ALWAYS rule from both security and code-logic references. Read application code files fully — do not just grep for patterns. Trace data flow from request input through query construction to response output.
Apply all NEVER/ALWAYS rules from security reference files (secrets, pod security, RBAC, etc.).
For every HTTP handler, route, or background job, verify:

- `req.body` only in POST/PUT/PATCH, `req.query`/`req.params` in GET/DELETE.
- `row.slug`, the SQL must `SELECT ... AS slug`.
- `catch { return [] }` and similar patterns hide real failures and must be flagged.
- `os.environ[...]` / `process.env.X` access, check whether a manifest in the repo defines the same name in an `env` block or `secretKeyRef`. Flag mismatches.
- `tests/integration/` (or the project's equivalent), flag it.

Classify each finding as:
Output findings directly in chat using this compact format, then write a minimal SECURITY-POSTURE.md. Ensure SECURITY-POSTURE.md is in .gitignore.
Chat output — severity table then one line per finding:
```
CRITICAL N | HIGH N | MEDIUM N | INFO N
[CRITICAL] path/to/file.yaml — Finding title (rule ref) → one-line fix
[HIGH] path/to/file.yaml — Finding title (rule ref) → one-line fix
...
```
Only include MEDIUM/INFO if there are no CRITICAL/HIGH findings, or append them briefly after.
SECURITY-POSTURE.md — minimal file:
```
# Security Posture
> <date> · Scope: <path or "repo">

| Severity | Count |
|----------|-------|
| CRITICAL | N |
| HIGH | N |
| MEDIUM | N |
| INFO | N |

## Findings

| Sev | File | Issue | Fix |
|-----|------|-------|-----|
| CRITICAL | `file.yaml` | Finding title | One-line remediation |
| HIGH | `file.yaml` | Finding title | One-line remediation |
```
Do NOT auto-fix anything. If the user asks to fix a specific finding after the audit, address it one file at a time with their confirmation.
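
The environment-variable check in the per-handler list above (an `os.environ[...]` / `process.env.X` read compared against the names a manifest declares in an `env` block), sketched as an added example that is not part of the k8s-validation plugin. The function names, file paths and sample contents are assumptions constructed for illustration.

```python
import re

# Matches os.environ[...], os.environ.get(...), os.getenv(...) and process.env.X.
ENV_READ = re.compile(r"""(?:os\.environ(?:\.get)?\s*[\[(]|os\.getenv\()\s*['"](\w+)['"]"""
                      r"""|process\.env\.(\w+)""")

def manifest_env_names(text):
    """Names declared in `env:` lists; the block is tracked by indentation."""
    names, env_indent = set(), None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if env_indent is not None:
            # Items may sit deeper than `env:` or start with "-" at the same column.
            if indent > env_indent or (indent == env_indent and stripped.startswith("-")):
                if m := re.match(r"-\s+name:\s*['\"]?([\w.-]+)", stripped):
                    names.add(m.group(1))
            else:
                env_indent = None  # a dedent closes the env block
        if env_indent is None and stripped == "env:":
            env_indent = indent
    return names

def env_mismatches(sources, manifests):
    """(file, name) for each variable read in code that no manifest env block declares."""
    declared = set().union(*(manifest_env_names(t) for t in manifests.values()))
    return [(path, m.group(1) or m.group(2))
            for path, text in sorted(sources.items())
            for m in ENV_READ.finditer(text)
            if (m.group(1) or m.group(2)) not in declared]

# Constructed sample inputs, not taken from any real repository.
SOURCES = {"app/main.py": 'DB = os.environ["DATABASE_URL"]\nKEY = os.getenv("OPENAI_API_KEY")\n',
           "web/server.js": "const p = process.env.PORT;\nconst s = process.env.SESSION_SECRET;\n"}
MANIFESTS = {"k8s/deploy.yaml": """\
containers:
  - name: api
    env:
      - name: DATABASE_URL
        valueFrom:
          secretKeyRef: {name: db-creds, key: url}
      - name: PORT
        value: "8080"
      - name: OPENAI_KEY
"""}

if __name__ == "__main__":
    print(env_mismatches(SOURCES, MANIFESTS))
```

Only `env:` lists are read here; names injected through `envFrom` are not resolved, so a reported name still needs a look at the manifest before it is written up as a finding.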
npx claudepluginhub metalbear-co/k8s-validation-plugin --plugin k8s-validation