security-audit

> Agent for `istio-ambient-mesh-review`. Review Istio ambient mesh configuration — ztunnel L4 vs waypoint L7 enforcement, AuthorizationPolicy scope, PeerAuthentication mTLS mode, RequestAuthentication JWKs, and gateway configuration for service mesh security posture.

> Agent for `prometheus-alerting-cardinality-review`. Reviews Prometheus and AlertManager configuration for cardinality explosion, alert expression correctness, scrape security, routing safety, and retention adequacy.

Use this skill when reviewing Sigstore Cosign supply chain security for Kubernetes workloads. Trigger when the user asks whether images are properly signed, whether Kyverno imageVerify policy is correctly scoped, whether SLSA provenance attestations exist, whether SBOM…

Technical debt detection and remediation. Run at session end to find duplicated code, dead imports, security issues, and complexity hotspots. Triggers: 'find tech debt', 'scan for issues', 'check code quality', 'wrap up session', 'ready to commit', 'before merge', 'code review…

> Agent for gcp-apigee-api-platform-operator. Design and operate Apigee X API proxies — rate limiting, OAuth/JWT security policies, quota plans, developer portal setup, and API product management.

> Agent for `gcp-gke-platform-operator`. Operate GKE clusters (Standard and Autopilot), manage node pools, configure Workload Identity, enforce Binary Authorization, plan node pool upgrades, and review cluster security posture.

> Agent for `gcp-landing-zone-architect`. Design and review GCP landing zone foundations: organization setup, folder hierarchy, resource hierarchy, org policies baseline, Shared VPC, billing account structure, Security Command Center activation, and audit logging.

> Agent for `gcp-networking-observability`. Investigate GCP network issues using VPC Flow Logs, firewall logs, Cloud NAT logs, threat logs, and networking metrics with a BigQuery-first methodology.

> Agent for `gcp-secret-kms-lifecycle-steward`. Audit and govern Cloud KMS key lifecycles, Secret Manager secrets, CMEK configurations across GCP services (Cloud SQL, BigQuery, GCS, Compute), key rotation schedules, and envelope encryption patterns.

Map AWS compliance evidence for audits across Security Hub controls, AWS Config rules/conformance packs, Audit Manager assessments, evidence folders, manual evidence, AWS Artifact reports, CloudTrail, and control narratives. Use for evidence packaging and audit readiness, not…

Review AWS workloads against the Well-Architected Framework Security Pillar: identity foundations, detective controls, infrastructure protection, data protection, and incident response readiness.

Design and operate Apigee X API proxies — rate limiting, OAuth/JWT security policies, quota plans, developer portal setup, and API product management.

Audit GCP IAM bindings across the resource hierarchy (org/folder/project), identify overprivileged Service Accounts, review Workload Identity Federation configurations, evaluate org policy conditions, and recommend least-privilege remediation. Prefer…

Design and review GCP landing zone foundations including organization setup, folder hierarchy, org policy baseline, Shared VPC, billing account structure, Security Command Center, and audit logging.

Gate Cloud KMS key version destruction and key ring deletion against a complete CMEK dependency audit. All Cloud SQL, GCS, BigQuery, Compute Engine disk, and Secret Manager resources encrypted by the key version become permanently inaccessible once destruction completes — this…

Audit and govern Cloud KMS key lifecycles, Secret Manager secrets, CMEK configurations across GCP services (Cloud SQL, BigQuery, GCS, Compute), key rotation schedules, and envelope encryption patterns. Prefer gcp-iam-least-privilege-review for IAM binding review on KMS keys and…

> Agent for `alibaba-actiontrail-audit-analyst`. Query ActionTrail management API events, build governance audit reports, create SLS-based compliance evidence trails, detect anomalous admin activity.

> Agent for `alibaba-china-compliance`. Advise on MLPS 2.0 (GB/T 22239-2019), Data Security Law (DSL), Cybersecurity Law (CSL), PIPL, ICP filing requirements, and cross-border data transfer obligations for mainland China (CN-*) workloads.

> Agent for `alibaba-security-center-hardening`. Harden Alibaba Cloud security posture via Security Center (threat detection, vulnerability scanning), WAF, Anti-DDoS Pro, Cloud Firewall (north-south and east-west), and Network Traffic Analysis (NTA).

> Agent for `alibaba-waf-security-review`. Assess Alibaba Cloud workload security posture: RAM least-privilege, VPC isolation, KMS/HSM encryption, Cloud Security Center threat detection, ActionTrail audit, WAF/Anti-DDoS web protection, and Chinese regulatory compliance (MLPS…

> Agent for `huawei-iac-change-safety-review`. Review Terraform and RFS (Resource Formation Service) changes targeting Huawei Cloud — blast radius analysis, resource deletion detection, Organizations SCP cascade scope, cross-stack dependency impact, state file security, and…

> Agent for `huawei-iam-least-privilege-review`. Audit IAM fine-grained policies, SCP (Service Control Policy) statements at Organizations level, agency trust relationships, and enterprise project permission boundaries for Huawei Cloud.

> Agent for `huawei-secmaster-security-operations`. Drive SecMaster SIEM/SOAR threat detection, HSS host risk baseline, CFW policy review, WAF rule governance, Anti-DDoS EIP binding audit, and VSS vulnerability scan management on Huawei Cloud.

> Agent for `huawei-waf-security-review`. Assess Huawei Cloud workload security posture via IAM SCP governance, VPC isolation, DEW key management, SecMaster SIEM/SOAR, and MLPS 2.0 technical controls.

> Agent for `oci-live-autonomous-db-lifecycle-guard`. Guard Autonomous Database scale, start, stop, clone, and terminate operations with protection-tag check, wallet backup, and connection-string audit before any lifecycle mutation.