
New skill: server-security-audit (Kastell) #18

Merged: kiliczsh merged 2 commits into komunite:main from omrfc:add-server-security-audit on Apr 27, 2026

Conversation

omrfc (Contributor) commented Mar 24, 2026

Summary

Adds a server security audit and hardening skill to the Development category.

With the Kastell MCP tools:

  • 468+ security checks, 31 categories
  • CIS/PCI-DSS/HIPAA compliance mapping
  • 24-step production hardening
  • 14 MCP tools, including automatic fix (SAFE/FORBIDDEN tier system)
  • Fleet management: monitor multiple servers from a single point
  • 9,611 tests, 215 suites, 90%+ coverage

Why the Development category?

DevOps / infrastructure security is an inseparable part of the software development process. Server security has to be in place before deploying to production. It complements the existing skills (api-gateway-design, blue-green-deployment, alerting-strategy).

What's new (v1.15+)

  • server_fix MCP tool: audit→backup→fix→score pipeline
  • TypeScript FORBIDDEN tier: SSH/Firewall/Docker are never changed automatically
  • DDoS hardening + Edge/WAF audit categories
  • Telegram bot (5 commands: /status /audit /health /doctor /help)
  • 34 CLI commands, 468+ checks, 9,611 tests

Dependency

Installed with claude plugins add kastell.
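The server_fix pipeline and the FORBIDDEN tier named in the description above, shown as an added TypeScript example. This is not Kastell's code and is not part of this PR: it models audit → backup → fix → score over a constructed host state, where SSH/Firewall/Docker findings are reported but never auto-fixed. The check ids (EX-...), setting keys, weights and the scoring formula are all assumptions made for the illustration.

```typescript
// Added illustration of the SAFE/FORBIDDEN tier gate described in the PR text.
// Not Kastell's code: every check id, setting key and category here is constructed.

type Tier = "SAFE" | "FORBIDDEN";

interface Check {
  id: string;        // constructed id, not a real Kastell check id
  category: string;  // "ssh", "firewall", "docker" are FORBIDDEN tier per the PR text
  key: string;       // host setting the check inspects
  expected: string;  // compliant value
  weight: number;    // contribution to the score (assumed weighting)
}

interface Finding { check: Check; actual: string | undefined; passed: boolean }

interface PipelineResult {
  scoreBefore: number;
  scoreAfter: number;
  applied: string[];          // check ids auto-fixed (SAFE tier only)
  skippedForbidden: string[]; // failing checks left for a human because of their tier
  backup: Record<string, string>;
}

// Categories that server_fix must never change on its own (from the PR description).
const FORBIDDEN_CATEGORIES: ReadonlySet<string> = new Set(["ssh", "firewall", "docker"]);

const CHECKS: Check[] = [
  { id: "EX-SSH-001", category: "ssh", key: "PermitRootLogin", expected: "no", weight: 3 },
  { id: "EX-FW-001", category: "firewall", key: "default_incoming", expected: "deny", weight: 3 },
  { id: "EX-SYS-001", category: "sysctl", key: "net.ipv4.ip_forward", expected: "0", weight: 1 },
  { id: "EX-FS-001", category: "filesystem", key: "/etc/shadow.mode", expected: "0640", weight: 2 },
];

function tierOf(check: Check): Tier {
  return FORBIDDEN_CATEGORIES.has(check.category) ? "FORBIDDEN" : "SAFE";
}

// Step 1 of the pipeline: compare each host setting against its expected value.
function audit(host: Record<string, string>, checks: Check[]): Finding[] {
  return checks.map((check) => {
    const actual = host[check.key];
    return { check, actual, passed: actual === check.expected };
  });
}

// Weighted percentage of passing checks, rounded to an integer.
function score(findings: Finding[]): number {
  const total = findings.reduce((sum, f) => sum + f.check.weight, 0);
  const passed = findings.filter((f) => f.passed).reduce((sum, f) => sum + f.check.weight, 0);
  return total === 0 ? 100 : Math.round((100 * passed) / total);
}

// audit -> backup -> fix -> score. The backup is taken before the first change,
// and FORBIDDEN-tier findings are reported, never modified.
function runFixPipeline(host: Record<string, string>, checks: Check[]): PipelineResult {
  const before = audit(host, checks);
  const backup = { ...host };
  const applied: string[] = [];
  const skippedForbidden: string[] = [];
  for (const finding of before) {
    if (finding.passed) continue;
    if (tierOf(finding.check) === "FORBIDDEN") {
      skippedForbidden.push(finding.check.id);
      continue;
    }
    host[finding.check.key] = finding.check.expected;
    applied.push(finding.check.id);
  }
  const after = audit(host, checks);
  return { scoreBefore: score(before), scoreAfter: score(after), applied, skippedForbidden, backup };
}

// Constructed host state: root login and an open firewall are FORBIDDEN-tier failures,
// ip_forward is a SAFE-tier failure, and the shadow file mode already passes.
function sampleHost(): Record<string, string> {
  return {
    PermitRootLogin: "yes",
    default_incoming: "allow",
    "net.ipv4.ip_forward": "1",
    "/etc/shadow.mode": "0640",
  };
}

const demo = runFixPipeline(sampleHost(), CHECKS);
console.log(JSON.stringify(demo, null, 2));
```

Running it prints the pipeline result: the SAFE-tier sysctl finding is fixed and the score rises from 22 to 33, the two FORBIDDEN findings are listed under skippedForbidden with their settings untouched, and the pre-change snapshot is retained in backup for rollback.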

coderabbitai (bot) commented Mar 24, 2026

📝 Walkthrough

Added a new skill documentation page describing a server security audit and hardening workflow: required inputs, optional frameworks and output formats, a 413-control scan across 29 categories, classification into 5 security areas, a 19-step hardening process, post-hardening validation, QC checks, and a 13-tool Kastell catalog.

Changes

Cohort / File(s): Server Security Audit Skill Documentation (.claude/skills/development/server-security-audit/SKILL.md)

Summary: New markdown doc defining required inputs (server info, claude plugins add kastell), optional compatibility frameworks (cis-level1, cis-level2, pci-dss, hipaa) and output formats (summary, json, score); describes 413 controls/29 categories, 5 security area classifications, 19-step production hardening, post-hardening re-audit and QC checklist; includes Kastell MCP tool catalog (13 tools: server_audit, server_lock, server_secure, server_doctor, server_fleet, server_info, server_logs, server_guard, server_evidence, server_backup, server_provision, server_manage, server_maintain).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐇 I hopped through configs, checks in a stack,
Counting four-hundred thirteen, then coming back,
Nineteen fixes stitched tight like a seam,
Thirteen small tools hum—soft, steady, and keen,
I nibble the bugs and guard every dream.

🚥 Pre-merge checks: 3 passed

  • Title check: ✅ Passed. The title clearly summarizes the main change: adding a new skill for server security auditing integrated with Kastell, which is the primary purpose of this pull request.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.


coderabbitai (bot) left a review comment

🧹 Nitpick comments (2)
.claude/skills/development/server-security-audit/SKILL.md (2)

22-23: Consider clarifying parameter value format.

The optional input values are listed without format indication. Consider specifying whether these are exact strings, case-sensitive, or provide example usage to help users invoke the skill correctly.

For example:

-**Uyumluluk Framework'ü**: cis-level1, cis-level2, pci-dss, hipaa
-**Çıktı Formatı**: summary, json, score
+**Uyumluluk Framework'ü**: `cis-level1`, `cis-level2`, `pci-dss`, `hipaa`
+**Çıktı Formatı**: `summary`, `json`, `score`
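Review bot: the suggested replacement only wraps the values in backticks; it does not say that they are exact, case-sensitive string literals, which is the point the comment itself raises. Consider extending the `+` lines with a short note after the value list, for example "(exact lowercase values)", so the doc states the format rather than only styling it.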
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.claude/skills/development/server-security-audit/SKILL.md around lines 22 -
23, The listed optional parameters "Uyumluluk Framework'ü" (values: cis-level1,
cis-level2, pci-dss, hipaa) and "Çıktı Formatı" (values: summary, json, score)
lack format and case-sensitivity guidance; update SKILL.md to state that these
are exact string literals (case-sensitive), enumerate allowed values, and add
one or two example invocations showing correct usage (e.g., Uyumluluk
Framework'ü: "cis-level1", Çıktı Formatı: "json") so callers know the exact
format to pass.

50-56: Clarify that hardening steps are examples.

The section claims "19 adımlı production hardening" but only lists 5 bullet points. While this appears intentional (showing key highlights), it could confuse users who expect to see all 19 steps documented.

Consider adding clarifying text:

-19 adımlı production hardening:
+19 adımlı production hardening (öne çıkan adımlar):

or

-19 adımlı production hardening:
+19 adımlı production hardening (örnek adımlar):
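Review bot: neither suggested heading points readers to the complete 19-step list, so they still cannot find the other 14 steps. If the full checklist exists elsewhere in the skill or in Kastell's docs, the replacement line should carry that pointer; if it does not, the heading should not claim 19 steps without the list being available.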
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.claude/skills/development/server-security-audit/SKILL.md around lines 50 -
56, The heading "19 adımlı production hardening:" and the subsequent 5-item
bullet list in SKILL.md are misleading; update the section to clarify these are
highlights/examples rather than the full 19 steps by either changing the heading
to something like "Production hardening highlights (5 of 19)" or adding a single
line sentence after the heading such as "These five items are highlights—see
full 19-step checklist elsewhere or link to the full list." Adjust the text
around the existing heading and the bullet list so readers understand the list
is illustrative and include a pointer to the complete checklist if available.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8dd085b7-fda0-4aa4-bab6-6962a19aeea7

📥 Commits

Reviewing files that changed from the base of the PR and between e151682 and 148de8c.

📒 Files selected for processing (1)
  • .claude/skills/development/server-security-audit/SKILL.md

omrfc (Contributor, Author) commented Apr 3, 2026

Friendly bump — any chance this could get a review? Happy to address any feedback. Thanks!

@kiliczsh kiliczsh merged commit b35f62c into komunite:main Apr 27, 2026
4 checks passed