Skill Being Reviewed
Skill name: firewall-review
Skill path: skills/network/firewall-review/SKILL.md
False Positive Analysis
Benign code/configuration that can be over-flagged:
egress: tcp/443 to approved proxy only
cloud effective rules confirm no direct internet route from workload subnet
Why this is a false positive:
A rule such as "egress: tcp/443 to approved proxy only" is safe when the compensating evidence (cloud effective rules confirming there is no direct internet route from the workload subnet) is present, but the current skill does not ask reviewers to distinguish that evidence from the risky pattern. The review should require proof of the guardrail before escalating severity.
Coverage Gaps
Missed variant 1:
security_group egress 0.0.0.0/0:*
# justified by "stateful return traffic" but actually allows arbitrary outbound C2
Why it should be caught:
This variant leaves a realistic attack path open while still satisfying the current high-level checklist language.
Missed variant 2:
temporary_rule expires_at: null
source: 10.0.0.0/8
destination: any
created_for: incident bridge
Why it should be caught:
This is a common production edge case where policy exists on paper but does not bind the runtime behavior or evidence trail.
Edge Cases
Firewall reviews can over-credit declared rules and miss cloud effective policy, inherited defaults, broad egress, and temporary rules that never expire.
Remediation Quality
Comparison to Other Tools
| Tool | Catches this? | Notes |
| --- | --- | --- |
| Cloud security posture tools | Partial | Surface broad rules but may miss business justification and expiry. |
| Nmap | Partial | Tests reachable ingress, not all egress paths. |
| Firewall managers | Partial | Show policy but not cloud route/NAT effective path alone. |
Overall Assessment
Strengths:
The skill covers rule review and segmentation fundamentals.
Needs improvement:
It needs stronger treatment of outbound access and temporary exception lifecycle.
Priority recommendations:
- Add explicit egress review criteria for arbitrary outbound access and proxy bypass.
- Require cloud effective-rule and route/NAT evidence, not only IaC declarations.
- Score temporary rules without expiry or owner as findings even if they were initially approved.
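The three recommendations above can be expressed as mechanical checks over a rule set. The following is an added example written for this review, not code from the firewall-review skill; the `Rule` and `EffectiveEvidence` schemas are assumed, and the sample rules are constructed to mirror the proxy-only egress, the `0.0.0.0/0:*` egress and the never-expiring incident-bridge rule discussed above.

```python
"""Rule-set linter for the firewall-review gaps (added example; schema is assumed)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    direction: str                    # "ingress" | "egress"
    source: str                       # CIDR or "any"
    destination: str                  # CIDR, "any", or the name of an approved proxy
    ports: str                        # e.g. "tcp/443" or "*" (all ports)
    justification: str = ""
    temporary: bool = False
    expires_at: Optional[str] = None  # ISO-8601 UTC timestamp; None means never
    owner: Optional[str] = None


@dataclass
class EffectiveEvidence:
    """Evidence taken from the cloud control plane, not from IaC (assumed shape)."""
    direct_internet_route: bool       # does the workload subnet route to an IGW/NAT?
    approved_proxies: set = field(default_factory=set)


def covers_everything(target: str) -> bool:
    """True for 'any', 0.0.0.0/0 or ::/0; named hosts and specific CIDRs are not broad."""
    if target.strip().lower() == "any":
        return True
    try:
        return ip_network(target, strict=False).prefixlen == 0
    except ValueError:
        return False


def find_broad_egress(rules):
    """Missed variant 1: egress to any destination, whatever the stated justification."""
    findings = []
    for r in rules:
        if r.direction == "egress" and covers_everything(r.destination):
            sev = "high" if r.ports == "*" else "medium"
            findings.append((r.name, sev, f"arbitrary outbound to {r.destination} on {r.ports}; "
                             f"justification '{r.justification}' does not bound destinations"))
    return findings


def find_unbounded_temporary(rules, now=None):
    """Missed variant 2: temporary rules with no expiry, a past expiry, or no owner."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for r in rules:
        if not r.temporary:
            continue
        if r.expires_at is None:
            findings.append((r.name, "high", "temporary rule has no expiry"))
        elif datetime.fromisoformat(r.expires_at) <= now:
            findings.append((r.name, "high", f"temporary rule expired at {r.expires_at} but is still present"))
        if not r.owner:
            findings.append((r.name, "medium", "temporary rule has no owner"))
    return findings


def assess_proxy_egress(rule, evidence):
    """False-positive case: proxy-only egress is accepted only with effective-route evidence."""
    if rule.direction != "egress" or rule.destination not in evidence.approved_proxies:
        return "not-applicable"
    if evidence.direct_internet_route:
        return "finding"          # the proxy can be bypassed over the direct route
    return "accepted"


def review(rules, evidence, now=None):
    """Combine all checks into one list of (rule name, severity, reason) findings."""
    findings = find_broad_egress(rules) + find_unbounded_temporary(rules, now)
    for r in rules:
        if assess_proxy_egress(r, evidence) == "finding":
            findings.append((r.name, "high", "proxy-only egress but subnet has a direct internet route"))
    return findings


# Constructed sample rules mirroring the three patterns discussed in this review.
SAMPLE_RULES = [
    Rule("proxy-egress", "egress", "10.20.0.0/16", "proxy.corp.internal", "tcp/443",
         justification="all outbound via approved proxy"),
    Rule("sg-egress-all", "egress", "10.20.0.0/16", "0.0.0.0/0", "*",
         justification="stateful return traffic"),
    Rule("incident-bridge", "egress", "10.0.0.0/8", "any", "*",
         justification="incident bridge", temporary=True, expires_at=None, owner=None),
]
SAMPLE_EVIDENCE = EffectiveEvidence(direct_internet_route=False,
                                    approved_proxies={"proxy.corp.internal"})

if __name__ == "__main__":
    for name, sev, why in review(SAMPLE_RULES, SAMPLE_EVIDENCE):
        print(f"{sev:<6} {name}: {why}")
```

The proxy-only rule is accepted only because the evidence object says the subnet has no direct internet route; flip that flag and the same rule becomes a proxy-bypass finding, which is the distinction the skill currently leaves to the reviewer's judgement.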
Bounty Info