@jetrabbits/agentic 0.0.1
- package/AGENTS.md +143 -0
- package/README.md +154 -0
- package/agentic +1615 -0
- package/areas/devops/ci-cd/AGENTS.md +48 -0
- package/areas/devops/ci-cd/PROMPTS.md +7 -0
- package/areas/devops/ci-cd/prompts/onboard-repo.md +97 -0
- package/areas/devops/ci-cd/prompts/pipeline-debug.md +103 -0
- package/areas/devops/ci-cd/prompts/release-pipeline.md +115 -0
- package/areas/devops/ci-cd/rules/pipeline-standards.md +33 -0
- package/areas/devops/ci-cd/rules/quality-gates.md +24 -0
- package/areas/devops/ci-cd/rules/supply-chain-security.md +34 -0
- package/areas/devops/ci-cd/skills/artifact-management/SKILL.md +157 -0
- package/areas/devops/ci-cd/skills/build-optimization/SKILL.md +168 -0
- package/areas/devops/ci-cd/skills/github-actions-patterns/SKILL.md +190 -0
- package/areas/devops/ci-cd/skills/gitlab-ci-patterns/SKILL.md +169 -0
- package/areas/devops/ci-cd/skills/pipeline-security/SKILL.md +161 -0
- package/areas/devops/ci-cd/workflows/onboard-repo.md +73 -0
- package/areas/devops/ci-cd/workflows/pipeline-debug.md +66 -0
- package/areas/devops/ci-cd/workflows/release-pipeline.md +115 -0
- package/areas/devops/database-ops/AGENTS.md +47 -0
- package/areas/devops/database-ops/prompts/backup-verify.md +83 -0
- package/areas/devops/database-ops/prompts/db-incident.md +127 -0
- package/areas/devops/database-ops/rules/access-control.md +20 -0
- package/areas/devops/database-ops/rules/backup-policy.md +33 -0
- package/areas/devops/database-ops/rules/migration-runbook.md +32 -0
- package/areas/devops/database-ops/skills/backup-restore/SKILL.md +226 -0
- package/areas/devops/database-ops/skills/db-performance/SKILL.md +205 -0
- package/areas/devops/database-ops/skills/migration-safety/SKILL.md +155 -0
- package/areas/devops/database-ops/skills/postgres-operations/SKILL.md +156 -0
- package/areas/devops/database-ops/skills/redis-operations/SKILL.md +174 -0
- package/areas/devops/database-ops/workflows/backup-verify.md +107 -0
- package/areas/devops/database-ops/workflows/db-incident.md +86 -0
- package/areas/devops/devsecops/AGENTS.md +47 -0
- package/areas/devops/devsecops/prompts/policy-onboard.md +79 -0
- package/areas/devops/devsecops/prompts/security-scan-pipeline.md +131 -0
- package/areas/devops/devsecops/rules/container-security.md +22 -0
- package/areas/devops/devsecops/rules/policy-as-code.md +37 -0
- package/areas/devops/devsecops/rules/shift-left-policy.md +26 -0
- package/areas/devops/devsecops/skills/container-hardening/SKILL.md +146 -0
- package/areas/devops/devsecops/skills/opa-policies/SKILL.md +188 -0
- package/areas/devops/devsecops/skills/sbom-supply-chain/SKILL.md +165 -0
- package/areas/devops/devsecops/skills/secret-detection/SKILL.md +190 -0
- package/areas/devops/devsecops/skills/sigstore-signing/SKILL.md +184 -0
- package/areas/devops/devsecops/workflows/policy-onboard.md +104 -0
- package/areas/devops/devsecops/workflows/security-scan-pipeline.md +155 -0
- package/areas/devops/infrastructure/AGENTS.md +50 -0
- package/areas/devops/infrastructure/prompts/destroy-environment.md +81 -0
- package/areas/devops/infrastructure/prompts/drift-remediation.md +71 -0
- package/areas/devops/infrastructure/prompts/module-development.md +69 -0
- package/areas/devops/infrastructure/prompts/provision-environment.md +121 -0
- package/areas/devops/infrastructure/rules/iac-standards.md +80 -0
- package/areas/devops/infrastructure/rules/immutability.md +28 -0
- package/areas/devops/infrastructure/rules/secret-hygiene.md +53 -0
- package/areas/devops/infrastructure/rules/state-management.md +47 -0
- package/areas/devops/infrastructure/skills/ansible-playbooks/SKILL.md +174 -0
- package/areas/devops/infrastructure/skills/cost-optimization/SKILL.md +177 -0
- package/areas/devops/infrastructure/skills/drift-detection/SKILL.md +178 -0
- package/areas/devops/infrastructure/skills/state-management/SKILL.md +159 -0
- package/areas/devops/infrastructure/skills/terraform-modules/SKILL.md +169 -0
- package/areas/devops/infrastructure/workflows/destroy-environment.md +96 -0
- package/areas/devops/infrastructure/workflows/drift-remediation.md +66 -0
- package/areas/devops/infrastructure/workflows/module-development.md +101 -0
- package/areas/devops/infrastructure/workflows/provision-environment.md +96 -0
- package/areas/devops/kubernetes/AGENTS.md +57 -0
- package/areas/devops/kubernetes/PROMPTS.md +9 -0
- package/areas/devops/kubernetes/prompts/cluster-bootstrap.md +67 -0
- package/areas/devops/kubernetes/prompts/debug-workload.md +91 -0
- package/areas/devops/kubernetes/prompts/onboard-service.md +101 -0
- package/areas/devops/kubernetes/prompts/upgrade-cluster.md +63 -0
- package/areas/devops/kubernetes/rules/cluster-standards.md +51 -0
- package/areas/devops/kubernetes/rules/resource-governance.md +80 -0
- package/areas/devops/kubernetes/rules/upgrade-policy.md +52 -0
- package/areas/devops/kubernetes/rules/workload-security.md +64 -0
- package/areas/devops/kubernetes/skills/cluster-operations/SKILL.md +136 -0
- package/areas/devops/kubernetes/skills/helm-charts/SKILL.md +152 -0
- package/areas/devops/kubernetes/skills/network-policies/SKILL.md +169 -0
- package/areas/devops/kubernetes/skills/pod-troubleshooting/SKILL.md +129 -0
- package/areas/devops/kubernetes/skills/rbac-design/SKILL.md +148 -0
- package/areas/devops/kubernetes/skills/resource-tuning/SKILL.md +156 -0
- package/areas/devops/kubernetes/workflows/cluster-bootstrap.md +194 -0
- package/areas/devops/kubernetes/workflows/debug-workload.md +108 -0
- package/areas/devops/kubernetes/workflows/onboard-service.md +124 -0
- package/areas/devops/kubernetes/workflows/upgrade-cluster.md +165 -0
- package/areas/devops/networking/AGENTS.md +47 -0
- package/areas/devops/networking/prompts/onboard-ingress.md +119 -0
- package/areas/devops/networking/prompts/service-mesh-onboard.md +77 -0
- package/areas/devops/networking/rules/ingress-standards.md +17 -0
- package/areas/devops/networking/rules/network-segmentation.md +24 -0
- package/areas/devops/networking/rules/tls-policy.md +32 -0
- package/areas/devops/networking/skills/dns-management/SKILL.md +169 -0
- package/areas/devops/networking/skills/ingress-patterns/SKILL.md +165 -0
- package/areas/devops/networking/skills/service-mesh/SKILL.md +206 -0
- package/areas/devops/networking/skills/tls-termination/SKILL.md +198 -0
- package/areas/devops/networking/skills/vpc-design/SKILL.md +132 -0
- package/areas/devops/networking/workflows/onboard-ingress.md +64 -0
- package/areas/devops/networking/workflows/service-mesh-onboard.md +122 -0
- package/areas/devops/observability/AGENTS.md +48 -0
- package/areas/devops/observability/prompts/alert-investigation.md +117 -0
- package/areas/devops/observability/prompts/observability-stack-setup.md +99 -0
- package/areas/devops/observability/prompts/onboard-service-monitoring.md +79 -0
- package/areas/devops/observability/rules/alerting-standards.md +36 -0
- package/areas/devops/observability/rules/data-retention.md +19 -0
- package/areas/devops/observability/rules/golden-signals.md +28 -0
- package/areas/devops/observability/skills/distributed-tracing/SKILL.md +149 -0
- package/areas/devops/observability/skills/grafana-dashboards/SKILL.md +201 -0
- package/areas/devops/observability/skills/log-aggregation/SKILL.md +159 -0
- package/areas/devops/observability/skills/prometheus-alertmanager/SKILL.md +188 -0
- package/areas/devops/observability/skills/slo-implementation/SKILL.md +189 -0
- package/areas/devops/observability/workflows/alert-investigation.md +98 -0
- package/areas/devops/observability/workflows/observability-stack-setup.md +156 -0
- package/areas/devops/observability/workflows/onboard-service-monitoring.md +83 -0
- package/areas/devops/sre/AGENTS.md +48 -0
- package/areas/devops/sre/prompts/incident-response.md +129 -0
- package/areas/devops/sre/prompts/postmortem.md +101 -0
- package/areas/devops/sre/prompts/slo-review.md +125 -0
- package/areas/devops/sre/rules/error-budget-policy.md +25 -0
- package/areas/devops/sre/rules/on-call-standards.md +25 -0
- package/areas/devops/sre/rules/slo-policy.md +31 -0
- package/areas/devops/sre/skills/capacity-planning/SKILL.md +162 -0
- package/areas/devops/sre/skills/chaos-engineering/SKILL.md +186 -0
- package/areas/devops/sre/skills/incident-command/SKILL.md +119 -0
- package/areas/devops/sre/skills/postmortem-analysis/SKILL.md +104 -0
- package/areas/devops/sre/skills/slo-sli-design/SKILL.md +145 -0
- package/areas/devops/sre/workflows/incident-response.md +66 -0
- package/areas/devops/sre/workflows/postmortem.md +90 -0
- package/areas/devops/sre/workflows/slo-review.md +95 -0
- package/areas/software/backend/AGENTS.md +59 -0
- package/areas/software/backend/PROMPTS.md +50 -0
- package/areas/software/backend/README.md +48 -0
- package/areas/software/backend/prompts/add-migration.md +93 -0
- package/areas/software/backend/prompts/create-endpoint.md +97 -0
- package/areas/software/backend/prompts/debug-issue.md +87 -0
- package/areas/software/backend/prompts/develop-epic.md +83 -0
- package/areas/software/backend/prompts/develop-feature.md +91 -0
- package/areas/software/backend/prompts/refactor-module.md +79 -0
- package/areas/software/backend/prompts/test-feature.md +89 -0
- package/areas/software/backend/rules/architecture.md +20 -0
- package/areas/software/backend/rules/data_access.md +20 -0
- package/areas/software/backend/rules/security.md +20 -0
- package/areas/software/backend/rules/testing.md +19 -0
- package/areas/software/backend/skills/api-design/SKILL.md +170 -0
- package/areas/software/backend/skills/async-processing/SKILL.md +152 -0
- package/areas/software/backend/skills/database-modeling/SKILL.md +173 -0
- package/areas/software/backend/skills/observability/SKILL.md +162 -0
- package/areas/software/backend/skills/troubleshooting/SKILL.md +139 -0
- package/areas/software/backend/workflows/add-migration.md +79 -0
- package/areas/software/backend/workflows/create-endpoint.md +89 -0
- package/areas/software/backend/workflows/debug-issue.md +77 -0
- package/areas/software/backend/workflows/develop-epic.md +78 -0
- package/areas/software/backend/workflows/develop-feature.md +98 -0
- package/areas/software/backend/workflows/refactor-module.md +73 -0
- package/areas/software/backend/workflows/test-feature.md +67 -0
- package/areas/software/data-engineering/AGENTS.md +59 -0
- package/areas/software/data-engineering/PROMPTS.md +32 -0
- package/areas/software/data-engineering/prompts/backfill-data.md +107 -0
- package/areas/software/data-engineering/prompts/data-quality-incident.md +109 -0
- package/areas/software/data-engineering/prompts/lineage-trace.md +121 -0
- package/areas/software/data-engineering/prompts/new-model.md +117 -0
- package/areas/software/data-engineering/prompts/schema-migration.md +111 -0
- package/areas/software/data-engineering/rules/data-governance.md +11 -0
- package/areas/software/data-engineering/rules/pii-handling.md +19 -0
- package/areas/software/data-engineering/rules/pipeline-integrity.md +11 -0
- package/areas/software/data-engineering/rules/schema-management.md +21 -0
- package/areas/software/data-engineering/skills/data-modeling/SKILL.md +49 -0
- package/areas/software/data-engineering/skills/dbt-patterns/SKILL.md +43 -0
- package/areas/software/data-engineering/skills/lineage-governance/SKILL.md +38 -0
- package/areas/software/data-engineering/skills/orchestration/SKILL.md +35 -0
- package/areas/software/data-engineering/skills/quality-checks/SKILL.md +50 -0
- package/areas/software/data-engineering/skills/sql-optimization/SKILL.md +47 -0
- package/areas/software/data-engineering/skills/streaming-patterns/SKILL.md +48 -0
- package/areas/software/data-engineering/workflows/backfill-data.md +59 -0
- package/areas/software/data-engineering/workflows/data-quality-incident.md +64 -0
- package/areas/software/data-engineering/workflows/lineage-trace.md +56 -0
- package/areas/software/data-engineering/workflows/new-model.md +71 -0
- package/areas/software/data-engineering/workflows/schema-migration.md +67 -0
- package/areas/software/frontend/AGENTS.md +60 -0
- package/areas/software/frontend/PROMPTS.md +32 -0
- package/areas/software/frontend/prompts/a11y-fix.md +75 -0
- package/areas/software/frontend/prompts/bundle-analyze.md +75 -0
- package/areas/software/frontend/prompts/release-prep.md +83 -0
- package/areas/software/frontend/prompts/scaffold-component.md +69 -0
- package/areas/software/frontend/prompts/visual-regression.md +73 -0
- package/areas/software/frontend/rules/accessibility.md +16 -0
- package/areas/software/frontend/rules/architecture.md +29 -0
- package/areas/software/frontend/rules/performance.md +23 -0
- package/areas/software/frontend/rules/quality.md +12 -0
- package/areas/software/frontend/skills/a11y-audit/SKILL.md +61 -0
- package/areas/software/frontend/skills/api-integration/SKILL.md +58 -0
- package/areas/software/frontend/skills/component-design/SKILL.md +171 -0
- package/areas/software/frontend/skills/css-architecture/SKILL.md +146 -0
- package/areas/software/frontend/skills/error-handling/SKILL.md +55 -0
- package/areas/software/frontend/skills/performance-tuning/SKILL.md +58 -0
- package/areas/software/frontend/skills/state-management/SKILL.md +54 -0
- package/areas/software/frontend/skills/testing-patterns/SKILL.md +69 -0
- package/areas/software/frontend/workflows/a11y-fix.md +63 -0
- package/areas/software/frontend/workflows/bundle-analyze.md +56 -0
- package/areas/software/frontend/workflows/release-prep.md +66 -0
- package/areas/software/frontend/workflows/scaffold-component.md +67 -0
- package/areas/software/frontend/workflows/visual-regression.md +65 -0
- package/areas/software/full-stack/AGENTS.md +72 -0
- package/areas/software/full-stack/PROMPTS.md +66 -0
- package/areas/software/full-stack/prompts/backend-project-full-cycle.md +141 -0
- package/areas/software/full-stack/prompts/debug-issue.md +115 -0
- package/areas/software/full-stack/prompts/develop-feature.md +119 -0
- package/areas/software/full-stack/prompts/feature-implementation-flow.md +137 -0
- package/areas/software/full-stack/prompts/testing-ci-pipeline.md +119 -0
- package/areas/software/full-stack/rules/api-design-guide.md +24 -0
- package/areas/software/full-stack/rules/async-concurrency-guide.md +21 -0
- package/areas/software/full-stack/rules/backend-architecture-rule.md +41 -0
- package/areas/software/full-stack/rules/background-jobs-guide.md +20 -0
- package/areas/software/full-stack/rules/code-quality-guide.md +22 -0
- package/areas/software/full-stack/rules/database-access-guide.md +24 -0
- package/areas/software/full-stack/rules/database-migrations-guide.md +24 -0
- package/areas/software/full-stack/rules/domain-models-guide.md +28 -0
- package/areas/software/full-stack/rules/e2e-test-guide.md +18 -0
- package/areas/software/full-stack/rules/env-settings-guide.md +34 -0
- package/areas/software/full-stack/rules/error-handling-guide.md +20 -0
- package/areas/software/full-stack/rules/logging-observability-guide.md +22 -0
- package/areas/software/full-stack/rules/project-guide.md +34 -0
- package/areas/software/full-stack/rules/python-venv-guide.md +23 -0
- package/areas/software/full-stack/rules/security-guide.md +22 -0
- package/areas/software/full-stack/rules/svt-test-guide.md +17 -0
- package/areas/software/full-stack/rules/testing-ci-guide.md +25 -0
- package/areas/software/full-stack/skills/api-design-principles/SKILL.md +125 -0
- package/areas/software/full-stack/skills/api-design-principles/assets/api-design-checklist.md +155 -0
- package/areas/software/full-stack/skills/api-design-principles/assets/rest-api-template.py +182 -0
- package/areas/software/full-stack/skills/api-design-principles/references/graphql-schema-design.md +583 -0
- package/areas/software/full-stack/skills/api-design-principles/references/rest-best-practices.md +408 -0
- package/areas/software/full-stack/skills/api-design-principles/resources/implementation-playbook.md +513 -0
- package/areas/software/full-stack/skills/api-patterns/SKILL.md +81 -0
- package/areas/software/full-stack/skills/api-patterns/api-style.md +42 -0
- package/areas/software/full-stack/skills/api-patterns/auth.md +24 -0
- package/areas/software/full-stack/skills/api-patterns/documentation.md +26 -0
- package/areas/software/full-stack/skills/api-patterns/graphql.md +41 -0
- package/areas/software/full-stack/skills/api-patterns/rate-limiting.md +31 -0
- package/areas/software/full-stack/skills/api-patterns/response.md +37 -0
- package/areas/software/full-stack/skills/api-patterns/rest.md +40 -0
- package/areas/software/full-stack/skills/api-patterns/scripts/api_validator.py +211 -0
- package/areas/software/full-stack/skills/api-patterns/security-testing.md +122 -0
- package/areas/software/full-stack/skills/api-patterns/trpc.md +41 -0
- package/areas/software/full-stack/skills/api-patterns/versioning.md +22 -0
- package/areas/software/full-stack/skills/app-builder/SKILL.md +135 -0
- package/areas/software/full-stack/skills/app-builder/agent-coordination.md +71 -0
- package/areas/software/full-stack/skills/app-builder/feature-building.md +53 -0
- package/areas/software/full-stack/skills/app-builder/project-detection.md +34 -0
- package/areas/software/full-stack/skills/app-builder/scaffolding.md +118 -0
- package/areas/software/full-stack/skills/app-builder/tech-stack.md +40 -0
- package/areas/software/full-stack/skills/app-builder/templates/SKILL.md +39 -0
- package/areas/software/full-stack/skills/app-builder/templates/astro-static/TEMPLATE.md +76 -0
- package/areas/software/full-stack/skills/app-builder/templates/chrome-extension/TEMPLATE.md +92 -0
- package/areas/software/full-stack/skills/app-builder/templates/cli-tool/TEMPLATE.md +88 -0
- package/areas/software/full-stack/skills/app-builder/templates/electron-desktop/TEMPLATE.md +88 -0
- package/areas/software/full-stack/skills/app-builder/templates/express-api/TEMPLATE.md +83 -0
- package/areas/software/full-stack/skills/app-builder/templates/flutter-app/TEMPLATE.md +90 -0
- package/areas/software/full-stack/skills/app-builder/templates/monorepo-turborepo/TEMPLATE.md +90 -0
- package/areas/software/full-stack/skills/app-builder/templates/nextjs-fullstack/TEMPLATE.md +82 -0
- package/areas/software/full-stack/skills/app-builder/templates/nextjs-saas/TEMPLATE.md +100 -0
- package/areas/software/full-stack/skills/app-builder/templates/nextjs-static/TEMPLATE.md +106 -0
- package/areas/software/full-stack/skills/app-builder/templates/nuxt-app/TEMPLATE.md +101 -0
- package/areas/software/full-stack/skills/app-builder/templates/python-fastapi/TEMPLATE.md +83 -0
- package/areas/software/full-stack/skills/app-builder/templates/react-native-app/TEMPLATE.md +93 -0
- package/areas/software/full-stack/skills/backend-developer/SKILL.md +58 -0
- package/areas/software/full-stack/skills/bash-pro/SKILL.md +310 -0
- package/areas/software/full-stack/skills/blackbox-test/SKILL.md +84 -0
- package/areas/software/full-stack/skills/prompt-project-planner/SKILL.md +130 -0
- package/areas/software/full-stack/skills/prompt-project-planner/output.schema.md +68 -0
- package/areas/software/full-stack/skills/prompt-project-planner/questions.md +80 -0
- package/areas/software/full-stack/skills/python-pro/SKILL.md +158 -0
- package/areas/software/full-stack/skills/skill-creator/LICENSE.txt +202 -0
- package/areas/software/full-stack/skills/skill-creator/SKILL.md +356 -0
- package/areas/software/full-stack/skills/skill-creator/references/output-patterns.md +82 -0
- package/areas/software/full-stack/skills/skill-creator/references/workflows.md +28 -0
- package/areas/software/full-stack/skills/skill-creator/scripts/init_skill.py +303 -0
- package/areas/software/full-stack/skills/skill-creator/scripts/package_skill.py +110 -0
- package/areas/software/full-stack/skills/skill-creator/scripts/quick_validate.py +95 -0
- package/areas/software/full-stack/workflows/backend-project-full-cycle.md +132 -0
- package/areas/software/full-stack/workflows/debug-issue.md +70 -0
- package/areas/software/full-stack/workflows/develop-feature.md +85 -0
- package/areas/software/full-stack/workflows/feature-implementation-flow.md +78 -0
- package/areas/software/full-stack/workflows/testing-ci-pipeline.md +65 -0
- package/areas/software/general/AGENTS.md +68 -0
- package/areas/software/general/prompts/code-review-workflow.md +87 -0
- package/areas/software/general/prompts/development-cycle-workflow.md +83 -0
- package/areas/software/general/prompts/project-setup-workflow.md +93 -0
- package/areas/software/general/rules/code-style-guide.md +31 -0
- package/areas/software/general/rules/docker-compose-guide.md +27 -0
- package/areas/software/general/rules/git-workflow-guide.md +27 -0
- package/areas/software/general/rules/github-workflow-guide.md +27 -0
- package/areas/software/general/rules/gitlab-ci-guide.md +27 -0
- package/areas/software/general/rules/lint-format-guide.md +29 -0
- package/areas/software/general/rules/makefile-guide.md +34 -0
- package/areas/software/general/rules/readme-sync-guide.md +40 -0
- package/areas/software/general/rules/sdlc-methodology-guide.md +27 -0
- package/areas/software/general/rules/sdlc-role-responsibilities.md +108 -0
- package/areas/software/general/skills/general-dev-tools/SKILL.md +324 -0
- package/areas/software/general/workflows/code-review-workflow.md +84 -0
- package/areas/software/general/workflows/development-cycle-workflow.md +85 -0
- package/areas/software/general/workflows/project-setup-workflow.md +94 -0
- package/areas/software/mlops/AGENTS.md +57 -0
- package/areas/software/mlops/PROMPTS.md +32 -0
- package/areas/software/mlops/prompts/champion-challenger.md +87 -0
- package/areas/software/mlops/prompts/deploy-endpoint.md +91 -0
- package/areas/software/mlops/prompts/evaluate-model.md +87 -0
- package/areas/software/mlops/prompts/model-incident.md +87 -0
- package/areas/software/mlops/prompts/train-experiment.md +83 -0
- package/areas/software/mlops/rules/data-integrity.md +9 -0
- package/areas/software/mlops/rules/model-governance.md +9 -0
- package/areas/software/mlops/rules/production-safety.md +9 -0
- package/areas/software/mlops/rules/reproducibility.md +9 -0
- package/areas/software/mlops/skills/experiment-tracking/SKILL.md +29 -0
- package/areas/software/mlops/skills/feature-engineering/SKILL.md +44 -0
- package/areas/software/mlops/skills/inference-serving/SKILL.md +35 -0
- package/areas/software/mlops/skills/model-evaluation/SKILL.md +40 -0
- package/areas/software/mlops/skills/model-monitoring/SKILL.md +32 -0
- package/areas/software/mlops/workflows/champion-challenger.md +65 -0
- package/areas/software/mlops/workflows/deploy-endpoint.md +70 -0
- package/areas/software/mlops/workflows/evaluate-model.md +63 -0
- package/areas/software/mlops/workflows/model-incident.md +64 -0
- package/areas/software/mlops/workflows/train-experiment.md +56 -0
- package/areas/software/mobile/AGENTS.md +58 -0
- package/areas/software/mobile/PROMPTS.md +32 -0
- package/areas/software/mobile/prompts/crash-triage.md +63 -0
- package/areas/software/mobile/prompts/device-testing.md +83 -0
- package/areas/software/mobile/prompts/ota-update.md +75 -0
- package/areas/software/mobile/prompts/release-build.md +67 -0
- package/areas/software/mobile/prompts/store-submission.md +79 -0
- package/areas/software/mobile/rules/offline-first.md +10 -0
- package/areas/software/mobile/rules/performance-budget.md +20 -0
- package/areas/software/mobile/rules/platform-compliance.md +17 -0
- package/areas/software/mobile/rules/security-mobile.md +9 -0
- package/areas/software/mobile/skills/app-store-prep/SKILL.md +27 -0
- package/areas/software/mobile/skills/mobile-testing/SKILL.md +36 -0
- package/areas/software/mobile/skills/native-modules/SKILL.md +38 -0
- package/areas/software/mobile/skills/navigation-patterns/SKILL.md +49 -0
- package/areas/software/mobile/skills/push-notifications/SKILL.md +40 -0
- package/areas/software/mobile/skills/state-sync/SKILL.md +48 -0
- package/areas/software/mobile/workflows/crash-triage.md +63 -0
- package/areas/software/mobile/workflows/device-testing.md +54 -0
- package/areas/software/mobile/workflows/ota-update.md +54 -0
- package/areas/software/mobile/workflows/release-build.md +67 -0
- package/areas/software/mobile/workflows/store-submission.md +63 -0
- package/areas/software/platform/AGENTS.md +67 -0
- package/areas/software/platform/PROMPTS.md +32 -0
- package/areas/software/platform/prompts/cost-audit.md +117 -0
- package/areas/software/platform/prompts/deploy-production.md +109 -0
- package/areas/software/platform/prompts/drift-check.md +107 -0
- package/areas/software/platform/prompts/incident-response.md +121 -0
- package/areas/software/platform/prompts/provision-env.md +113 -0
- package/areas/software/platform/rules/cost-governance.md +11 -0
- package/areas/software/platform/rules/immutability.md +17 -0
- package/areas/software/platform/rules/reliability.md +19 -0
- package/areas/software/platform/rules/security-posture.md +12 -0
- package/areas/software/platform/skills/ci-cd-pipelines/SKILL.md +58 -0
- package/areas/software/platform/skills/incident-response/SKILL.md +41 -0
- package/areas/software/platform/skills/k8s-manifests/SKILL.md +56 -0
- package/areas/software/platform/skills/networking/SKILL.md +44 -0
- package/areas/software/platform/skills/observability-setup/SKILL.md +49 -0
- package/areas/software/platform/skills/secrets-management/SKILL.md +43 -0
- package/areas/software/platform/skills/terraform-patterns/SKILL.md +75 -0
- package/areas/software/platform/workflows/cost-audit.md +61 -0
- package/areas/software/platform/workflows/deploy-production.md +67 -0
- package/areas/software/platform/workflows/drift-check.md +61 -0
- package/areas/software/platform/workflows/incident-response.md +69 -0
- package/areas/software/platform/workflows/provision-env.md +77 -0
- package/areas/software/qa/AGENTS.md +58 -0
- package/areas/software/qa/PROMPTS.md +32 -0
- package/areas/software/qa/prompts/flakiness-investigation.md +61 -0
- package/areas/software/qa/prompts/performance-audit.md +65 -0
- package/areas/software/qa/prompts/regression-suite.md +61 -0
- package/areas/software/qa/prompts/smoke-test.md +65 -0
- package/areas/software/qa/prompts/test-coverage-report.md +61 -0
- package/areas/software/qa/rules/flakiness-policy.md +12 -0
- package/areas/software/qa/rules/quality-gates.md +28 -0
- package/areas/software/qa/rules/test-data.md +9 -0
- package/areas/software/qa/rules/test-strategy.md +11 -0
- package/areas/software/qa/skills/accessibility-testing/SKILL.md +139 -0
- package/areas/software/qa/skills/api-testing/SKILL.md +140 -0
- package/areas/software/qa/skills/e2e-patterns/SKILL.md +152 -0
- package/areas/software/qa/skills/performance-testing/SKILL.md +177 -0
- package/areas/software/qa/skills/test-data-management/SKILL.md +161 -0
- package/areas/software/qa/skills/test-pyramid/SKILL.md +127 -0
- package/areas/software/qa/workflows/flakiness-investigation.md +63 -0
- package/areas/software/qa/workflows/performance-audit.md +59 -0
- package/areas/software/qa/workflows/regression-suite.md +59 -0
- package/areas/software/qa/workflows/smoke-test.md +64 -0
- package/areas/software/qa/workflows/test-coverage-report.md +57 -0
- package/areas/software/security/AGENTS.md +58 -0
- package/areas/software/security/PROMPTS.md +32 -0
- package/areas/software/security/prompts/compliance-report.md +113 -0
- package/areas/software/security/prompts/pen-test-sim.md +113 -0
- package/areas/software/security/prompts/secret-rotation.md +115 -0
- package/areas/software/security/prompts/security-scan.md +91 -0
- package/areas/software/security/prompts/threat-model-review.md +105 -0
- package/areas/software/security/rules/compliance-baseline.md +23 -0
- package/areas/software/security/rules/dependency-policy.md +12 -0
- package/areas/software/security/rules/secrets-policy.md +22 -0
- package/areas/software/security/rules/secure-coding.md +22 -0
- package/areas/software/security/skills/auth-patterns/SKILL.md +42 -0
- package/areas/software/security/skills/crypto-standards/SKILL.md +42 -0
- package/areas/software/security/skills/dependency-audit/SKILL.md +29 -0
- package/areas/software/security/skills/sast-dast-interpretation/SKILL.md +33 -0
- package/areas/software/security/skills/security-headers/SKILL.md +29 -0
- package/areas/software/security/skills/threat-modeling/SKILL.md +36 -0
- package/areas/software/security/workflows/compliance-report.md +57 -0
- package/areas/software/security/workflows/pen-test-sim.md +63 -0
- package/areas/software/security/workflows/secret-rotation.md +67 -0
- package/areas/software/security/workflows/security-scan.md +64 -0
- package/areas/software/security/workflows/threat-model-review.md +62 -0
- package/areas/template/AGENTS-area.tmpl.md +61 -0
- package/areas/template/AGENTS.tmpl.md +67 -0
- package/areas/template/GUIDE.md +102 -0
- package/areas/template/PROMPTS.tmpl.md +29 -0
- package/areas/template/README.md +57 -0
- package/areas/template/README.tmpl.md +51 -0
- package/areas/template/prompt.tmpl.md +101 -0
- package/areas/template/rule.tmpl.md +71 -0
- package/areas/template/skill.tmpl.md +108 -0
- package/areas/template/workflow.tmpl.md +104 -0
- package/bin/agentic.js +24 -0
- package/extensions/antigravity/GEMINI.md +10 -0
- package/extensions/claude/CLAUDE.md +10 -0
- package/extensions/codex/AGENTS.override.md +93 -0
- package/extensions/gemini/GEMINI.md +10 -0
- package/extensions/opencode/agents/designer.md +65 -0
- package/extensions/opencode/agents/developer.md +63 -0
- package/extensions/opencode/agents/devops-engineer.md +69 -0
- package/extensions/opencode/agents/pm.md +61 -0
- package/extensions/opencode/agents/product-owner.md +76 -0
- package/extensions/opencode/agents/qa.md +66 -0
- package/extensions/opencode/agents/team-lead.md +67 -0
- package/extensions/opencode/commands/feature.md +75 -0
- package/extensions/opencode/opencode.json +93 -0
- package/extensions/opencode/plugins/model-checker.json +14 -0
- package/extensions/opencode/plugins/model-checker.ts +279 -0
- package/extensions/opencode/plugins/sound-notification.ts +13 -0
- package/extensions/opencode/plugins/telegram-notification.ts +86 -0
- package/extensions/opencode/skills/code_review_expert/SKILL.md +144 -0
- package/extensions/opencode/skills/design_expert/SKILL.md +42 -0
- package/extensions/opencode/skills/qa_expert/SKILL.md +116 -0
- package/package.json +19 -0
|
@@ -0,0 +1,131 @@
|
|
|
1
|
+
---
|
|
2
|
+
workflow: security-scan-pipeline
|
|
3
|
+
---
|
|
4
|
+
|
|
5
|
+
# Prompt: `/security-scan-pipeline`
|
|
6
|
+
|
|
7
|
+
Use when: running a release-blocking security scan pipeline or remediating findings across secrets, containers, dependencies, and SBOM/signing controls.
|
|
8
|
+
|
|
9
|
+
---
|
|
10
|
+
|
|
11
|
+
## Example 1 — Full pre-release security scan
|
|
12
|
+
|
|
13
|
+
**EN:**
|
|
14
|
+
```
|
|
15
|
+
/security-scan-pipeline
|
|
16
|
+
|
|
17
|
+
Service: payment-service / Version: v2.5.0
|
|
18
|
+
Scope: full scan (code, dependencies, image, IaC)
|
|
19
|
+
Pipeline stage: pre-release gate
|
|
20
|
+
Scans to run:
|
|
21
|
+
1. SAST: semgrep (ruleset: python, owasp) on src/
|
|
22
|
+
2. Dependency CVE: trivy fs . (CRITICAL+HIGH block)
|
|
23
|
+
3. Secrets: trufflehog git --since-commit HEAD~10
|
|
24
|
+
4. Image: trivy image registry.internal/payment-service:v2.5.0 (CRITICAL+HIGH block)
|
|
25
|
+
5. IaC: tfsec terraform/ (CRITICAL+HIGH block)
|
|
26
|
+
6. SBOM: generate CycloneDX from image; attach via cosign
|
|
27
|
+
Expected output: pass/fail per scan + finding summary + exceptions list
|
|
28
|
+
Block release if: any unresolved Critical/High without approved exception
|
|
29
|
+
```
|
|
30
|
+
|
|
31
|
+
**RU:**
|
|
32
|
+
```
|
|
33
|
+
/security-scan-pipeline
|
|
34
|
+
|
|
35
|
+
Сервис: payment-service / Версия: v2.5.0
|
|
36
|
+
Скоуп: полное сканирование (код, зависимости, образ, IaC)
|
|
37
|
+
Стадия pipeline: pre-release gate
|
|
38
|
+
Сканирования:
|
|
39
|
+
1. SAST: semgrep (ruleset: python, owasp) на src/
|
|
40
|
+
2. CVE зависимостей: trivy fs . (CRITICAL+HIGH блокируют)
|
|
41
|
+
3. Секреты: trufflehog git --since-commit HEAD~10
|
|
42
|
+
4. Образ: trivy image registry.internal/payment-service:v2.5.0 (CRITICAL+HIGH блокируют)
|
|
43
|
+
5. IaC: tfsec terraform/ (CRITICAL+HIGH блокируют)
|
|
44
|
+
6. SBOM: генерация CycloneDX из образа; прикрепление через cosign
|
|
45
|
+
Ожидаемый результат: pass/fail по каждому скану + сводка находок + список исключений
|
|
46
|
+
Блокировать релиз если: есть неразрешённые Critical/High без утверждённого исключения
|
|
47
|
+
```
|
|
48
|
+
|
|
49
|
+
---
|
|
50
|
+
|
|
51
|
+
## Example 2 — Harden existing Python service Dockerfile
|
|
52
|
+
|
|
53
|
+
**EN:**
|
|
54
|
+
```
|
|
55
|
+
/security-scan-pipeline
|
|
56
|
+
|
|
57
|
+
Service: notification-service / Language: Python 3.12 + FastAPI
|
|
58
|
+
Current Dockerfile issues (from Trivy + OPA scan):
|
|
59
|
+
- Runs as root (no USER instruction)
|
|
60
|
+
- Base image: python:3.12 (full, not slim; 800MB with dev tools)
|
|
61
|
+
- No multi-stage (test deps included in production image)
|
|
62
|
+
- Base image tag not pinned to digest
|
|
63
|
+
- COPY . . copies .env and .git into image
|
|
64
|
+
Hardening targets:
|
|
65
|
+
1. Distroless or python:3.12-slim@sha256:<digest> base (< 150MB final)
|
|
66
|
+
2. Non-root user (UID 1000)
|
|
67
|
+
3. Multi-stage: builder with pip install; runtime with only app + deps
|
|
68
|
+
4. .dockerignore: exclude .env, .git, tests/, __pycache__, *.pyc
|
|
69
|
+
5. readOnlyRootFilesystem: true in K8s (mount emptyDir for /tmp)
|
|
70
|
+
6. drop ALL capabilities; no privilege escalation
|
|
71
|
+
Show: before/after Dockerfile + Helm values securityContext patch
|
|
72
|
+
```
|
|
73
|
+
|
|
74
|
+
**RU:**
|
|
75
|
+
```
|
|
76
|
+
/security-scan-pipeline
|
|
77
|
+
|
|
78
|
+
Сервис: notification-service / Язык: Python 3.12 + FastAPI
|
|
79
|
+
Текущие проблемы Dockerfile (из Trivy + OPA скана):
|
|
80
|
+
- Запуск от root (нет инструкции USER)
|
|
81
|
+
- Base image: python:3.12 (полный, не slim; 800MB с dev tools)
|
|
82
|
+
- Нет multi-stage (зависимости для тестов включены в production образ)
|
|
83
|
+
- Тег base image не закреплён с digest
|
|
84
|
+
- COPY . . копирует .env и .git в образ
|
|
85
|
+
Цели hardening:
|
|
86
|
+
1. Distroless или python:3.12-slim@sha256:<digest> база (финальный < 150MB)
|
|
87
|
+
2. Не-root пользователь (UID 1000)
|
|
88
|
+
3. Multi-stage: builder с pip install; runtime только с приложением + зависимостями
|
|
89
|
+
4. .dockerignore: исключить .env, .git, tests/, __pycache__, *.pyc
|
|
90
|
+
5. readOnlyRootFilesystem: true в K8s (монтировать emptyDir для /tmp)
|
|
91
|
+
6. drop ALL capabilities; без повышения привилегий
|
|
92
|
+
Показать: Dockerfile до/после + патч securityContext в Helm values
|
|
93
|
+
```
|
|
94
|
+
|
|
95
|
+
---
|
|
96
|
+
|
|
97
|
+
## Example 3 — Add SBOM + cosign to existing pipeline
|
|
98
|
+
|
|
99
|
+
**EN:**
|
|
100
|
+
```
|
|
101
|
+
/security-scan-pipeline
|
|
102
|
+
|
|
103
|
+
Service: payment-service / CI: GitHub Actions
|
|
104
|
+
Image: ghcr.io/myorg/payment-service:${{ github.sha }}
|
|
105
|
+
Current state: image built and pushed; no SBOM, no signature
|
|
106
|
+
Add to pipeline (after image push step):
|
|
107
|
+
1. Generate SBOM in CycloneDX format using Syft
|
|
108
|
+
2. Attach SBOM to image in OCI registry using cosign attach sbom
|
|
109
|
+
3. Sign image with cosign using GitHub OIDC (keyless — no private key management)
|
|
110
|
+
4. Generate SLSA provenance attestation (via docker/build-push-action provenance:true)
|
|
111
|
+
5. Add verification step in deploy job: cosign verify before helm upgrade
|
|
112
|
+
6. Store SBOM as build artifact (for audit/compliance download)
|
|
113
|
+
Show: complete GitHub Actions steps to insert after existing push step
|
|
114
|
+
```
|
|
115
|
+
|
|
116
|
+
**RU:**
|
|
117
|
+
```
|
|
118
|
+
/security-scan-pipeline
|
|
119
|
+
|
|
120
|
+
Сервис: payment-service / CI: GitHub Actions
|
|
121
|
+
Образ: ghcr.io/myorg/payment-service:${{ github.sha }}
|
|
122
|
+
Текущее состояние: образ собирается и пушится; без SBOM, без подписи
|
|
123
|
+
Добавить в pipeline (после шага push образа):
|
|
124
|
+
1. Генерация SBOM в формате CycloneDX через Syft
|
|
125
|
+
2. Прикрепление SBOM к образу в OCI registry через cosign attach sbom
|
|
126
|
+
3. Подпись образа через cosign с GitHub OIDC (keyless — без управления приватным ключом)
|
|
127
|
+
4. Генерация SLSA provenance attestation (через docker/build-push-action provenance:true)
|
|
128
|
+
5. Добавить шаг верификации в deploy job: cosign verify перед helm upgrade
|
|
129
|
+
6. Сохранить SBOM как build artifact (для загрузки при аудите/compliance)
|
|
130
|
+
Показать: полные шаги GitHub Actions для вставки после существующего шага push
|
|
131
|
+
```
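Review bot: `trufflehog git --since-commit HEAD~10` in Example 1 (EN and RU) bounds a release-blocking secret scan to the last ten commits, so a credential committed earlier in the branch's history is never seen by the gate even though it is still retrievable from the repository. For a pre-release gate scan the full history, or at least everything since the previous release, e.g. `trufflehog git file://. --since-commit <previous-release-tag>`, and state in the expected output that any hit means rotation, not just removal from the tree. In Example 3 the deploy-time `cosign verify` should be run against the digest returned by the push step rather than the mutable `${{ github.sha }}` tag, and for keyless signing with the expected `--certificate-identity` and `--certificate-oidc-issuer` pinned, since without those constraints the verification accepts any Sigstore-signed image.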
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
# Rule: Container Security Standards
|
|
2
|
+
|
|
3
|
+
**Priority**: P0 — Containers violating these standards are rejected at deploy time via policy.
|
|
4
|
+
|
|
5
|
+
## Dockerfile Standards
|
|
6
|
+
|
|
7
|
+
1. **Non-root user** — `USER 1000:1000` in Dockerfile; never run as root.
|
|
8
|
+
2. **Minimal base image** — prefer distroless or Alpine; never `FROM ubuntu:latest`.
|
|
9
|
+
3. **Pin base image to digest** — `FROM python:3.12-slim@sha256:...` (not tag-only).
|
|
10
|
+
4. **No secrets in layers** — no `COPY .env`, no `ARG password=`; multi-stage to exclude build secrets.
|
|
11
|
+
5. **No SETUID binaries** — `RUN find / -perm /6000 -type f -exec chmod a-s {} \;`
|
|
12
|
+
6. **Read-only filesystem** where possible — `readOnlyRootFilesystem: true` in pod spec.
|
|
13
|
+
|
|
14
|
+
## K8s Admission Policy (OPA/Gatekeeper or Kyverno)
|
|
15
|
+
|
|
16
|
+
Blocked at admission:
|
|
17
|
+
- `privileged: true` containers in production namespace
|
|
18
|
+
- `runAsRoot: true` or missing `runAsNonRoot`
|
|
19
|
+
- `allowPrivilegeEscalation: true`
|
|
20
|
+
- Missing `resources.requests` / `resources.limits`
|
|
21
|
+
- Image without digest (`:latest` or mutable tag)
|
|
22
|
+
- Unsigned images (if cosign policy enabled)
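Review bot: `runAsRoot: true` in the admission list is not a Kubernetes `securityContext` field, so a policy written against it would never fire; the conditions to block are `runAsUser: 0`, `runAsNonRoot: false`, or `runAsNonRoot` unset at both pod and container level, e.g. `- \`runAsUser: 0\`, \`runAsNonRoot: false\`, or \`runAsNonRoot\` unset at pod and container level`. The SETUID-stripping one-liner in standard 5 has no stderr redirect or fallback, and `find /` returns non-zero after permission errors under `/proc` and `/sys`, so as written it is likely to fail the `RUN` step; the variant in the container-hardening skill appends `2>/dev/null || true`, and this rule should match it. Host namespaces (`hostNetwork`, `hostPID`, `hostIPC`) are absent from the blocked list here although the policy-as-code rule mandates `disallow-host-namespaces`; worth adding so the two rule files agree.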
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
# Rule: Policy as Code
|
|
2
|
+
|
|
3
|
+
**Priority**: P1 — Security policies enforced as admission controllers, not documentation.
|
|
4
|
+
|
|
5
|
+
## OPA/Gatekeeper vs Kyverno
|
|
6
|
+
|
|
7
|
+
| | OPA/Gatekeeper | Kyverno |
|
|
8
|
+
|:---|:---|:---|
|
|
9
|
+
| Language | Rego | YAML/JMESPath |
|
|
10
|
+
| Learning curve | Higher | Lower |
|
|
11
|
+
| Best for | Complex logic, cross-resource | Simple K8s guardrails |
|
|
12
|
+
| Mutation | Limited | Built-in |
|
|
13
|
+
|
|
14
|
+
## Policy Categories
|
|
15
|
+
|
|
16
|
+
1. **Validation** — reject non-compliant resources (privilege escalation, missing labels)
|
|
17
|
+
2. **Mutation** — auto-add default values (labels, security context defaults)
|
|
18
|
+
3. **Generation** — auto-create companion resources (default NetworkPolicy per namespace)
|
|
19
|
+
|
|
20
|
+
## Policy Testing (required before deploy)
|
|
21
|
+
|
|
22
|
+
```bash
|
|
23
|
+
# OPA/Gatekeeper: unit test policies
|
|
24
|
+
opa test policies/ -v
|
|
25
|
+
|
|
26
|
+
# Kyverno: test policies against example manifests
|
|
27
|
+
kyverno test . --test-case-selector "policy=disallow-privileged"
|
|
28
|
+
```
|
|
29
|
+
|
|
30
|
+
## Mandatory Policies (deploy to all clusters)
|
|
31
|
+
|
|
32
|
+
- `disallow-privileged-containers`
|
|
33
|
+
- `require-non-root-user`
|
|
34
|
+
- `require-resource-limits`
|
|
35
|
+
- `require-readonly-root-filesystem` (warn in staging, enforce in production)
|
|
36
|
+
- `require-image-digest` (no `:latest` tags)
|
|
37
|
+
- `disallow-host-namespaces` (no hostNetwork, hostPID, hostIPC)
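Review bot: The test command's selector `policy=disallow-privileged` does not match the mandatory policy named `disallow-privileged-containers` a few lines below; as far as I know `kyverno test` selects by exact policy name, so this selects zero test cases and the required-before-deploy step passes vacuously. Change it to `kyverno test . --test-case-selector "policy=disallow-privileged-containers"`. The mandatory list also has no policy for dropping capabilities or requiring a seccomp profile, even though the container-hardening guidance in this package sets `drop: ["ALL"]` and `RuntimeDefault`; consider `require-drop-all-capabilities` and `require-seccomp-runtime-default` so the admission baseline enforces what the pod-spec guidance produces.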
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
# Rule: Shift-Left Security Policy
|
|
2
|
+
|
|
3
|
+
**Priority**: P0 — Security checks are part of CI, not a post-deployment audit.
|
|
4
|
+
|
|
5
|
+
## Security Pipeline Gates (mandatory, in order)
|
|
6
|
+
|
|
7
|
+
1. **Pre-commit**: `trufflehog` / `git-secrets` — detect secrets before they enter repo
|
|
8
|
+
2. **CI lint stage**: `semgrep` (SAST) — detect code-level vulnerabilities
|
|
9
|
+
3. **CI build stage**: `trivy fs .` — scan dependencies before building image
|
|
10
|
+
4. **CI after build**: `trivy image` — scan built image for OS + package CVEs
|
|
11
|
+
5. **CI after build**: SBOM generated (Syft) + attached to image (cosign)
|
|
12
|
+
6. **CD pre-deploy**: image signature verified (cosign verify) — unsigned = blocked
|
|
13
|
+
|
|
14
|
+
## Severity Thresholds
|
|
15
|
+
|
|
16
|
+
| Severity | In PR/CI | In CD (deploy) |
|
|
17
|
+
|:---|:---|:---|
|
|
18
|
+
| Critical | Block merge | Block deploy |
|
|
19
|
+
| High | Block merge | Block deploy |
|
|
20
|
+
| Medium | Warning comment | Warning; deploy allowed |
|
|
21
|
+
| Low | Informational | Pass |
|
|
22
|
+
|
|
23
|
+
## Exception Process
|
|
24
|
+
|
|
25
|
+
- Critical/High with no available fix: documented exception + Jira ticket + 30-day expiry.
|
|
26
|
+
- CVE in base image, fix not yet available: pin exception with digest; revisit weekly.
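Review bot: Gate 6 `cosign verify` is only a real gate if the expected signer is pinned: with keyless signing the verify must carry `--certificate-identity-regexp` (or `--certificate-identity`) for the release workflow and `--certificate-oidc-issuer https://token.actions.githubusercontent.com`, otherwise any image signed through Sigstore by anyone satisfies "signature verified". The verify should also target the image digest produced by the build rather than a tag, so the artifact that passed verification is the one deployed. Gate 1 places secret detection only in a pre-commit hook, which is client-side and skipped by `git commit --no-verify`; a CI secret scan over the pushed commit range belongs in the mandatory list alongside the semgrep stage, with the pre-commit hook noted as advisory.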
|
|
@@ -0,0 +1,146 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: container-hardening
|
|
3
|
+
type: skill
|
|
4
|
+
description: Harden container images and Kubernetes workload security contexts — distroless, multi-stage, minimal attack surface.
|
|
5
|
+
related-rules:
|
|
6
|
+
- container-security.md
|
|
7
|
+
- shift-left-policy.md
|
|
8
|
+
allowed-tools: Read, Write, Edit, Bash
|
|
9
|
+
---
|
|
10
|
+
|
|
11
|
+
# Skill: Container Hardening
|
|
12
|
+
|
|
13
|
+
> **Expertise:** Minimal images, distroless, multi-stage builds, security context, Dockerfile best practices, Trivy scanning.
|
|
14
|
+
|
|
15
|
+
## When to load
|
|
16
|
+
|
|
17
|
+
When building a new Dockerfile, hardening an existing image, failing Trivy scan, or setting up pod security contexts.
|
|
18
|
+
|
|
19
|
+
## Hardened Dockerfile (Python example)
|
|
20
|
+
|
|
21
|
+
```dockerfile
|
|
22
|
+
# ── Stage 1: Build (has build tools, not in final image) ──
|
|
23
|
+
FROM python:3.12-slim@sha256:<pinned-digest> AS builder
|
|
24
|
+
|
|
25
|
+
WORKDIR /app
|
|
26
|
+
COPY requirements.txt .
|
|
27
|
+
RUN pip install --user --no-cache-dir -r requirements.txt
|
|
28
|
+
|
|
29
|
+
# ── Stage 2: Runtime (minimal, no build tools) ───────────
|
|
30
|
+
FROM python:3.12-slim@sha256:<pinned-digest>
|
|
31
|
+
|
|
32
|
+
# Create non-root user
|
|
33
|
+
RUN groupadd -r appgroup --gid=1000 && \
|
|
34
|
+
useradd -r -g appgroup --uid=1000 --no-create-home appuser
|
|
35
|
+
|
|
36
|
+
WORKDIR /app
|
|
37
|
+
|
|
38
|
+
# Copy only built artifacts from builder
|
|
39
|
+
COPY --from=builder /root/.local /home/appuser/.local
|
|
40
|
+
COPY --chown=appuser:appgroup src/ ./src/
|
|
41
|
+
|
|
42
|
+
# Remove SETUID binaries (attack surface reduction)
|
|
43
|
+
RUN find / -perm /6000 -type f -exec chmod a-s {} \; 2>/dev/null || true
|
|
44
|
+
|
|
45
|
+
# Switch to non-root
|
|
46
|
+
USER 1000:1000
|
|
47
|
+
|
|
48
|
+
# Read-only filesystem friendly: temp dir for app writes
|
|
49
|
+
VOLUME ["/tmp"]
|
|
50
|
+
|
|
51
|
+
EXPOSE 8080
|
|
52
|
+
|
|
53
|
+
# Prefer exec form (handles signals correctly)
|
|
54
|
+
ENTRYPOINT ["python", "-m", "uvicorn", "src.main:app", "--host", "0.0.0.0", "--port", "8080"]
|
|
55
|
+
```
|
|
56
|
+
|
|
57
|
+
## Distroless (Go example — smallest attack surface)
|
|
58
|
+
|
|
59
|
+
```dockerfile
|
|
60
|
+
FROM golang:1.23-alpine AS builder
|
|
61
|
+
WORKDIR /app
|
|
62
|
+
COPY . .
|
|
63
|
+
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-w -s" -o server ./cmd/server
|
|
64
|
+
|
|
65
|
+
# Distroless: no shell, no package manager, no OS utilities
|
|
66
|
+
FROM gcr.io/distroless/static-debian12:nonroot
|
|
67
|
+
COPY --from=builder /app/server /server
|
|
68
|
+
USER nonroot:nonroot
|
|
69
|
+
EXPOSE 8080
|
|
70
|
+
ENTRYPOINT ["/server"]
|
|
71
|
+
```
|
|
72
|
+
|
|
73
|
+
## Pod Security Context (K8s manifest)
|
|
74
|
+
|
|
75
|
+
```yaml
|
|
76
|
+
spec:
|
|
77
|
+
securityContext:
|
|
78
|
+
# Pod-level
|
|
79
|
+
runAsNonRoot: true
|
|
80
|
+
runAsUser: 1000
|
|
81
|
+
runAsGroup: 1000
|
|
82
|
+
fsGroup: 1000
|
|
83
|
+
seccompProfile:
|
|
84
|
+
type: RuntimeDefault # enables syscall filtering
|
|
85
|
+
|
|
86
|
+
containers:
|
|
87
|
+
- name: app
|
|
88
|
+
securityContext:
|
|
89
|
+
# Container-level
|
|
90
|
+
allowPrivilegeEscalation: false
|
|
91
|
+
readOnlyRootFilesystem: true
|
|
92
|
+
capabilities:
|
|
93
|
+
drop: ["ALL"]
|
|
94
|
+
# add only if explicitly needed:
|
|
95
|
+
# add: ["NET_BIND_SERVICE"] # bind to port < 1024
|
|
96
|
+
|
|
97
|
+
# Writable temp dir for app that needs /tmp
|
|
98
|
+
volumeMounts:
|
|
99
|
+
- name: tmp
|
|
100
|
+
mountPath: /tmp
|
|
101
|
+
|
|
102
|
+
volumes:
|
|
103
|
+
- name: tmp
|
|
104
|
+
emptyDir: {}
|
|
105
|
+
```
|
|
106
|
+
|
|
107
|
+
## Trivy Scan Workflow
|
|
108
|
+
|
|
109
|
+
```bash
|
|
110
|
+
# Scan filesystem (during build, before image creation)
|
|
111
|
+
trivy fs . \
|
|
112
|
+
--severity CRITICAL,HIGH \
|
|
113
|
+
--exit-code 1 \
|
|
114
|
+
--ignorefile .trivyignore
|
|
115
|
+
|
|
116
|
+
# Scan built image
|
|
117
|
+
trivy image \
|
|
118
|
+
--severity CRITICAL,HIGH \
|
|
119
|
+
--exit-code 1 \
|
|
120
|
+
--format sarif \
|
|
121
|
+
--output trivy-results.sarif \
|
|
122
|
+
registry.example.com/my-service:${GIT_SHA}
|
|
123
|
+
|
|
124
|
+
# Scan with SBOM (generates and scans simultaneously)
|
|
125
|
+
trivy image \
|
|
126
|
+
--format cyclonedx \
|
|
127
|
+
--output sbom.json \
|
|
128
|
+
registry.example.com/my-service:${GIT_SHA}
|
|
129
|
+
```
|
|
130
|
+
|
|
131
|
+
## .trivyignore (CVE exceptions)
|
|
132
|
+
|
|
133
|
+
```
|
|
134
|
+
# CVE-2024-XXXXX - no fix available; tracked in JIRA SEC-456; review 2024-12-01
|
|
135
|
+
CVE-2024-XXXXX
|
|
136
|
+
```
|
|
137
|
+
|
|
138
|
+
## Common Hardening Failures + Fixes
|
|
139
|
+
|
|
140
|
+
| Failure | Cause | Fix |
|
|
141
|
+
|:---|:---|:---|
|
|
142
|
+
| `runAsRoot` | No USER in Dockerfile | Add `USER 1000:1000` |
|
|
143
|
+
| Mutable tag | `:latest` or `:main` | Pin to `@sha256:digest` |
|
|
144
|
+
| SETUID binary | Default OS image | Strip: `chmod a-s /usr/bin/passwd` |
|
|
145
|
+
| Writable root FS | `readOnlyRootFilesystem: true` blocks writes | Mount `emptyDir` for `/tmp`, `/var/run` |
|
|
146
|
+
| Secrets in image | `COPY .env` or `ARG password` | Multi-stage + Docker secrets |
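Review bot: The Go example's base images `FROM golang:1.23-alpine AS builder` and `FROM gcr.io/distroless/static-debian12:nonroot` are tag-only, which the container-security rule in this package forbids and which the Python example above follows; pin both, e.g. `FROM gcr.io/distroless/static-debian12:nonroot@sha256:<pinned-digest>`, since `nonroot` is a mutable tag and the package's own admission policy rejects digest-less images. `VOLUME ["/tmp"]` in the Python Dockerfile is honoured by `docker run` but ignored by Kubernetes, so the writable `/tmp` under `readOnlyRootFilesystem: true` comes only from the `emptyDir` mount in the pod spec — worth saying in the comment so nobody drops the mount. The comment `# Scan with SBOM (generates and scans simultaneously)` overstates what `trivy image --format cyclonedx` does: as far as I recall CycloneDX output omits vulnerability results unless `--scanners vuln` is passed, so this step must not be mistaken for the CVE gate. The `pip install --user` output copied from `/root/.local` to `/home/appuser/.local` relies on Python resolving the UID 1000 user's site directory under that home at runtime; worth a smoke test that `python -m uvicorn` imports as that user.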
|
|
@@ -0,0 +1,188 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: opa-policies
|
|
3
|
+
type: skill
|
|
4
|
+
description: Write OPA/Gatekeeper and Kyverno admission policies for Kubernetes security guardrails.
|
|
5
|
+
related-rules:
|
|
6
|
+
- policy-as-code.md
|
|
7
|
+
- container-security.md
|
|
8
|
+
allowed-tools: Read, Write, Edit, Bash
|
|
9
|
+
---
|
|
10
|
+
|
|
11
|
+
# Skill: OPA Policies & Kyverno
|
|
12
|
+
|
|
13
|
+
> **Expertise:** Gatekeeper ConstraintTemplates, Kyverno ClusterPolicies, validation + mutation + generation.
|
|
14
|
+
|
|
15
|
+
## When to load
|
|
16
|
+
|
|
17
|
+
When writing admission policies, testing policy changes, or debugging policy-blocked deployments.
|
|
18
|
+
|
|
19
|
+
## Gatekeeper: ConstraintTemplate + Constraint
|
|
20
|
+
|
|
21
|
+
```yaml
|
|
22
|
+
# 1. ConstraintTemplate — defines the policy logic in Rego
|
|
23
|
+
apiVersion: templates.gatekeeper.sh/v1
|
|
24
|
+
kind: ConstraintTemplate
|
|
25
|
+
metadata:
|
|
26
|
+
name: k8srequirenonroot
|
|
27
|
+
spec:
|
|
28
|
+
crd:
|
|
29
|
+
spec:
|
|
30
|
+
names: { kind: K8sRequireNonRoot }
|
|
31
|
+
targets:
|
|
32
|
+
- target: admission.k8s.gatekeeper.sh
|
|
33
|
+
rego: |
|
|
34
|
+
package k8srequirenonroot
|
|
35
|
+
|
|
36
|
+
violation[{"msg": msg}] {
|
|
37
|
+
container := input.review.object.spec.containers[_]
|
|
38
|
+
not container.securityContext.runAsNonRoot
|
|
39
|
+
msg := sprintf("Container '%v' must set runAsNonRoot: true", [container.name])
|
|
40
|
+
}
|
|
41
|
+
|
|
42
|
+
violation[{"msg": msg}] {
|
|
43
|
+
container := input.review.object.spec.containers[_]
|
|
44
|
+
container.securityContext.runAsUser == 0
|
|
45
|
+
msg := sprintf("Container '%v' must not run as UID 0", [container.name])
|
|
46
|
+
}
|
|
47
|
+
|
|
48
|
+
---
|
|
49
|
+
# 2. Constraint — applies the template to specific resources/namespaces
|
|
50
|
+
apiVersion: constraints.gatekeeper.sh/v1beta1
|
|
51
|
+
kind: K8sRequireNonRoot
|
|
52
|
+
metadata:
|
|
53
|
+
name: require-non-root-production
|
|
54
|
+
spec:
|
|
55
|
+
enforcementAction: deny # deny | warn | dryrun
|
|
56
|
+
match:
|
|
57
|
+
kinds:
|
|
58
|
+
- apiGroups: [apps]
|
|
59
|
+
kinds: [Deployment, StatefulSet, DaemonSet]
|
|
60
|
+
namespaceSelector:
|
|
61
|
+
matchExpressions:
|
|
62
|
+
- key: environment
|
|
63
|
+
operator: In
|
|
64
|
+
values: [production, staging]
|
|
65
|
+
```
|
|
66
|
+
|
|
67
|
+
## Gatekeeper: Require Image Digest
|
|
68
|
+
|
|
69
|
+
```yaml
|
|
70
|
+
apiVersion: templates.gatekeeper.sh/v1
|
|
71
|
+
kind: ConstraintTemplate
|
|
72
|
+
metadata:
|
|
73
|
+
name: k8srequireimagedigest
|
|
74
|
+
spec:
|
|
75
|
+
crd:
|
|
76
|
+
spec:
|
|
77
|
+
names: { kind: K8sRequireImageDigest }
|
|
78
|
+
targets:
|
|
79
|
+
- target: admission.k8s.gatekeeper.sh
|
|
80
|
+
rego: |
|
|
81
|
+
package k8srequireimagedigest
|
|
82
|
+
|
|
83
|
+
violation[{"msg": msg}] {
|
|
84
|
+
container := input.review.object.spec.containers[_]
|
|
85
|
+
not contains(container.image, "@sha256:")
|
|
86
|
+
msg := sprintf(
|
|
87
|
+
"Container '%v' image '%v' must reference a digest (@sha256:...), not a mutable tag",
|
|
88
|
+
[container.name, container.image]
|
|
89
|
+
)
|
|
90
|
+
}
|
|
91
|
+
```
|
|
92
|
+
|
|
93
|
+
## Kyverno: Simpler YAML Policies
|
|
94
|
+
|
|
95
|
+
```yaml
|
|
96
|
+
# Disallow privileged containers (Kyverno)
|
|
97
|
+
apiVersion: kyverno.io/v1
|
|
98
|
+
kind: ClusterPolicy
|
|
99
|
+
metadata:
|
|
100
|
+
name: disallow-privileged-containers
|
|
101
|
+
spec:
|
|
102
|
+
validationFailureAction: Enforce
|
|
103
|
+
rules:
|
|
104
|
+
- name: check-privileged
|
|
105
|
+
match:
|
|
106
|
+
any:
|
|
107
|
+
- resources:
|
|
108
|
+
kinds: [Pod]
|
|
109
|
+
namespaces: [production, staging]
|
|
110
|
+
validate:
|
|
111
|
+
message: "Privileged containers are not allowed in production/staging"
|
|
112
|
+
pattern:
|
|
113
|
+
spec:
|
|
114
|
+
containers:
|
|
115
|
+
- =(securityContext):
|
|
116
|
+
=(privileged): "false"
|
|
117
|
+
```
|
|
118
|
+
|
|
119
|
+
```yaml
|
|
120
|
+
# Kyverno MUTATION — auto-add security context defaults
|
|
121
|
+
apiVersion: kyverno.io/v1
|
|
122
|
+
kind: ClusterPolicy
|
|
123
|
+
metadata:
|
|
124
|
+
name: add-default-securitycontext
|
|
125
|
+
spec:
|
|
126
|
+
rules:
|
|
127
|
+
- name: add-security-context
|
|
128
|
+
match:
|
|
129
|
+
any:
|
|
130
|
+
- resources: { kinds: [Pod] }
|
|
131
|
+
mutate:
|
|
132
|
+
patchStrategicMerge:
|
|
133
|
+
spec:
|
|
134
|
+
containers:
|
|
135
|
+
- (name): "*"
|
|
136
|
+
securityContext:
|
|
137
|
+
+(runAsNonRoot): true
|
|
138
|
+
+(allowPrivilegeEscalation): false
|
|
139
|
+
+(readOnlyRootFilesystem): true
|
|
140
|
+
```
|
|
141
|
+
|
|
142
|
+
## Policy Testing
|
|
143
|
+
|
|
144
|
+
```bash
|
|
145
|
+
# OPA unit tests
|
|
146
|
+
cat > policies/test_nonroot.rego << 'REGO'
|
|
147
|
+
package k8srequirenonroot
|
|
148
|
+
|
|
149
|
+
test_deny_root_container {
|
|
150
|
+
violation[{"msg": _}] with input as {
|
|
151
|
+
"review": {"object": {"spec": {"containers": [
|
|
152
|
+
{"name": "app", "securityContext": {"runAsUser": 0}}
|
|
153
|
+
]}}}
|
|
154
|
+
}
|
|
155
|
+
}
|
|
156
|
+
|
|
157
|
+
test_allow_nonroot_container {
|
|
158
|
+
count(violation) == 0 with input as {
|
|
159
|
+
"review": {"object": {"spec": {"containers": [
|
|
160
|
+
{"name": "app", "securityContext": {"runAsNonRoot": true, "runAsUser": 1000}}
|
|
161
|
+
]}}}
|
|
162
|
+
}
|
|
163
|
+
}
|
|
164
|
+
REGO
|
|
165
|
+
|
|
166
|
+
opa test policies/ -v
|
|
167
|
+
|
|
168
|
+
# Kyverno test with example manifests
|
|
169
|
+
kyverno test . \
|
|
170
|
+
--test-case-selector "policy=disallow-privileged-containers"
|
|
171
|
+
|
|
172
|
+
# Check which policies blocked a recent admission
|
|
173
|
+
kubectl get events -n <ns> | grep "denied\|violated"
|
|
174
|
+
```
|
|
175
|
+
|
|
176
|
+
## Debugging Policy Denials
|
|
177
|
+
|
|
178
|
+
```bash
|
|
179
|
+
# See why a deployment was rejected
|
|
180
|
+
kubectl describe deploy <n> -n <ns>
|
|
181
|
+
# Look at Events section for: "admission webhook ... denied"
|
|
182
|
+
|
|
183
|
+
# Check active constraints
|
|
184
|
+
kubectl get constraints
|
|
185
|
+
|
|
186
|
+
# Check constraint violations (audit mode)
|
|
187
|
+
kubectl get k8srequirenonroot.constraints.gatekeeper.sh -o jsonpath='{.items[*].status.violations}'
|
|
188
|
+
```
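Review bot: The Rego at `container := input.review.object.spec.containers[_]` (both rules, and again in the digest template) reads the Pod path, but the constraint matches Deployment/StatefulSet/DaemonSet, whose containers live under `spec.template.spec.containers`; against those kinds the reference is undefined, no violation ever binds, and the constraint admits everything while appearing enforced. The unit tests feed a Pod-shaped input, so they pass without exercising the shape the constraint actually sees. Resolve the pod spec from either path, include `initContainers`, and honour a pod-level `runAsNonRoot: true` so correctly configured pods are not rejected; the digest template needs the same path change. Adding `- apiGroups: [""]` / `kinds: [Pod]` to the constraint's match also covers pods created directly or by operators.
```rego
package k8srequirenonroot

# Pods (apiGroups [""]) carry containers at spec.*, workload kinds (apps/*) at spec.template.spec.*.
pod_spec := input.review.object.spec.template.spec { input.review.object.spec.template }
pod_spec := input.review.object.spec { not input.review.object.spec.template }

all_containers[c] { c := pod_spec.containers[_] }
all_containers[c] { c := pod_spec.initContainers[_] }

# Satisfied by an explicit container-level true, or a pod-level true the container does not override.
nonroot(c) { c.securityContext.runAsNonRoot == true }
nonroot(c) {
    not c.securityContext.runAsNonRoot == false
    pod_spec.securityContext.runAsNonRoot == true
}

violation[{"msg": msg}] {
    c := all_containers[_]
    not nonroot(c)
    msg := sprintf("Container '%v' must set runAsNonRoot: true", [c.name])
}

# … unchanged: UID 0 rule, iterating all_containers[_] instead of spec.containers[_] …
```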
|