@jetrabbits/agentic 0.0.1

package/areas/devops/devsecops/skills/sbom-supply-chain/SKILL.md

@@ -0,0 +1,165 @@
+---
+name: sbom-supply-chain
+type: skill
+description: Generate, attach, and verify SBOMs (CycloneDX/SPDX) for container images; implement SLSA provenance; harden software supply chain.
+related-rules:
+  - supply-chain-security.md (ci-cd)
+  - shift-left-policy.md
+allowed-tools: Read, Write, Edit, Bash
+---
+
+# Skill: SBOM & Supply Chain Security
+
+> **Expertise:** Syft/Trivy SBOM generation, cosign SBOM attestation, SLSA provenance, dependency pinning, OCI attestations.
+
+## When to load
+
+When generating SBOMs for images, attaching attestations to OCI registry, verifying supply chain integrity, or achieving SLSA compliance.
+
+## SBOM Generation (Syft)
+
+```bash
+# Generate CycloneDX SBOM from image (OCI)
+syft registry.example.com/myorg/order-service:v1.2.3 \
+  -o cyclonedx-json=sbom.cdx.json
+
+# Generate SPDX SBOM from image
+syft registry.example.com/myorg/order-service:v1.2.3 \
+  -o spdx-json=sbom.spdx.json
+
+# Generate from local directory (during build)
+syft dir:. -o cyclonedx-json=sbom.cdx.json
+
+# Generate from Dockerfile build context (before push)
+syft packages docker:myimage:latest -o cyclonedx-json=sbom.cdx.json
+```
+
+## SBOM Attestation via cosign
+
+```bash
+# Sign image and attach SBOM as OCI attestation
+# Step 1: Build and push image
+docker buildx build --push \
+  -t registry.example.com/myorg/order-service:v1.2.3 .
+
+# Step 2: Get digest
+DIGEST=$(crane digest registry.example.com/myorg/order-service:v1.2.3)
+
+# Step 3: Generate SBOM
+syft registry.example.com/myorg/order-service:v1.2.3 \
+  -o cyclonedx-json=sbom.cdx.json
+
+# Step 4: Attach SBOM as attestation (Sigstore keyless)
+cosign attest \
+  --predicate sbom.cdx.json \
+  --type cyclonedx \
+  registry.example.com/myorg/order-service@${DIGEST}
+
+# Step 5: Verify attestation exists
+cosign verify-attestation \
+  --type cyclonedx \
+  --certificate-identity-regexp ".*" \
+  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+  registry.example.com/myorg/order-service@${DIGEST} \
+  | jq '.payload | @base64d | fromjson | .predicate.metadata'
+```
+
+## GitHub Actions: Full Supply Chain Pipeline
+
+```yaml
+# .github/workflows/supply-chain.yml
+jobs:
+  build-sign-attest:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write         # for cosign keyless signing
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+
+      - name: Install syft
+        uses: anchore/sbom-action/download-syft@v0
+
+      - name: Build and push
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          push: true
+          tags: registry.example.com/myorg/order-service:${{ github.sha }}
+
+      - name: Sign image (keyless via OIDC)
+        run: |
+          cosign sign \
+            registry.example.com/myorg/order-service@${{ steps.build.outputs.digest }}
+
+      - name: Generate SBOM
+        run: |
+          syft registry.example.com/myorg/order-service@${{ steps.build.outputs.digest }} \
+            -o cyclonedx-json=sbom.cdx.json
+
+      - name: Attach SBOM attestation
+        run: |
+          cosign attest \
+            --predicate sbom.cdx.json \
+            --type cyclonedx \
+            registry.example.com/myorg/order-service@${{ steps.build.outputs.digest }}
+
+      - name: Generate SLSA provenance
+        uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2
+        with:
+          image: registry.example.com/myorg/order-service
+          digest: ${{ steps.build.outputs.digest }}
+```
+
+## Verify Before Deploy (admission check)
+
+```bash
+# Verify image is signed before deploying
+cosign verify \
+  --certificate-identity-regexp "https://github.com/myorg/myrepo" \
+  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+  registry.example.com/myorg/order-service@sha256:<digest>
+
+# Kyverno policy: enforce signed images in production
+# (see opa-policies skill for full Kyverno policy)
+```
+
+## Dependency Pinning (supply chain hardening)
+
+```dockerfile
+# Pin base image to digest — not just tag
+FROM python:3.12-slim@sha256:abc123...   # ✅
+FROM python:3.12-slim                    # ❌ tag can be replaced
+
+# Verify base image digest in CI
+crane digest python:3.12-slim
+```
+
+```bash
+# Python: generate requirements with hashes (pip-compile)
+pip-compile --generate-hashes requirements.in -o requirements.txt
+
+# Install with hash verification
+pip install -r requirements.txt --require-hashes
+
+# Node: lock file with integrity hashes (automatic in npm/yarn)
+npm ci   # uses package-lock.json with sha512 integrity hashes
+```
+
+## SBOM Analysis
+
+```bash
+# Scan SBOM for vulnerabilities (without re-pulling image)
+grype sbom:sbom.cdx.json --fail-on high
+
+# List all packages in SBOM
+cat sbom.cdx.json | jq '.components[] | {name: .name, version: .version, purl: .purl}'
+
+# Check for GPL licenses in SBOM
+cat sbom.cdx.json | jq '.components[] | select(.licenses[]?.license.id | startswith("GPL"))'
+```

package/areas/devops/devsecops/skills/secret-detection/SKILL.md

@@ -0,0 +1,190 @@
+---
+name: secret-detection
+type: skill
+description: Detect secrets in code, git history, and running containers — pre-commit hooks, CI scanning, and incident response for exposed credentials.
+related-rules:
+  - shift-left-policy.md
+  - secret-hygiene.md (infrastructure)
+allowed-tools: Read, Write, Edit, Bash
+---
+
+# Skill: Secret Detection
+
+> **Expertise:** trufflehog, gitleaks, git-secrets, pre-commit hooks, CI scanning, secret rotation playbook.
+
+## When to load
+
+When setting up secret scanning pre-commit or in CI, investigating a potential credential leak, or remediating secrets found in git history.
+
+## Pre-Commit Hook Setup
+
+```bash
+# Install pre-commit
+pip install pre-commit
+
+# .pre-commit-config.yaml
+repos:
+  - repo: https://github.com/trufflesecurity/trufflehog
+    rev: v3.88.0
+    hooks:
+      - id: trufflehog
+        name: TruffleHog — secret scan
+        entry: trufflehog git file://. --since-commit HEAD --only-verified --fail
+        language: system
+        pass_filenames: false
+
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.21.0
+    hooks:
+      - id: gitleaks
+        name: Gitleaks — detect hardcoded secrets
+```
+
+```bash
+# Install hooks for all team members (add to onboarding docs)
+pre-commit install
+pre-commit install --hook-type commit-msg
+
+# Run against all files (one-time audit)
+pre-commit run trufflehog --all-files
+pre-commit run gitleaks --all-files
+```
+
+## CI: trufflehog (GitHub Actions)
+
+```yaml
+- name: Scan for secrets (trufflehog)
+  uses: trufflesecurity/trufflehog@main
+  with:
+    path: ./
+    base: ${{ github.event.repository.default_branch }}
+    head: HEAD
+    extra_args: >
+      --only-verified
+      --fail
+      --format json
+      --json-output trufflehog-results.json
+  continue-on-error: false    # hard fail
+
+- name: Upload results
+  if: failure()
+  uses: actions/upload-artifact@v4
+  with:
+    name: secret-scan-results
+    path: trufflehog-results.json
+```
+
+## CI: gitleaks (GitLab CI)
+
+```yaml
+secret-scan:
+  stage: validate
+  image: zricethezav/gitleaks:latest
+  script:
+    - gitleaks detect
+        --source .
+        --config .gitleaks.toml
+        --redact
+        --exit-code 1
+        --report-format json
+        --report-path gitleaks-report.json
+  artifacts:
+    when: on_failure
+    paths: [gitleaks-report.json]
+```
+
+## gitleaks Configuration (.gitleaks.toml)
+
+```toml
+# .gitleaks.toml
+title = "MyProject Gitleaks Config"
+
+[extend]
+useDefault = true   # use built-in rules + extend
+
+# Custom rule: internal API keys
+[[rules]]
+id = "internal-api-key"
+description = "Internal API Key"
+regex = '''MYCOMPANY_API_KEY_[A-Za-z0-9]{32}'''
+tags = ["key", "internal"]
+
+# Allowlist: suppress known false positives
+[allowlist]
+description = "Global allowlist"
+regexes = [
+  '''EXAMPLE_.*''',       # example values in docs
+  '''test_.*_key''',      # test fixtures
+]
+paths = [
+  '''.gitleaks.toml''',   # this file itself
+  '''tests/fixtures/''',  # test data
+]
+commits = [
+  "abc123def456"          # specific commit with known false positive
+]
+```
+
+## Full Repo Audit (historical scan)
+
+```bash
+# Scan all branches and full history
+trufflehog git file://. \
+  --only-verified \
+  --format json | tee trufflehog-full-audit.json
+
+# Gitleaks: scan full history
+gitleaks detect \
+  --source . \
+  --log-opts "--all" \
+  --report-format json \
+  --report-path gitleaks-full-audit.json
+
+# Summary: count findings by type
+cat trufflehog-full-audit.json | jq 'group_by(.DetectorName) | map({type: .[0].DetectorName, count: length})'
+```
+
+## Incident Response: Secret Exposed in Git
+
+```bash
+# STOP: rotate the secret FIRST, before anything else
+# Only after rotation (new secret is active and old one invalid):
+
+# 1. Remove from git history using git-filter-repo (safer than filter-branch)
+pip install git-filter-repo
+
+git filter-repo \
+  --replace-text <(echo 'EXPOSED_SECRET==>REMOVED') \
+  --force
+
+# 2. Force push (coordinate with team — everyone must re-clone)
+git push --force --all
+git push --force --tags
+
+# 3. Notify all contributors to re-clone (old clones have the secret in history)
+
+# 4. Check if GitHub/GitLab cached the secret (check forks, PRs, CI logs)
+# GitHub: check cached pipelines in CI for the old secret
+# GitLab: check CI job logs, pipeline artifacts
+
+# 5. Audit: who may have cloned or cached the repo during exposure window
+# Check VCS audit logs for clone events
+
+# 6. File security incident report
+```
+
+## False Positive Management
+
+```bash
+# Inline suppression (trufflehog)
+SOME_VAR="obviously-not-a-secret"  # trufflehog:ignore
+
+# Inline suppression (gitleaks)
+SOME_VAR="test-value"  # gitleaks:allow
+
+# .gitleaksignore file (commit-hash based)
+# Get commit hash of false positive commit:
+git log --oneline | grep "Add example config"
+# Add to .gitleaksignore:
+echo "abc123def456:path/to/file.yaml" >> .gitleaksignore
+```

package/areas/devops/devsecops/skills/sigstore-signing/SKILL.md

@@ -0,0 +1,184 @@
+---
+name: sigstore-signing
+type: skill
+description: Sign container images and artifacts with cosign (keyless via OIDC and key-based); verify signatures in CD pipelines and admission policies.
+related-rules:
+  - supply-chain-security.md (ci-cd)
+  - shift-left-policy.md
+allowed-tools: Read, Write, Edit, Bash
+---
+
+# Skill: Sigstore / cosign Signing
+
+> **Expertise:** cosign keyless signing (Sigstore), key-based signing, signature verification, Kyverno/OPA enforcement, Rekor transparency log.
+
+## When to load
+
+When setting up image signing in CI, verifying signatures before deploy, or enforcing signature policies in K8s admission.
+
+## Keyless Signing (OIDC — GitHub Actions)
+
+```yaml
+# .github/workflows/sign.yml
+jobs:
+  sign:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write    # ← required for keyless OIDC signing
+
+    steps:
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+
+      - name: Build and push
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          push: true
+          tags: ghcr.io/myorg/order-service:${{ github.sha }}
+
+      - name: Sign image (keyless)
+        run: |
+          cosign sign \
+            --yes \
+            ghcr.io/myorg/order-service@${{ steps.build.outputs.digest }}
+          # Signature stored in Rekor transparency log
+          # No private key needed — OIDC token proves identity
+```
+
+## Key-Based Signing (when OIDC not available)
+
+```bash
+# Generate signing key pair (do once; store private key in Vault)
+cosign generate-key-pair
+# Creates: cosign.key (private — store in Vault) + cosign.pub (public — commit to repo)
+
+# Sign with key
+cosign sign \
+  --key cosign.key \
+  registry.example.com/myorg/order-service:v1.2.3
+
+# Sign in CI using secret
+cosign sign \
+  --key env://COSIGN_PRIVATE_KEY \    # inject from CI secret
+  registry.example.com/myorg/order-service:v1.2.3
+```
+
+## Verification
+
+```bash
+# Verify keyless signature (GitHub Actions OIDC)
+cosign verify \
+  --certificate-identity-regexp "https://github.com/myorg/myrepo/.github/workflows/.*" \
+  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+  ghcr.io/myorg/order-service:v1.2.3
+
+# Verify key-based signature
+cosign verify \
+  --key cosign.pub \
+  registry.example.com/myorg/order-service:v1.2.3
+
+# Verify and show full certificate info
+cosign verify \
+  --certificate-identity-regexp ".*" \
+  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+  ghcr.io/myorg/order-service:v1.2.3 | jq '.[0].optional'
+
+# Check Rekor transparency log entry
+cosign verify \
+  --rekor-url https://rekor.sigstore.dev \
+  ... | jq '.[0].rekorLogIndex'
+```
+
+## Verification in CD Pipeline (before deploy)
+
+```bash
+# Add to Helm pre-upgrade hook or CD pipeline
+DIGEST=$(crane digest registry.example.com/myorg/order-service:${VERSION})
+
+cosign verify \
+  --certificate-identity-regexp "https://github.com/myorg/.*" \
+  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+  registry.example.com/myorg/order-service@${DIGEST} || {
+    echo "Image signature verification FAILED — aborting deploy"
+    exit 1
+  }
+
+echo "Signature verified — proceeding with deploy"
+helm upgrade ...
+```
+
+## Kyverno Policy: Enforce Signed Images
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-signed-images
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+    - name: verify-image-signature
+      match:
+        any:
+          - resources:
+              kinds: [Pod]
+              namespaces: [production, staging]
+      verifyImages:
+        - imageReferences:
+            - "registry.example.com/myorg/*"
+          attestors:
+            - count: 1
+              entries:
+                - keyless:
+                    subject: "https://github.com/myorg/*"
+                    issuer: "https://token.actions.githubusercontent.com"
+                    rekor:
+                      url: https://rekor.sigstore.dev
+```
+
+## Custom Attestations (beyond SBOM)
+
+```bash
+# Attach custom attestation (e.g., test results, compliance evidence)
+cat > test-results.json << 'EOF'
+{
+  "tests_passed": 142,
+  "tests_failed": 0,
+  "coverage_pct": 84.2,
+  "timestamp": "2024-11-15T14:22:00Z"
+}
+EOF
+
+cosign attest \
+  --predicate test-results.json \
+  --type https://example.com/predicates/test-results/v1 \
+  registry.example.com/myorg/order-service@${DIGEST}
+
+# Verify custom attestation
+cosign verify-attestation \
+  --type https://example.com/predicates/test-results/v1 \
+  --certificate-identity-regexp ".*" \
+  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+  registry.example.com/myorg/order-service@${DIGEST} \
+  | jq '.payload | @base64d | fromjson | .predicate'
+```
+
+## Signing Key Rotation
+
+```bash
+# 1. Generate new key pair
+cosign generate-key-pair  # → new cosign.key + cosign.pub
+
+# 2. Re-sign all production images with new key
+for image in $(cat production-images.txt); do
+  cosign sign --key new-cosign.key $image
+done
+
+# 3. Update Kyverno policy to accept BOTH old and new key during transition
+# 4. After all images re-signed: remove old key from policy
+# 5. Revoke old key in Vault; delete from CI secrets
+```

package/areas/devops/devsecops/workflows/policy-onboard.md

@@ -0,0 +1,104 @@
+---
+name: policy-onboard
+type: workflow
+trigger: /policy-onboard
+description: Deploy OPA/Gatekeeper or Kyverno admission policies to a cluster or namespace — design, test, dry-run, enforce.
+inputs:
+  - policy_name
+  - engine (gatekeeper|kyverno)
+  - target_namespaces
+  - enforcement_action (deny|warn|dryrun)
+outputs:
+  - deployed_policies
+  - test_results
+roles:
+  - devops-engineer
+execution:
+  initiator: developer
+related-rules:
+  - policy-as-code.md
+  - container-security.md
+uses-skills:
+  - opa-policies
+  - container-hardening
+quality-gates:
+  - each policy tested with passing AND failing manifest before deploy
+  - dryrun in staging before enforce in production
+  - existing workloads checked for compliance before switching to enforce
+---
+
+## Steps
+
+### 1. Design Policy — `@devops-engineer`
+- What is the policy checking? (privilege escalation / missing limits / bad image tag)
+- Which resource types and namespaces does it apply to?
+- What is the enforcement mode for each environment?
+  - staging: `warn` or `dryrun` → gather data, don't break things
+  - production: `deny` (after staging validation)
+- Write policy in Rego (Gatekeeper) or YAML (Kyverno)
+
+### 2. Unit Test — `@devops-engineer`
+```bash
+# Gatekeeper / OPA
+opa test policies/ -v --ignore='*_test.rego'
+
+# Kyverno
+kyverno test . --test-case-selector "policy=${POLICY_NAME}"
+
+# Manual: apply failing manifest and expect rejection
+kubectl apply --dry-run=server -f test/failing-manifest.yaml
+# Should output: "admission webhook ... denied"
+
+kubectl apply --dry-run=server -f test/passing-manifest.yaml
+# Should output: "... configured (dry run)"
+```
+- **Done when:** unit tests pass; both positive and negative cases covered
+
+### 3. Dryrun in Staging — `@devops-engineer`
+```bash
+# Gatekeeper: deploy with dryrun enforcement
+kubectl apply -f policies/gatekeeper/constraints/${POLICY}-staging.yaml
+# enforcement_action: dryrun   ← logs violations, does not block
+
+# Wait 10 minutes, then check for violations
+kubectl get constraint ${POLICY} -o json | \
+  jq '.status.violations'
+
+# Kyverno: audit mode
+# spec.validationFailureAction: Audit   ← logs, does not block
+kubectl get polr -n ${NAMESPACE}   # policy reports
+```
+- Document: which existing workloads would be blocked if set to `deny`?
+- For each violation: fix workload OR create documented exception
+
+### 4. Fix Existing Violations — `@developer` + `@devops-engineer`
+- For each dryrun violation: fix the workload manifest (add securityContext, resource limits, etc.)
+- Create tracking tickets for violations that require code changes
+- **Do not proceed to enforce until existing violations are resolved**
+
+### 5. Switch to Enforce — `@devops-engineer` + `@team-lead`
+```bash
+# After all violations resolved in staging:
+# Update constraint enforcement action
+kubectl patch constraint ${POLICY} \
+  --type=merge \
+  -p '{"spec":{"enforcementAction":"deny"}}'
+
+# Verify: try deploying a non-compliant manifest
+kubectl apply --dry-run=server -f test/failing-manifest.yaml
+# Must be rejected
+```
+- Apply same enforce mode to production after staging confirmed clean
+- Announce in #devops-changes: "Policy ${POLICY} now enforcing in production"
+
+### 6. Monitor Policy Health — `@devops-engineer`
+```bash
+# Gatekeeper: ongoing violation audit (runs every 60s)
+kubectl get constraint ${POLICY} -o jsonpath='{.status.byPod}'
+
+# Set up Prometheus alert for policy violations
+# metric: gatekeeper_violations_total{enforcement_action="deny"}
+```
+
+## Exit
+Policy tested + existing violations resolved + enforce mode active + monitoring in place = policy onboarded.