npm - @synapta/skills - Versions diffs - 0.1.1 → 0.1.2 - Mend

@synapta/skills 0.1.1 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (353) hide show

package/skills/iac-scan/references/suppression_guide.md ADDED Viewed

@@ -0,0 +1,431 @@
+# Checkov Suppression and Exception Handling Guide
+Best practices for suppressing false positives and managing policy exceptions in Checkov.
+## Suppression Methods
+### Inline Suppression (Recommended)
+#### Terraform
+```hcl
+# Single check suppression with justification
+resource "aws_s3_bucket" "public_site" {
+  # checkov:skip=CKV_AWS_18:Public bucket for static website hosting
+  bucket = "my-public-website"
+  acl    = "public-read"
+}
+# Multiple checks suppression
+resource "aws_security_group" "legacy" {
+  # checkov:skip=CKV_AWS_23:Legacy app requires open access
+  # checkov:skip=CKV_AWS_24:IPv6 not supported by application
+  name = "legacy-sg"
+  ingress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+```
+#### Kubernetes
+```yaml
+# Annotation-based suppression
+apiVersion: v1
+kind: Pod
+metadata:
+  name: legacy-app
+  annotations:
+    checkov.io/skip: CKV_K8S_16=Legacy application requires elevated privileges
+spec:
+  containers:
+  - name: app
+    image: myapp:1.0
+    securityContext:
+      privileged: true
+```
+#### CloudFormation
+```yaml
+Resources:
+  PublicBucket:
+    Type: AWS::S3::Bucket
+    Metadata:
+      checkov:
+        skip:
+          - id: CKV_AWS_18
+            comment: "Public bucket for CDN origin"
+    Properties:
+      BucketName: my-public-bucket
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: false
+```
+### Configuration File Suppression
+#### .checkov.yaml
+```yaml
+# .checkov.yaml (project root)
+skip-check:
+  - CKV_AWS_8   # Ensure CloudWatch log groups encrypted
+  - CKV_K8S_43  # Image pull policy Always
+# Skip specific paths
+skip-path:
+  - .terraform/
+  - node_modules/
+  - vendor/
+# Severity-based soft fail
+soft-fail-on:
+  - LOW
+  - MEDIUM
+# Hard fail on critical/high only
+hard-fail-on:
+  - CRITICAL
+  - HIGH
+```
+### CLI-Based Suppression
+```bash
+# Skip specific checks
+checkov -d ./terraform --skip-check CKV_AWS_8,CKV_AWS_21
+# Skip entire frameworks
+checkov -d ./infra --skip-framework secrets
+# Skip paths
+checkov -d ./terraform --skip-path .terraform/ --skip-path vendor/
+```
+## Suppression Governance
+### Approval Workflow
+```yaml
+# .github/workflows/checkov-review.yml
+name: Review Checkov Suppressions
+on:
+  pull_request:
+    paths:
+      - '**.tf'
+      - '**.yaml'
+      - '**.yml'
+jobs:
+  check-suppressions:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Check for New Suppressions
+        run: |
+          # Count suppressions in PR
+          SUPPRESSIONS=$(git diff origin/main | grep -c "checkov:skip" || true)
+          if [ "$SUPPRESSIONS" -gt 0 ]; then
+            echo "::warning::PR contains $SUPPRESSIONS new suppression(s)"
+            echo "Security team review required"
+            # Request review from security team
+          fi
+```
+### Suppression Documentation Template
+```hcl
+resource "aws_security_group" "example" {
+  # checkov:skip=CKV_AWS_23:TICKET-1234 - Business justification here
+  # Approved by: security-team@example.com
+  # Review date: 2024-01-15
+  # Expiration: 2024-06-15 (review quarterly)
+  #
+  # Compensating controls:
+  # - WAF rule blocks malicious traffic
+  # - Application-level authentication required
+  # - IP allow-listing at load balancer
+  # - 24/7 monitoring and alerting
+  name = "approved-exception"
+  # ... configuration
+}
+```
+## Suppression Best Practices
+### 1. Always Provide Justification
+```hcl
+# ❌ BAD: No justification
+resource "aws_s3_bucket" "example" {
+  # checkov:skip=CKV_AWS_18
+  bucket = "my-bucket"
+}
+# ✅ GOOD: Clear business justification
+resource "aws_s3_bucket" "example" {
+  # checkov:skip=CKV_AWS_18:Public bucket required for static website hosting.
+  # Content is non-sensitive marketing materials. CloudFront restricts direct access.
+  bucket = "marketing-website"
+}
+```
+### 2. Document Compensating Controls
+```hcl
+resource "aws_security_group" "app" {
+  # checkov:skip=CKV_AWS_23:Office IP range access required for developers
+  #
+  # Compensating controls:
+  # 1. IP range limited to corporate /24 subnet (203.0.113.0/24)
+  # 2. MFA required for VPN access to corporate network
+  # 3. Additional application-level authentication
+  # 4. Session timeout of 15 minutes
+  # 5. All access logged to SIEM
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["203.0.113.0/24"]
+  }
+}
+```
+### 3. Set Expiration Dates
+```hcl
+resource "aws_instance" "temp" {
+  # checkov:skip=CKV_AWS_8:Temporary instance for POC
+  # EXPIRES: 2024-03-31
+  # After expiration: Remove or apply encryption
+  ami           = "ami-12345678"
+  instance_type = "t3.micro"
+}
+```
+### 4. Use Granular Suppressions
+```hcl
+# ❌ BAD: Suppress entire file or directory
+# checkov:skip=* (Don't do this!)
+# ✅ GOOD: Suppress specific checks on specific resources
+resource "aws_s3_bucket" "example" {
+  # checkov:skip=CKV_AWS_18:Specific reason for this resource only
+  bucket = "specific-bucket"
+}
+```
+## Exception Categories
+### Legitimate Exceptions
+#### 1. Public Resources by Design
+```hcl
+resource "aws_s3_bucket" "website" {
+  # checkov:skip=CKV_AWS_18:Public bucket for static website
+  # checkov:skip=CKV_AWS_93:Public access required by design
+  # Content: Marketing materials (non-sensitive)
+  # Access: Read-only via CloudFront
+  bucket = "company-website"
+}
+```
+#### 2. Legacy System Constraints
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: legacy-app
+  annotations:
+    checkov.io/skip: CKV_K8S_16=Legacy app built before containers, requires host access
+    # Migration plan: TICKET-5678
+    # Target date: Q2 2024
+spec:
+  hostNetwork: true
+  containers:
+  - name: legacy
+    image: legacy-app:1.0
+```
+#### 3. Development/Testing Environments
+```hcl
+resource "aws_db_instance" "dev_db" {
+  # checkov:skip=CKV_AWS_17:Dev environment - backups not required
+  # checkov:skip=CKV_AWS_61:Dev environment - encryption overhead not needed
+  # Environment: Non-production only
+  # Data: Synthetic test data (no PII/PHI)
+  identifier = "dev-database"
+  backup_retention_period = 0
+  storage_encrypted = false
+  tags = {
+    Environment = "development"
+  }
+}
+```
+### Temporary Exceptions
+```hcl
+resource "aws_rds_cluster" "temp_unencrypted" {
+  # checkov:skip=CKV_AWS_96:Temporary exception during migration
+  # TICKET: INFRA-1234
+  # EXPIRES: 2024-02-15
+  # PLAN: Enable encryption at rest in Phase 2 migration
+  # OWNER: platform-team@example.com
+  cluster_identifier = "migration-temp"
+  storage_encrypted = false
+}
+```
+## Suppression Anti-Patterns
+### ❌ Don't: Blanket Suppressions
+```yaml
+# BAD: Suppress all checks
+skip-check:
+  - "*"
+```
+### ❌ Don't: Suppress Without Documentation
+```hcl
+# BAD: No explanation
+resource "aws_s3_bucket" "example" {
+  # checkov:skip=CKV_AWS_18
+  bucket = "my-bucket"
+}
+```
+### ❌ Don't: Permanent Suppressions for Production
+```hcl
+# BAD: Permanent suppression of critical security control
+resource "aws_rds_cluster" "prod" {
+  # checkov:skip=CKV_AWS_96:Too expensive
+  # ^ This is unacceptable for production!
+  cluster_identifier = "production-db"
+  storage_encrypted = false
+}
+```
+### ❌ Don't: Suppress High/Critical Without Review
+```hcl
+# DANGEROUS: Suppressing critical finding without security review
+resource "aws_security_group" "prod" {
+  # checkov:skip=CKV_AWS_23:Need access from anywhere
+  # ^ Requires security team approval!
+  ingress {
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+```
+## Monitoring Suppressions
+### Track Suppression Metrics
+```bash
+# Count suppressions by type
+grep -r "checkov:skip" ./terraform | \
+  sed 's/.*checkov:skip=\([^:]*\).*/\1/' | \
+  sort | uniq -c | sort -rn
+# Find suppressions without justification
+grep -r "checkov:skip=" ./terraform | \
+  grep -v "checkov:skip=.*:.*"
+```
+### Suppression Audit Report
+```python
+#!/usr/bin/env python3
+"""Generate suppression audit report."""
+import re
+import sys
+from pathlib import Path
+from datetime import datetime
+def find_suppressions(directory):
+    """Find all Checkov suppressions."""
+    suppressions = []
+    for file_path in Path(directory).rglob('*.tf'):
+        with open(file_path) as f:
+            content = f.read()
+        # Find suppressions
+        matches = re.findall(
+            r'#\s*checkov:skip=([^:]+):(.*)',
+            content
+        )
+        for check_id, reason in matches:
+            suppressions.append({
+                'file': str(file_path),
+                'check_id': check_id.strip(),
+                'reason': reason.strip()
+            })
+    return suppressions
+def generate_report(suppressions):
+    """Generate markdown report."""
+    print("# Checkov Suppression Audit Report")
+    print(f"\nGenerated: {datetime.now().isoformat()}")
+    print(f"\nTotal Suppressions: {len(suppressions)}\n")
+    print("## Suppressions by Check")
+    check_counts = {}
+    for s in suppressions:
+        check_counts[s['check_id']] = check_counts.get(s['check_id'], 0) + 1
+    for check_id, count in sorted(check_counts.items(), key=lambda x: -x[1]):
+        print(f"- {check_id}: {count}")
+    print("\n## All Suppressions")
+    for s in suppressions:
+        print(f"\n### {s['file']}")
+        print(f"**Check:** {s['check_id']}")
+        print(f"**Reason:** {s['reason'] or '(no justification provided)'}")
+if __name__ == '__main__':
+    directory = sys.argv[1] if len(sys.argv) > 1 else './terraform'
+    suppressions = find_suppressions(directory)
+    generate_report(suppressions)
+```
+## Quarterly Review Process
+1. **Generate Suppression Report**: List all active suppressions
+2. **Review Expirations**: Check for expired temporary suppressions
+3. **Validate Justifications**: Ensure reasons still apply
+4. **Verify Compensating Controls**: Confirm controls are still in place
+5. **Update or Remove**: Update suppressions or fix underlying issues
+## Additional Resources
+- [Checkov Suppression Documentation](https://www.checkov.io/2.Basics/Suppressing%20and%20Skipping%20Policies.html)
+- [Security Exception Management Best Practices](https://owasp.org/www-community/Security_Exception_Management)

package/skills/incident-briefing/SKILL.md ADDED Viewed

@@ -0,0 +1,66 @@
+---
+name: incident-briefing
+description: Generate voice-only incident summaries for hands-free use. Sub-30-second narration, structured by severity → service → impact → suggested action.
+triggers: [synapta incident voice, drive briefing, voice summary, hands-free incident]
+network: off
+tools: []
+source:
+  origin: authored-by-synapta
+  reason: "Synapta-specific TTS-ready incident summary."
+  citation_patterns:
+    - "SSML 1.1 (W3C)"
+    - "Apple Speech framework (AVSpeechSynthesizer)"
+---
+# Incident Briefing (Voice)
+Produce a structured voice-readable incident summary for CarPlay / Siri / AirPods reading. Max 30 seconds spoken (≈75 words).
+## Structure (in order)
+1. **Severity + count**: "One severity-one incident, three severity-twos active."
+2. **Top service**: "Payments API has the most users affected, about twelve thousand."
+3. **Impact**: "Checkout is failing for users on the European region."
+4. **Age**: "Started fourteen minutes ago."
+5. **Status**: "Mitigation in progress; rollback is the next planned action."
+6. **Suggested next**: "Say 'approve rollback' when parked."
+## Phrasing rules
+- Spelled-out for clarity: "fourteen minutes", not "14m"
+- Service names spoken naturally: "Payments API" not "payments-api"
+- Avoid acronyms unless the user has defined them as personal pronunciations
+- Numbers > 1000: round and say magnitude ("about twelve thousand", "around two million requests per minute")
+- SSML allowed only for pauses and emphasis; don't try to engineer prosody
+## Inputs
+```ts
+type IncidentBriefingInput = {
+  window: { start: string; end: string };  // ISO
+  incidents: Array<{
+    id: string;
+    severity: 1 | 2 | 3 | 4;
+    service: string;
+    impact: string;
+    age: string;
+    status: 'detected' | 'investigating' | 'mitigating' | 'resolved' | 'monitoring';
+    pendingActions: string[];
+  }>;
+};
+```
+## Output
+```ts
+type IncidentBriefing = {
+  ssml: string;        // <speak>...</speak>
+  plainText: string;   // for caption display
+  duration_estimate_seconds: number;
+  suggested_voice_commands: string[];
+};
+```
+## Refusals
+If there are no active incidents, output: "All clear. No active incidents." Do not pad with "as of <timestamp>" unless the user explicitly asks.