@synapta/skills 0.1.1 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.js +11 -4
- package/package.json +3 -4
- package/skills/ATTRIBUTION.md +80 -0
- package/skills/accessibility-audit/SKILL.md +325 -0
- package/skills/accessibility-audit/reference/wcag-checklist.md +103 -0
- package/skills/apns-notifier/SKILL.md +86 -0
- package/skills/approval-policy-enforcer/SKILL.md +66 -0
- package/skills/apps-sdk-builder/LICENSE.txt +201 -0
- package/skills/apps-sdk-builder/SKILL.md +328 -0
- package/skills/apps-sdk-builder/agents/openai.yaml +13 -0
- package/skills/apps-sdk-builder/references/app-archetypes.md +132 -0
- package/skills/apps-sdk-builder/references/apps-sdk-docs-workflow.md +135 -0
- package/skills/apps-sdk-builder/references/interactive-state-sync-patterns.md +113 -0
- package/skills/apps-sdk-builder/references/repo-contract-and-validation.md +93 -0
- package/skills/apps-sdk-builder/references/search-fetch-standard.md +67 -0
- package/skills/apps-sdk-builder/references/upstream-example-workflow.md +79 -0
- package/skills/apps-sdk-builder/references/window-openai-patterns.md +79 -0
- package/skills/apps-sdk-builder/scripts/scaffold_node_ext_apps.mjs +606 -0
- package/skills/architecture-selector/SKILL.md +64 -0
- package/skills/backlog-planner/SKILL.md +68 -0
- package/skills/carplay-entitlement-checker/SKILL.md +82 -0
- package/skills/concept-deepener/SKILL.md +86 -0
- package/skills/concept-discovery/SKILL.md +517 -0
- package/skills/concept-discovery/assets/sample-analysis.json +81 -0
- package/skills/concept-discovery/expected_outputs/sample-enum-dictionary.md +25 -0
- package/skills/concept-discovery/expected_outputs/sample-page-user-list.md +83 -0
- package/skills/concept-discovery/expected_outputs/sample-prd-readme.md +43 -0
- package/skills/concept-discovery/references/framework-patterns.md +228 -0
- package/skills/concept-discovery/references/prd-quality-checklist.md +65 -0
- package/skills/concept-discovery/scripts/codebase_analyzer.py +732 -0
- package/skills/concept-discovery/scripts/prd_scaffolder.py +435 -0
- package/skills/dast-zap/SKILL.md +453 -0
- package/skills/dast-zap/assets/.gitkeep +9 -0
- package/skills/dast-zap/assets/github_action.yml +207 -0
- package/skills/dast-zap/assets/gitlab_ci.yml +226 -0
- package/skills/dast-zap/assets/zap_automation.yaml +196 -0
- package/skills/dast-zap/assets/zap_context.xml +192 -0
- package/skills/dast-zap/references/EXAMPLE.md +40 -0
- package/skills/dast-zap/references/api_testing_guide.md +475 -0
- package/skills/dast-zap/references/authentication_guide.md +431 -0
- package/skills/dast-zap/references/false_positive_handling.md +427 -0
- package/skills/dast-zap/references/owasp_mapping.md +255 -0
- package/skills/dep-sbom-scan/SKILL.md +466 -0
- package/skills/deploy-cloudflare/SKILL.md +930 -0
- package/skills/deploy-docker/SKILL.md +55 -0
- package/skills/deploy-fly/SKILL.md +228 -0
- package/skills/deploy-k8s/SKILL.md +108 -0
- package/skills/deploy-k8s/assets/logo.png +0 -0
- package/skills/deploy-k8s/docs/README.md +29 -0
- package/skills/deploy-k8s/docs/SUMMARY.md +56 -0
- package/skills/deploy-k8s/docs/advanced/token-efficiency.md +61 -0
- package/skills/deploy-k8s/docs/architecture/multi-tenancy.md +96 -0
- package/skills/deploy-k8s/docs/architecture/storage-and-state.md +102 -0
- package/skills/deploy-k8s/docs/architecture/workload-patterns.md +87 -0
- package/skills/deploy-k8s/docs/book.json +16 -0
- package/skills/deploy-k8s/docs/community/changelog.md +34 -0
- package/skills/deploy-k8s/docs/community/contributing.md +67 -0
- package/skills/deploy-k8s/docs/core-concepts/failure-modes.md +153 -0
- package/skills/deploy-k8s/docs/core-concepts/philosophy.md +83 -0
- package/skills/deploy-k8s/docs/core-concepts/workflow.md +124 -0
- package/skills/deploy-k8s/docs/examples/bad-patterns.md +47 -0
- package/skills/deploy-k8s/docs/examples/do-dont-checklist.md +37 -0
- package/skills/deploy-k8s/docs/examples/good-patterns.md +49 -0
- package/skills/deploy-k8s/docs/failure-modes/api-drift.md +104 -0
- package/skills/deploy-k8s/docs/failure-modes/fragile-rollouts.md +99 -0
- package/skills/deploy-k8s/docs/failure-modes/insecure-workload-defaults.md +80 -0
- package/skills/deploy-k8s/docs/failure-modes/network-exposure.md +98 -0
- package/skills/deploy-k8s/docs/failure-modes/privilege-sprawl.md +91 -0
- package/skills/deploy-k8s/docs/failure-modes/resource-starvation.md +85 -0
- package/skills/deploy-k8s/docs/getting-started/installation.md +152 -0
- package/skills/deploy-k8s/docs/getting-started/quick-start.md +115 -0
- package/skills/deploy-k8s/docs/guides/helm-patterns.md +71 -0
- package/skills/deploy-k8s/docs/guides/kustomize-patterns.md +65 -0
- package/skills/deploy-k8s/docs/guides/observability.md +67 -0
- package/skills/deploy-k8s/docs/guides/security-hardening.md +59 -0
- package/skills/deploy-k8s/docs/guides/validation-and-policy.md +66 -0
- package/skills/deploy-k8s/docs/integrations/mcp-integration.md +52 -0
- package/skills/deploy-k8s/docs/package-lock.json +2892 -0
- package/skills/deploy-k8s/docs/package.json +13 -0
- package/skills/deploy-k8s/references/api-drift.md +298 -0
- package/skills/deploy-k8s/references/conditional/aks-patterns.md +70 -0
- package/skills/deploy-k8s/references/conditional/eks-patterns.md +79 -0
- package/skills/deploy-k8s/references/conditional/gitops-controllers.md +71 -0
- package/skills/deploy-k8s/references/conditional/gke-patterns.md +74 -0
- package/skills/deploy-k8s/references/conditional/observability-stacks.md +80 -0
- package/skills/deploy-k8s/references/conditional/openshift-patterns.md +67 -0
- package/skills/deploy-k8s/references/daemonset-operator-patterns.md +155 -0
- package/skills/deploy-k8s/references/deployment-patterns.md +146 -0
- package/skills/deploy-k8s/references/do-dont-patterns.md +87 -0
- package/skills/deploy-k8s/references/examples-bad.md +282 -0
- package/skills/deploy-k8s/references/examples-good.md +440 -0
- package/skills/deploy-k8s/references/fragile-rollouts.md +303 -0
- package/skills/deploy-k8s/references/helm-patterns.md +203 -0
- package/skills/deploy-k8s/references/insecure-workload-defaults.md +300 -0
- package/skills/deploy-k8s/references/job-patterns.md +120 -0
- package/skills/deploy-k8s/references/kustomize-patterns.md +239 -0
- package/skills/deploy-k8s/references/multi-tenancy.md +343 -0
- package/skills/deploy-k8s/references/network-exposure.md +481 -0
- package/skills/deploy-k8s/references/observability.md +302 -0
- package/skills/deploy-k8s/references/privilege-sprawl.md +273 -0
- package/skills/deploy-k8s/references/resource-starvation.md +374 -0
- package/skills/deploy-k8s/references/security-hardening.md +209 -0
- package/skills/deploy-k8s/references/stateful-patterns.md +130 -0
- package/skills/deploy-k8s/references/storage-and-state.md +330 -0
- package/skills/deploy-k8s/references/validation-and-policy.md +242 -0
- package/skills/deploy-railway/SKILL.md +235 -0
- package/skills/deploy-railway/references/analyze-db-mongo.md +84 -0
- package/skills/deploy-railway/references/analyze-db-mysql.md +254 -0
- package/skills/deploy-railway/references/analyze-db-postgres.md +479 -0
- package/skills/deploy-railway/references/analyze-db-redis.md +208 -0
- package/skills/deploy-railway/references/analyze-db.md +344 -0
- package/skills/deploy-railway/references/configure.md +309 -0
- package/skills/deploy-railway/references/deploy.md +195 -0
- package/skills/deploy-railway/references/operate.md +214 -0
- package/skills/deploy-railway/references/request.md +248 -0
- package/skills/deploy-railway/references/setup.md +312 -0
- package/skills/deploy-railway/scripts/analyze-mongo.py +1549 -0
- package/skills/deploy-railway/scripts/analyze-mysql.py +1195 -0
- package/skills/deploy-railway/scripts/analyze-postgres.py +3058 -0
- package/skills/deploy-railway/scripts/analyze-redis.py +1090 -0
- package/skills/deploy-railway/scripts/dal.py +671 -0
- package/skills/deploy-railway/scripts/enable-pg-stats.py +170 -0
- package/skills/deploy-railway/scripts/pg-extensions.py +370 -0
- package/skills/deploy-railway/scripts/railway-api.sh +52 -0
- package/skills/deploy-ssh/SKILL.md +91 -0
- package/skills/deploy-vercel/SKILL.md +304 -0
- package/skills/deploy-vercel/resources/deploy-codex.sh +301 -0
- package/skills/deploy-vercel/resources/deploy.sh +301 -0
- package/skills/docs-runbooks/SKILL.md +399 -0
- package/skills/drive-status-renderer/SKILL.md +62 -0
- package/skills/iac-scan/SKILL.md +680 -0
- package/skills/iac-scan/assets/.gitkeep +9 -0
- package/skills/iac-scan/assets/checkov_config.yaml +94 -0
- package/skills/iac-scan/assets/github_actions.yml +199 -0
- package/skills/iac-scan/assets/gitlab_ci.yml +218 -0
- package/skills/iac-scan/assets/pre_commit_config.yaml +92 -0
- package/skills/iac-scan/references/EXAMPLE.md +40 -0
- package/skills/iac-scan/references/compliance_mapping.md +237 -0
- package/skills/iac-scan/references/custom_policies.md +460 -0
- package/skills/iac-scan/references/suppression_guide.md +431 -0
- package/skills/incident-briefing/SKILL.md +66 -0
- package/skills/incident-triage/SKILL.md +481 -0
- package/{LICENSE → skills/mcp-builder/LICENSE.txt} +15 -14
- package/skills/mcp-builder/SKILL.md +244 -0
- package/skills/mcp-builder/reference/evaluation.md +602 -0
- package/skills/mcp-builder/reference/mcp_best_practices.md +249 -0
- package/skills/mcp-builder/reference/node_mcp_server.md +970 -0
- package/skills/mcp-builder/reference/python_mcp_server.md +719 -0
- package/skills/mcp-builder/scripts/connections.py +151 -0
- package/skills/mcp-builder/scripts/evaluation.py +373 -0
- package/skills/mcp-builder/scripts/example_evaluation.xml +22 -0
- package/skills/mcp-builder/scripts/requirements.txt +2 -0
- package/skills/mobile-pairing/SKILL.md +52 -0
- package/skills/ops-sre/SKILL.md +297 -0
- package/skills/playwright-qa/LICENSE.txt +201 -0
- package/skills/playwright-qa/NOTICE.txt +14 -0
- package/skills/playwright-qa/SKILL.md +156 -0
- package/skills/playwright-qa/agents/openai.yaml +6 -0
- package/skills/playwright-qa/assets/playwright-small.svg +3 -0
- package/skills/playwright-qa/assets/playwright.png +0 -0
- package/skills/playwright-qa/references/cli.md +116 -0
- package/skills/playwright-qa/references/workflows.md +95 -0
- package/skills/playwright-qa/scripts/playwright_cli.sh +25 -0
- package/skills/release-publish/SKILL.md +85 -0
- package/skills/repo-bootstrap/SKILL.md +92 -0
- package/skills/repo-bootstrap/assets/example-workflows/validate-agents.yml +89 -0
- package/skills/repo-bootstrap/assets/root-thin.md +141 -0
- package/skills/repo-bootstrap/assets/root-verbose.md +149 -0
- package/skills/repo-bootstrap/assets/scoped/backend-go.md +107 -0
- package/skills/repo-bootstrap/assets/scoped/backend-php.md +94 -0
- package/skills/repo-bootstrap/assets/scoped/backend-python.md +84 -0
- package/skills/repo-bootstrap/assets/scoped/backend-typescript.md +89 -0
- package/skills/repo-bootstrap/assets/scoped/claude-code-skill.md +101 -0
- package/skills/repo-bootstrap/assets/scoped/cli.md +83 -0
- package/skills/repo-bootstrap/assets/scoped/concourse.md +196 -0
- package/skills/repo-bootstrap/assets/scoped/ddev.md +68 -0
- package/skills/repo-bootstrap/assets/scoped/docker.md +160 -0
- package/skills/repo-bootstrap/assets/scoped/documentation.md +98 -0
- package/skills/repo-bootstrap/assets/scoped/examples.md +96 -0
- package/skills/repo-bootstrap/assets/scoped/frontend-typescript.md +88 -0
- package/skills/repo-bootstrap/assets/scoped/github-actions.md +174 -0
- package/skills/repo-bootstrap/assets/scoped/gitlab-ci.md +174 -0
- package/skills/repo-bootstrap/assets/scoped/oro-bundle.md +209 -0
- package/skills/repo-bootstrap/assets/scoped/oro-project.md +170 -0
- package/skills/repo-bootstrap/assets/scoped/python-modern.md +170 -0
- package/skills/repo-bootstrap/assets/scoped/resources.md +96 -0
- package/skills/repo-bootstrap/assets/scoped/skill-repo.md +139 -0
- package/skills/repo-bootstrap/assets/scoped/symfony.md +168 -0
- package/skills/repo-bootstrap/assets/scoped/testing.md +87 -0
- package/skills/repo-bootstrap/assets/scoped/typo3-docs.md +103 -0
- package/skills/repo-bootstrap/assets/scoped/typo3-extension.md +133 -0
- package/skills/repo-bootstrap/assets/scoped/typo3-project.md +137 -0
- package/skills/repo-bootstrap/assets/scoped/typo3-testing.md +80 -0
- package/skills/repo-bootstrap/checkpoints.yaml +279 -0
- package/skills/repo-bootstrap/evals/evals.json +385 -0
- package/skills/repo-bootstrap/references/ai-contribution-guidelines.md +63 -0
- package/skills/repo-bootstrap/references/ai-tool-compatibility.md +223 -0
- package/skills/repo-bootstrap/references/directory-coverage.md +82 -0
- package/skills/repo-bootstrap/references/examples/coding-agent-cli/AGENTS.md +70 -0
- package/skills/repo-bootstrap/references/examples/coding-agent-cli/go.mod +3 -0
- package/skills/repo-bootstrap/references/examples/coding-agent-cli/scripts-AGENTS.md +389 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/.env.example +13 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/AGENTS.md +91 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/package.json +33 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/pnpm-lock.yaml +3 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/AGENTS.md +91 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/config.ts +28 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/controllers/userController.ts +74 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/index.ts +26 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/middleware/errorHandler.ts +45 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/middleware/requestLogger.ts +18 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/routes/health.ts +18 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/routes/users.ts +13 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/utils/errors.ts +40 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/src/utils/logger.ts +14 -0
- package/skills/repo-bootstrap/references/examples/express-api-ts/tsconfig.json +24 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/.env.example +19 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/AGENTS.md +92 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/pyproject.toml +88 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/AGENTS.md +85 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/__init__.py +3 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/config.py +49 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/main.py +66 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/models/__init__.py +13 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/models/item.py +43 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/models/user.py +40 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/routes/__init__.py +5 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/routes/health.py +20 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/routes/items.py +61 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/routes/users.py +55 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/services/__init__.py +6 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/services/item_service.py +77 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/src/services/user_service.py +69 -0
- package/skills/repo-bootstrap/references/examples/fastapi-app/uv.lock +4 -0
- package/skills/repo-bootstrap/references/examples/go-api-with-react-admin/.scopes +3 -0
- package/skills/repo-bootstrap/references/examples/go-api-with-react-admin/AGENTS.md +86 -0
- package/skills/repo-bootstrap/references/examples/go-api-with-react-admin/admin/package.json +20 -0
- package/skills/repo-bootstrap/references/examples/go-api-with-react-admin/admin/src/App.tsx +5 -0
- package/skills/repo-bootstrap/references/examples/go-api-with-react-admin/cmd/api/main.go +7 -0
- package/skills/repo-bootstrap/references/examples/go-api-with-react-admin/go.mod +2 -0
- package/skills/repo-bootstrap/references/examples/go-api-with-react-admin/main.go +7 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/.scopes +3 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/AGENTS.md +89 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/go.mod +2 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/internal/web/AGENTS.md +90 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/internal/web/package.json +17 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/internal/web/src/App.tsx +1 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/internal/web/src/Button.tsx +1 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/internal/web/src/Footer.tsx +1 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/internal/web/src/Header.tsx +1 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/internal/web/src/Sidebar.tsx +1 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/main.go +7 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/package-lock.json +0 -0
- package/skills/repo-bootstrap/references/examples/go-with-internal-web-tsx/package.json +12 -0
- package/skills/repo-bootstrap/references/examples/ldap-selfservice/AGENTS.md +70 -0
- package/skills/repo-bootstrap/references/examples/ldap-selfservice/go.mod +3 -0
- package/skills/repo-bootstrap/references/examples/ldap-selfservice/internal-AGENTS.md +371 -0
- package/skills/repo-bootstrap/references/examples/ldap-selfservice/internal-web-AGENTS.md +448 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/.scopes +3 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/AGENTS.md +91 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/composer.json +8 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/package.json +15 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/pnpm-lock.yaml +0 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/src/Controller.php +3 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/web/AGENTS.md +92 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/web/package.json +26 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/web/src/App.tsx +3 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/web/src/Button.tsx +10 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/web/src/Footer.tsx +9 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/web/src/Header.tsx +9 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/web/src/main.tsx +3 -0
- package/skills/repo-bootstrap/references/examples/php-with-frontend/web/tsconfig.json +13 -0
- package/skills/repo-bootstrap/references/examples/pnpm-workspace/AGENTS.md +75 -0
- package/skills/repo-bootstrap/references/examples/pnpm-workspace/package.json +7 -0
- package/skills/repo-bootstrap/references/examples/pnpm-workspace/packages/web/package.json +11 -0
- package/skills/repo-bootstrap/references/examples/pnpm-workspace/packages/web/src/index.ts +11 -0
- package/skills/repo-bootstrap/references/examples/pnpm-workspace/pnpm-lock.yaml +42 -0
- package/skills/repo-bootstrap/references/examples/pnpm-workspace/pnpm-workspace.yaml +2 -0
- package/skills/repo-bootstrap/references/examples/simple-ldap-go/AGENTS.md +70 -0
- package/skills/repo-bootstrap/references/examples/simple-ldap-go/examples-AGENTS.md +45 -0
- package/skills/repo-bootstrap/references/examples/simple-ldap-go/go.mod +3 -0
- package/skills/repo-bootstrap/references/examples/t3x-rte-ckeditor-image/AGENTS.md +70 -0
- package/skills/repo-bootstrap/references/examples/t3x-rte-ckeditor-image/Classes-AGENTS.md +392 -0
- package/skills/repo-bootstrap/references/examples/t3x-rte-ckeditor-image/composer.json +8 -0
- package/skills/repo-bootstrap/references/feedback-memory-schema.md +135 -0
- package/skills/repo-bootstrap/references/git-hooks-setup.md +79 -0
- package/skills/repo-bootstrap/references/output-structure.md +124 -0
- package/skills/repo-bootstrap/references/scripts-guide.md +175 -0
- package/skills/repo-bootstrap/references/verification-guide.md +137 -0
- package/skills/repo-bootstrap/scripts/analyze-git-history.sh +315 -0
- package/skills/repo-bootstrap/scripts/check-freshness.sh +230 -0
- package/skills/repo-bootstrap/scripts/detect-golden-samples.sh +161 -0
- package/skills/repo-bootstrap/scripts/detect-heuristics.sh +93 -0
- package/skills/repo-bootstrap/scripts/detect-project.sh +486 -0
- package/skills/repo-bootstrap/scripts/detect-scopes.sh +330 -0
- package/skills/repo-bootstrap/scripts/detect-utilities.sh +133 -0
- package/skills/repo-bootstrap/scripts/extract-adrs.sh +194 -0
- package/skills/repo-bootstrap/scripts/extract-agent-configs.sh +331 -0
- package/skills/repo-bootstrap/scripts/extract-architecture-rules.sh +522 -0
- package/skills/repo-bootstrap/scripts/extract-ci-commands.sh +385 -0
- package/skills/repo-bootstrap/scripts/extract-ci-rules.sh +384 -0
- package/skills/repo-bootstrap/scripts/extract-commands.sh +358 -0
- package/skills/repo-bootstrap/scripts/extract-documentation.sh +308 -0
- package/skills/repo-bootstrap/scripts/extract-github-rulesets.sh +96 -0
- package/skills/repo-bootstrap/scripts/extract-github-settings.sh +88 -0
- package/skills/repo-bootstrap/scripts/extract-ide-settings.sh +228 -0
- package/skills/repo-bootstrap/scripts/extract-platform-files.sh +290 -0
- package/skills/repo-bootstrap/scripts/extract-quality-configs.sh +442 -0
- package/skills/repo-bootstrap/scripts/generate-agents.sh +2424 -0
- package/skills/repo-bootstrap/scripts/generate-file-map.sh +153 -0
- package/skills/repo-bootstrap/scripts/lib/config-root.sh +211 -0
- package/skills/repo-bootstrap/scripts/lib/summary.sh +244 -0
- package/skills/repo-bootstrap/scripts/lib/template.sh +397 -0
- package/skills/repo-bootstrap/scripts/validate-structure.sh +324 -0
- package/skills/repo-bootstrap/scripts/verify-commands.sh +615 -0
- package/skills/repo-bootstrap/scripts/verify-content.sh +302 -0
- package/skills/schema-api-contracts/SKILL.md +56 -0
- package/skills/secret-hygiene/SKILL.md +511 -0
- package/skills/secret-hygiene/assets/.gitkeep +9 -0
- package/skills/secret-hygiene/assets/config-balanced.toml +81 -0
- package/skills/secret-hygiene/assets/config-custom.toml +178 -0
- package/skills/secret-hygiene/assets/config-strict.toml +48 -0
- package/skills/secret-hygiene/assets/github-action.yml +181 -0
- package/skills/secret-hygiene/assets/gitlab-ci.yml +257 -0
- package/skills/secret-hygiene/assets/precommit-config.yaml +70 -0
- package/skills/secret-hygiene/references/EXAMPLE.md +40 -0
- package/skills/secret-hygiene/references/compliance_mapping.md +538 -0
- package/skills/secret-hygiene/references/detection_rules.md +276 -0
- package/skills/secret-hygiene/references/false_positives.md +598 -0
- package/skills/secret-hygiene/references/remediation_guide.md +530 -0
- package/skills/stack-selector/SKILL.md +56 -0
- package/skills/telegram-control/SKILL.md +110 -0
- package/skills/telegram-control/references/architecture.md +184 -0
- package/skills/telegram-control/references/convex.md +173 -0
- package/skills/telegram-control/references/error_handling.md +212 -0
- package/skills/telegram-control/references/initial_setup.md +165 -0
- package/skills/telegram-control/references/telegram_api.md +156 -0
- package/skills/telegram-control/scripts/cancel_message.ts +53 -0
- package/skills/telegram-control/scripts/list_scheduled.ts +103 -0
- package/skills/telegram-control/scripts/logger.ts +121 -0
- package/skills/telegram-control/scripts/proxy-util.ts +11 -0
- package/skills/telegram-control/scripts/schedule_message.ts +216 -0
- package/skills/telegram-control/scripts/send_message.ts +115 -0
- package/skills/telegram-control/scripts/setup.ts +185 -0
- package/skills/telegram-control/scripts/types.ts +75 -0
- package/skills/telegram-control/scripts/view_history.ts +74 -0
- package/skills/test-strategy/SKILL.md +352 -0
- package/skills/threat-model/SKILL.md +303 -0
- package/skills/threat-model/examples/example-output.md +196 -0
- package/skills/threat-model/template.md +96 -0
- package/skills/ts-lint/SKILL.md +80 -0
- package/skills/ui-flow/SKILL.md +668 -0
- package/skills/voice-command-router/SKILL.md +51 -0
- package/skills/widget-live-activity-sync/SKILL.md +66 -0
|
@@ -0,0 +1,680 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: iac-scan
|
|
3
|
+
synapta_original_name: iac-checkov
|
|
4
|
+
triggers: [synapta iac scan, Terraform, Kubernetes, Checkov, IaC, CloudFormation]
|
|
5
|
+
network: off
|
|
6
|
+
source:
|
|
7
|
+
origin: https://github.com/AgentSecOps/SecOpsAgentKit
|
|
8
|
+
path: skills/devsecops/iac-checkov
|
|
9
|
+
commit: 6e25a4bc5743
|
|
10
|
+
license: see source repo
|
|
11
|
+
adapted: light-touch
|
|
12
|
+
description: >
|
|
13
|
+
Infrastructure as Code (IaC) security scanning using Checkov with 750+ built-in policies for Terraform,
|
|
14
|
+
CloudFormation, Kubernetes, Dockerfile, and ARM templates. Use when: (1) Scanning IaC files for security
|
|
15
|
+
misconfigurations and compliance violations, (2) Validating cloud infrastructure against CIS, PCI-DSS,
|
|
16
|
+
HIPAA, and SOC2 benchmarks, (3) Detecting secrets and hardcoded credentials in IaC, (4) Implementing
|
|
17
|
+
policy-as-code in CI/CD pipelines, (5) Generating compliance reports with remediation guidance for
|
|
18
|
+
cloud security posture management.
|
|
19
|
+
version: 0.1.0
|
|
20
|
+
maintainer: SirAppSec
|
|
21
|
+
category: devsecops
|
|
22
|
+
tags: [iac, checkov, terraform, kubernetes, cloudformation, compliance, policy-as-code, cloud-security]
|
|
23
|
+
frameworks: [PCI-DSS, HIPAA, SOC2, NIST, GDPR]
|
|
24
|
+
dependencies:
|
|
25
|
+
python: ">=3.8"
|
|
26
|
+
packages: [checkov]
|
|
27
|
+
references:
|
|
28
|
+
- https://www.checkov.io/
|
|
29
|
+
- https://github.com/bridgecrewio/checkov
|
|
30
|
+
- https://docs.paloaltonetworks.com/prisma/prisma-cloud
|
|
31
|
+
---
|
|
32
|
+
|
|
33
|
+
# Infrastructure as Code Security with Checkov
|
|
34
|
+
|
|
35
|
+
## Overview
|
|
36
|
+
|
|
37
|
+
Checkov is a static code analysis tool that scans Infrastructure as Code (IaC) files for security misconfigurations
|
|
38
|
+
and compliance violations before deployment. With 750+ built-in policies, Checkov helps prevent cloud security issues
|
|
39
|
+
by detecting problems in Terraform, CloudFormation, Kubernetes, Dockerfiles, Helm charts, and ARM templates.
|
|
40
|
+
|
|
41
|
+
Checkov performs graph-based scanning to understand resource relationships and detect complex misconfigurations that
|
|
42
|
+
span multiple resources, making it more powerful than simple pattern matching.
|
|
43
|
+
|
|
44
|
+
## Quick Start
|
|
45
|
+
|
|
46
|
+
### Install Checkov
|
|
47
|
+
|
|
48
|
+
```bash
|
|
49
|
+
# Via pip
|
|
50
|
+
pip install checkov
|
|
51
|
+
|
|
52
|
+
# Via Homebrew (macOS)
|
|
53
|
+
brew install checkov
|
|
54
|
+
|
|
55
|
+
# Via Docker
|
|
56
|
+
docker pull bridgecrew/checkov
|
|
57
|
+
```
|
|
58
|
+
|
|
59
|
+
### Scan Terraform Directory
|
|
60
|
+
|
|
61
|
+
```bash
|
|
62
|
+
# Scan all Terraform files in directory
|
|
63
|
+
checkov -d ./terraform
|
|
64
|
+
|
|
65
|
+
# Scan specific file
|
|
66
|
+
checkov -f ./terraform/main.tf
|
|
67
|
+
|
|
68
|
+
# Scan with specific framework
|
|
69
|
+
checkov -d ./infrastructure --framework terraform
|
|
70
|
+
```
|
|
71
|
+
|
|
72
|
+
### Scan Kubernetes Manifests
|
|
73
|
+
|
|
74
|
+
```bash
|
|
75
|
+
# Scan Kubernetes YAML files
|
|
76
|
+
checkov -d ./k8s --framework kubernetes
|
|
77
|
+
|
|
78
|
+
# Scan Helm chart
|
|
79
|
+
checkov -d ./helm-chart --framework helm
|
|
80
|
+
```
|
|
81
|
+
|
|
82
|
+
### Scan CloudFormation Template
|
|
83
|
+
|
|
84
|
+
```bash
|
|
85
|
+
# Scan CloudFormation template
|
|
86
|
+
checkov -f ./cloudformation/template.yaml --framework cloudformation
|
|
87
|
+
```
|
|
88
|
+
|
|
89
|
+
## Core Workflow
|
|
90
|
+
|
|
91
|
+
### Step 1: Understand Scan Scope
|
|
92
|
+
|
|
93
|
+
Identify IaC files and frameworks to scan:
|
|
94
|
+
|
|
95
|
+
```bash
|
|
96
|
+
# Supported frameworks
|
|
97
|
+
checkov --list-frameworks
|
|
98
|
+
|
|
99
|
+
# Output:
|
|
100
|
+
# terraform, cloudformation, kubernetes, dockerfile, helm,
|
|
101
|
+
# serverless, arm, secrets, ansible, github_actions, gitlab_ci
|
|
102
|
+
```
|
|
103
|
+
|
|
104
|
+
**Scope Considerations:**
|
|
105
|
+
- Scan entire infrastructure directory for comprehensive coverage
|
|
106
|
+
- Focus on specific frameworks during initial adoption
|
|
107
|
+
- Exclude generated or vendor files
|
|
108
|
+
- Include both production and non-production configurations
|
|
109
|
+
|
|
110
|
+
### Step 2: Run Basic Scan
|
|
111
|
+
|
|
112
|
+
Execute Checkov with appropriate output format:
|
|
113
|
+
|
|
114
|
+
```bash
|
|
115
|
+
# CLI output (human-readable)
|
|
116
|
+
checkov -d ./terraform
|
|
117
|
+
|
|
118
|
+
# JSON output (for automation)
|
|
119
|
+
checkov -d ./terraform -o json
|
|
120
|
+
|
|
121
|
+
# Multiple output formats
|
|
122
|
+
checkov -d ./terraform -o cli -o json -o sarif
|
|
123
|
+
|
|
124
|
+
# Save output to file
|
|
125
|
+
checkov -d ./terraform -o json --output-file-path ./reports
|
|
126
|
+
```
|
|
127
|
+
|
|
128
|
+
**What Checkov Detects:**
|
|
129
|
+
- Security misconfigurations (unencrypted resources, public access)
|
|
130
|
+
- Compliance violations (CIS benchmarks, industry standards)
|
|
131
|
+
- Secrets and hardcoded credentials
|
|
132
|
+
- Missing security controls (logging, monitoring, encryption)
|
|
133
|
+
- Insecure network configurations
|
|
134
|
+
- Resource relationship issues (via graph analysis)
|
|
135
|
+
|
|
136
|
+
### Step 3: Filter and Prioritize Findings
|
|
137
|
+
|
|
138
|
+
Focus on critical issues first:
|
|
139
|
+
|
|
140
|
+
```bash
|
|
141
|
+
# Show only high severity issues
|
|
142
|
+
checkov -d ./terraform --check CKV_AWS_*
|
|
143
|
+
|
|
144
|
+
# Skip specific checks (false positives)
|
|
145
|
+
checkov -d ./terraform --skip-check CKV_AWS_8,CKV_AWS_21
|
|
146
|
+
|
|
147
|
+
# Check against specific compliance framework
|
|
148
|
+
checkov -d ./terraform --compact --framework terraform \
|
|
149
|
+
--check CIS_AWS,CIS_AZURE
|
|
150
|
+
|
|
151
|
+
# Run only checks with specific severity
|
|
152
|
+
checkov -d ./terraform --check HIGH,CRITICAL
|
|
153
|
+
```
|
|
154
|
+
|
|
155
|
+
**Severity Levels:**
|
|
156
|
+
- **CRITICAL**: Immediate security risks (public S3 buckets, unencrypted databases)
|
|
157
|
+
- **HIGH**: Significant security concerns (missing MFA, weak encryption)
|
|
158
|
+
- **MEDIUM**: Important security best practices (missing tags, logging disabled)
|
|
159
|
+
- **LOW**: Recommendations and hardening (resource naming conventions)
|
|
160
|
+
|
|
161
|
+
### Step 4: Suppress False Positives
|
|
162
|
+
|
|
163
|
+
Use inline suppression for legitimate exceptions:
|
|
164
|
+
|
|
165
|
+
```hcl
|
|
166
|
+
# Terraform example
|
|
167
|
+
resource "aws_s3_bucket" "example" {
|
|
168
|
+
# checkov:skip=CKV_AWS_18:This bucket is intentionally public for static website
|
|
169
|
+
bucket = "my-public-website"
|
|
170
|
+
acl = "public-read"
|
|
171
|
+
}
|
|
172
|
+
```
|
|
173
|
+
|
|
174
|
+
```yaml
|
|
175
|
+
# Kubernetes example
|
|
176
|
+
apiVersion: v1
|
|
177
|
+
kind: Pod
|
|
178
|
+
metadata:
|
|
179
|
+
name: privileged-pod
|
|
180
|
+
annotations:
|
|
181
|
+
checkov.io/skip: CKV_K8S_16=Legacy application requires privileged mode
|
|
182
|
+
spec:
|
|
183
|
+
containers:
|
|
184
|
+
- name: app
|
|
185
|
+
securityContext:
|
|
186
|
+
privileged: true
|
|
187
|
+
```
|
|
188
|
+
|
|
189
|
+
See `references/suppression_guide.md` for comprehensive suppression strategies.
|
|
190
|
+
|
|
191
|
+
### Step 5: Create Custom Policies
|
|
192
|
+
|
|
193
|
+
Define organization-specific policies:
|
|
194
|
+
|
|
195
|
+
```python
|
|
196
|
+
# custom_checks/require_s3_versioning.py
|
|
197
|
+
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
|
|
198
|
+
from checkov.common.models.enums import CheckResult, CheckCategories
|
|
199
|
+
|
|
200
|
+
class S3BucketVersioning(BaseResourceCheck):
|
|
201
|
+
def __init__(self):
|
|
202
|
+
name = "Ensure S3 bucket has versioning enabled"
|
|
203
|
+
id = "CKV_AWS_CUSTOM_001"
|
|
204
|
+
supported_resources = ['aws_s3_bucket']
|
|
205
|
+
categories = [CheckCategories.BACKUP_AND_RECOVERY]
|
|
206
|
+
super().__init__(name=name, id=id, categories=categories,
|
|
207
|
+
supported_resources=supported_resources)
|
|
208
|
+
|
|
209
|
+
def scan_resource_conf(self, conf):
|
|
210
|
+
if 'versioning' in conf:
|
|
211
|
+
if conf['versioning'][0].get('enabled') == [True]:
|
|
212
|
+
return CheckResult.PASSED
|
|
213
|
+
return CheckResult.FAILED
|
|
214
|
+
|
|
215
|
+
check = S3BucketVersioning()
|
|
216
|
+
```
|
|
217
|
+
|
|
218
|
+
Run with custom policies:
|
|
219
|
+
|
|
220
|
+
```bash
|
|
221
|
+
checkov -d ./terraform --external-checks-dir ./custom_checks
|
|
222
|
+
```
|
|
223
|
+
|
|
224
|
+
See `references/custom_policies.md` for advanced policy development.
|
|
225
|
+
|
|
226
|
+
### Step 6: Generate Compliance Reports
|
|
227
|
+
|
|
228
|
+
Create reports for audit and compliance:
|
|
229
|
+
|
|
230
|
+
```bash
|
|
231
|
+
# Generate comprehensive report
|
|
232
|
+
checkov -d ./terraform \
|
|
233
|
+
-o cli -o json -o junitxml \
|
|
234
|
+
--output-file-path ./compliance-reports \
|
|
235
|
+
--repo-id my-infrastructure \
|
|
236
|
+
--branch main
|
|
237
|
+
|
|
238
|
+
# CycloneDX SBOM for IaC
|
|
239
|
+
checkov -d ./terraform -o cyclonedx
|
|
240
|
+
|
|
241
|
+
# SARIF for GitHub Security
|
|
242
|
+
checkov -d ./terraform -o sarif --output-file-path ./sarif-report.json
|
|
243
|
+
```
|
|
244
|
+
|
|
245
|
+
**Report Types:**
|
|
246
|
+
- **CLI**: Human-readable console output
|
|
247
|
+
- **JSON**: Machine-readable for automation
|
|
248
|
+
- **JUnit XML**: CI/CD integration (Jenkins, GitLab)
|
|
249
|
+
- **SARIF**: GitHub/Azure DevOps Security tab
|
|
250
|
+
- **CycloneDX**: Software Bill of Materials for IaC
|
|
251
|
+
|
|
252
|
+
Map findings to compliance frameworks using `references/compliance_mapping.md`.
|
|
253
|
+
|
|
254
|
+
## CI/CD Integration
|
|
255
|
+
|
|
256
|
+
### GitHub Actions
|
|
257
|
+
|
|
258
|
+
Add Checkov scanning to pull request checks:
|
|
259
|
+
|
|
260
|
+
```yaml
|
|
261
|
+
# .github/workflows/checkov.yml
|
|
262
|
+
name: Checkov IaC Security Scan
|
|
263
|
+
on: [push, pull_request]
|
|
264
|
+
|
|
265
|
+
jobs:
|
|
266
|
+
checkov-scan:
|
|
267
|
+
runs-on: ubuntu-latest
|
|
268
|
+
steps:
|
|
269
|
+
- uses: actions/checkout@v3
|
|
270
|
+
|
|
271
|
+
- name: Run Checkov
|
|
272
|
+
uses: bridgecrewio/checkov-action@master
|
|
273
|
+
with:
|
|
274
|
+
directory: infrastructure/
|
|
275
|
+
framework: terraform
|
|
276
|
+
output_format: sarif
|
|
277
|
+
output_file_path: checkov-results.sarif
|
|
278
|
+
soft_fail: false
|
|
279
|
+
|
|
280
|
+
- name: Upload SARIF Report
|
|
281
|
+
if: always()
|
|
282
|
+
uses: github/codeql-action/upload-sarif@v2
|
|
283
|
+
with:
|
|
284
|
+
sarif_file: checkov-results.sarif
|
|
285
|
+
```
|
|
286
|
+
|
|
287
|
+
### Pre-Commit Hook
|
|
288
|
+
|
|
289
|
+
Prevent committing insecure IaC:
|
|
290
|
+
|
|
291
|
+
```yaml
|
|
292
|
+
# .pre-commit-config.yaml
|
|
293
|
+
repos:
|
|
294
|
+
- repo: https://github.com/bridgecrewio/checkov
|
|
295
|
+
rev: 2.5.0
|
|
296
|
+
hooks:
|
|
297
|
+
- id: checkov
|
|
298
|
+
args: [--soft-fail]
|
|
299
|
+
files: \.(tf|yaml|yml|json)$
|
|
300
|
+
```
|
|
301
|
+
|
|
302
|
+
Install pre-commit hooks:
|
|
303
|
+
|
|
304
|
+
```bash
|
|
305
|
+
pip install pre-commit
|
|
306
|
+
pre-commit install
|
|
307
|
+
```
|
|
308
|
+
|
|
309
|
+
### GitLab CI
|
|
310
|
+
|
|
311
|
+
```yaml
|
|
312
|
+
# .gitlab-ci.yml
|
|
313
|
+
checkov_scan:
|
|
314
|
+
image: bridgecrew/checkov:latest
|
|
315
|
+
stage: security
|
|
316
|
+
script:
|
|
317
|
+
- checkov -d ./terraform -o json -o junitxml
|
|
318
|
+
--output-file-path $CI_PROJECT_DIR/checkov-report
|
|
319
|
+
artifacts:
|
|
320
|
+
reports:
|
|
321
|
+
junit: checkov-report/results_junitxml.xml
|
|
322
|
+
paths:
|
|
323
|
+
- checkov-report/
|
|
324
|
+
when: always
|
|
325
|
+
```
|
|
326
|
+
|
|
327
|
+
### Jenkins Pipeline
|
|
328
|
+
|
|
329
|
+
```groovy
|
|
330
|
+
// Jenkinsfile
|
|
331
|
+
pipeline {
|
|
332
|
+
agent any
|
|
333
|
+
stages {
|
|
334
|
+
stage('Checkov Scan') {
|
|
335
|
+
steps {
|
|
336
|
+
sh 'pip install checkov'
|
|
337
|
+
sh '''
|
|
338
|
+
checkov -d ./terraform \
|
|
339
|
+
-o cli -o junitxml \
|
|
340
|
+
--output-file-path ./reports
|
|
341
|
+
'''
|
|
342
|
+
}
|
|
343
|
+
}
|
|
344
|
+
}
|
|
345
|
+
post {
|
|
346
|
+
always {
|
|
347
|
+
junit 'reports/results_junitxml.xml'
|
|
348
|
+
}
|
|
349
|
+
}
|
|
350
|
+
}
|
|
351
|
+
```
|
|
352
|
+
|
|
353
|
+
See `assets/` directory for complete CI/CD templates.
|
|
354
|
+
|
|
355
|
+
## Framework-Specific Workflows
|
|
356
|
+
|
|
357
|
+
### Terraform
|
|
358
|
+
|
|
359
|
+
**Scan Terraform with Variable Files:**
|
|
360
|
+
|
|
361
|
+
```bash
|
|
362
|
+
# Scan with tfvars
|
|
363
|
+
checkov -d ./terraform --var-file ./terraform.tfvars
|
|
364
|
+
|
|
365
|
+
# Download and scan external modules
|
|
366
|
+
checkov -d ./terraform --download-external-modules true
|
|
367
|
+
|
|
368
|
+
# Skip Terraform plan files
|
|
369
|
+
checkov -d ./terraform --skip-path terraform.tfstate
|
|
370
|
+
```
|
|
371
|
+
|
|
372
|
+
**Common Terraform Checks:**
|
|
373
|
+
- CKV_AWS_19: Ensure S3 bucket has server-side encryption
|
|
374
|
+
- CKV_AWS_21: Ensure S3 bucket has versioning enabled
|
|
375
|
+
- CKV_AWS_23: Ensure Security Group ingress is not open to 0.0.0.0/0
|
|
376
|
+
- CKV_AWS_40: Ensure IAM policies don't use wildcard actions
|
|
377
|
+
- CKV_AWS_61: Ensure RDS database has encryption at rest enabled
|
|
378
|
+
|
|
379
|
+
### Kubernetes
|
|
380
|
+
|
|
381
|
+
**Scan Kubernetes Manifests:**
|
|
382
|
+
|
|
383
|
+
```bash
|
|
384
|
+
# Scan all YAML manifests
|
|
385
|
+
checkov -d ./k8s --framework kubernetes
|
|
386
|
+
|
|
387
|
+
# Scan Helm chart
|
|
388
|
+
checkov -d ./helm-chart --framework helm
|
|
389
|
+
|
|
390
|
+
# Scan kustomize output
|
|
391
|
+
kustomize build ./overlay/prod | checkov -f - --framework kubernetes
|
|
392
|
+
```
|
|
393
|
+
|
|
394
|
+
**Common Kubernetes Checks:**
|
|
395
|
+
- CKV_K8S_8: Ensure Liveness Probe is configured
|
|
396
|
+
- CKV_K8S_10: Ensure CPU requests are set
|
|
397
|
+
- CKV_K8S_11: Ensure CPU limits are set
|
|
398
|
+
- CKV_K8S_14: Ensure container image is not latest
|
|
399
|
+
- CKV_K8S_16: Ensure container is not privileged
|
|
400
|
+
- CKV_K8S_22: Ensure read-only root filesystem
|
|
401
|
+
- CKV_K8S_28: Ensure container capabilities are minimized
|
|
402
|
+
|
|
403
|
+
### CloudFormation
|
|
404
|
+
|
|
405
|
+
**Scan CloudFormation Templates:**
|
|
406
|
+
|
|
407
|
+
```bash
|
|
408
|
+
# Scan CloudFormation template
|
|
409
|
+
checkov -f ./cloudformation/stack.yaml --framework cloudformation
|
|
410
|
+
|
|
411
|
+
# Scan AWS SAM template
|
|
412
|
+
checkov -f ./sam-template.yaml --framework serverless
|
|
413
|
+
```
|
|
414
|
+
|
|
415
|
+
### Dockerfile
|
|
416
|
+
|
|
417
|
+
**Scan Dockerfiles for Security Issues:**
|
|
418
|
+
|
|
419
|
+
```bash
|
|
420
|
+
# Scan Dockerfile
|
|
421
|
+
checkov -f ./Dockerfile --framework dockerfile
|
|
422
|
+
|
|
423
|
+
# Common issues detected:
|
|
424
|
+
# - Running as root user
|
|
425
|
+
# - Using :latest tag
|
|
426
|
+
# - Missing HEALTHCHECK
|
|
427
|
+
# - Exposing sensitive ports
|
|
428
|
+
```
|
|
429
|
+
|
|
430
|
+
## Baseline and Drift Detection
|
|
431
|
+
|
|
432
|
+
### Create Security Baseline
|
|
433
|
+
|
|
434
|
+
Establish baseline for existing infrastructure:
|
|
435
|
+
|
|
436
|
+
```bash
|
|
437
|
+
# Create baseline (first scan)
|
|
438
|
+
checkov -d ./terraform --create-baseline
|
|
439
|
+
|
|
440
|
+
# This creates .checkov.baseline file with current findings
|
|
441
|
+
```
|
|
442
|
+
|
|
443
|
+
### Detect New Issues (Drift)
|
|
444
|
+
|
|
445
|
+
Compare subsequent scans against baseline:
|
|
446
|
+
|
|
447
|
+
```bash
|
|
448
|
+
# Compare against baseline - only fail on NEW issues
|
|
449
|
+
checkov -d ./terraform --baseline .checkov.baseline
|
|
450
|
+
|
|
451
|
+
# This allows existing issues while preventing new ones
|
|
452
|
+
```
|
|
453
|
+
|
|
454
|
+
**Use Cases:**
|
|
455
|
+
- Gradual remediation of legacy infrastructure
|
|
456
|
+
- Focus on preventing new security debt
|
|
457
|
+
- Phased compliance adoption
|
|
458
|
+
|
|
459
|
+
## Secret Scanning
|
|
460
|
+
|
|
461
|
+
Detect hardcoded secrets in IaC:
|
|
462
|
+
|
|
463
|
+
```bash
|
|
464
|
+
# Enable secrets scanning
|
|
465
|
+
checkov -d ./terraform --framework secrets
|
|
466
|
+
|
|
467
|
+
# Common secrets detected:
|
|
468
|
+
# - AWS access keys
|
|
469
|
+
# - API tokens
|
|
470
|
+
# - Private keys
|
|
471
|
+
# - Database passwords
|
|
472
|
+
# - Generic secrets (high entropy strings)
|
|
473
|
+
```
|
|
474
|
+
|
|
475
|
+
## Security Considerations
|
|
476
|
+
|
|
477
|
+
- **Policy Suppression Governance**: Require security team approval for suppressing CRITICAL/HIGH findings
|
|
478
|
+
- **CI/CD Failure Thresholds**: Configure `--hard-fail-on` for severity levels that should block deployment
|
|
479
|
+
- **Custom Policy Management**: Version control custom policies and review changes
|
|
480
|
+
- **Compliance Alignment**: Map organizational requirements to Checkov policies
|
|
481
|
+
- **Secrets Management**: Never commit secrets; use secret managers and rotation policies
|
|
482
|
+
- **Audit Logging**: Log all scan results and policy suppressions for compliance audits
|
|
483
|
+
- **False Positive Review**: Regularly review suppressed findings to ensure they remain valid
|
|
484
|
+
- **Policy Updates**: Keep Checkov updated to receive new security policies
|
|
485
|
+
|
|
486
|
+
## Bundled Resources
|
|
487
|
+
|
|
488
|
+
### Scripts (`scripts/`)
|
|
489
|
+
|
|
490
|
+
- `checkov_scan.py` - Comprehensive scanning script with multiple frameworks and output formats
|
|
491
|
+
- `checkov_terraform_scan.sh` - Terraform-specific scanning with variable file support
|
|
492
|
+
- `checkov_k8s_scan.sh` - Kubernetes manifest scanning with cluster comparison
|
|
493
|
+
- `checkov_baseline_create.sh` - Baseline creation and drift detection workflow
|
|
494
|
+
- `checkov_compliance_report.py` - Generate compliance reports (CIS, PCI-DSS, HIPAA, SOC2)
|
|
495
|
+
- `ci_integration.sh` - CI/CD integration examples for multiple platforms
|
|
496
|
+
|
|
497
|
+
### References (`references/`)
|
|
498
|
+
|
|
499
|
+
- `compliance_mapping.md` - Mapping of Checkov checks to CIS, PCI-DSS, HIPAA, SOC2, NIST
|
|
500
|
+
- `custom_policies.md` - Guide for writing custom Python and YAML policies
|
|
501
|
+
- `suppression_guide.md` - Best practices for suppressing false positives
|
|
502
|
+
- `terraform_checks.md` - Comprehensive list of Terraform checks with remediation
|
|
503
|
+
- `kubernetes_checks.md` - Kubernetes security checks and pod security standards
|
|
504
|
+
- `cloudformation_checks.md` - CloudFormation security checks with examples
|
|
505
|
+
|
|
506
|
+
### Assets (`assets/`)
|
|
507
|
+
|
|
508
|
+
- `checkov_config.yaml` - Checkov configuration file template
|
|
509
|
+
- `github_actions.yml` - Complete GitHub Actions workflow
|
|
510
|
+
- `gitlab_ci.yml` - Complete GitLab CI pipeline
|
|
511
|
+
- `jenkins_pipeline.groovy` - Jenkins pipeline template
|
|
512
|
+
- `pre_commit_config.yaml` - Pre-commit hook configuration
|
|
513
|
+
- `custom_policy_template.py` - Template for custom Python policies
|
|
514
|
+
- `policy_metadata.yaml` - Policy metadata for organization-specific policies
|
|
515
|
+
|
|
516
|
+
## Common Patterns
|
|
517
|
+
|
|
518
|
+
### Pattern 1: Progressive Compliance Adoption
|
|
519
|
+
|
|
520
|
+
Gradually increase security posture:
|
|
521
|
+
|
|
522
|
+
```bash
|
|
523
|
+
# Phase 1: Scan without failing (awareness)
|
|
524
|
+
checkov -d ./terraform --soft-fail
|
|
525
|
+
|
|
526
|
+
# Phase 2: Fail only on CRITICAL issues
|
|
527
|
+
checkov -d ./terraform --hard-fail-on CRITICAL
|
|
528
|
+
|
|
529
|
+
# Phase 3: Fail on CRITICAL and HIGH
|
|
530
|
+
checkov -d ./terraform --hard-fail-on CRITICAL,HIGH
|
|
531
|
+
|
|
532
|
+
# Phase 4: Full enforcement with baseline
|
|
533
|
+
checkov -d ./terraform --baseline .checkov.baseline
|
|
534
|
+
```
|
|
535
|
+
|
|
536
|
+
### Pattern 2: Multi-Framework Infrastructure
|
|
537
|
+
|
|
538
|
+
Scan complete infrastructure stack:
|
|
539
|
+
|
|
540
|
+
```bash
|
|
541
|
+
# Use bundled script for comprehensive scanning
|
|
542
|
+
python3 scripts/checkov_scan.py \
|
|
543
|
+
--infrastructure-dir ./infrastructure \
|
|
544
|
+
--frameworks terraform,kubernetes,dockerfile \
|
|
545
|
+
--output-dir ./security-reports \
|
|
546
|
+
--compliance CIS,PCI-DSS
|
|
547
|
+
```
|
|
548
|
+
|
|
549
|
+
### Pattern 3: Policy-as-Code Repository
|
|
550
|
+
|
|
551
|
+
Maintain centralized policy repository:
|
|
552
|
+
|
|
553
|
+
```
|
|
554
|
+
policies/
|
|
555
|
+
├── custom_checks/
|
|
556
|
+
│ ├── aws/
|
|
557
|
+
│ │ ├── require_encryption.py
|
|
558
|
+
│ │ └── require_tags.py
|
|
559
|
+
│ ├── kubernetes/
|
|
560
|
+
│ │ └── require_psp.py
|
|
561
|
+
├── .checkov.yaml # Global config
|
|
562
|
+
└── suppression_list.txt # Approved suppressions
|
|
563
|
+
```
|
|
564
|
+
|
|
565
|
+
### Pattern 4: Compliance-Driven Scanning
|
|
566
|
+
|
|
567
|
+
Focus on specific compliance requirements:
|
|
568
|
+
|
|
569
|
+
```bash
|
|
570
|
+
# CIS AWS Foundations Benchmark
|
|
571
|
+
checkov -d ./terraform --check CIS_AWS
|
|
572
|
+
|
|
573
|
+
# PCI-DSS compliance
|
|
574
|
+
checkov -d ./terraform --framework terraform \
|
|
575
|
+
--check CKV_AWS_19,CKV_AWS_21,CKV_AWS_61 \
|
|
576
|
+
-o json --output-file-path ./pci-dss-report
|
|
577
|
+
|
|
578
|
+
# HIPAA compliance
|
|
579
|
+
checkov -d ./terraform --framework terraform \
|
|
580
|
+
--compact --check CKV_AWS_17,CKV_AWS_19,CKV_AWS_61,CKV_AWS_93
|
|
581
|
+
```
|
|
582
|
+
|
|
583
|
+
## Integration Points
|
|
584
|
+
|
|
585
|
+
- **CI/CD**: GitHub Actions, GitLab CI, Jenkins, Azure DevOps, CircleCI, Bitbucket Pipelines
|
|
586
|
+
- **Version Control**: Pre-commit hooks, pull request checks, branch protection rules
|
|
587
|
+
- **Cloud Platforms**: AWS, Azure, GCP, OCI, Alibaba Cloud
|
|
588
|
+
- **IaC Tools**: Terraform, Terragrunt, CloudFormation, ARM, Pulumi
|
|
589
|
+
- **Container Orchestration**: Kubernetes, OpenShift, EKS, GKE, AKS
|
|
590
|
+
- **Policy Engines**: OPA (Open Policy Agent), Sentinel
|
|
591
|
+
- **Security Platforms**: Prisma Cloud, Bridgecrew Platform
|
|
592
|
+
- **SIEM/Logging**: Export findings to Splunk, Elasticsearch, CloudWatch
|
|
593
|
+
|
|
594
|
+
## Troubleshooting
|
|
595
|
+
|
|
596
|
+
### Issue: Too Many Findings Overwhelming Team
|
|
597
|
+
|
|
598
|
+
**Solution**: Use progressive adoption with baselines:
|
|
599
|
+
|
|
600
|
+
```bash
|
|
601
|
+
# Create baseline with current state
|
|
602
|
+
checkov -d ./terraform --create-baseline
|
|
603
|
+
|
|
604
|
+
# Only fail on new issues
|
|
605
|
+
checkov -d ./terraform --baseline .checkov.baseline --soft-fail-on LOW,MEDIUM
|
|
606
|
+
```
|
|
607
|
+
|
|
608
|
+
### Issue: False Positives for Legitimate Use Cases
|
|
609
|
+
|
|
610
|
+
**Solution**: Use inline suppressions with justification:
|
|
611
|
+
|
|
612
|
+
```hcl
|
|
613
|
+
# Provide clear business justification
|
|
614
|
+
resource "aws_security_group" "allow_office" {
|
|
615
|
+
# checkov:skip=CKV_AWS_23:Office IP range needs SSH access for developers
|
|
616
|
+
ingress {
|
|
617
|
+
from_port = 22
|
|
618
|
+
to_port = 22
|
|
619
|
+
protocol = "tcp"
|
|
620
|
+
cidr_blocks = ["203.0.113.0/24"] # Office IP range
|
|
621
|
+
}
|
|
622
|
+
}
|
|
623
|
+
```
|
|
624
|
+
|
|
625
|
+
### Issue: Scan Takes Too Long
|
|
626
|
+
|
|
627
|
+
**Solution**: Optimize scan scope:
|
|
628
|
+
|
|
629
|
+
```bash
|
|
630
|
+
# Skip unnecessary paths
|
|
631
|
+
checkov -d ./terraform \
|
|
632
|
+
--skip-path .terraform/ \
|
|
633
|
+
--skip-path modules/vendor/ \
|
|
634
|
+
--skip-framework secrets
|
|
635
|
+
|
|
636
|
+
# Use compact output
|
|
637
|
+
checkov -d ./terraform --compact --quiet
|
|
638
|
+
```
|
|
639
|
+
|
|
640
|
+
### Issue: Custom Policies Not Loading
|
|
641
|
+
|
|
642
|
+
**Solution**: Verify policy structure and loading:
|
|
643
|
+
|
|
644
|
+
```bash
|
|
645
|
+
# Check policy syntax
|
|
646
|
+
python3 custom_checks/my_policy.py
|
|
647
|
+
|
|
648
|
+
# Ensure proper directory structure
|
|
649
|
+
checkov -d ./terraform \
|
|
650
|
+
--external-checks-dir ./custom_checks \
|
|
651
|
+
--list
|
|
652
|
+
|
|
653
|
+
# Debug with verbose output
|
|
654
|
+
checkov -d ./terraform --external-checks-dir ./custom_checks -v
|
|
655
|
+
```
|
|
656
|
+
|
|
657
|
+
### Issue: Integration with Private Terraform Modules
|
|
658
|
+
|
|
659
|
+
**Solution**: Configure module access:
|
|
660
|
+
|
|
661
|
+
```bash
|
|
662
|
+
# Set up Terraform credentials
|
|
663
|
+
export TF_TOKEN_app_terraform_io="your-token"
|
|
664
|
+
|
|
665
|
+
# Download external modules
|
|
666
|
+
checkov -d ./terraform --download-external-modules true
|
|
667
|
+
|
|
668
|
+
# Or scan after terraform init
|
|
669
|
+
cd ./terraform && terraform init
|
|
670
|
+
checkov -d .
|
|
671
|
+
```
|
|
672
|
+
|
|
673
|
+
## References
|
|
674
|
+
|
|
675
|
+
- [Checkov Documentation](https://www.checkov.io/)
|
|
676
|
+
- [Checkov GitHub Repository](https://github.com/bridgecrewio/checkov)
|
|
677
|
+
- [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks/)
|
|
678
|
+
- [Terraform Security Best Practices](https://www.terraform.io/docs/cloud/guides/recommended-practices/index.html)
|
|
679
|
+
- [Kubernetes Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/)
|
|
680
|
+
- [AWS Security Best Practices](https://aws.amazon.com/security/security-resources/)
|