npm - @synapta/skills - Versions diffs - 0.1.1 → 0.2.0 - Mend

@synapta/skills 0.1.1 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (354) hide show

package/skills/iac-scan/assets/checkov_config.yaml ADDED Viewed

@@ -0,0 +1,94 @@
+# Checkov Configuration File
+# Place this file as .checkov.yaml in your project root
+# Framework selection
+framework:
+  - terraform
+  - kubernetes
+  - dockerfile
+  - helm
+# Checks to skip globally
+skip-check:
+  # Development environment exceptions
+  - CKV_AWS_17   # RDS backup retention (dev envs)
+  - CKV_AWS_8    # CloudWatch log encryption (cost optimization)
+  # Low severity informational checks
+  - CKV_AWS_50   # Lambda tracing
+  - CKV_K8S_35   # Prefer secrets as files
+# Paths to exclude from scanning
+skip-path:
+  - .terraform/
+  - .terragrunt-cache/
+  - node_modules/
+  - vendor/
+  - "**/.git"
+  - "**/test/"
+  - "**/examples/"
+# Severity-based configuration
+soft-fail-on:
+  - LOW
+  - MEDIUM
+hard-fail-on:
+  - CRITICAL
+  - HIGH
+# Compact output mode
+compact: true
+# Quiet mode (only show failures)
+quiet: false
+# Download external Terraform modules
+download-external-modules: true
+# Output configuration
+output:
+  - cli
+  - json
+  - sarif
+# Output file path
+output-file-path: ./checkov-reports
+# Repository identification
+repo-id: my-infrastructure
+branch: main
+# External checks directory
+external-checks-dir:
+  - ./custom_checks
+# Baseline file for drift detection
+# baseline: .checkov.baseline
+# Enable secrets scanning
+# framework:
+#   - secrets
+# Prisma Cloud/Bridgecrew integration (optional)
+# bc-api-key: ${PRISMA_API_KEY}
+# prisma-api-url: https://api.prismacloud.io
+# Skip specific resources by regex
+# skip-resources-without-violations: true
+# CKV check configuration
+# check:
+#   - CIS_AWS
+#   - CIS_AZURE
+#   - CIS_KUBERNETES
+# Enable/disable specific frameworks
+# skip-framework:
+#   - ansible
+#   - github_actions
+# Custom policies metadata filter
+# policy-metadata-filter:
+#   severity: HIGH,CRITICAL
+#   category: IAM,ENCRYPTION

package/skills/iac-scan/assets/github_actions.yml ADDED Viewed

@@ -0,0 +1,199 @@
+# GitHub Actions Workflow for Checkov IaC Security Scanning
+# Place this file in .github/workflows/checkov.yml
+name: Checkov IaC Security Scan
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main]
+    paths:
+      - '**.tf'
+      - '**.yaml'
+      - '**.yml'
+      - '**.json'
+  schedule:
+    # Run weekly security scans on Sunday at 2 AM
+    - cron: '0 2 * * 0'
+  workflow_dispatch:
+permissions:
+  contents: read
+  security-events: write
+  pull-requests: write
+jobs:
+  checkov-terraform:
+    name: Terraform Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Run Checkov on Terraform
+        uses: bridgecrewio/checkov-action@master
+        with:
+          directory: terraform/
+          framework: terraform
+          output_format: sarif
+          output_file_path: checkov-terraform.sarif
+          soft_fail: false
+          download_external_modules: true
+      - name: Upload SARIF Report
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: checkov-terraform.sarif
+          category: terraform
+  checkov-kubernetes:
+    name: Kubernetes Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Run Checkov on Kubernetes
+        uses: bridgecrewio/checkov-action@master
+        with:
+          directory: k8s/
+          framework: kubernetes
+          output_format: sarif
+          output_file_path: checkov-k8s.sarif
+          soft_fail: false
+      - name: Upload SARIF Report
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: checkov-k8s.sarif
+          category: kubernetes
+  checkov-dockerfile:
+    name: Dockerfile Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Run Checkov on Dockerfiles
+        uses: bridgecrewio/checkov-action@master
+        with:
+          directory: ./
+          framework: dockerfile
+          output_format: sarif
+          output_file_path: checkov-docker.sarif
+          soft_fail: false
+      - name: Upload SARIF Report
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: checkov-docker.sarif
+          category: dockerfile
+  checkov-compliance:
+    name: Compliance Scan (CIS, PCI-DSS)
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' || github.event_name == 'schedule'
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+      - name: Install Checkov
+        run: pip install checkov
+      - name: Run CIS Compliance Scan
+        run: |
+          checkov -d terraform/ \
+            --framework terraform \
+            --check CIS_AWS,CIS_AZURE \
+            -o json -o cli \
+            --output-file-path ./compliance-reports
+      - name: Upload Compliance Reports
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: compliance-reports
+          path: compliance-reports/
+          retention-days: 90
+  security-gate:
+    name: Security Gate Check
+    runs-on: ubuntu-latest
+    needs: [checkov-terraform, checkov-kubernetes]
+    if: always()
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+      - name: Install Dependencies
+        run: pip install checkov
+      - name: Run Checkov with Threshold
+        run: |
+          # Fail on CRITICAL and HIGH severity issues
+          checkov -d terraform/ \
+            --framework terraform \
+            --hard-fail-on CRITICAL,HIGH \
+            -o json --output-file-path ./gate-report || EXIT_CODE=$?
+          # Parse results
+          if [ -f "gate-report/results_json.json" ]; then
+            CRITICAL=$(jq '[.results.failed_checks[] | select(.severity == "CRITICAL")] | length' gate-report/results_json.json)
+            HIGH=$(jq '[.results.failed_checks[] | select(.severity == "HIGH")] | length' gate-report/results_json.json)
+            echo "Critical findings: $CRITICAL"
+            echo "High findings: $HIGH"
+            if [ "$CRITICAL" -gt 0 ] || [ "$HIGH" -gt 0 ]; then
+              echo "❌ Security gate failed"
+              exit 1
+            fi
+          fi
+          echo "✅ Security gate passed"
+      - name: Comment on PR
+        if: github.event_name == 'pull_request'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const report = JSON.parse(fs.readFileSync('gate-report/results_json.json', 'utf8'));
+            const summary = report.summary || {};
+            const passed = summary.passed || 0;
+            const failed = summary.failed || 0;
+            const skipped = summary.skipped || 0;
+            const body = `## Checkov IaC Security Scan Results
+            | Status | Count |
+            |--------|-------|
+            | ✅ Passed | ${passed} |
+            | ❌ Failed | ${failed} |
+            | ⏭️  Skipped | ${skipped} |
+            ${failed > 0 ? '⚠️ Please review and fix the security findings before merging.' : '✅ No security issues detected!'}
+            `;
+            github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              body: body
+            });

package/skills/iac-scan/assets/gitlab_ci.yml ADDED Viewed

@@ -0,0 +1,218 @@
+# GitLab CI/CD Pipeline for Checkov IaC Security Scanning
+# Add this to your .gitlab-ci.yml file
+stages:
+  - security
+  - compliance
+  - report
+variables:
+  CHECKOV_IMAGE: "bridgecrew/checkov:latest"
+  REPORTS_DIR: "checkov-reports"
+# Terraform Security Scan
+checkov_terraform:
+  stage: security
+  image: $CHECKOV_IMAGE
+  script:
+    - mkdir -p $REPORTS_DIR
+    - |
+      checkov -d terraform/ \
+        --framework terraform \
+        -o json -o junitxml -o sarif \
+        --output-file-path $REPORTS_DIR \
+        --compact || EXIT_CODE=$?
+    - echo "Exit code: ${EXIT_CODE:-0}"
+  artifacts:
+    reports:
+      junit: $REPORTS_DIR/results_junitxml.xml
+      sast: $REPORTS_DIR/results_sarif.sarif
+    paths:
+      - $REPORTS_DIR/
+    when: always
+    expire_in: 30 days
+  only:
+    changes:
+      - terraform/**/*
+      - "*.tf"
+  tags:
+    - docker
+# Kubernetes Security Scan
+checkov_kubernetes:
+  stage: security
+  image: $CHECKOV_IMAGE
+  script:
+    - mkdir -p $REPORTS_DIR
+    - |
+      checkov -d k8s/ \
+        --framework kubernetes \
+        -o json -o junitxml \
+        --output-file-path $REPORTS_DIR \
+        --compact
+  artifacts:
+    reports:
+      junit: $REPORTS_DIR/results_junitxml.xml
+    paths:
+      - $REPORTS_DIR/
+    when: always
+    expire_in: 30 days
+  only:
+    changes:
+      - k8s/**/*
+      - "*.yaml"
+      - "*.yml"
+  tags:
+    - docker
+# CloudFormation Security Scan
+checkov_cloudformation:
+  stage: security
+  image: $CHECKOV_IMAGE
+  script:
+    - mkdir -p $REPORTS_DIR
+    - |
+      checkov -d cloudformation/ \
+        --framework cloudformation \
+        -o json -o junitxml \
+        --output-file-path $REPORTS_DIR \
+        --compact
+  artifacts:
+    reports:
+      junit: $REPORTS_DIR/results_junitxml.xml
+    paths:
+      - $REPORTS_DIR/
+    when: always
+    expire_in: 30 days
+  only:
+    changes:
+      - cloudformation/**/*
+  allow_failure: true
+  tags:
+    - docker
+# Compliance Scan (CIS Benchmarks)
+checkov_compliance:
+  stage: compliance
+  image: $CHECKOV_IMAGE
+  script:
+    - mkdir -p $REPORTS_DIR/compliance
+    - |
+      # CIS AWS Benchmark
+      checkov -d terraform/ \
+        --framework terraform \
+        --check CIS_AWS \
+        -o json -o cli \
+        --output-file-path $REPORTS_DIR/compliance \
+        --compact || true
+      # Parse results
+      if [ -f "$REPORTS_DIR/compliance/results_json.json" ]; then
+        FAILED=$(jq '.summary.failed' $REPORTS_DIR/compliance/results_json.json)
+        echo "CIS compliance failures: $FAILED"
+      fi
+  artifacts:
+    paths:
+      - $REPORTS_DIR/compliance/
+    when: always
+    expire_in: 90 days
+  only:
+    - main
+    - develop
+  tags:
+    - docker
+# Security Gate - Fail on Critical/High
+security_gate:
+  stage: compliance
+  image: $CHECKOV_IMAGE
+  script:
+    - mkdir -p $REPORTS_DIR/gate
+    - |
+      # Run scan with severity filtering
+      checkov -d terraform/ \
+        --framework terraform \
+        --hard-fail-on CRITICAL,HIGH \
+        -o json \
+        --output-file-path $REPORTS_DIR/gate \
+        --compact || EXIT_CODE=$?
+      # Check results
+      if [ -f "$REPORTS_DIR/gate/results_json.json" ]; then
+        CRITICAL=$(jq '[.results.failed_checks[] | select(.severity == "CRITICAL")] | length' $REPORTS_DIR/gate/results_json.json)
+        HIGH=$(jq '[.results.failed_checks[] | select(.severity == "HIGH")] | length' $REPORTS_DIR/gate/results_json.json)
+        echo "Critical findings: $CRITICAL"
+        echo "High findings: $HIGH"
+        if [ "$CRITICAL" -gt 0 ] || [ "$HIGH" -gt 0 ]; then
+          echo "❌ Security gate failed: Critical or High severity issues found"
+          exit 1
+        fi
+        echo "✅ Security gate passed"
+      fi
+      exit ${EXIT_CODE:-0}
+  artifacts:
+    paths:
+      - $REPORTS_DIR/gate/
+    when: always
+    expire_in: 30 days
+  dependencies:
+    - checkov_terraform
+    - checkov_kubernetes
+  only:
+    - merge_requests
+    - main
+  allow_failure: false
+  tags:
+    - docker
+# Generate Summary Report
+generate_report:
+  stage: report
+  image: alpine:latest
+  before_script:
+    - apk add --no-cache jq curl
+  script:
+    - |
+      # Generate markdown summary
+      cat > $REPORTS_DIR/summary.md <<EOF
+      # Checkov IaC Security Scan Summary
+      **Pipeline:** $CI_PIPELINE_ID
+      **Branch:** $CI_COMMIT_REF_NAME
+      **Commit:** $CI_COMMIT_SHORT_SHA
+      **Date:** $(date)
+      ## Scan Results
+      EOF
+      # Parse Terraform scan results
+      if [ -f "$REPORTS_DIR/results_json.json" ]; then
+        echo "### Terraform Scan" >> $REPORTS_DIR/summary.md
+        echo "" >> $REPORTS_DIR/summary.md
+        echo "| Metric | Count |" >> $REPORTS_DIR/summary.md
+        echo "|--------|-------|" >> $REPORTS_DIR/summary.md
+        jq -r '.summary | "| Passed | \(.passed) |\n| Failed | \(.failed) |\n| Skipped | \(.skipped) |"' \
+          $REPORTS_DIR/results_json.json >> $REPORTS_DIR/summary.md
+        echo "" >> $REPORTS_DIR/summary.md
+      fi
+      cat $REPORTS_DIR/summary.md
+  artifacts:
+    paths:
+      - $REPORTS_DIR/summary.md
+    when: always
+    expire_in: 90 days
+  dependencies:
+    - checkov_terraform
+    - checkov_kubernetes
+  only:
+    - merge_requests
+    - main
+    - develop
+  tags:
+    - docker

package/skills/iac-scan/assets/pre_commit_config.yaml ADDED Viewed

@@ -0,0 +1,92 @@
+# Pre-commit Hook Configuration for Checkov
+# Place this file as .pre-commit-config.yaml in your project root
+#
+# Install: pip install pre-commit
+# Setup:   pre-commit install
+repos:
+  # Checkov IaC Security Scanning
+  - repo: https://github.com/bridgecrewio/checkov
+    rev: 2.5.0
+    hooks:
+      - id: checkov
+        name: Checkov IaC Security Scan
+        args:
+          - --soft-fail                 # Don't block commits (warning only)
+          - --compact                   # Concise output
+          - --framework=terraform       # Scan Terraform files
+          - --framework=kubernetes      # Scan Kubernetes files
+          - --framework=dockerfile      # Scan Dockerfiles
+        files: \.(tf|yaml|yml|json|Dockerfile)$
+        exclude: |
+          (?x)^(
+            .terraform/|
+            .terragrunt-cache/|
+            vendor/|
+            node_modules/
+          )
+  # Strict mode (fail on Critical/High) - optional
+  - repo: https://github.com/bridgecrewio/checkov
+    rev: 2.5.0
+    hooks:
+      - id: checkov
+        name: Checkov Strict Mode (Critical/High)
+        args:
+          - --hard-fail-on=CRITICAL,HIGH
+          - --compact
+          - --quiet
+        files: \.(tf|yaml|yml)$
+        exclude: |
+          (?x)^(
+            .terraform/|
+            test/|
+            examples/
+          )
+        # Only run on specific branches
+        stages: [push]
+  # Terraform-specific scanning with external modules
+  - repo: https://github.com/bridgecrewio/checkov
+    rev: 2.5.0
+    hooks:
+      - id: checkov
+        name: Checkov Terraform (with external modules)
+        args:
+          - --download-external-modules=true
+          - --framework=terraform
+          - --soft-fail
+        files: \.tf$
+        exclude: .terraform/
+  # Additional code quality hooks
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.5.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+        args: [--allow-multiple-documents]
+      - id: check-json
+      - id: check-merge-conflict
+      - id: detect-private-key
+        name: Detect Private Keys (Secrets)
+  # Terraform formatting
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.86.0
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_validate
+      - id: terraform_docs
+        args:
+          - --hook-config=--add-to-existing-file=true
+          - --hook-config=--create-file-if-not-exist=true
+  # YAML linting
+  - repo: https://github.com/adrienverge/yamllint
+    rev: v1.33.0
+    hooks:
+      - id: yamllint
+        args: [-c=.yamllint.yaml]
+        files: \.(yaml|yml)$

package/skills/iac-scan/references/EXAMPLE.md ADDED Viewed

@@ -0,0 +1,40 @@
+# Reference Document Template
+This file contains detailed reference material that Claude should load only when needed.
+## Table of Contents
+- [Section 1](#section-1)
+- [Section 2](#section-2)
+- [Security Standards](#security-standards)
+## Section 1
+Detailed information, schemas, or examples that are too large for SKILL.md.
+## Section 2
+Additional reference material.
+## Security Standards
+### OWASP Top 10
+Reference relevant OWASP categories:
+- A01: Broken Access Control
+- A02: Cryptographic Failures
+- etc.
+### CWE Mappings
+Map to relevant Common Weakness Enumeration categories:
+- CWE-79: Cross-site Scripting
+- CWE-89: SQL Injection
+- etc.
+### MITRE ATT&CK
+Reference relevant tactics and techniques if applicable:
+- TA0001: Initial Access
+- T1190: Exploit Public-Facing Application
+- etc.