@trendai-crem/claude-skills 1.5.2 → 1.6.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@trendai-crem/claude-skills",
-  "version": "1.5.2",
+  "version": "1.6.0",
   "description": "Claude Code skills installer for the trendai-crem team",
   "license": "UNLICENSED",
   "repository": {

package/skills/upgrade-blackduck-scan/SKILL.md

@@ -0,0 +1,139 @@
+---
+name: upgrade-blackduck-scan
+description: Use when upgrading BlackDuck scan action in GitHub Actions workflows. Triggers on requests to fix broken BlackDuck scans, upgrade blackduck-scan-actions version, or migrate from v1.x to v2.x.
+---
+
+# Upgrade BlackDuck Scan Action
+
+Interactive workflow for upgrading `actions/blackduck-scan-actions` in GitHub Actions workflows on `adc.github.trendmicro.com`.
+
+## Step 1: Gather Information
+
+Ask the user ALL of the following before making any changes:
+
+```
+AskUserQuestion([
+  { question: "Which repo(s) to upgrade? (e.g., CoreTech-SASEDL/ZTRIServer)", header: "Repo" },
+  { question: "What is the scan workflow filename?", header: "Workflow", options: [
+    { label: "Scan.yaml", description: ".github/workflows/Scan.yaml" },
+    { label: "scanning.yml", description: ".github/workflows/scanning.yml" },
+    { label: "Other", description: "I'll specify the path" }
+  ]},
+  { question: "Which base branch to create the feature branch from?", header: "Base branch", options: [
+    { label: "develop", description: "Standard SDLC flow" },
+    { label: "master", description: "Repos without develop branch" }
+  ]},
+  { question: "Cherry-pick to longterm branch?", header: "Longterm", options: [
+    { label: "Yes", description: "Create separate LT branch + PR" },
+    { label: "No", description: "No longterm branch in this repo" }
+  ]}
+])
+```
+
+## Step 2: Fetch Valid Versions
+
+Query the action repo for available versions:
+
+```bash
+GH_HOST=adc.github.trendmicro.com gh api repos/actions/blackduck-scan-actions/tags \
+  --jq '.[] | .name' | grep -E '^v[0-9]' | grep -v test | sort -V
+```
+
+Present the list and ask which version to use. Recommend the latest `v2.x` tag.
+
+**IMPORTANT**: Any `v1.x` version is broken because `detect.synopsys.com` is dead. Only `v2.x` versions work.
+
+## Step 3: Read Current Workflow
+
+Read the scan workflow file and identify:
+
+1. Current action version (`@v1.2`, `@v1`, etc.)
+2. Whether "Check BlackDuck Scan Results" custom step exists
+3. `block` boolean casing (`True` vs `true`)
+4. Existing `with:` parameters
+
+Show the user what will change before editing.
+
+## Step 4: Apply Changes
+
+### 4a: Upgrade action version
+```yaml
+# BEFORE
+uses: actions/blackduck-scan-actions@v1.2
+
+# AFTER
+uses: actions/blackduck-scan-actions@v2.3.8  # or user-selected version
+```
+
+### 4b: Add migration comment
+```yaml
+# v2 required: detect.synopsys.com (v1) is dead; Synopsys Detect 7 EOL March 2024
+- name: Blackduck Scan
+```
+
+### 4c: Add v2 parameters after `repo_path`
+```yaml
+          blackduck_version: '8'
+          msg_receiver: ${{ secrets.TEAMS_WEBHOOK }}
+          enable_iac_scan: 'true'
+```
+
+### 4d: Fix boolean casing
+Change `block: True` to `block: true` in the `env:` block.
+
+### 4e: Remove "Check BlackDuck Scan Results" step
+Delete the entire step containing `sleep 60` + `curl --insecure` + hardcoded project UUID. v2 handles exit codes natively.
+
+### 4f: Do NOT touch
+- `fortify-scan` job
+- `secrets-scan` job
+- `notify` job
+- Any other unrelated steps
+
+## Step 5: Commit and PR
+
+Branch name: `RIDL-17983/upgrade-blackduck-scan-v2` (or user's JIRA ticket)
+
+```bash
+git add <workflow-file>
+git commit -m "<JIRA>: fix: upgrade BlackDuck scan action from v1.x to v2
+
+detect.synopsys.com domain is dead. Upgrade to v2.x which uses
+detect.blackduck.com and Detect 8. Remove hardcoded results check
+step as v2 handles exit codes natively."
+```
+
+Create PR to the base branch. If longterm cherry-pick requested, create `-LT` branch and separate PR.
+
+## Step 6: Verify (Guide for User)
+
+After merging, guide the user through verification:
+
+### 6a: Trigger scan
+- Manually trigger via `workflow_dispatch` on the merged branch, OR
+- The scan runs automatically on PR to `master`
+
+### 6b: Check workflow logs
+Verify in GitHub Actions:
+- `actions/blackduck-scan-actions@v2.x` appears in "Set up job"
+- Detect 8/9 banner is displayed
+- Scan duration is 1-5 minutes (not 46ms)
+- `[info] blackduck result: success` or `fail` at the end
+
+### 6c: Check BlackDuck portal
+- Go to https://blackduck.trendmicro.com
+- Search for the project name
+- Verify "Last Scan" date matches today
+- Or check the dashboard API: `https://blackduck.trendmicro.com/api/risk-profile-dashboard?limit=25&offset=0`
+
+### 6d: Understand the result
+- `blackduck result: success` = scan completed, no MAJOR policy violations
+- `blackduck result: fail` = MAJOR severity policy violations found
+- Note: `block: true` only checks MAJOR severity. CRITICAL/BLOCKER violations are reported to the portal but do NOT block the build by default
+- To also block on CRITICAL/BLOCKER, add: `properties: '--detect.policy.check.fail.on.severities=MAJOR,CRITICAL,BLOCKER'`
+
+## Reference
+
+- Action repo: https://adc.github.trendmicro.com/actions/blackduck-scan-actions
+- Wiki: https://trendmicro.atlassian.net/wiki/spaces/CN/pages/2397209007
+- JIRA: https://trendmicro.atlassian.net/browse/RIDL-17983

package/skills/upgrade-blackduck-scan/TEST_PLAN.md

@@ -0,0 +1,345 @@
+# Upgrade BlackDuck Scan Skill Test Plan
+
+**Skill Version**: v1.0
+**Date**: 2026-04-09
+
+---
+
+## 1. Test Strategy
+
+The skill is a prompt-driven interactive workflow (not executable code), so testing validates **behavioral correctness** across 4 categories:
+
+| Category | What | How |
+|----------|------|-----|
+| **Information Gathering** | All required inputs collected before changes | Verify AskUserQuestion prompts |
+| **Version Handling** | Correct version fetching and recommendation | Test against real action repo tags |
+| **Workflow Modification** | Correct YAML changes applied | Validate diffs on sample workflows |
+| **Git & PR Operations** | Branch, commit, and PR created correctly | Verify git commands and PR format |
+
+---
+
+## 2. Test Cases
+
+### 2.1 Information Gathering (Step 1)
+
+#### TC-INFO-01: All four questions asked before any changes
+- **Setup**: Invoke skill with "upgrade blackduck scan for CoreTech-SASEDL/ZTRIServer"
+- **Expected**: Skill asks ALL 4 questions (repo, workflow filename, base branch, longterm) via AskUserQuestion BEFORE reading or modifying any files
+- **Validates**: No premature file access
+
+#### TC-INFO-02: Custom workflow filename accepted
+- **Setup**: Answer workflow filename question with "Other" and provide `.github/workflows/ci-scan.yml`
+- **Expected**: Skill uses custom filename for subsequent file reads
+- **Validates**: Non-standard workflow path handling
+
+#### TC-INFO-03: Multiple repos accepted
+- **Setup**: Provide 2 repos: `CoreTech-SASEDL/ZTRIServer, CoreTech-SASEDL/RIDLServer`
+- **Expected**: Skill processes each repo sequentially with same upgrade parameters
+- **Validates**: Multi-repo support
+
+---
+
+### 2.2 Version Fetching (Step 2)
+
+#### TC-VER-01: Tags fetched from correct GH_HOST
+- **Setup**: Run version fetch step
+- **Expected**: Command uses `GH_HOST=adc.github.trendmicro.com` and queries `repos/actions/blackduck-scan-actions/tags`
+- **Validates**: Correct enterprise GitHub host
+
+#### TC-VER-02: v1.x versions flagged as broken
+- **Setup**: Tags list includes v1.2, v1.3, v2.3.8
+- **Expected**: Skill recommends latest v2.x, warns that v1.x is broken (detect.synopsys.com dead)
+- **Validates**: v1 deprecation warning
+
+#### TC-VER-03: No v2.x tags available
+- **Setup**: Simulate tag list with only v1.x versions
+- **Expected**: Skill warns user that no working version is available, does NOT proceed with v1.x
+- **Validates**: Fail-safe on missing v2 tags
+
+#### TC-VER-04: Test/pre-release tags excluded
+- **Setup**: Tags include `v2.4.0-test`, `v2.4.0-rc1`
+- **Expected**: Filtered out by `grep -v test`; only stable versions presented
+- **Validates**: Tag filtering
+
+---
+
+### 2.3 Workflow Analysis (Step 3)
+
+#### TC-ANALYSIS-01: Detect current v1.x version
+- **Setup**: Workflow contains `uses: actions/blackduck-scan-actions@v1.2`
+- **Expected**: Reports current version as v1.2
+- **Validates**: Version extraction from YAML
+
+#### TC-ANALYSIS-02: Detect "Check BlackDuck Scan Results" step
+- **Setup**: Workflow contains step with `sleep 60` + `curl --insecure` + hardcoded UUID
+- **Expected**: Skill identifies this step and marks it for removal
+- **Validates**: Legacy step detection
+
+#### TC-ANALYSIS-03: No legacy check step present
+- **Setup**: Workflow has blackduck-scan-actions but no "Check BlackDuck Scan Results" step
+- **Expected**: Skill proceeds without attempting removal, no error
+- **Validates**: Graceful handling of already-clean workflows
+
+#### TC-ANALYSIS-04: Detect boolean casing issue
+- **Setup**: Workflow `env:` block contains `block: True` (capital T)
+- **Expected**: Identified and flagged for fix to lowercase `true`
+- **Validates**: Boolean casing detection
+
+#### TC-ANALYSIS-05: Show diff preview before applying
+- **Setup**: Any workflow file
+- **Expected**: Skill presents a summary of planned changes to user BEFORE editing
+- **Validates**: User confirmation before destructive changes
+
+---
+
+### 2.4 Workflow Modification (Step 4)
+
+#### TC-MOD-01: Action version upgraded
+- **Setup**: Workflow with `@v1.2`
+- **Expected**: Changed to `@v2.3.8` (or user-selected version)
+- **Validates**: Version string replacement
+
+#### TC-MOD-02: Migration comment added
+- **Setup**: Workflow without migration comment
+- **Expected**: Comment `# v2 required: detect.synopsys.com (v1) is dead; Synopsys Detect 7 EOL March 2024` added above the scan step
+- **Validates**: Migration documentation
+
+#### TC-MOD-03: v2 parameters added
+- **Setup**: Workflow with only `repo_path` in `with:` block
+- **Expected**: Three new parameters added after `repo_path`:
+  ```yaml
+  blackduck_version: '8'
+  msg_receiver: ${{ secrets.TEAMS_WEBHOOK }}
+  enable_iac_scan: 'true'
+  ```
+- **Validates**: v2-specific parameter injection
+
+#### TC-MOD-04: v2 parameters NOT duplicated
+- **Setup**: Workflow already has `blackduck_version: '8'` from a partial previous upgrade
+- **Expected**: Skill detects existing parameter and does NOT add duplicate
+- **Validates**: Idempotency
+
+#### TC-MOD-05: Boolean casing fixed
+- **Setup**: `env:` block has `block: True`
+- **Expected**: Changed to `block: true`
+- **Validates**: YAML boolean normalization
+
+#### TC-MOD-06: Legacy check step removed
+- **Setup**: Workflow with "Check BlackDuck Scan Results" step (sleep + curl + UUID)
+- **Expected**: Entire step removed cleanly, no orphaned YAML
+- **Validates**: Step deletion
+
+#### TC-MOD-07: Unrelated jobs untouched
+- **Setup**: Workflow with `fortify-scan`, `secrets-scan`, `notify` jobs
+- **Expected**: These jobs remain exactly as-is, byte-for-byte identical
+- **Validates**: Blast radius control
+
+#### TC-MOD-08: YAML structure preserved
+- **Setup**: Workflow with specific indentation (2-space or 4-space)
+- **Expected**: Modified YAML preserves original indentation style
+- **Validates**: No formatting drift
+
+---
+
+### 2.5 Git & PR Operations (Step 5)
+
+#### TC-GIT-01: Feature branch created from correct base
+- **Setup**: User selects `develop` as base branch
+- **Expected**: Branch created from `develop`, not `master` or `main`
+- **Validates**: Base branch selection
+
+#### TC-GIT-02: Branch naming convention
+- **Setup**: JIRA ticket is RIDL-17983
+- **Expected**: Branch name follows pattern `RIDL-17983/upgrade-blackduck-scan-v2`
+- **Validates**: Naming convention
+
+#### TC-GIT-03: Commit message format
+- **Setup**: Standard upgrade
+- **Expected**: Commit message includes JIRA prefix, `fix:` type, explains why (detect.synopsys.com dead), mentions v2
+- **Validates**: Commit convention compliance
+
+#### TC-GIT-04: PR created to correct base branch
+- **Setup**: User selected `develop` as base
+- **Expected**: PR targets `develop`, not `master`
+- **Validates**: PR target branch
+
+#### TC-GIT-05: Longterm cherry-pick creates separate PR
+- **Setup**: User selects "Yes" for longterm cherry-pick
+- **Expected**: Separate `-LT` branch created, second PR opened targeting longterm branch
+- **Validates**: Longterm workflow
+
+#### TC-GIT-06: Only workflow file committed
+- **Setup**: Standard upgrade
+- **Expected**: `git add` only includes the scan workflow file, no other files staged
+- **Validates**: No accidental file inclusion
+
+---
+
+### 2.6 Verification Guidance (Step 6)
+
+#### TC-VERIFY-01: Post-merge verification checklist provided
+- **Setup**: Complete upgrade flow
+- **Expected**: Skill provides actionable checklist: trigger scan, check logs for Detect 8/9 banner, check BlackDuck portal, understand success/fail meanings
+- **Validates**: User guidance completeness
+
+#### TC-VERIFY-02: Success/fail interpretation explained
+- **Setup**: Complete upgrade flow
+- **Expected**: Explains that `success` = no MAJOR violations, `fail` = MAJOR violations found, and that CRITICAL/BLOCKER are reported but don't block by default
+- **Validates**: Correct result interpretation
+
+---
+
+### 2.7 Edge Cases
+
+#### TC-EDGE-01: Repo not accessible
+- **Setup**: Provide a repo the user doesn't have access to
+- **Expected**: Skill reports access error clearly, does not proceed
+- **Validates**: Permission error handling
+
+#### TC-EDGE-02: Workflow file not found
+- **Setup**: Specify a workflow filename that doesn't exist in the repo
+- **Expected**: Skill reports file not found, asks user to verify path
+- **Validates**: Missing file handling
+
+#### TC-EDGE-03: Already on v2.x
+- **Setup**: Workflow already uses `@v2.3.8`
+- **Expected**: Skill detects no upgrade needed, reports current version, asks user if they still want to proceed
+- **Validates**: No-op detection
+
+#### TC-EDGE-04: Non-standard YAML structure
+- **Setup**: Workflow with unusual structure (e.g., anchors, multi-document, complex matrix)
+- **Expected**: Skill modifies only the blackduck-scan step, does not corrupt YAML anchors or matrix definitions
+- **Validates**: YAML compatibility
+
+---
+
+## 3. Test Fixtures
+
+### Fixture A: `standard-scan.yml` (Typical v1 workflow)
+```yaml
+name: Scan
+on:
+  workflow_dispatch:
+  pull_request:
+    branches: [master]
+
+jobs:
+  blackduck-scan:
+    runs-on: [self-hosted, linux]
+    steps:
+      - uses: actions/checkout@v3
+      - name: Blackduck Scan
+        uses: actions/blackduck-scan-actions@v1.2
+        with:
+          repo_path: ${{ github.workspace }}
+        env:
+          BLACKDUCK_URL: ${{ secrets.BLACKDUCK_URL }}
+          BLACKDUCK_TOKEN: ${{ secrets.BLACKDUCK_TOKEN }}
+          block: True
+
+      - name: Check BlackDuck Scan Results
+        run: |
+          sleep 60
+          curl --insecure -X GET "https://blackduck.trendmicro.com/api/projects/abc-123/versions" \
+            -H "Authorization: Bearer ${{ secrets.BLACKDUCK_TOKEN }}"
+
+  fortify-scan:
+    runs-on: [self-hosted, linux]
+    steps:
+      - uses: actions/checkout@v3
+      - name: Fortify Scan
+        uses: actions/fortify-scan@v1
+```
+
+### Fixture B: `clean-v2-scan.yml` (Already upgraded)
+```yaml
+name: Scan
+on:
+  workflow_dispatch:
+
+jobs:
+  blackduck-scan:
+    runs-on: [self-hosted, linux]
+    steps:
+      - uses: actions/checkout@v3
+      - name: Blackduck Scan
+        uses: actions/blackduck-scan-actions@v2.3.8
+        with:
+          repo_path: ${{ github.workspace }}
+          blackduck_version: '8'
+          msg_receiver: ${{ secrets.TEAMS_WEBHOOK }}
+          enable_iac_scan: 'true'
+        env:
+          BLACKDUCK_URL: ${{ secrets.BLACKDUCK_URL }}
+          BLACKDUCK_TOKEN: ${{ secrets.BLACKDUCK_TOKEN }}
+          block: true
+```
+
+### Fixture C: `minimal-scan.yml` (No legacy check step)
+```yaml
+name: Scan
+on:
+  push:
+    branches: [develop]
+
+jobs:
+  blackduck-scan:
+    runs-on: [self-hosted, linux]
+    steps:
+      - uses: actions/checkout@v3
+      - name: Blackduck Scan
+        uses: actions/blackduck-scan-actions@v1
+        with:
+          repo_path: ${{ github.workspace }}
+        env:
+          BLACKDUCK_URL: ${{ secrets.BLACKDUCK_URL }}
+          BLACKDUCK_TOKEN: ${{ secrets.BLACKDUCK_TOKEN }}
+          block: true
+```
+
+---
+
+## 4. Execution Protocol
+
+### Phase 1: Smoke Test
+Run the skill against Fixture A with standard inputs (single repo, Scan.yaml, develop, no longterm). Verify:
+- All 4 questions asked upfront
+- Version list fetched successfully
+- Diff preview shown before changes
+- All modifications applied correctly
+- PR created successfully
+
+### Phase 2: Modification Tests
+Run TC-MOD-01 through TC-MOD-08 using Fixture A. These validate the core transformation logic.
+
+### Phase 3: Edge Case Tests
+Run TC-EDGE-01 through TC-EDGE-04 to verify error handling and boundary conditions.
+
+### Phase 4: Multi-Repo and Longterm
+Run TC-INFO-03 and TC-GIT-05 to verify multi-repo and longterm cherry-pick workflows.
+
+---
+
+## 5. Pass/Fail Criteria
+
+| Category | Tests | Required Pass Rate |
+|----------|-------|--------------------|
+| Information Gathering (TC-INFO-*) | 3 | 3/3 (100%) |
+| Version Fetching (TC-VER-*) | 4 | 4/4 (100%) |
+| Workflow Analysis (TC-ANALYSIS-*) | 5 | 5/5 (100%) |
+| Workflow Modification (TC-MOD-*) | 8 | 7/8 (allow 1 edge case) |
+| Git & PR (TC-GIT-*) | 6 | 6/6 (100%) |
+| Verification (TC-VERIFY-*) | 2 | 2/2 (100%) |
+| Edge Cases (TC-EDGE-*) | 4 | 3/4 (allow 1 edge case) |
+
+**Overall**: Information Gathering, Version Fetching, Analysis, Git & PR, and Verification categories are non-negotiable (100% pass required). Modification and Edge Case categories allow 1 failure.
+
+---
+
+## 6. Known Limitations (Not Tested)
+
+- **Enterprise GitHub auth**: Assumes `GH_HOST` and `gh` CLI are pre-configured with valid credentials
+- **YAML parser edge cases**: Complex YAML features (anchors, merge keys) may not be handled by all edit approaches
+- **BlackDuck portal verification**: Step 6 verification is manual; no automated portal API validation
+- **Rate limiting**: No test for GitHub API rate limits when fetching tags
+- **Concurrent upgrades**: No test for upgrading the same repo simultaneously from multiple sessions