npm - blockmine - Versions diffs - 1.20.0 → 1.22.0 - Mend

blockmine 1.20.0 → 1.22.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (434) hide show

package/.claude/skills/devsecops/resources/vulnerability-management.md ADDED Viewed

@@ -0,0 +1,481 @@
+# Vulnerability Management
+CVE tracking, patching strategies, vulnerability databases, remediation workflows, and continuous vulnerability assessment.
+## Table of Contents
+- [Overview](#overview)
+- [CVE Tracking](#cve-tracking)
+- [Vulnerability Databases](#vulnerability-databases)
+- [Patching Strategies](#patching-strategies)
+- [Remediation Workflows](#remediation-workflows)
+- [Metrics and Reporting](#metrics-and-reporting)
+- [Best Practices](#best-practices)
+## Overview
+**Vulnerability Management Lifecycle:**
+```
+Discover → Prioritize → Remediate → Verify → Report
+    ↑                                           ↓
+    └───────────────────────────────────────────┘
+              Continuous Monitoring
+```
+## CVE Tracking
+### Vulnerability Severity
+**CVSS Scoring:**
+```
+CRITICAL (9.0-10.0): Immediate action required (< 24 hours)
+HIGH     (7.0-8.9):  Fix within 7 days
+MEDIUM   (4.0-6.9):  Fix within 30 days
+LOW      (0.1-3.9):  Fix when convenient
+```
+### Automated Scanning
+```yaml
+# .github/workflows/vuln-scan.yml
+name: Vulnerability Scanning
+on:
+  schedule:
+    - cron: '0 0 * * *'  # Daily
+  push:
+    branches: [main]
+jobs:
+  scan-dependencies:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Scan with Trivy
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          format: 'json'
+          output: 'trivy-results.json'
+      - name: Parse and Create Issues
+        run: |
+          jq -r '.Results[] | select(.Vulnerabilities) |
+            .Vulnerabilities[] |
+            select(.Severity == "CRITICAL" or .Severity == "HIGH") |
+            "[\(.Severity)] \(.VulnerabilityID): \(.PkgName) \(.InstalledVersion)"' \
+            trivy-results.json
+```
+## Vulnerability Databases
+### National Vulnerability Database (NVD)
+```python
+import requests
+def get_cve_details(cve_id):
+    url = f"https://services.nvd.nist.gov/rest/json/cves/2.0?cveId={cve_id}"
+    response = requests.get(url)
+    data = response.json()
+    cve = data['vulnerabilities'][0]['cve']
+    return {
+        'id': cve_id,
+        'description': cve['descriptions'][0]['value'],
+        'cvss_score': cve['metrics']['cvssMetricV31'][0]['cvssData']['baseScore'],
+        'severity': cve['metrics']['cvssMetricV31'][0]['cvssData']['baseSeverity'],
+        'published': cve['published'],
+        'last_modified': cve['lastModified']
+    }
+# Usage
+cve_info = get_cve_details('CVE-2023-12345')
+```
+### GitHub Security Advisories
+```bash
+# Query GitHub API for advisories
+curl -H "Authorization: token $GITHUB_TOKEN" \
+  https://api.github.com/advisories?ecosystem=npm
+# Get specific advisory
+curl -H "Authorization: token $GITHUB_TOKEN" \
+  https://api.github.com/advisories/GHSA-xxxx-yyyy-zzzz
+```
+## Patching Strategies
+### Automated Dependency Updates
+**Dependabot Configuration:**
+```yaml
+# .github/dependabot.yml
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
+    # Auto-merge patch updates
+    target-branch: "main"
+    # Group updates
+    groups:
+      dev-dependencies:
+        patterns:
+          - "@types/*"
+          - "eslint*"
+        update-types:
+          - "patch"
+          - "minor"
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+```
+**Renovate Configuration:**
+```json
+{
+  "extends": ["config:base"],
+  "schedule": ["after 10pm every weekday", "before 5am every weekday"],
+  "timezone": "America/New_York",
+  "vulnerabilityAlerts": {
+    "labels": ["security"],
+    "assignees": ["@security-team"]
+  },
+  "packageRules": [
+    {
+      "matchUpdateTypes": ["patch"],
+      "automerge": true
+    },
+    {
+      "matchPackagePatterns": ["^@types/"],
+      "automerge": true
+    },
+    {
+      "matchDepTypes": ["devDependencies"],
+      "automerge": true,
+      "matchUpdateTypes": ["minor", "patch"]
+    }
+  ]
+}
+```
+### Patch Testing
+```yaml
+# .github/workflows/patch-test.yml
+name: Test Security Patches
+on:
+  pull_request:
+    paths:
+      - 'package*.json'
+      - 'requirements.txt'
+      - 'go.mod'
+jobs:
+  test-patch:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Install dependencies
+        run: npm ci
+      - name: Run tests
+        run: npm test
+      - name: Run security scan
+        run: npm audit --audit-level=moderate
+      - name: Check for breaking changes
+        run: npm run test:integration
+      - name: Auto-approve if patch
+        if: contains(github.event.pull_request.title, '[PATCH]')
+        run: gh pr review --approve
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+```
+## Remediation Workflows
+### Vulnerability Triage
+```yaml
+# vulnerability-triage.yaml
+workflow:
+  1_discovery:
+    - Automated scanning (daily)
+    - Manual security research
+    - Third-party advisories
+  2_assessment:
+    - CVSS score
+    - Exploitability
+    - Attack surface
+    - Data sensitivity
+    - Business impact
+  3_prioritization:
+    critical:
+      sla: 24 hours
+      process: Emergency patch
+    high:
+      sla: 7 days
+      process: Scheduled patch
+    medium:
+      sla: 30 days
+      process: Regular maintenance
+    low:
+      sla: 90 days
+      process: Backlog
+  4_remediation:
+    - Update dependency
+    - Apply patch
+    - Implement workaround
+    - Accept risk (with approval)
+  5_verification:
+    - Rescan
+    - Test functionality
+    - Validate fix
+  6_closure:
+    - Document resolution
+    - Update tracking
+    - Close ticket
+```
+### Issue Template
+```yaml
+# .github/ISSUE_TEMPLATE/security-vulnerability.yml
+name: Security Vulnerability
+description: Report a security vulnerability
+labels: ["security", "vulnerability"]
+assignees: ["security-team"]
+body:
+  - type: input
+    id: cve
+    attributes:
+      label: CVE ID
+      description: CVE identifier if available
+      placeholder: CVE-2023-12345
+  - type: dropdown
+    id: severity
+    attributes:
+      label: Severity
+      options:
+        - Critical
+        - High
+        - Medium
+        - Low
+  - type: input
+    id: package
+    attributes:
+      label: Affected Package
+      placeholder: lodash@4.17.20
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: Vulnerability details
+  - type: textarea
+    id: remediation
+    attributes:
+      label: Remediation
+      description: Proposed fix
+      placeholder: Update to lodash@4.17.21
+  - type: dropdown
+    id: exploitable
+    attributes:
+      label: Exploitability
+      options:
+        - Publicly exploited
+        - Proof of concept available
+        - Theoretical
+        - Unknown
+```
+### Automated Remediation
+```typescript
+// auto-remediate.ts
+import { Octokit } from '@octokit/rest';
+import { exec } from 'child_process';
+import { promisify } from 'util';
+const execAsync = promisify(exec);
+async function autoRemediate(vulnerability: Vulnerability) {
+  const { package, currentVersion, fixedVersion, severity } = vulnerability;
+  // Only auto-remediate patch updates
+  if (severity === 'LOW' && isPatchUpdate(currentVersion, fixedVersion)) {
+    // Create branch
+    await execAsync(`git checkout -b auto-fix/${package}-${fixedVersion}`);
+    // Update dependency
+    await execAsync(`npm install ${package}@${fixedVersion}`);
+    // Run tests
+    const { stdout: testOutput } = await execAsync('npm test');
+    if (testOutput.includes('PASS')) {
+      // Create PR
+      const octokit = new Octokit({ auth: process.env.GITHUB_TOKEN });
+      await octokit.pulls.create({
+        owner: 'myorg',
+        repo: 'myrepo',
+        title: `[AUTO] Update ${package} to ${fixedVersion}`,
+        head: `auto-fix/${package}-${fixedVersion}`,
+        base: 'main',
+        body: `Automated security patch for ${package}\n\nFixes: ${vulnerability.cve}`,
+        labels: ['security', 'automated']
+      });
+    }
+  }
+}
+```
+## Metrics and Reporting
+### KPIs
+```typescript
+// security-metrics.ts
+interface SecurityMetrics {
+  // Vulnerability metrics
+  totalVulnerabilities: number;
+  bySeverity: {
+    critical: number;
+    high: number;
+    medium: number;
+    low: number;
+  };
+  // Remediation metrics
+  meanTimeToRemediate: {
+    critical: number;  // hours
+    high: number;      // days
+    medium: number;
+    low: number;
+  };
+  // SLA compliance
+  slaCompliance: {
+    critical: number;  // percentage
+    high: number;
+    medium: number;
+    low: number;
+  };
+  // Trends
+  newVulnerabilities: number;  // this week
+  remediatedVulnerabilities: number;
+  openVulnerabilities: number;
+  // Coverage
+  scanCoverage: number;  // percentage of projects scanned
+  lastScanTime: Date;
+}
+```
+### Dashboard
+```yaml
+# Grafana dashboard config
+dashboard:
+  title: Vulnerability Management
+  panels:
+    - title: Open Vulnerabilities by Severity
+      type: graph
+      metrics:
+        - critical_vulns
+        - high_vulns
+        - medium_vulns
+        - low_vulns
+    - title: Mean Time to Remediate
+      type: stat
+      metrics:
+        - avg(remediation_time_hours) by severity
+    - title: SLA Compliance
+      type: gauge
+      metrics:
+        - sla_compliance_percentage
+    - title: Vulnerability Trend
+      type: graph
+      metrics:
+        - new_vulns_weekly
+        - remediated_vulns_weekly
+```
+## Best Practices
+### 1. Continuous Scanning
+```bash
+# Scan on every commit
+# Scan daily for new vulnerabilities
+# Scan on dependency changes
+```
+### 2. Risk-Based Prioritization
+```yaml
+priority_matrix:
+  critical_severity + internet_exposed: P0 (immediate)
+  high_severity + production: P1 (24h)
+  medium_severity + production: P2 (7d)
+  low_severity: P3 (30d)
+```
+### 3. Defense in Depth
+```
+Layer 1: Prevent (automated updates)
+Layer 2: Detect (scanning)
+Layer 3: Respond (remediation)
+Layer 4: Monitor (runtime protection)
+```
+### 4. Document Exceptions
+```yaml
+# vulnerability-exceptions.yaml
+exceptions:
+  - cve: CVE-2023-12345
+    package: old-library@1.0.0
+    reason: No fix available, mitigated by network policy
+    mitigation: Network policy blocks external access
+    approved_by: security-team
+    expires: 2024-12-31
+```
+---
+**Related Resources:**
+- [security-scanning.md](security-scanning.md) - Scanning tools and techniques
+- [supply-chain-security.md](supply-chain-security.md) - Dependency security

package/.claude/skills/devsecops/resources/zero-trust-architecture.md ADDED Viewed

@@ -0,0 +1,177 @@
+# Zero Trust Architecture
+Service-to-service authentication with mTLS, network policies, identity-based access control, and zero-trust security model implementation.
+## Table of Contents
+- [Overview](#overview)
+- [Service-to-Service Authentication](#service-to-service-authentication)
+- [Network Policies](#network-policies)
+- [Identity-Based Access](#identity-based-access)
+- [Implementation](#implementation)
+## Overview
+**Zero Trust Principles:**
+```
+1. Never trust, always verify
+2. Assume breach
+3. Verify explicitly
+4. Least privilege access
+5. Microsegmentation
+```
+## Service-to-Service Authentication
+### mTLS with Istio
+```yaml
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: default
+  namespace: production
+spec:
+  mtls:
+    mode: STRICT
+```
+### Certificate Management
+```yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: service-cert
+spec:
+  secretName: service-tls
+  issuerRef:
+    name: internal-ca
+    kind: ClusterIssuer
+  dnsNames:
+  - service.production.svc.cluster.local
+```
+## Network Policies
+**Default Deny:**
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+```
+**Allow Specific Traffic:**
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: api-allow
+spec:
+  podSelector:
+    matchLabels:
+      app: api
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app: frontend
+    ports:
+    - protocol: TCP
+      port: 8080
+```
+## Identity-Based Access
+### Workload Identity
+**GKE:**
+```yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: myapp
+  annotations:
+    iam.gke.io/gcp-service-account: myapp@project.iam.gserviceaccount.com
+```
+**EKS:**
+```yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: myapp
+  annotations:
+    eks.amazonaws.com/role-arn: arn:aws:iam::123456789:role/myapp
+```
+### SPIFFE/SPIRE
+```bash
+# Install SPIRE
+kubectl apply -f https://spiffe.io/docs/latest/try/getting-started-k8s.yaml
+# Create registration entry
+spire-server entry create \
+  -parentID spiffe://example.org/k8s-workload-registrar/node \
+  -spiffeID spiffe://example.org/myapp \
+  -selector k8s:ns:production \
+  -selector k8s:pod-label:app:myapp
+```
+## Implementation
+**Complete Zero Trust Setup:**
+```yaml
+# 1. Default deny network policy
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny
+spec:
+  podSelector: {}
+  policyTypes: [Ingress, Egress]
+---
+# 2. mTLS enforcement
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: strict-mtls
+spec:
+  mtls:
+    mode: STRICT
+---
+# 3. Authorization policy
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: require-jwt
+spec:
+  selector:
+    matchLabels:
+      app: api
+  rules:
+  - from:
+    - source:
+        requestPrincipals: ["*"]
+    when:
+    - key: request.auth.claims[iss]
+      values: ["https://auth.example.com"]
+```
+---
+**Related Resources:**
+- [container-security.md](container-security.md)
+- [policy-enforcement.md](policy-enforcement.md)