cortexhawk 3.1.0

package/skills/security/container-security/SKILL.md

@@ -0,0 +1,128 @@
+---
+name: container-security
+description: Docker and Kubernetes security — image hardening, pod security, network policies, secrets in containers, and runtime monitoring.
+detect: Dockerfile docker-compose.yml docker-compose.yaml
+requires: devops/docker
+---
+
+# Container Security
+
+## Docker Image Rules
+```
+1. Use minimal base images (distroless, Alpine, scratch)
+2. Pin base image digests, not just tags
+3. Multi-stage builds — tools in build stage, only runtime in final
+4. Run as non-root: USER 1001:1001 (numeric IDs)
+5. No secrets in Dockerfile or build args
+6. Remove package managers/shells from production images
+7. Read-only filesystem where possible
+8. Use COPY, not ADD (ADD auto-extracts, security risk)
+9. Set explicit HEALTHCHECK
+```
+
+### Dockerfile Template
+```dockerfile
+# Build stage
+FROM node:20-alpine@sha256:<pinned> AS builder
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci --only=production
+COPY . .
+RUN npm run build
+
+# Production stage
+FROM gcr.io/distroless/nodejs20-debian12
+WORKDIR /app
+COPY --from=builder /app/dist ./dist
+COPY --from=builder /app/node_modules ./node_modules
+USER 1001:1001
+EXPOSE 3000
+CMD ["dist/server.js"]
+```
+
+### Image Scanning
+```
+Tools: Trivy, Grype, Snyk Container, Docker Scout
+
+Scan: On build (CI), on push to registry, daily (new CVEs)
+Block: CRITICAL/HIGH CVEs
+Sign: cosign/Notary, verify before deploy
+```
+
+## Kubernetes Hardening
+
+### Pod Security Context
+```yaml
+securityContext:
+  runAsNonRoot: true
+  runAsUser: 1001
+  runAsGroup: 1001
+  readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop: ["ALL"]
+  seccompProfile:
+    type: RuntimeDefault
+```
+
+### Network Policies
+```yaml
+# Default: deny all, then allow explicitly
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+spec:
+  podSelector: {}
+  policyTypes: [Ingress, Egress]
+```
+
+### RBAC Rules
+- No cluster-admin for workloads
+- Service accounts per workload (not default SA)
+- Namespace-scoped Roles, not ClusterRoles
+- `automountServiceAccountToken: false` when not needed
+- Review RBAC quarterly
+
+### Admission Control
+```
+Enforce via OPA Gatekeeper / Kyverno:
+- No privileged/root containers
+- Required resource limits (CPU/memory)
+- Approved image registries only
+- No hostPath/hostNetwork
+- Required security context and labels
+```
+
+## Secrets in Containers
+```
+NEVER: env vars (docker inspect), build args (cached), baked in image
+
+APPROVED:
+- K8s Secrets (encrypted at rest) + volume mount
+- External Secrets Operator + Vault/AWS SM
+- CSI Secrets Store Driver
+- Vault Agent Sidecar Injector
+
+Pattern: Store in Vault -> ExternalSecret CR -> K8s Secret -> Pod volume mount (tmpfs)
+```
+
+## Runtime Monitoring
+```
+Tools: Falco, Sysdig, Aqua
+
+Detect: shell spawned in container, unexpected processes, writes to read-only FS,
+unexpected network connections, privilege escalation, sensitive file access
+```
+
+## Checklist
+- [ ] Base images pinned by digest
+- [ ] Images scanned in CI (block CRITICAL/HIGH)
+- [ ] Containers run as non-root with dropped capabilities
+- [ ] Read-only root filesystem
+- [ ] Network policies enforced (default deny)
+- [ ] Secrets mounted as volumes (not env vars)
+- [ ] Admission controllers enforce policies
+- [ ] Runtime monitoring active
+- [ ] Images signed and verified
+- [ ] Resource limits on all containers

package/skills/security/dependency-auditor/SKILL.md

@@ -0,0 +1,100 @@
+---
+name: dependency-auditor
+description: Audit dependencies for CVEs, supply chain threats, license issues — with CI/CD integration and automated updates.
+detect: base
+---
+
+# Dependency Auditor
+
+## Scanning Tools
+| Ecosystem | Built-in | Third-party |
+|---|---|---|
+| npm/yarn/pnpm | `npm audit` | Snyk, Socket.dev, Renovate |
+| Python (pip) | `pip-audit`, `safety` | Snyk, Dependabot |
+| Go | `govulncheck` | Snyk, Dependabot |
+| Rust | `cargo audit` | Snyk, Dependabot |
+| Java/Maven | OWASP Dep-Check | Snyk, Dependabot |
+| Ruby | `bundler-audit` | Snyk, Dependabot |
+| Multi-language | — | Trivy, Grype, Snyk |
+
+## Risk Assessment
+| Severity | Action | Timeline |
+|---|---|---|
+| Critical (CVSS ≥9) | Patch immediately | Same day |
+| High (CVSS 7-8.9) | Patch in next release | This week |
+| Medium (CVSS 4-6.9) | Schedule patch | This sprint |
+| Low (CVSS <4) | Track, patch when convenient | Next quarter |
+
+## CI/CD Integration
+```
+Pipeline: dependency-scan
+  Trigger: Every PR + daily on main
+
+  1. Install from lockfile (npm ci, not npm install)
+  2. Run ecosystem scanner (npm audit, pip-audit, etc.)
+  3. Run cross-ecosystem scanner (Trivy or Snyk)
+  4. Parse results:
+     CRITICAL → Block merge/deploy
+     HIGH     → Block merge, create ticket
+     MEDIUM   → Warn, SLA 30 days
+     LOW      → Log, review quarterly
+  5. Post results as PR comment
+```
+
+## Supply Chain Security
+```
+Threats:
+- Typosquatting (similar package names)
+- Dependency confusion (private vs public name collision)
+- Compromised maintainer accounts
+- Malicious post-install scripts
+
+Mitigations:
+1. Use scoped packages for internal (@company/pkg)
+2. Configure private registry priority (.npmrc, pip.conf)
+3. Disable post-install scripts for untrusted packages
+4. Pin by hash when possible (pip: --require-hashes)
+5. Review new deps before adding (maintainers, downloads, last update)
+6. Minimize dependency count — fewer deps = smaller surface
+```
+
+## Lockfile Rules
+- ALWAYS commit lockfiles (package-lock.json, poetry.lock, Cargo.lock, go.sum)
+- Use lockfile-only in CI (`npm ci`, not `npm install`)
+- Review lockfile changes in PRs for unexpected additions
+- Pin exact versions in production
+
+## Automated Updates
+```
+Dependabot/Renovate:
+- Auto-create PRs for security patches
+- Group minor updates weekly
+- Require CI pass before auto-merge
+- Never auto-merge major versions
+- Label PRs by severity
+```
+
+## License Compatibility
+| License | Commercial | Copyleft risk |
+|---|---|---|
+| MIT, BSD, Apache 2.0 | Safe | None |
+| LGPL | With conditions | Dynamic linking OK |
+| GPL | Restricted | Viral — code becomes GPL |
+| AGPL | Restricted | Viral even for SaaS |
+| SSPL, BSL | Check terms | Often restrictive |
+
+## Output
+```markdown
+## Dependency Audit — [date]
+### Critical/High CVEs
+| Package | Version | CVE | Severity | Fix |
+|---|---|---|---|---|
+
+### Outdated (major version behind)
+| Package | Current | Latest | Risk |
+|---|---|---|---|
+
+### License Flags
+| Package | License | Risk |
+|---|---|---|
+```

package/skills/security/encryption/SKILL.md

@@ -0,0 +1,94 @@
+---
+name: encryption
+description: Encryption best practices — algorithms, data at rest/in transit, key management, key rotation, and TLS configuration.
+---
+
+# Encryption
+
+## Approved Algorithms
+| Purpose | Algorithm | Key Size |
+|---|---|---|
+| Symmetric encryption | AES-256-GCM | 256-bit |
+| Symmetric (mobile/embedded) | ChaCha20-Poly1305 | 256-bit |
+| Asymmetric encryption | RSA-OAEP | 4096-bit |
+| Key agreement | ECDH (P-256/P-384) | 256/384-bit |
+| Digital signatures | Ed25519 | 256-bit |
+| Hashing | SHA-256 / SHA-384 | — |
+| Password hashing | Argon2id | — |
+| Password hashing (fallback) | bcrypt (cost >= 12) | — |
+| Key derivation | HKDF-SHA256 | — |
+
+## Banned Algorithms
+- MD5, SHA-1 (broken)
+- DES, 3DES, RC4, Blowfish (weak)
+- AES-ECB (pattern leakage)
+- RSA with PKCS#1 v1.5 (padding oracle)
+- Any custom/homegrown crypto
+
+## Data at Rest — Envelope Encryption
+```
+1. Generate DEK (Data Encryption Key) per record/file — AES-256-GCM
+2. Encrypt data with DEK
+3. Encrypt DEK with KEK (Key Encryption Key) from KMS
+4. Store encrypted DEK alongside encrypted data
+5. Store KEK only in KMS (AWS KMS, GCP CMEK, Vault Transit)
+6. Never store plaintext DEK on disk
+```
+
+### What to Encrypt
+```
+Encrypt: PII, financial data, health records, auth credentials
+Don't encrypt: Primary/foreign keys (breaks joins), WHERE clause fields
+Use deterministic encryption or blind indexes for searchable encrypted fields
+```
+
+## Data in Transit — TLS
+```
+Minimum: TLS 1.2 (prefer TLS 1.3)
+Cipher suites (TLS 1.3):
+  - TLS_AES_256_GCM_SHA384
+  - TLS_CHACHA20_POLY1305_SHA256
+  - TLS_AES_128_GCM_SHA256
+
+Disable: TLS 1.0/1.1, SSL 2.0/3.0, weak ciphers (RC4, DES, NULL, EXPORT)
+
+Certificate management:
+  - Automated renewal (Let's Encrypt + certbot, or cloud-native)
+  - Pin certs in mobile apps (with backup pins)
+  - Monitor expiry (alert 30 days before)
+  - Private keys: chmod 600, never in git
+```
+
+## Key Lifecycle
+```
+Generation -> Storage -> Distribution -> Usage -> Rotation -> Revocation -> Destruction
+
+1. Generation: CSPRNG only. Never from predictable sources.
+2. Storage: HSM or KMS only. Never on app servers.
+3. Distribution: Encrypted channels only.
+4. Usage: Access via API. Log all usage.
+5. Rotation: Automated per schedule.
+6. Revocation: Immediate on compromise.
+7. Destruction: Cryptographic erasure. Verify.
+```
+
+## Rotation Schedule
+| Key Type | Period | Method |
+|---|---|---|
+| KEK (master) | 365 days | Re-encrypt DEKs with new KEK |
+| DEK (data) | 90 days | Re-encrypt data |
+| TLS certificates | 90 days | Auto-renew (Let's Encrypt) |
+| API signing keys | 90 days | Publish new, deprecate old |
+| SSH keys | 180 days | Distribute new, revoke old |
+
+## Checklist
+- [ ] All sensitive data encrypted at rest (AES-256-GCM)
+- [ ] All data in transit uses TLS 1.2+
+- [ ] No banned algorithms in use
+- [ ] Keys managed via KMS/HSM (not filesystem)
+- [ ] Key rotation automated
+- [ ] Envelope encryption for data at rest
+- [ ] Password hashing uses Argon2id or bcrypt (cost >= 12)
+- [ ] No hardcoded encryption keys
+- [ ] IVs/nonces unique per operation (never reused)
+- [ ] Authenticated encryption used (GCM/Poly1305)

package/skills/security/incident-response/SKILL.md

@@ -0,0 +1,127 @@
+---
+name: incident-response
+description: Incident response planning — 6-phase IR process, severity classification, containment, backup strategy, and runbooks.
+---
+
+# Incident Response
+
+## Response Phases
+```
+1. PREPARATION    — Before any incident
+2. DETECTION      — Identify and classify
+3. CONTAINMENT    — Limit damage
+4. ERADICATION    — Remove the threat
+5. RECOVERY       — Restore operations
+6. LESSONS LEARNED — Improve defenses
+```
+
+## Severity Classification
+| Level | Examples | Response | SLA |
+|---|---|---|---|
+| SEV-1 (Critical) | Active breach, ransomware, prod creds compromised | Immediate, all-hands | Contain in 1h |
+| SEV-2 (High) | Unauthorized access, critical vuln exploited | 30 min, core team | Contain in 4h |
+| SEV-3 (Medium) | Suspicious activity, non-critical system compromised | 2h, assigned team | Contain in 24h |
+| SEV-4 (Low) | Policy violation, blocked phishing | Next business day | Resolve in 1 week |
+
+## Preparation
+- [ ] IR team defined (roles, contacts, escalation path)
+- [ ] Communication templates ready (internal, customer, regulatory)
+- [ ] Runbooks for common scenarios
+- [ ] Access to forensic tools
+- [ ] Tabletop exercises quarterly
+- [ ] Regulatory notification requirements documented (GDPR: 72h)
+
+## Containment (First 30 Minutes)
+```
+1. Activate IR team, open incident channel
+2. Begin timestamped incident log
+3. Assess scope: systems, data, users affected
+4. Contain the threat:
+   - Isolate affected systems
+   - Revoke compromised credentials (ALL)
+   - Block malicious IPs/domains
+   - Preserve evidence BEFORE changes (snapshots, log exports)
+
+Decision tree:
+  Credential compromise -> Rotate ALL secrets, revoke sessions
+  Malware/ransomware    -> Isolate, DO NOT pay, engage forensics
+  Data breach           -> Identify scope, preserve logs, notify legal
+  DDoS                  -> Enable protection, scale, block patterns
+  Insider threat        -> Revoke access, preserve audit trail, HR/legal
+```
+
+## Eradication & Recovery
+```
+Eradication:
+1. Identify root cause
+2. Remove attacker access (patch vuln, remove backdoors, rotate creds)
+3. Verify clean state (scan for IOCs, review logs)
+
+Recovery:
+1. Restore from verified clean backups
+2. Deploy patches BEFORE reconnecting
+3. Monitor intensely 24-72 hours
+4. Staged restore (not all at once)
+5. Verify data integrity
+```
+
+## Backup Strategy (3-2-1 Rule)
+```
+3 copies, 2 different media, 1 offsite
++ 1 immutable copy (WORM storage)
+```
+
+| Type | Frequency | Retention |
+|---|---|---|
+| Full backup | Weekly | 90 days |
+| Incremental | Daily | 30 days |
+| Transaction logs | Continuous | 7 days |
+| Snapshots | Every 4h | 7 days |
+| Config backups | On change | 1 year |
+
+### RTO/RPO Targets
+```
+Tier 1 (critical): RTO 1h, RPO 0 (zero data loss)
+Tier 2 (important): RTO 4h, RPO 1h
+Tier 3 (standard):  RTO 24h, RPO 24h
+```
+
+## Runbooks
+
+### Credential Leak
+```
+1. Identify scope (which credentials, where exposed)
+2. Revoke/rotate immediately
+3. Search logs for unauthorized usage
+4. If used: escalate to full incident
+5. Scan git history for additional leaks
+6. Add pre-commit hooks to prevent recurrence
+```
+
+### Ransomware
+```
+1. Isolate affected systems (disconnect network)
+2. DO NOT pay ransom
+3. Preserve evidence (disk images)
+4. Identify variant (nomoreransom.org)
+5. Restore from clean backups
+6. Rebuild affected systems from scratch
+7. Patch entry vector before reconnecting
+```
+
+## Lessons Learned (Within 5 Business Days)
+1. Timeline reconstruction
+2. Root cause analysis (5 Whys)
+3. What worked / what to improve
+4. Action items with owners and deadlines
+5. Share sanitized findings with team
+
+## Checklist
+- [ ] IR plan documented and accessible
+- [ ] Team roles and escalation defined
+- [ ] Runbooks ready for common scenarios
+- [ ] 3-2-1 backup strategy implemented
+- [ ] Backups encrypted and immutable
+- [ ] Restoration tested monthly
+- [ ] RTO/RPO defined per service tier
+- [ ] Post-incident review process established

package/skills/security/secrets/SKILL.md

@@ -0,0 +1,93 @@
+---
+name: secrets
+description: Secret management — secure storage, rotation, detection, and emergency response for API keys, passwords, certificates, and tokens.
+detect: base
+---
+
+# Secret Management
+
+## Core Rules
+1. **Never hardcode secrets** — not in code, configs, comments, or git history
+2. **Never log secrets** — sanitize all log outputs
+3. **Never transmit in URLs** — use headers or request body
+4. **Encrypt at rest** — all secret storage must be encrypted
+5. **Audit all access** — every secret read/write must be logged
+6. **Rotate regularly** — automated rotation on schedule + on compromise
+
+## Storage Hierarchy
+| Priority | Solution | Use Case |
+|---|---|---|
+| 1 | Secret Manager (Vault, AWS SM, GCP SM, Azure KV) | Production |
+| 2 | CI/CD platform secrets (GitHub Actions, GitLab CI) | Pipelines |
+| 3 | Encrypted `.env` with key from secret manager | Local dev |
+| 4 | OS keychain (macOS Keychain, Linux Secret Service) | Dev machines |
+| Never | Plain `.env`, config files, code, git history | — |
+
+## Vault Pattern
+```
+1. Enable AppRole or Kubernetes auth backend
+2. Create policy with least-privilege paths
+3. Issue short-lived tokens (max TTL 1h)
+4. Enable audit logging
+5. Authenticate on startup, fetch secrets into memory (never disk)
+6. Set up lease renewal for dynamic secrets
+7. Watch for rotation events, re-fetch on signal
+```
+
+## AWS Secrets Manager Pattern
+```
+1. Create secret with automatic rotation enabled
+2. Use IAM roles (not access keys) for access
+3. Configure rotation lambda (30-90 day cycle)
+4. Use resource policies for cross-account access
+5. Enable CloudTrail for all GetSecretValue calls
+6. Cache secrets client-side with TTL
+```
+
+## Environment Variables
+- [ ] `.env` in `.gitignore` (verify with pre-commit hook)
+- [ ] `.env.example` contains key names only, never values
+- [ ] Production secrets never as plain env vars on disk
+- [ ] Container secrets mounted as tmpfs, not env vars
+- [ ] CI/CD secrets marked as masked/protected
+- [ ] No secrets in `docker inspect`, `ps aux`, or `/proc/*/environ`
+
+## Pre-commit Secret Detection
+```
+Tools: git-secrets, truffleHog, detect-secrets, gitleaks
+
+Hook should:
+1. Scan staged files for high-entropy strings
+2. Check against known patterns (AWS keys, private keys, tokens)
+3. Block commit if secret detected
+4. Allow .allowlist for false positives (review quarterly)
+```
+
+## Rotation Schedule
+| Secret Type | Period | Method |
+|---|---|---|
+| Database passwords | 90 days | Automated via secret manager |
+| API keys | 90 days | Generate new, deprecate old |
+| TLS certificates | Auto-renew 30d before expiry | Let's Encrypt / cloud-native |
+| SSH keys | 180 days | Distribute new, revoke old |
+| Service account tokens | 30 days | Automated rotation |
+
+## Emergency Response
+```
+If a secret is compromised:
+1. Immediately revoke/rotate the compromised secret
+2. Issue new secret via secret manager
+3. Deploy updated secret to all consumers
+4. Audit access logs for unauthorized usage
+5. If in git history: rewrite history + rotate ALL secrets in the repo
+6. Document incident
+```
+
+## Checklist
+- [ ] No hardcoded secrets in codebase
+- [ ] All secrets stored in dedicated secret manager
+- [ ] Pre-commit hooks scan for secrets
+- [ ] Rotation automated for all secret types
+- [ ] Access to secrets audited and logged
+- [ ] Emergency rotation procedure documented
+- [ ] .env files excluded from version control

package/skills/security/security-headers/SKILL.md

@@ -0,0 +1,83 @@
+---
+name: security-headers
+description: HTTP security headers, CSP, CORS, CSRF protection — configuration and validation for web applications.
+detect: package.json:express package.json:fastify requirements.txt:fastapi pyproject.toml:fastapi
+---
+
+# Security Headers
+
+## Required Headers
+| Header | Value | Purpose |
+|---|---|---|
+| `Strict-Transport-Security` | `max-age=31536000; includeSubDomains; preload` | Force HTTPS |
+| `Content-Security-Policy` | App-specific (see below) | Prevent XSS, injection |
+| `X-Content-Type-Options` | `nosniff` | Prevent MIME sniffing |
+| `X-Frame-Options` | `DENY` or `SAMEORIGIN` | Prevent clickjacking |
+| `Referrer-Policy` | `strict-origin-when-cross-origin` | Control referrer leakage |
+| `Permissions-Policy` | `camera=(), microphone=(), geolocation=()` | Restrict browser APIs |
+| `Cross-Origin-Opener-Policy` | `same-origin` | Isolate browsing context |
+| `Cross-Origin-Resource-Policy` | `same-origin` | Prevent cross-origin reads |
+
+Remove: `X-Powered-By`, `Server` (or set generic value)
+
+## CSP Template
+```
+default-src 'self';
+script-src 'self' 'nonce-{random}';
+style-src 'self' 'unsafe-inline';
+img-src 'self' data: https:;
+font-src 'self';
+connect-src 'self' https://api.yourdomain.com;
+frame-ancestors 'none';
+base-uri 'self';
+form-action 'self';
+```
+
+## CORS Checklist
+- Never `Access-Control-Allow-Origin: *` with credentials
+- Whitelist specific origins — never reflect Origin blindly
+- Limit `Allow-Methods` to what's needed
+- Set `Access-Control-Max-Age: 86400` to cache preflight
+
+## CSRF Protection
+| App Type | Method |
+|---|---|
+| Server-rendered (MPA) | Synchronizer token (hidden form field) |
+| SPA + API | SameSite cookies + custom header |
+| API-only | Require custom header (`X-Requested-With`) |
+
+### CSRF Rules
+1. `SameSite=Strict` on all auth cookies (Lax minimum)
+2. Forms: CSRF token per session, validate server-side
+3. SPAs: Double Submit Cookie or custom header
+4. Reject requests without valid CSRF token
+5. Never rely on Referer/Origin alone
+6. Regenerate CSRF token on login
+
+## Framework Examples
+
+### Express.js
+```javascript
+const helmet = require('helmet');
+app.use(helmet());
+app.use(helmet.contentSecurityPolicy({
+  directives: { defaultSrc: ["'self'"], scriptSrc: ["'self'"] }
+}));
+```
+
+### FastAPI
+```python
+@app.middleware("http")
+async def security_headers(request, call_next):
+    response = await call_next(request)
+    response.headers["X-Content-Type-Options"] = "nosniff"
+    response.headers["X-Frame-Options"] = "DENY"
+    response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
+    response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
+    response.headers["Permissions-Policy"] = "camera=(), microphone=(), geolocation=()"
+    return response
+```
+
+## Validation
+Test: `curl -I https://yourdomain.com`
+Online: securityheaders.com, observatory.mozilla.org