npm - ma-agents - Versions diffs - 2.8.0 → 2.9.0 - Mend

ma-agents 2.8.0 → 2.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/README.md CHANGED Viewed

@@ -86,6 +86,8 @@ skills/code-review/
 | `vercel-react-best-practices` | Web | 57 Performance rules for React and Next.js |
 | `git-workflow-skill` | Git | Worktree-based feature branch workflow |
 | `self-signed-cert` | Security | Automated Root CA and self-signed certificate generation |
+| `docker-image-signing` | Security | Automated cryptographic signing for Docker images |
+| `docker-hardening-verification` | Security | Audits images for least-privilege and OpenShift compatibility |
 ## Automated Skill Discovery

package/lib/bmad-customizations/cyber.customize.yaml CHANGED Viewed

@@ -25,6 +25,10 @@ menu_items:
     command: "/bmad-bmm-run-workflow {project-root}/_bmad/bmm/workflows/cyber/vault-secrets.md"
   - title: "Generate Secure Certificates"
     command: "/bmad-bmm-run-workflow {project-root}/_bmad/bmm/workflows/cyber/generate-certs.md"
+  - title: "Verify Image Signature"
+    command: "/bmad-bmm-run-workflow {project-root}/_bmad/bmm/workflows/cyber/verify-image-signature.md"
+  - title: "Verify Docker User Hardening"
+    command: "/bmad-bmm-run-workflow {project-root}/_bmad/bmm/workflows/cyber/verify-docker-users.md"
 memories:
   - "OWASP Top 10 2025 security patterns."

package/lib/bmad-customizations/cyber.md CHANGED Viewed

@@ -48,6 +48,8 @@ You must fully embody this agent's persona and follow all activation instruction
     <item cmd="VM" workflow="{project-root}/_bmad/bmm/workflows/cyber/vault-secrets.md">[VM] Manage Vault Secrets</item>
     <item cmd="GC" workflow="{project-root}/_bmad/bmm/workflows/cyber/generate-certs.md">[GC] Generate Secure Certificates</item>
     <item cmd="SA" workflow="{project-root}/_bmad/bmm/workflows/cyber/security-audit.md">[SA] Run Comprehensive Security Audit</item>
+    <item cmd="VI" workflow="{project-root}/_bmad/bmm/workflows/cyber/verify-image-signature.md">[VI] Verify Image Signature</item>
+    <item cmd="VU" workflow="{project-root}/_bmad/bmm/workflows/cyber/verify-docker-users.md">[VU] Verify Docker User Hardening</item>
     <item cmd="DA">[DA] Dismiss Agent</item>
 </menu>
 </agent>

package/lib/bmad-customizations/devops.customize.yaml CHANGED Viewed

@@ -23,6 +23,8 @@ menu_items:
     command: "/bmad-bmm-run-workflow {project-root}/_bmad/bmm/workflows/devops/docker-compose-setup.md"
   - title: "Deploy to Disconnected Environment"
     command: "/bmad-bmm-run-workflow {project-root}/_bmad/bmm/workflows/devops/disconnected-deployment.md"
+  - title: "Sign Docker Image"
+    command: "/bmad-bmm-run-workflow {project-root}/_bmad/bmm/workflows/devops/sign-docker-image.md"
 memories:
   - "Helm dependency vendorization patterns."

package/lib/bmad-customizations/devops.md CHANGED Viewed

@@ -47,6 +47,7 @@ You must fully embody this agent's persona and follow all activation instruction
     <item cmd="CI" workflow="{project-root}/_bmad/bmm/workflows/devops/configure-infrastructure.md">[CI] Configure Infrastructure (PV/PVC/LB)</item>
     <item cmd="DC" workflow="{project-root}/_bmad/bmm/workflows/devops/docker-compose-setup.md">[DC] Setup Docker Compose</item>
     <item cmd="DD" workflow="{project-root}/_bmad/bmm/workflows/devops/disconnected-deployment.md">[DD] Disconnected Deployment Strategy</item>
+    <item cmd="SI" workflow="{project-root}/_bmad/bmm/workflows/devops/sign-docker-image.md">[SI] Sign Docker Image</item>
     <item cmd="DA">[DA] Dismiss Agent</item>
 </menu>
 </agent>

package/lib/bmad-workflows/cyber/generate-certs.md CHANGED Viewed

@@ -7,9 +7,12 @@ Automated workflow for generating self-signed certificates using the `self-signe
 1.  **Load Skill**: Activate the `self-signed-cert` skill instructions.
 2.  **Requirement Analysis**: Determine common name (CN) and Subject Alternative Names (SANs).
 3.  **Execution**:
-    - Use the `generate-cert.sh` script from the skill's scripts directory.
-    - Choice A: `bash scripts/generate-cert.sh root my-internal-ca`
-    - Choice B: `bash scripts/generate-cert.sh cert my-service localhost`
+    - **Linux/macOS**:
+        - `bash scripts/generate-cert.sh root my-internal-ca`
+        - `bash scripts/generate-cert.sh cert my-service localhost`
+    - **Windows**:
+        - `.\scripts\generate-cert.ps1 -Type root -Name my-internal-ca`
+        - `.\scripts\generate-cert.ps1 -Type cert -Name my-service -Dns localhost`
 4.  **Packaging**: Provide instructions for importing the cert into trust stores (OS, Browsers) or mounting in Kubernetes secrets.
 5.  **Security**: Ensure private keys are stored with restricted permissions (600).
 6.  **Rotation**: Offer a schedule for certificate renewal.

package/lib/bmad-workflows/cyber/verify-docker-users.md ADDED Viewed

@@ -0,0 +1,14 @@
+# verify-docker-users.md
+# Docker User & Hardening Verification Workflow
+This workflow guides the Cyber agent through auditing Docker images for proper user management and least privilege.
+## Instructions
+1.  **Inspect Metadata**:
+    - Use the `docker-hardening-verification` skill.
+    - Run: `bash skills/docker-hardening-verification/scripts/verify-hardening.sh {image_name}`.
+2.  **Audit Result Analysis**:
+    - **UID Check**: Confirm the defined user is non-zero.
+    - **Permissive Files**: Scan for world-writable files in common paths (/tmp, /etc, /var).
+3.  **Governance Check**: Ensure the image follows OpenShift/hardened cluster requirements (no root, arbitrary UID support).
+4.  **Reporting**: provide a high-level summary of hardening quality and mandatory fixes.

package/lib/bmad-workflows/cyber/verify-image-signature.md ADDED Viewed

@@ -0,0 +1,13 @@
+# verify-image-signature.md
+# Docker Image Signature Verification Workflow
+This workflow guides the Cyber agent through verifying that a Docker image has been properly signed.
+## Instructions
+1.  **Identify Image**: Get the image name and digest.
+2.  **Locate Public Key**: Obtain the public key or certificate used for signing.
+3.  **Execute Verification**:
+    - Use `cosign verify --key {public_key} {image_digest}`.
+    - Check the output for valid signatures.
+4.  **Policy Compliance**: Verify if the signing entity (certificate CN) matches the expected trusted authorities.
+5.  **Report**: Alert the user if the image is unsigned or the signature is invalid.

package/lib/bmad-workflows/devops/sign-docker-image.md ADDED Viewed

@@ -0,0 +1,15 @@
+# sign-docker-image.md
+# Docker Image Signing Workflow
+This workflow guides the DevOps agent through the process of cryptographically signing a Docker image.
+## Instructions
+1.  **Select Image**: Identify the image to sign.
+2.  **Get Digest**: Retrieve the immutable digest: `docker inspect --format='{{index .RepoDigests 0}}' {image_name}`.
+3.  **Prepare Certificate**: Locate the certificate file provided by the user.
+4.  **Execute Signing**:
+    - Use the `docker-image-signing` skill.
+    - Path: `skills/docker-image-signing/scripts/sign-image.sh`
+    - Run: `bash skills/docker-image-signing/scripts/sign-image.sh {image_digest} {cert_file} {key_file}`
+5.  **Verify**: Confirm the signature using `cosign verify`.
+6.  **Report**: provide the signed image reference to the user.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "ma-agents",
-  "version": "2.8.0",
+  "version": "2.9.0",
   "description": "NPX tool to install skills for AI coding agents (Claude Code, Gemini, Copilot, Kilocode, Cline, Cursor)",
   "main": "index.js",
   "bin": {

package/skills/docker-hardening-verification/SKILL.md ADDED Viewed

@@ -0,0 +1,24 @@
+# Docker Hardening Verification
+## Purpose
+Audit Docker images to ensure they follow security best practices, specifically focusing on non-root execution and least privilege principles required for hardened clusters like OpenShift.
+## Instructions
+1.  **Inspect Image**: Use `docker inspect` or `podman inspect` to check metadata.
+2.  **Verify User**:
+    - Ensure `USER` is defined and is NOT `root` or `0`.
+    - Recommended: Use a high-numbered UID (e.g., `1001`).
+3.  **Check Permissions**:
+    - Ensure sensitive directories are not world-writable.
+    - Check for `setuid`/`setgid` bits on binaries.
+4.  **OpenShift Compliance**:
+    - Verify that the image doesn't require specific UIDs if it's meant to run with an arbitrary assigned UID (OpenShift's default).
+    - Check if the `/etc/passwd` entry handles arbitrary UIDs (e.g., by using `nss_wrapper` or similar).
+## Rules
+- Fail the audit if `USER root` is detected.
+- Flag a warning if many unnecessary packages/tools are present.
+- Ensure only necessary ports are exposed.
+## Usage
+Run `scripts/verify-hardening.sh <image_name>`

package/skills/docker-hardening-verification/scripts/verify-hardening.sh ADDED Viewed

@@ -0,0 +1,39 @@
+#!/bin/bash
+# verify-hardening.sh - Part of ma-agents docker-hardening-verification skill
+IMAGE=$1
+if [ -z "$IMAGE" ]; then
+    echo "Usage: $0 <image_name>"
+    exit 1
+fi
+echo "Auditing image: $IMAGE"
+# 1. Check User
+USER_VAL=$(docker inspect --format='{{.Config.User}}' "$IMAGE")
+if [ -z "$USER_VAL" ] || [ "$USER_VAL" == "root" ] || [ "$USER_VAL" == "0" ]; then
+    echo "[FAIL] Image runs as root! Definining a non-root USER is mandatory for hardened clusters."
+else
+    echo "[PASS] Image runs as user: $USER_VAL"
+fi
+# 2. Check for sensitive capabilities (simplified check)
+CAPS=$(docker inspect --format='{{.Config.CapAdd}}' "$IMAGE")
+if [ "$CAPS" != "<nil>" ] && [ -n "$CAPS" ]; then
+    echo "[WARNING] Image has explicitly added capabilities: $CAPS"
+fi
+# 3. Check for exposed ports
+PORTS=$(docker inspect --format='{{range $p, $conf := .Config.ExposedPorts}}{{$p}} {{end}}' "$IMAGE")
+echo "[INFO] Exposed ports: ${PORTS:-none}"
+# 4. OpenShift specific check (arbitrary UID support)
+# This is a heuristic check looking for common entrypoint patterns
+ENTRYPOINT=$(docker inspect --format='{{.Config.Entrypoint}}' "$IMAGE")
+if [[ "$ENTRYPOINT" == *"bash"* ]]; then
+    echo "[INFO] Entrypoint uses bash, manual check for UID mapping recommended."
+fi
+echo "Summary: Audit complete for $IMAGE"

package/skills/docker-hardening-verification/skill.json ADDED Viewed

@@ -0,0 +1,13 @@
+{
+    "name": "Docker Hardening Verification",
+    "description": "Audits Docker images for security best practices, least privilege, and OpenShift compliance.",
+    "version": "1.0.0",
+    "author": "ma-agents",
+    "tags": [
+        "docker",
+        "security",
+        "hardening",
+        "openshift",
+        "least-privilege"
+    ]
+}

package/skills/docker-image-signing/SKILL.md ADDED Viewed

@@ -0,0 +1,24 @@
+# Docker Image Signing
+## Purpose
+Ensure the integrity and authenticity of Docker images by signing them with a cryptographic key/certificate. This prevents unauthorized image substitution and ensures only trusted images are deployed.
+## Instructions
+1.  **Tool Selection**: Use `cosign` (recommended) or `notary`.
+2.  **Environment Check**: Verify that the signing tool and Docker/Podman are installed.
+3.  **Signing Process**:
+    - Load the provided certificate/key.
+    - Run the signing command against the target image (using its SHA256 digest for immutability).
+4.  **Verification**: Always run a verification check immediately after signing.
+## Rules
+- NEVER sign images by tag alone; use the immutable digest (e.g., `image@sha256:...`).
+- Private keys must be handled as secrets and never stored in the clear.
+- Ensure the certificate provided is valid and not expired.
+## Usage
+Run the provided script in `scripts/sign-image.sh` with:
+- `IMAGE`: The image reference with digest.
+- `CERT`: Path to the certificate file.
+- `KEY`: Path to the private key file.
+- `PASSPHRASE`: (Optional) Key passphrase.

package/skills/docker-image-signing/scripts/sign-image.sh ADDED Viewed

@@ -0,0 +1,33 @@
+#!/bin/bash
+# sign-image.sh - Part of ma-agents docker-image-signing skill
+IMAGE=$1
+CERT=$2
+KEY=$3
+PASSPHRASE=$4
+if [ -z "$IMAGE" ] || [ -z "$CERT" ] || [ -z "$KEY" ]; then
+    echo "Usage: $0 <image_digest> <cert_file> <key_file> [passphrase]"
+    exit 1
+fi
+echo "Signing image: $IMAGE"
+# Check for cosign
+if command -v cosign &> /dev/null; then
+    echo "Using Cosign for signing..."
+    if [ -n "$PASSPHRASE" ]; then
+        export COSIGN_PASSWORD=$PASSPHRASE
+    fi
+    cosign sign --key "$KEY" --cert "$CERT" "$IMAGE"
+else
+    echo "Error: cosign not found. Please install cosign to use this skill."
+    exit 1
+fi
+if [ $? -eq 0 ]; then
+    echo "Successfully signed $IMAGE"
+else
+    echo "Failed to sign $IMAGE"
+    exit 1
+fi

package/skills/docker-image-signing/skill.json ADDED Viewed

@@ -0,0 +1,13 @@
+{
+    "name": "Docker Image Signing",
+    "description": "Automates the signing of Docker images using certificates and Cosign/Notary.",
+    "version": "1.0.0",
+    "author": "ma-agents",
+    "tags": [
+        "docker",
+        "security",
+        "signing",
+        "cosign",
+        "notary"
+    ]
+}