security-mcp 1.1.3 → 1.3.1

Files changed (133)
  1. package/README.md +164 -185
  2. package/defaults/checklists/ai.json +20 -1
  3. package/defaults/checklists/api.json +35 -1
  4. package/defaults/checklists/infra.json +34 -1
  5. package/defaults/checklists/mobile.json +23 -1
  6. package/defaults/checklists/payments.json +15 -1
  7. package/defaults/checklists/web.json +11 -1
  8. package/defaults/control-catalog.json +200 -0
  9. package/defaults/security-policy.json +2 -2
  10. package/dist/cli/index.js +82 -5
  11. package/dist/cli/install.js +36 -6
  12. package/dist/cli/onboarding.js +6 -0
  13. package/dist/gate/baseline.js +82 -7
  14. package/dist/gate/catalog.js +10 -2
  15. package/dist/gate/checks/ai.js +757 -39
  16. package/dist/gate/checks/auth-deep.js +935 -0
  17. package/dist/gate/checks/business-logic.js +751 -0
  18. package/dist/gate/checks/ci-pipeline.js +399 -4
  19. package/dist/gate/checks/crypto.js +423 -2
  20. package/dist/gate/checks/dependencies.js +571 -15
  21. package/dist/gate/checks/graphql.js +201 -19
  22. package/dist/gate/checks/infra.js +246 -1
  23. package/dist/gate/checks/injection-deep.js +848 -0
  24. package/dist/gate/checks/k8s.js +114 -1
  25. package/dist/gate/checks/mobile-android.js +917 -3
  26. package/dist/gate/checks/mobile-ios.js +797 -5
  27. package/dist/gate/checks/required-artifacts.js +194 -0
  28. package/dist/gate/checks/runtime.js +178 -0
  29. package/dist/gate/checks/secrets.js +244 -13
  30. package/dist/gate/checks/supply-chain-deep.js +787 -0
  31. package/dist/gate/checks/web-nextjs.js +572 -48
  32. package/dist/gate/diff.js +17 -5
  33. package/dist/gate/evidence.js +8 -1
  34. package/dist/gate/exceptions.js +131 -9
  35. package/dist/gate/policy.js +282 -129
  36. package/dist/mcp/audit-chain.js +122 -28
  37. package/dist/mcp/auth.js +169 -0
  38. package/dist/mcp/learning.js +129 -4
  39. package/dist/mcp/model-router.js +158 -21
  40. package/dist/mcp/orchestration.js +186 -51
  41. package/dist/mcp/server.js +608 -94
  42. package/dist/repo/fs.js +24 -1
  43. package/dist/repo/search.js +31 -6
  44. package/dist/review/store.js +52 -1
  45. package/package.json +7 -7
  46. package/prompts/SECURITY_PROMPT.md +73 -0
  47. package/skills/_TEMPLATE/SKILL.md +99 -0
  48. package/skills/advanced-dos-tester/SKILL.md +109 -0
  49. package/skills/agentic-loop-exploiter/SKILL.md +368 -0
  50. package/skills/ai-llm-redteam/SKILL.md +104 -0
  51. package/skills/ai-model-supply-chain-agent/SKILL.md +103 -0
  52. package/skills/algorithm-implementation-reviewer/SKILL.md +98 -0
  53. package/skills/android-penetration-tester/SKILL.md +455 -46
  54. package/skills/anti-replay-tester/SKILL.md +106 -0
  55. package/skills/appsec-code-auditor/SKILL.md +120 -0
  56. package/skills/artifact-integrity-analyst/SKILL.md +441 -0
  57. package/skills/attack-navigator/SKILL.md +467 -8
  58. package/skills/auth-session-hacker/SKILL.md +128 -0
  59. package/skills/aws-penetration-tester/SKILL.md +456 -0
  60. package/skills/azure-penetration-tester/SKILL.md +490 -3
  61. package/skills/binary-auth-validator/SKILL.md +111 -0
  62. package/skills/bot-detection-specialist/SKILL.md +109 -0
  63. package/skills/business-logic-attacker/SKILL.md +231 -0
  64. package/skills/capec-code-mapper/SKILL.md +84 -0
  65. package/skills/cert-pin-rotation-specialist/SKILL.md +112 -0
  66. package/skills/cicd-pipeline-hijacker/SKILL.md +405 -0
  67. package/skills/ciso-orchestrator/SKILL.md +454 -43
  68. package/skills/cloud-infra-specialist/SKILL.md +118 -0
  69. package/skills/compliance-gap-analyst/SKILL.md +422 -0
  70. package/skills/compliance-grc/SKILL.md +85 -0
  71. package/skills/compliance-lifecycle-tracker/SKILL.md +84 -0
  72. package/skills/credential-stuffing-specialist/SKILL.md +102 -0
  73. package/skills/crypto-pki-specialist/SKILL.md +87 -0
  74. package/skills/csa-ccm-mapper/SKILL.md +84 -0
  75. package/skills/csf2-governance-mapper/SKILL.md +84 -0
  76. package/skills/deep-link-fuzzer/SKILL.md +109 -0
  77. package/skills/dependency-confusion-attacker/SKILL.md +415 -0
  78. package/skills/device-integrity-aggregator/SKILL.md +108 -0
  79. package/skills/dos-resilience-tester/SKILL.md +97 -0
  80. package/skills/dread-scorer/SKILL.md +84 -0
  81. package/skills/egress-policy-enforcer/SKILL.md +99 -0
  82. package/skills/evidence-collector/SKILL.md +98 -0
  83. package/skills/file-upload-attacker/SKILL.md +109 -0
  84. package/skills/gcp-penetration-tester/SKILL.md +459 -2
  85. package/skills/git-history-secret-scanner/SKILL.md +106 -0
  86. package/skills/iam-privesc-graph-builder/SKILL.md +152 -0
  87. package/skills/incident-responder/SKILL.md +111 -0
  88. package/skills/injection-specialist/SKILL.md +131 -0
  89. package/skills/ios-security-auditor/SKILL.md +282 -0
  90. package/skills/json-ambiguity-tester/SKILL.md +0 -0
  91. package/skills/k8s-container-escaper/SKILL.md +384 -0
  92. package/skills/key-management-lifecycle-analyst/SKILL.md +98 -0
  93. package/skills/kill-switch-engineer/SKILL.md +102 -0
  94. package/skills/linddun-privacy-analyst/SKILL.md +102 -0
  95. package/skills/logic-race-fuzzer/SKILL.md +443 -0
  96. package/skills/mobile-api-network-attacker/SKILL.md +421 -0
  97. package/skills/mobile-binary-hardener/SKILL.md +102 -0
  98. package/skills/mobile-security-specialist/SKILL.md +85 -0
  99. package/skills/mobile-webview-auditor/SKILL.md +96 -0
  100. package/skills/model-extraction-attacker/SKILL.md +219 -0
  101. package/skills/multipart-abuse-tester/SKILL.md +84 -0
  102. package/skills/oauth-pkce-specialist/SKILL.md +104 -0
  103. package/skills/parser-exhaustion-tester/SKILL.md +142 -0
  104. package/skills/pentest-infra/SKILL.md +141 -0
  105. package/skills/pentest-social/SKILL.md +201 -0
  106. package/skills/pentest-team/SKILL.md +134 -0
  107. package/skills/pentest-web-api/SKILL.md +151 -0
  108. package/skills/privacy-flow-analyst/SKILL.md +234 -0
  109. package/skills/prompt-injection-specialist/SKILL.md +394 -0
  110. package/skills/quantum-migration-planner/SKILL.md +96 -0
  111. package/skills/rag-poisoning-specialist/SKILL.md +358 -0
  112. package/skills/registry-mirror-enforcer/SKILL.md +84 -0
  113. package/skills/rotation-validation-agent/SKILL.md +112 -0
  114. package/skills/samm-assessor/SKILL.md +85 -0
  115. package/skills/secrets-mask-bypass-tester/SKILL.md +100 -0
  116. package/skills/senior-security-engineer/SKILL.md +370 -2
  117. package/skills/serialization-memory-attacker/SKILL.md +332 -0
  118. package/skills/session-timeout-tester/SKILL.md +161 -0
  119. package/skills/slsa-level3-enforcer/SKILL.md +112 -0
  120. package/skills/slsa-provenance-enforcer/SKILL.md +102 -0
  121. package/skills/ssrf-detection-validator/SKILL.md +108 -0
  122. package/skills/step-up-auth-enforcer/SKILL.md +84 -0
  123. package/skills/stride-pasta-analyst/SKILL.md +420 -0
  124. package/skills/supply-chain-devsecops/SKILL.md +98 -0
  125. package/skills/threat-infrastructure-analyst/SKILL.md +84 -0
  126. package/skills/threat-modeler/SKILL.md +85 -0
  127. package/skills/tls-certificate-auditor/SKILL.md +573 -18
  128. package/skills/token-reuse-detector/SKILL.md +95 -0
  129. package/skills/trike-risk-modeler/SKILL.md +84 -0
  130. package/skills/unicode-homograph-tester/SKILL.md +84 -0
  131. package/skills/waf-rule-lifecycle-agent/SKILL.md +97 -0
  132. package/skills/webhook-security-tester/SKILL.md +102 -0
  133. package/skills/zero-trust-architect/SKILL.md +109 -0
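--- a/package/skills/artifact-integrity-analyst/SKILL.md
+++ b/package/skills/artifact-integrity-analyst/SKILL.md
@@ -66,3 +66,444 @@ and provenance. Covers §5 Supply Chain Security fully.
 - Missing signing, provenance, or SBOM controls
 - CI workflow additions to implement the missing control
 - §5 SLSA control reference per finding
+
+Every findings JSON MUST include `intelligenceForOtherAgents`:
+```json
+{
+"intelligenceForOtherAgents": {
+"forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
+"forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
+"forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
+"forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
+}
+}
+```
+
+---
+
+## BEYOND SKILL.MD — MANDATORY EXPANSIONS
+
+### 1. Typosquatting & Dependency Confusion (CVE-class: supply chain namespace collision)
+
+**Attack:** An attacker publishes a malicious package to a public registry (npm, PyPI) with a
+name that matches an internal private package. When the build system resolves dependencies, it
+preferentially pulls the public (malicious) version if the public version number exceeds the
+private registry's version — the dependency confusion attack (Alex Birsan, 2021, HackerOne).
+
+**Detection method:**
+```bash
+# List all package names in package.json / requirements.txt
+# Check whether each name exists in the public registry
+npm info <internal-package-name> --json 2>/dev/null | jq '.name'
+# If a result is returned for an internal-only name, this is a confirmed dependency confusion risk
+# Also check: .npmrc / pip.conf — is `--index-url` or `registry` scoped to private registry ONLY?
+grep -r "registry" .npmrc .yarnrc .yarnrc.yml pip.conf pyproject.toml 2>/dev/null
+```
+
+**Finding:** Any internal package name resolvable from the public registry without explicit
+`@scope` namespace enforcement or a registry-precedence lock constitutes a HIGH finding.
+
+---
+
+### 2. Build-Time Code Injection via Malicious CI Action (SLSA Build Integrity)
+
+**Attack:** A referenced GitHub Actions action (`uses: org/action@v2`) resolves to a mutable
+tag. If the action maintainer's account is compromised, a malicious commit can be pushed to
+the same `v2` tag, causing every downstream build to execute attacker-controlled code inside
+the trusted CI environment — identical to the SolarWinds build-time injection pattern.
+
+**Detection method:**
+```bash
+# Find all GitHub Actions workflow files
+find . -path "./.github/workflows/*.yml" -o -path "./.github/workflows/*.yaml" | \
+xargs grep -n "uses:" | grep -v "@[0-9a-f]\{40\}"
+# Any 'uses:' line not pinned to a full 40-character SHA is a finding
+# Example of finding: uses: actions/checkout@v4 (mutable)
+# Expected: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 (pinned)
+```
+
+**Finding:** Any `uses:` reference not pinned to a full commit SHA is HIGH.
+Reference: SLSA L2+ requires pinned, versioned action references.
+
+---
+
+### 3. Rekor Transparency Log Tampering Detection
+
+**Attack:** An adversary with access to a CI signing key signs a backdoored artifact and
+publishes the signature to Sigstore's Rekor transparency log. Because the artifact is signed,
+admission controllers approve it. The key compromise may go undetected if the log is not
+monitored for unexpected entries against a known-good policy.
+
+**Detection method:**
+```bash
+# Verify a container image's Rekor log entry matches expected workflow
+cosign verify \
+--certificate-identity-regexp="https://github.com/<org>/<repo>/.github/workflows/release.yml" \
+--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
+<image>@<digest>
+
+# Enumerate all Rekor entries for a given artifact hash
+rekor-cli search --sha "$(sha256sum artifact.tar.gz | cut -d' ' -f1)"
+# Unexpected entries from a non-CI identity = compromised signing key
+```
+
+**Finding:** Cosign identity mismatch between expected workflow URL and actual certificate
+subject is a CRITICAL finding. Trigger §PROJECT-ESCALATION immediately.
+
+---
+
+### 4. AI-Assisted Malicious Package Detection (Emerging Threat — 2025+)
+
+**Attack:** LLM-assisted adversaries generate syntactically legitimate but semantically
+malicious packages that evade keyword-based scanners. Packages contain delayed-execution
+payloads (e.g., triggered after 30 days or after N installs), encrypted C2 channels inside
+seemingly benign HTTP requests, or steganographic payloads in bundled assets. This technique
+was observed in the `xz-utils` backdoor (CVE-2024-3094) — a years-long social-engineering
+and code-poisoning campaign.
+
+**Detection method:**
+```bash
+# Static entropy analysis of bundled files — high entropy = potential encrypted payload
+python3 -c "
+import math, sys
+data = open(sys.argv[1],'rb').read()
+freq = {}
+for b in data: freq[b] = freq.get(b,0)+1
+entropy = -sum((c/len(data))*math.log2(c/len(data)) for c in freq.values())
+print(f'Entropy: {entropy:.3f}')
+" <file>
+# Entropy > 7.5 bits/byte on a non-compressed file is suspicious
+
+# Behavioral analysis: install in isolated sandbox, trace syscalls
+strace -e trace=network,file npm install <suspicious-package> 2>&1 | grep -E "(connect|open)"
+```
+
+**Finding:** Packages with unexplained high-entropy bundled assets, network syscalls during
+install scripts, or `postinstall` hooks that download external resources are HIGH findings.
+
+---
+
+### 5. Post-Quantum Signature Downgrade (Emerging Threat — FIPS 204/205 transition)
+
+**Attack:** As NIST finalises ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) for code signing,
+systems that advertise support for hybrid classical/post-quantum signatures but fall back to
+ECDSA-only when the PQ algorithm is unavailable are vulnerable to active downgrade attacks.
+An adversary performing a MitM on artifact delivery can strip the PQ signature layer,
+leaving only the classical ECDSA signature — which will be breakable by a CRQC.
+
+**Detection method:**
+```bash
+# Check if Cosign or in-house signing supports ML-DSA or hybrid PQ schemes
+cosign version # Look for PQ-capable release >= 2.4 (experimental)
+# Check signing policy for downgrade enforcement
+grep -r "algorithm\|key-type\|signing-algorithm" cosign.yaml policy.yaml 2>/dev/null
+# If no policy enforces PQ-only or hybrid-minimum, flag as MEDIUM (escalates to HIGH by 2027)
+```
+
+**Finding:** No post-quantum signing capability, no PQ migration roadmap, or policies that
+allow silent downgrade to classical-only signing is a MEDIUM finding today, escalating
+timeline to HIGH by 2027 per NIST PQC migration guidance.
+
+---
+
+### 6. SBOM Completeness Evasion via Indirect Dependency Omission
+
+**Attack:** SBOMs generated by shallow tools (e.g., `npm ls --depth=0`) omit transitive
+dependencies. A compromised transitive dependency (e.g., the `event-stream` npm incident,
+2018) is invisible to the SBOM consumer, who believes the SBOM is complete. The US Executive
+Order 14028 and the EU Cyber Resilience Act both require *complete* SBOMs including all
+transitive dependencies.
+
+**Detection method:**
+```bash
+# Generate full-depth SBOM and compare node count against shallow SBOM
+syft <image> -o cyclonedx-json > sbom-full.json
+jq '.components | length' sbom-full.json
+
+# Compare against any checked-in SBOM
+jq '.components | length' sbom-checked-in.json
+
+# Diff: if full SBOM has significantly more components, shallow SBOM is incomplete
+# Also verify: every component in the full SBOM has a valid PURL
+jq '[.components[] | select(.purl == null or .purl == "")] | length' sbom-full.json
+# Non-zero = components without PURL = SBOM non-compliant with CycloneDX spec
+```
+
+**Finding:** SBOM missing transitive dependencies, or components lacking valid PURLs, is a
+HIGH finding under US EO 14028 §4(e) and EU CRA Article 13.
+
+---
+
+### 7. Immutable Tag Bypass via Registry API (Container Supply Chain)
+
+**Attack:** Even when a container registry is configured with `imageTagMutability: IMMUTABLE`
+(ECR) or equivalent, some registry APIs expose administrative endpoints that allow tag
+reassignment under specific IAM conditions. An over-permissioned CI role or a compromised
+registry admin credential can silently reassign an immutable tag to a different digest without
+triggering standard audit logs, breaking the deployment assumption that the tag points to a
+known-good image.
+
+**Detection method:**
+```bash
+# ECR: verify current tag -> digest mapping and compare to build-time expected digest
+aws ecr describe-images --repository-name <repo> \
+--image-ids imageTag=latest \
+--query 'imageDetails[0].imageDigest' --output text
+
+# Cross-reference against the digest recorded in the deployment manifest or SBOM
+grep "sha256:" deployment.yaml | head -5
+
+# Also: check ECR repository policy for any principal with ecr:PutImage on production repos
+aws ecr get-repository-policy --repository-name <repo> | \
+jq '.policyText | fromjson | .Statement[] | select(.Effect=="Allow") | .Action'
+```
+
+**Finding:** Any IAM principal other than the designated CI role with `ecr:PutImage` or
+`ecr:BatchDeleteImage` on a production repository is a HIGH finding. Tag digest mismatch
+between deployment manifest and live registry is a CRITICAL finding.
+
+---
+
+## §ARTIFACT_INTEGRITY_ANALYST-CHECKLIST
+
+1. **Mutable action references in CI:** Scan all `.github/workflows/*.yml` for `uses:` lines
+not pinned to a 40-character commit SHA. Grep: `uses:.*@` then filter out 40-char hashes.
+Finding: any mutable tag reference (`@v1`, `@main`, `@latest`).
+
+2. **SLSA level determination:** Read CI pipeline definitions; identify whether a hosted build
+service is used (L2) and whether the build platform is hardened + isolated (L3). Grep for
+`slsa-framework/slsa-github-generator` or equivalent. Finding: L1 or L2 for production
+release artifacts.
+
+3. **Cosign signing step present:** Grep CI files for `cosign sign`. Verify signing occurs
+*after* build, *before* push. Finding: no signing step, or signing occurs after push
+(signature may not be associated with the correct digest).
+
+4. **Admission controller enforcement:** Check Kubernetes policy files for Kyverno
+`ImageVerification` or Gatekeeper constraints. Grep: `imageVerification`, `cosign.dev`.
+Finding: no admission policy enforcing signature verification at deploy time.
+
+5. **SBOM generation and publication:** Verify a `syft` or `cdxgen` step in CI that outputs
+CycloneDX JSON. Verify SBOM is signed (`cosign attest --type cyclonedx`). Verify SBOM is
+uploaded to Dependency-Track or equivalent. Finding: missing generation, missing signature,
+or missing publication.
+
+6. **Base image digest pinning:** Grep all Dockerfiles for `FROM` lines. Any `FROM` without
+`@sha256:` is a finding. Grep: `^FROM` then check for `@sha256:`.
+Finding: any base image pinned only by tag.
+
+7. **Transitive SBOM completeness:** Run `syft` at full depth and compare component count to
+any checked-in SBOM. Grep generated SBOM for components with null PURLs.
+Finding: component count mismatch > 10% or any null PURL.
+
+8. **Registry tag mutability:** For ECR, run `aws ecr describe-repositories` and check
+`imageTagMutability`. For GCR/GAR, check IAM for `artifactregistry.tags.update`.
+Finding: `imageTagMutability: MUTABLE` on any production registry.
+
+9. **Provenance attestation in Rekor:** Run `cosign verify-attestation --type slsaprovenance`
+against the production artifact. Verify the certificate subject matches the expected
+GitHub Actions workflow URL. Finding: no attestation, or subject mismatch.
+
+10. **Dependency confusion namespace collision:** For each internal package name, query the
+public registry. Grep `.npmrc` / `pip.conf` for scoped private-registry-only enforcement.
+Finding: internal package name resolvable from public registry without scope enforcement.
+
+11. **Build reproducibility:** Attempt to reproduce the build from source using the recorded
+provenance. Compare resulting artifact digest to the published digest.
+Finding: digest mismatch = non-reproducible build = provenance cannot be trusted.
+
+12. **Over-permissioned CI IAM role:** Review the IAM role or service account used by CI.
+Check for write permissions beyond the designated artifact repository. Grep Terraform/IaC
+for `ecr:*`, `artifactregistry.repositories.*`, `storage.objects.*` with wildcard actions.
+Finding: CI role with write access to registries, buckets, or repos beyond its build scope.
+
+---
+
+## §POC-REQUIREMENT
+
+For every CRITICAL or HIGH finding in the artifact integrity domain, the following sequence is
+MANDATORY before the finding is recorded:
+
+1. **Write the working PoC FIRST.** For each finding class, examples include:
+
+- *Mutable action reference exploit:*
+```bash
+# Simulate tag reassignment: verify that changing the action tag resolves different code
+git ls-remote https://github.com/actions/checkout refs/tags/v4
+# Record the current SHA, then show what a malicious reassignment would look like
+# (do not execute against real repos — document the mechanism and reference real incidents)
+```
+
+- *Dependency confusion exploit:*
+```bash
+# Create a dummy package with a higher version number than the internal package
+mkdir /tmp/confusion-poc && cd /tmp/confusion-poc
+echo '{"name":"<internal-pkg-name>","version":"9999.0.0","main":"index.js"}' > package.json
+echo 'console.log("DEPENDENCY CONFUSION EXECUTED");' > index.js
+# Install in a test environment without registry scoping — confirm the public package wins
+npm install <internal-pkg-name> --registry https://registry.npmjs.org
+```
+
+- *Mutable tag image substitution:*
+```bash
+# Record current digest for a mutable tag
+docker pull <registry>/<image>:latest
+docker inspect <registry>/<image>:latest --format='{{.Id}}'
+# Demonstrate that a re-push with a different payload under the same tag is undetected
+# by deployments that reference the tag rather than the digest
+```
+
+2. **Confirm the PoC reproduces the issue** in an isolated test environment. Record observed
+impact (code execution, artifact substitution, build poisoning).
+
+3. **Write the fix** (digest pinning, scope enforcement, registry policy, etc.).
+
+4. **Verify the PoC fails against the fix.** Re-run the PoC steps and confirm the attack path
+is closed.
+
+5. **Record in findings JSON:**
+```json
+{
+"findingId": "AIA-001",
+"severity": "HIGH",
+"exploitPoC": {
+"steps": ["step 1 command", "step 2 command"],
+"observedImpact": "description of what happened",
+"pocVerified": true,
+"fixVerified": true
+}
+}
+```
+
+**PoC skipping = finding severity automatically downgraded to MEDIUM.**
+
+---
+
+## §PROJECT-ESCALATION
+
+Immediately call `orchestration.update_agent_status` with `"CRITICAL_ESCALATION"` and halt
+normal execution flow when ANY of the following conditions are detected:
+
+1. **Active signing key compromise:** Rekor log contains a valid signature for a production
+artifact from a certificate identity that does not match any known CI workflow URL. This
+indicates either a key leak or an unauthorized signing event — the entire artifact fleet
+may be compromised.
+
+2. **Backdoored dependency already deployed to production:** A dependency in the production
+SBOM matches a known-malicious package hash (e.g., cross-referenced against OSS-Fuzz or
+the OSV database) and the artifact is currently running in production. Immediate incident
+response, not a scheduled fix.
+
+3. **Non-reproducible build with provenance mismatch:** The signed provenance claims a
+specific source commit and build configuration, but a reproducibility attempt produces a
+different artifact digest. This indicates the build was tampered between source and
+publish — a SolarWinds-class event.
+
+4. **Registry tag reassignment detected:** The digest currently pointed to by a production
+tag differs from the digest recorded at deployment time in the deployment manifest or
+GitOps repo. An image has been silently swapped in production.
+
+5. **CI pipeline exfiltrating secrets to external endpoint:** Build logs or CI network traces
+show outbound connections to non-whitelisted external IPs or domains during the signing or
+build step. This indicates a compromised action or poisoned build environment.
+
+6. **Transitive dependency with RCE vulnerability (CVSS >= 9.0) in production SBOM:** The
+SBOM cross-reference against OSV/NVD returns a critical RCE CVE for a component that is
+loaded in the production artifact's runtime execution path (not dev-only).
+
+7. **SLSA provenance for a production release is entirely absent:** A production artifact
+that customers receive has no provenance attestation of any kind. In regulated environments
+(FedRAMP, PCI DSS 4.0), this alone is a compliance blocker that may require a release
+recall or emergency patch.
+
+8. **Over-permissioned CI role with production write access AND recent credential rotation
+failure:** The CI service account has not rotated credentials in over 90 days AND has write
+access to production registries. Combined with any other finding, this represents an
+unacceptably wide blast radius for a single compromised CI run.
+
+---
+
+## §EDGE-CASE-MATRIX
+
+The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
+
+| # | Edge Case | Why Scanners Miss It | Concrete Test |
+|---|-----------|----------------------|---------------|
+| 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
+| 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
+| 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
+| 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
+| 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
+
+---
+
+## §TEMPORAL-THREATS
+
+Threats materialising in the 2025–2030 window that defences designed today must account for.
+
+| Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
+|--------|--------------|--------------------------|----------------|
+| Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
+| AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
+| EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
+| Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
+| Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
+
+---
+
+## §DETECTION-GAP
+
+What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
+
+**Standard gaps that MUST be checked:**
+
+- **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
+- **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
+- **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
+- **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
+- **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
+
+**Artifact-integrity-specific gaps:**
+
+- **Silent tag reassignment in registries**: Standard CloudTrail/Audit Logs capture `PutImage` events but do not diff tag-to-digest mappings. Need: a scheduled Lambda/Cloud Function that polls each production tag's digest and alerts on any change not initiated by a known CI run.
+- **SBOM drift between release and runtime**: The signed SBOM reflects the artifact at build time; packages installed post-deployment (e.g., via entrypoint scripts) are invisible. Need: runtime SBOM diffing using Falco or Tetragon to detect new file writes to dependency directories after container start.
+- **Compromised transparency log entry**: Rekor is append-only but its consistency proof requires active monitoring. A client that never checks the inclusion proof can be served a forged log by a MitM. Need: automated `rekor-monitor` deployment that continuously verifies the log's consistency tree.
+
+---
+
+## §ZERO-MISS-MANDATE
+
+This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
+- `CHECKED: [N files] | [patterns used] | CLEAN`
+- `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
+- `SKIPPED: [reason — must be "not applicable: [evidence]"]`
+
+**Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
+
+The output findings JSON MUST include a `coverageManifest` key:
+```json
+{
+"coverageManifest": {
+"attackClassesCovered": [{ "class": "Mutable Action Reference", "filesReviewed": 12, "patterns": ["uses:.*@(?![0-9a-f]{40})"], "result": "CLEAN" }],
+"filesReviewed": 47,
+"negativeAssertions": ["Mutable action references: searched 12 workflow files — 0 unpinned references"],
+"uncoveredReason": {}
+}
+}
+```
+
+---
+
+## LEARNING SIGNAL
+
+On every finding resolved, emit:
+```json
+{
+"findingId": "FINDING_ID",
+"agentName": "artifact-integrity-analyst",
+"resolved": true,
+"remediationTemplate": "one-line description of what was done",
+"falsePositive": false
+}
+```
+Call `security.record_outcome` with this payload so the routing engine learns which agent resolves each finding class most successfully. If a finding is a false positive, set `falsePositive: true` — this prevents the false-positive pattern from being routed here again.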
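Review bot: The dependency-confusion PoC on new lines 339–344 never gets the `9999.0.0` package onto any registry — it writes a package.json and index.js under /tmp and then runs `npm install <internal-pkg-name> --registry https://registry.npmjs.org`, so as written it only installs whatever already exists publicly and demonstrates nothing, and the only way to make it "work" is to publish the internal name to npmjs.org, which is a live attack on every other consumer of that name rather than a test. Because §POC-REQUIREMENT makes the PoC MANDATORY and auto-downgrades findings without one, the skill should state that the "public" side must be a disposable local registry (e.g. a Verdaccio instance that the test `.npmrc` points at as its default registry, with the dummy package `npm publish`ed there) and that publishing internal names to a real public registry is prohibited. Two smaller items in the same hunk: the `--certificate-identity-regexp` on new line 141 is unanchored with unescaped dots, so prefer the exact `--certificate-identity=https://github.com/<org>/<repo>/.github/workflows/release.yml@refs/tags/<tag>` or anchor it as `'^https://github\.com/<org>/<repo>/\.github/workflows/release\.yml@refs/.*$'`; and `strace -e trace=network,file npm install …` on new line 178 needs `-f`, since `postinstall` hooks run in child `sh` processes that strace does not otherwise follow. The CRQC row in §TEMPORAL-THREATS also conflates harvest-now-decrypt-later (which threatens encryption and key exchange captured today) with signatures, and ML-KEM (FIPS 203) is a KEM, not a signature scheme — signing migration should point at ML-DSA/SLH-DSA and key exchange at ML-KEM.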