security-mcp 1.1.4 → 1.3.3

Files changed (158)
  1. package/README.md +341 -1018
  2. package/defaults/checklists/ai.json +20 -1
  3. package/defaults/checklists/api.json +35 -1
  4. package/defaults/checklists/infra.json +34 -1
  5. package/defaults/checklists/mobile.json +23 -1
  6. package/defaults/checklists/payments.json +15 -1
  7. package/defaults/checklists/web.json +11 -1
  8. package/defaults/cloud-controls/aws.json +10712 -0
  9. package/defaults/cloud-controls/azure.json +7201 -0
  10. package/defaults/cloud-controls/gcp.json +4061 -0
  11. package/defaults/control-catalog.json +24 -0
  12. package/defaults/security-policy.json +2 -2
  13. package/dist/ci/pr-gate.js +22 -5
  14. package/dist/cli/index.js +73 -2
  15. package/dist/cli/install.js +4 -55
  16. package/dist/cli/onboarding.js +18 -10
  17. package/dist/gate/baseline.js +82 -7
  18. package/dist/gate/catalog.js +10 -2
  19. package/dist/gate/checks/agentic-instructions.js +515 -0
  20. package/dist/gate/checks/ai-governance.js +132 -0
  21. package/dist/gate/checks/ai.js +757 -39
  22. package/dist/gate/checks/auth-deep.js +920 -216
  23. package/dist/gate/checks/business-logic.js +751 -0
  24. package/dist/gate/checks/ci-pipeline.js +399 -4
  25. package/dist/gate/checks/cloud-controls.js +69 -0
  26. package/dist/gate/checks/crypto.js +423 -2
  27. package/dist/gate/checks/data-platform.js +954 -0
  28. package/dist/gate/checks/dependencies.js +582 -15
  29. package/dist/gate/checks/docker-deep.js +1236 -0
  30. package/dist/gate/checks/gitops.js +724 -0
  31. package/dist/gate/checks/graphql.js +201 -19
  32. package/dist/gate/checks/iac.js +1230 -0
  33. package/dist/gate/checks/infra.js +246 -1
  34. package/dist/gate/checks/injection-deep.js +827 -184
  35. package/dist/gate/checks/k8s.js +955 -2
  36. package/dist/gate/checks/mobile-android.js +917 -3
  37. package/dist/gate/checks/mobile-ios.js +797 -5
  38. package/dist/gate/checks/required-artifacts.js +194 -0
  39. package/dist/gate/checks/runtime.js +178 -0
  40. package/dist/gate/checks/secrets.js +256 -13
  41. package/dist/gate/checks/supply-chain-deep.js +787 -0
  42. package/dist/gate/checks/web-nextjs.js +572 -48
  43. package/dist/gate/cloud-controls/apply.js +115 -0
  44. package/dist/gate/cloud-controls/bicep.js +36 -0
  45. package/dist/gate/cloud-controls/cfn.js +125 -0
  46. package/dist/gate/cloud-controls/detect.js +104 -0
  47. package/dist/gate/cloud-controls/hcl.js +140 -0
  48. package/dist/gate/cloud-controls/types.js +87 -0
  49. package/dist/gate/diff.js +17 -5
  50. package/dist/gate/evidence.js +8 -1
  51. package/dist/gate/exceptions.js +202 -9
  52. package/dist/gate/findings.js +15 -2
  53. package/dist/gate/policy.js +316 -130
  54. package/dist/gate/threat-intel.js +6 -0
  55. package/dist/mcp/audit-chain.js +131 -28
  56. package/dist/mcp/auth.js +169 -0
  57. package/dist/mcp/learning.js +129 -4
  58. package/dist/mcp/model-router.js +161 -24
  59. package/dist/mcp/orchestration.js +377 -89
  60. package/dist/mcp/server.js +460 -69
  61. package/dist/mcp/tool-audit.js +193 -0
  62. package/dist/repo/fs.js +37 -1
  63. package/dist/repo/search.js +31 -6
  64. package/dist/review/store.js +56 -3
  65. package/dist/tests/run.js +124 -1
  66. package/package.json +9 -9
  67. package/skills/_TEMPLATE/SKILL.md +99 -0
  68. package/skills/advanced-dos-tester/SKILL.md +118 -0
  69. package/skills/agentic-instruction-auditor/SKILL.md +111 -0
  70. package/skills/agentic-loop-exploiter/SKILL.md +377 -0
  71. package/skills/ai-llm-redteam/SKILL.md +113 -0
  72. package/skills/ai-model-supply-chain-agent/SKILL.md +112 -0
  73. package/skills/algorithm-implementation-reviewer/SKILL.md +107 -0
  74. package/skills/android-penetration-tester/SKILL.md +464 -46
  75. package/skills/anti-replay-tester/SKILL.md +115 -0
  76. package/skills/appsec-code-auditor/SKILL.md +94 -0
  77. package/skills/artifact-integrity-analyst/SKILL.md +450 -0
  78. package/skills/attack-navigator/SKILL.md +476 -8
  79. package/skills/auth-session-hacker/SKILL.md +111 -0
  80. package/skills/aws-penetration-tester/SKILL.md +510 -0
  81. package/skills/azure-penetration-tester/SKILL.md +542 -3
  82. package/skills/binary-auth-validator/SKILL.md +120 -0
  83. package/skills/bot-detection-specialist/SKILL.md +118 -0
  84. package/skills/business-logic-attacker/SKILL.md +240 -0
  85. package/skills/capec-code-mapper/SKILL.md +93 -0
  86. package/skills/cert-pin-rotation-specialist/SKILL.md +121 -0
  87. package/skills/cicd-pipeline-hijacker/SKILL.md +414 -0
  88. package/skills/ciso-orchestrator/SKILL.md +465 -43
  89. package/skills/cloud-infra-specialist/SKILL.md +127 -0
  90. package/skills/compliance-gap-analyst/SKILL.md +431 -0
  91. package/skills/compliance-grc/SKILL.md +94 -0
  92. package/skills/compliance-lifecycle-tracker/SKILL.md +93 -0
  93. package/skills/container-hardening-auditor/SKILL.md +125 -0
  94. package/skills/credential-stuffing-specialist/SKILL.md +111 -0
  95. package/skills/crypto-pki-specialist/SKILL.md +96 -0
  96. package/skills/csa-ccm-mapper/SKILL.md +93 -0
  97. package/skills/csf2-governance-mapper/SKILL.md +93 -0
  98. package/skills/data-platform-auditor/SKILL.md +125 -0
  99. package/skills/deep-link-fuzzer/SKILL.md +118 -0
  100. package/skills/dependency-confusion-attacker/SKILL.md +424 -0
  101. package/skills/device-integrity-aggregator/SKILL.md +117 -0
  102. package/skills/dos-resilience-tester/SKILL.md +106 -0
  103. package/skills/dread-scorer/SKILL.md +93 -0
  104. package/skills/egress-policy-enforcer/SKILL.md +108 -0
  105. package/skills/evidence-collector/SKILL.md +107 -0
  106. package/skills/file-upload-attacker/SKILL.md +118 -0
  107. package/skills/gcp-penetration-tester/SKILL.md +510 -2
  108. package/skills/git-history-secret-scanner/SKILL.md +115 -0
  109. package/skills/gitops-delivery-auditor/SKILL.md +120 -0
  110. package/skills/iac-security-auditor/SKILL.md +125 -0
  111. package/skills/iam-privesc-graph-builder/SKILL.md +161 -0
  112. package/skills/incident-responder/SKILL.md +120 -0
  113. package/skills/injection-specialist/SKILL.md +111 -0
  114. package/skills/ios-security-auditor/SKILL.md +291 -0
  115. package/skills/json-ambiguity-tester/SKILL.md +145 -0
  116. package/skills/k8s-container-escaper/SKILL.md +406 -0
  117. package/skills/key-management-lifecycle-analyst/SKILL.md +107 -0
  118. package/skills/kill-switch-engineer/SKILL.md +111 -0
  119. package/skills/linddun-privacy-analyst/SKILL.md +111 -0
  120. package/skills/logic-race-fuzzer/SKILL.md +452 -0
  121. package/skills/mobile-api-network-attacker/SKILL.md +430 -0
  122. package/skills/mobile-binary-hardener/SKILL.md +111 -0
  123. package/skills/mobile-security-specialist/SKILL.md +94 -0
  124. package/skills/mobile-webview-auditor/SKILL.md +105 -0
  125. package/skills/model-extraction-attacker/SKILL.md +228 -0
  126. package/skills/multipart-abuse-tester/SKILL.md +93 -0
  127. package/skills/oauth-pkce-specialist/SKILL.md +113 -0
  128. package/skills/parser-exhaustion-tester/SKILL.md +151 -0
  129. package/skills/pentest-infra/SKILL.md +107 -0
  130. package/skills/pentest-social/SKILL.md +210 -0
  131. package/skills/pentest-team/SKILL.md +96 -0
  132. package/skills/pentest-web-api/SKILL.md +107 -0
  133. package/skills/privacy-flow-analyst/SKILL.md +243 -0
  134. package/skills/prompt-injection-specialist/SKILL.md +403 -0
  135. package/skills/quantum-migration-planner/SKILL.md +105 -0
  136. package/skills/rag-poisoning-specialist/SKILL.md +367 -0
  137. package/skills/registry-mirror-enforcer/SKILL.md +93 -0
  138. package/skills/rotation-validation-agent/SKILL.md +121 -0
  139. package/skills/samm-assessor/SKILL.md +94 -0
  140. package/skills/secrets-mask-bypass-tester/SKILL.md +109 -0
  141. package/skills/senior-security-engineer/SKILL.md +178 -0
  142. package/skills/serialization-memory-attacker/SKILL.md +341 -0
  143. package/skills/session-timeout-tester/SKILL.md +170 -0
  144. package/skills/slsa-level3-enforcer/SKILL.md +121 -0
  145. package/skills/slsa-provenance-enforcer/SKILL.md +111 -0
  146. package/skills/ssrf-detection-validator/SKILL.md +117 -0
  147. package/skills/step-up-auth-enforcer/SKILL.md +93 -0
  148. package/skills/stride-pasta-analyst/SKILL.md +429 -0
  149. package/skills/supply-chain-devsecops/SKILL.md +107 -0
  150. package/skills/threat-infrastructure-analyst/SKILL.md +93 -0
  151. package/skills/threat-modeler/SKILL.md +94 -0
  152. package/skills/tls-certificate-auditor/SKILL.md +582 -18
  153. package/skills/token-reuse-detector/SKILL.md +104 -0
  154. package/skills/trike-risk-modeler/SKILL.md +93 -0
  155. package/skills/unicode-homograph-tester/SKILL.md +93 -0
  156. package/skills/waf-rule-lifecycle-agent/SKILL.md +106 -0
  157. package/skills/webhook-security-tester/SKILL.md +111 -0
  158. package/skills/zero-trust-architect/SKILL.md +118 -0
@@ -21,6 +21,15 @@ optional — it's the minimum bar for a trustworthy software supply chain.
21
21
  Assess and implement artifact integrity controls: SLSA compliance level, signing, SBOM,
22
22
  and provenance. Covers §5 Supply Chain Security fully.
23
23
 
24
+ ## BEYOND THE CHECKS — AUTONOMOUS DETECT & FIX
25
+
26
+ The `supply-chain-deep` and `sbom` detection modules (`src/gate/checks/supply-chain-deep.ts`, `src/gate/checks/sbom.ts`) are your deterministic floor, not your ceiling. Treat their finding IDs as the minimum, then reason past what single-line/single-file pattern matching can see — and APPLY the fix (Edit the workflow/Dockerfile/policy/registry config), not just advise:
27
+
28
+ - **Cross-file / data-flow reasoning the regex can't do:** a `uses:` action pinned by SHA in the build job but a Cosign sign step that runs *after* push, plus a deployment manifest referencing a mutable tag rather than the signed digest, breaks the integrity chain across workflow + manifest + registry policy — no single grep for `@<sha>` sees that the signed artifact and the deployed artifact diverge.
29
+ - **Semantic / effective-state analysis:** reconcile the tag→digest mapping live in the registry against the digest recorded at deploy time (silent reassignment), verify the Cosign certificate identity actually matches the expected workflow URL (not merely that a signature exists), and confirm the SBOM is transitively complete (full-depth component count + every PURL non-null), not shallow.
30
+ - **External corroboration:** use WebSearch/WebFetch for current supply-chain CVEs and advisories (CVE-2024-3094 xz, SolarWinds-class build injection, event-stream transitive compromise) and SLSA/EO 14028/EU CRA requirement updates; cross-reference SBOM components against OSV/NVD.
31
+ - **Apply & prove:** write the fix inline (full-SHA action pins, sign-before-push + Kyverno/Gatekeeper admission verification, base-image `@sha256:` digest pinning, `imageTagMutability: IMMUTABLE`, scoped private-registry precedence), re-run the `supply-chain-deep`/`sbom` checks plus `cosign verify` / `syft` SBOM diff and a `rekor-cli` inclusion check as a regression floor, then re-audit semantically. Emit the LEARNING SIGNAL per fix; surface any digest pin or admission policy that blocks a previously-floating deploy as an explicit immutability-vs-velocity trade-off with the secure default.
32
+
24
33
  ## EXECUTION
25
34
 
26
35
  1. Assess current SLSA level from CI/CD pipeline review:
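Review bot: The "sign-before-push" ordering prescribed in the "Apply & prove" bullet of the new `## BEYOND THE CHECKS` section (new line 31) inverts the flow cosign actually uses: to the best of my understanding `cosign sign` resolves the reference in the registry and attaches the signature to the manifest digest found there, so the signature has to be produced after the push, against the digest the push returned, and the deployment manifest must reference that same `@sha256:` digest. Signing a local tag first and pushing afterwards is precisely the signed-artifact/deployed-artifact divergence the previous bullet warns about, and as written this rule will be copied into the checklist that follows. Suggest rewording the parenthetical to `push by digest, then cosign sign <image>@<digest> (never a tag), and deploy that exact digest`, keeping the Kyverno/Gatekeeper admission-verification clause as is. The hunk ends inside the `## EXECUTION` list, which continues outside it.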
@@ -66,3 +75,444 @@ and provenance. Covers §5 Supply Chain Security fully.
66
75
  - Missing signing, provenance, or SBOM controls
67
76
  - CI workflow additions to implement the missing control
68
77
  - §5 SLSA control reference per finding
78
+
79
+ Every findings JSON MUST include `intelligenceForOtherAgents`:
80
+ ```json
81
+ {
82
+ "intelligenceForOtherAgents": {
83
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
84
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
85
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
86
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
87
+ }
88
+ }
89
+ ```
90
+
91
+ ---
92
+
93
+ ## BEYOND SKILL.MD — MANDATORY EXPANSIONS
94
+
95
+ ### 1. Typosquatting & Dependency Confusion (CVE-class: supply chain namespace collision)
96
+
97
+ **Attack:** An attacker publishes a malicious package to a public registry (npm, PyPI) with a
98
+ name that matches an internal private package. When the build system resolves dependencies, it
99
+ preferentially pulls the public (malicious) version if the public version number exceeds the
100
+ private registry's version — the dependency confusion attack (Alex Birsan, 2021, HackerOne).
101
+
102
+ **Detection method:**
103
+ ```bash
104
+ # List all package names in package.json / requirements.txt
105
+ # Check whether each name exists in the public registry
106
+ npm info <internal-package-name> --json 2>/dev/null | jq '.name'
107
+ # If a result is returned for an internal-only name, this is a confirmed dependency confusion risk
108
+ # Also check: .npmrc / pip.conf — is `--index-url` or `registry` scoped to private registry ONLY?
109
+ grep -r "registry" .npmrc .yarnrc .yarnrc.yml pip.conf pyproject.toml 2>/dev/null
110
+ ```
111
+
112
+ **Finding:** Any internal package name resolvable from the public registry without explicit
113
+ `@scope` namespace enforcement or a registry-precedence lock constitutes a HIGH finding.
114
+
115
+ ---
116
+
117
+ ### 2. Build-Time Code Injection via Malicious CI Action (SLSA Build Integrity)
118
+
119
+ **Attack:** A referenced GitHub Actions action (`uses: org/action@v2`) resolves to a mutable
120
+ tag. If the action maintainer's account is compromised, a malicious commit can be pushed to
121
+ the same `v2` tag, causing every downstream build to execute attacker-controlled code inside
122
+ the trusted CI environment — identical to the SolarWinds build-time injection pattern.
123
+
124
+ **Detection method:**
125
+ ```bash
126
+ # Find all GitHub Actions workflow files
127
+ find . -path "./.github/workflows/*.yml" -o -path "./.github/workflows/*.yaml" | \
128
+ xargs grep -n "uses:" | grep -v "@[0-9a-f]\{40\}"
129
+ # Any 'uses:' line not pinned to a full 40-character SHA is a finding
130
+ # Example of finding: uses: actions/checkout@v4 (mutable)
131
+ # Expected: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 (pinned)
132
+ ```
133
+
134
+ **Finding:** Any `uses:` reference not pinned to a full commit SHA is HIGH.
135
+ Reference: SLSA L2+ requires pinned, versioned action references.
136
+
137
+ ---
138
+
139
+ ### 3. Rekor Transparency Log Tampering Detection
140
+
141
+ **Attack:** An adversary with access to a CI signing key signs a backdoored artifact and
142
+ publishes the signature to Sigstore's Rekor transparency log. Because the artifact is signed,
143
+ admission controllers approve it. The key compromise may go undetected if the log is not
144
+ monitored for unexpected entries against a known-good policy.
145
+
146
+ **Detection method:**
147
+ ```bash
148
+ # Verify a container image's Rekor log entry matches expected workflow
149
+ cosign verify \
150
+ --certificate-identity-regexp="https://github.com/<org>/<repo>/.github/workflows/release.yml" \
151
+ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
152
+ <image>@<digest>
153
+
154
+ # Enumerate all Rekor entries for a given artifact hash
155
+ rekor-cli search --sha "$(sha256sum artifact.tar.gz | cut -d' ' -f1)"
156
+ # Unexpected entries from a non-CI identity = compromised signing key
157
+ ```
158
+
159
+ **Finding:** Cosign identity mismatch between expected workflow URL and actual certificate
160
+ subject is a CRITICAL finding. Trigger §PROJECT-ESCALATION immediately.
161
+
162
+ ---
163
+
164
+ ### 4. AI-Assisted Malicious Package Detection (Emerging Threat — 2025+)
165
+
166
+ **Attack:** LLM-assisted adversaries generate syntactically legitimate but semantically
167
+ malicious packages that evade keyword-based scanners. Packages contain delayed-execution
168
+ payloads (e.g., triggered after 30 days or after N installs), encrypted C2 channels inside
169
+ seemingly benign HTTP requests, or steganographic payloads in bundled assets. This technique
170
+ was observed in the `xz-utils` backdoor (CVE-2024-3094) — a years-long social-engineering
171
+ and code-poisoning campaign.
172
+
173
+ **Detection method:**
174
+ ```bash
175
+ # Static entropy analysis of bundled files — high entropy = potential encrypted payload
176
+ python3 -c "
177
+ import math, sys
178
+ data = open(sys.argv[1],'rb').read()
179
+ freq = {}
180
+ for b in data: freq[b] = freq.get(b,0)+1
181
+ entropy = -sum((c/len(data))*math.log2(c/len(data)) for c in freq.values())
182
+ print(f'Entropy: {entropy:.3f}')
183
+ " <file>
184
+ # Entropy > 7.5 bits/byte on a non-compressed file is suspicious
185
+
186
+ # Behavioral analysis: install in isolated sandbox, trace syscalls
187
+ strace -e trace=network,file npm install <suspicious-package> 2>&1 | grep -E "(connect|open)"
188
+ ```
189
+
190
+ **Finding:** Packages with unexplained high-entropy bundled assets, network syscalls during
191
+ install scripts, or `postinstall` hooks that download external resources are HIGH findings.
192
+
193
+ ---
194
+
195
+ ### 5. Post-Quantum Signature Downgrade (Emerging Threat — FIPS 204/205 transition)
196
+
197
+ **Attack:** As NIST finalises ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) for code signing,
198
+ systems that advertise support for hybrid classical/post-quantum signatures but fall back to
199
+ ECDSA-only when the PQ algorithm is unavailable are vulnerable to active downgrade attacks.
200
+ An adversary performing a MitM on artifact delivery can strip the PQ signature layer,
201
+ leaving only the classical ECDSA signature — which will be breakable by a CRQC.
202
+
203
+ **Detection method:**
204
+ ```bash
205
+ # Check if Cosign or in-house signing supports ML-DSA or hybrid PQ schemes
206
+ cosign version # Look for PQ-capable release >= 2.4 (experimental)
207
+ # Check signing policy for downgrade enforcement
208
+ grep -r "algorithm\|key-type\|signing-algorithm" cosign.yaml policy.yaml 2>/dev/null
209
+ # If no policy enforces PQ-only or hybrid-minimum, flag as MEDIUM (escalates to HIGH by 2027)
210
+ ```
211
+
212
+ **Finding:** No post-quantum signing capability, no PQ migration roadmap, or policies that
213
+ allow silent downgrade to classical-only signing is a MEDIUM finding today, escalating
214
+ timeline to HIGH by 2027 per NIST PQC migration guidance.
215
+
216
+ ---
217
+
218
+ ### 6. SBOM Completeness Evasion via Indirect Dependency Omission
219
+
220
+ **Attack:** SBOMs generated by shallow tools (e.g., `npm ls --depth=0`) omit transitive
221
+ dependencies. A compromised transitive dependency (e.g., the `event-stream` npm incident,
222
+ 2018) is invisible to the SBOM consumer, who believes the SBOM is complete. The US Executive
223
+ Order 14028 and the EU Cyber Resilience Act both require *complete* SBOMs including all
224
+ transitive dependencies.
225
+
226
+ **Detection method:**
227
+ ```bash
228
+ # Generate full-depth SBOM and compare node count against shallow SBOM
229
+ syft <image> -o cyclonedx-json > sbom-full.json
230
+ jq '.components | length' sbom-full.json
231
+
232
+ # Compare against any checked-in SBOM
233
+ jq '.components | length' sbom-checked-in.json
234
+
235
+ # Diff: if full SBOM has significantly more components, shallow SBOM is incomplete
236
+ # Also verify: every component in the full SBOM has a valid PURL
237
+ jq '[.components[] | select(.purl == null or .purl == "")] | length' sbom-full.json
238
+ # Non-zero = components without PURL = SBOM non-compliant with CycloneDX spec
239
+ ```
240
+
241
+ **Finding:** SBOM missing transitive dependencies, or components lacking valid PURLs, is a
242
+ HIGH finding under US EO 14028 §4(e) and EU CRA Article 13.
243
+
244
+ ---
245
+
246
+ ### 7. Immutable Tag Bypass via Registry API (Container Supply Chain)
247
+
248
+ **Attack:** Even when a container registry is configured with `imageTagMutability: IMMUTABLE`
249
+ (ECR) or equivalent, some registry APIs expose administrative endpoints that allow tag
250
+ reassignment under specific IAM conditions. An over-permissioned CI role or a compromised
251
+ registry admin credential can silently reassign an immutable tag to a different digest without
252
+ triggering standard audit logs, breaking the deployment assumption that the tag points to a
253
+ known-good image.
254
+
255
+ **Detection method:**
256
+ ```bash
257
+ # ECR: verify current tag -> digest mapping and compare to build-time expected digest
258
+ aws ecr describe-images --repository-name <repo> \
259
+ --image-ids imageTag=latest \
260
+ --query 'imageDetails[0].imageDigest' --output text
261
+
262
+ # Cross-reference against the digest recorded in the deployment manifest or SBOM
263
+ grep "sha256:" deployment.yaml | head -5
264
+
265
+ # Also: check ECR repository policy for any principal with ecr:PutImage on production repos
266
+ aws ecr get-repository-policy --repository-name <repo> | \
267
+ jq '.policyText | fromjson | .Statement[] | select(.Effect=="Allow") | .Action'
268
+ ```
269
+
270
+ **Finding:** Any IAM principal other than the designated CI role with `ecr:PutImage` or
271
+ `ecr:BatchDeleteImage` on a production repository is a HIGH finding. Tag digest mismatch
272
+ between deployment manifest and live registry is a CRITICAL finding.
273
+
274
+ ---
275
+
276
+ ## §ARTIFACT_INTEGRITY_ANALYST-CHECKLIST
277
+
278
+ 1. **Mutable action references in CI:** Scan all `.github/workflows/*.yml` for `uses:` lines
279
+ not pinned to a 40-character commit SHA. Grep: `uses:.*@` then filter out 40-char hashes.
280
+ Finding: any mutable tag reference (`@v1`, `@main`, `@latest`).
281
+
282
+ 2. **SLSA level determination:** Read CI pipeline definitions; identify whether a hosted build
283
+ service is used (L2) and whether the build platform is hardened + isolated (L3). Grep for
284
+ `slsa-framework/slsa-github-generator` or equivalent. Finding: L1 or L2 for production
285
+ release artifacts.
286
+
287
+ 3. **Cosign signing step present:** Grep CI files for `cosign sign`. Verify signing occurs
288
+ *after* build, *before* push. Finding: no signing step, or signing occurs after push
289
+ (signature may not be associated with the correct digest).
290
+
291
+ 4. **Admission controller enforcement:** Check Kubernetes policy files for Kyverno
292
+ `ImageVerification` or Gatekeeper constraints. Grep: `imageVerification`, `cosign.dev`.
293
+ Finding: no admission policy enforcing signature verification at deploy time.
294
+
295
+ 5. **SBOM generation and publication:** Verify a `syft` or `cdxgen` step in CI that outputs
296
+ CycloneDX JSON. Verify SBOM is signed (`cosign attest --type cyclonedx`). Verify SBOM is
297
+ uploaded to Dependency-Track or equivalent. Finding: missing generation, missing signature,
298
+ or missing publication.
299
+
300
+ 6. **Base image digest pinning:** Grep all Dockerfiles for `FROM` lines. Any `FROM` without
301
+ `@sha256:` is a finding. Grep: `^FROM` then check for `@sha256:`.
302
+ Finding: any base image pinned only by tag.
303
+
304
+ 7. **Transitive SBOM completeness:** Run `syft` at full depth and compare component count to
305
+ any checked-in SBOM. Grep generated SBOM for components with null PURLs.
306
+ Finding: component count mismatch > 10% or any null PURL.
307
+
308
+ 8. **Registry tag mutability:** For ECR, run `aws ecr describe-repositories` and check
309
+ `imageTagMutability`. For GCR/GAR, check IAM for `artifactregistry.tags.update`.
310
+ Finding: `imageTagMutability: MUTABLE` on any production registry.
311
+
312
+ 9. **Provenance attestation in Rekor:** Run `cosign verify-attestation --type slsaprovenance`
313
+ against the production artifact. Verify the certificate subject matches the expected
314
+ GitHub Actions workflow URL. Finding: no attestation, or subject mismatch.
315
+
316
+ 10. **Dependency confusion namespace collision:** For each internal package name, query the
317
+ public registry. Grep `.npmrc` / `pip.conf` for scoped private-registry-only enforcement.
318
+ Finding: internal package name resolvable from public registry without scope enforcement.
319
+
320
+ 11. **Build reproducibility:** Attempt to reproduce the build from source using the recorded
321
+ provenance. Compare resulting artifact digest to the published digest.
322
+ Finding: digest mismatch = non-reproducible build = provenance cannot be trusted.
323
+
324
+ 12. **Over-permissioned CI IAM role:** Review the IAM role or service account used by CI.
325
+ Check for write permissions beyond the designated artifact repository. Grep Terraform/IaC
326
+ for `ecr:*`, `artifactregistry.repositories.*`, `storage.objects.*` with wildcard actions.
327
+ Finding: CI role with write access to registries, buckets, or repos beyond its build scope.
328
+
329
+ ---
330
+
331
+ ## §POC-REQUIREMENT
332
+
333
+ For every CRITICAL or HIGH finding in the artifact integrity domain, the following sequence is
334
+ MANDATORY before the finding is recorded:
335
+
336
+ 1. **Write the working PoC FIRST.** For each finding class, examples include:
337
+
338
+ - *Mutable action reference exploit:*
339
+ ```bash
340
+ # Simulate tag reassignment: verify that changing the action tag resolves different code
341
+ git ls-remote https://github.com/actions/checkout refs/tags/v4
342
+ # Record the current SHA, then show what a malicious reassignment would look like
343
+ # (do not execute against real repos — document the mechanism and reference real incidents)
344
+ ```
345
+
346
+ - *Dependency confusion exploit:*
347
+ ```bash
348
+ # Create a dummy package with a higher version number than the internal package
349
+ mkdir /tmp/confusion-poc && cd /tmp/confusion-poc
350
+ echo '{"name":"<internal-pkg-name>","version":"9999.0.0","main":"index.js"}' > package.json
351
+ echo 'console.log("DEPENDENCY CONFUSION EXECUTED");' > index.js
352
+ # Install in a test environment without registry scoping — confirm the public package wins
353
+ npm install <internal-pkg-name> --registry https://registry.npmjs.org
354
+ ```
355
+
356
+ - *Mutable tag image substitution:*
357
+ ```bash
358
+ # Record current digest for a mutable tag
359
+ docker pull <registry>/<image>:latest
360
+ docker inspect <registry>/<image>:latest --format='{{.Id}}'
361
+ # Demonstrate that a re-push with a different payload under the same tag is undetected
362
+ # by deployments that reference the tag rather than the digest
363
+ ```
364
+
365
+ 2. **Confirm the PoC reproduces the issue** in an isolated test environment. Record observed
366
+ impact (code execution, artifact substitution, build poisoning).
367
+
368
+ 3. **Write the fix** (digest pinning, scope enforcement, registry policy, etc.).
369
+
370
+ 4. **Verify the PoC fails against the fix.** Re-run the PoC steps and confirm the attack path
371
+ is closed.
372
+
373
+ 5. **Record in findings JSON:**
374
+ ```json
375
+ {
376
+ "findingId": "AIA-001",
377
+ "severity": "HIGH",
378
+ "exploitPoC": {
379
+ "steps": ["step 1 command", "step 2 command"],
380
+ "observedImpact": "description of what happened",
381
+ "pocVerified": true,
382
+ "fixVerified": true
383
+ }
384
+ }
385
+ ```
386
+
387
+ **PoC skipping = finding severity automatically downgraded to MEDIUM.**
388
+
389
+ ---
390
+
391
+ ## §PROJECT-ESCALATION
392
+
393
+ Immediately call `orchestration.update_agent_status` with `"CRITICAL_ESCALATION"` and halt
394
+ normal execution flow when ANY of the following conditions are detected:
395
+
396
+ 1. **Active signing key compromise:** Rekor log contains a valid signature for a production
397
+ artifact from a certificate identity that does not match any known CI workflow URL. This
398
+ indicates either a key leak or an unauthorized signing event — the entire artifact fleet
399
+ may be compromised.
400
+
401
+ 2. **Backdoored dependency already deployed to production:** A dependency in the production
402
+ SBOM matches a known-malicious package hash (e.g., cross-referenced against OSS-Fuzz or
403
+ the OSV database) and the artifact is currently running in production. Immediate incident
404
+ response, not a scheduled fix.
405
+
406
+ 3. **Non-reproducible build with provenance mismatch:** The signed provenance claims a
407
+ specific source commit and build configuration, but a reproducibility attempt produces a
408
+ different artifact digest. This indicates the build was tampered between source and
409
+ publish — a SolarWinds-class event.
410
+
411
+ 4. **Registry tag reassignment detected:** The digest currently pointed to by a production
412
+ tag differs from the digest recorded at deployment time in the deployment manifest or
413
+ GitOps repo. An image has been silently swapped in production.
414
+
415
+ 5. **CI pipeline exfiltrating secrets to external endpoint:** Build logs or CI network traces
416
+ show outbound connections to non-whitelisted external IPs or domains during the signing or
417
+ build step. This indicates a compromised action or poisoned build environment.
418
+
419
+ 6. **Transitive dependency with RCE vulnerability (CVSS >= 9.0) in production SBOM:** The
420
+ SBOM cross-reference against OSV/NVD returns a critical RCE CVE for a component that is
421
+ loaded in the production artifact's runtime execution path (not dev-only).
422
+
423
+ 7. **SLSA provenance for a production release is entirely absent:** A production artifact
424
+ that customers receive has no provenance attestation of any kind. In regulated environments
425
+ (FedRAMP, PCI DSS 4.0), this alone is a compliance blocker that may require a release
426
+ recall or emergency patch.
427
+
428
+ 8. **Over-permissioned CI role with production write access AND recent credential rotation
429
+ failure:** The CI service account has not rotated credentials in over 90 days AND has write
430
+ access to production registries. Combined with any other finding, this represents an
431
+ unacceptably wide blast radius for a single compromised CI run.
432
+
433
+ ---
434
+
435
+ ## §EDGE-CASE-MATRIX
436
+
437
+ The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
438
+
439
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
440
+ |---|-----------|----------------------|---------------|
441
+ | 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
442
+ | 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
443
+ | 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
444
+ | 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
445
+ | 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
446
+
447
+ ---
448
+
449
+ ## §TEMPORAL-THREATS
450
+
451
+ Threats materialising in the 2025–2030 window that defences designed today must account for.
452
+
453
+ | Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
454
+ |--------|--------------|--------------------------|----------------|
455
+ | Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
456
+ | AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
457
+ | EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
458
+ | Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
459
+ | Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
460
+
461
+ ---
462
+
463
+ ## §DETECTION-GAP
464
+
465
+ What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
466
+
467
+ **Standard gaps that MUST be checked:**
468
+
469
+ - **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
470
+ - **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
471
+ - **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
472
+ - **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
473
+ - **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
474
+
475
+ **Artifact-integrity-specific gaps:**
476
+
477
+ - **Silent tag reassignment in registries**: Standard CloudTrail/Audit Logs capture `PutImage` events but do not diff tag-to-digest mappings. Need: a scheduled Lambda/Cloud Function that polls each production tag's digest and alerts on any change not initiated by a known CI run.
478
+ - **SBOM drift between release and runtime**: The signed SBOM reflects the artifact at build time; packages installed post-deployment (e.g., via entrypoint scripts) are invisible. Need: runtime SBOM diffing using Falco or Tetragon to detect new file writes to dependency directories after container start.
479
+ - **Compromised transparency log entry**: Rekor is append-only but its consistency proof requires active monitoring. A client that never checks the inclusion proof can be served a forged log by a MitM. Need: automated `rekor-monitor` deployment that continuously verifies the log's consistency tree.
480
+
481
+ ---
482
+
483
+ ## §ZERO-MISS-MANDATE
484
+
485
+ This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
486
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
487
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
488
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
489
+
490
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
491
+
492
+ The output findings JSON MUST include a `coverageManifest` key:
493
+ ```json
494
+ {
495
+ "coverageManifest": {
496
+ "attackClassesCovered": [{ "class": "Mutable Action Reference", "filesReviewed": 12, "patterns": ["uses:.*@(?![0-9a-f]{40})"], "result": "CLEAN" }],
497
+ "filesReviewed": 47,
498
+ "negativeAssertions": ["Mutable action references: searched 12 workflow files — 0 unpinned references"],
499
+ "uncoveredReason": {}
500
+ }
501
+ }
502
+ ```
503
+
504
+ ---
505
+
506
+ ## LEARNING SIGNAL
507
+
508
+ On every finding resolved, emit:
509
+ ```json
510
+ {
511
+ "findingId": "FINDING_ID",
512
+ "agentName": "artifact-integrity-analyst",
513
+ "resolved": true,
514
+ "remediationTemplate": "one-line description of what was done",
515
+ "falsePositive": false
516
+ }
517
+ ```
518
+ Call `security.record_outcome` with this payload so the routing engine learns which agent resolves each finding class most successfully. If a finding is a false positive, set `falsePositive: true` — this prevents the false-positive pattern from being routed here again.