mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-18 21:49:40 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,48 @@
|
||||
# Standards and Compliance Reference
|
||||
|
||||
## OWASP DevSecOps Pipeline Maturity Model
|
||||
|
||||
| Level | SAST | DAST | SCA | Container | Secrets | License |
|
||||
|-------|------|------|-----|-----------|---------|---------|
|
||||
| Level 1 (Basic) | Manual runs | None | Manual dependency check | None | Pre-commit hooks | None |
|
||||
| Level 2 (Integrated) | CI-triggered on MR | Scheduled scans | CI-triggered | Image scan on build | CI scan on commits | CI-triggered |
|
||||
| Level 3 (Enforced) | Required for merge | Gate before deploy | Block on critical CVE | Block vulnerable images | Push protection | Policy enforcement |
|
||||
| Level 4 (Optimized) | Custom rules, tuned FP | Authenticated full scan | Auto-remediation PRs | Signed images only | Auto-rotation | SBOM generation |
|
||||
|
||||
## NIST SP 800-218 (SSDF) Mapping
|
||||
|
||||
| SSDF Practice | GitLab Feature | Pipeline Stage |
|
||||
|---------------|----------------|----------------|
|
||||
| PO.1 Define security requirements | Security policies | Policy configuration |
|
||||
| PW.1 Design software securely | Threat modeling integration | Pre-build |
|
||||
| PW.4 Reuse well-secured software | Dependency scanning | Security stage |
|
||||
| PW.5 Create source code securely | SAST, secret detection | Security stage |
|
||||
| PW.7 Review and test code | MR security widget | Merge request |
|
||||
| PW.8 Test executable code | DAST | Post-deploy staging |
|
||||
| PW.9 Configure software securely | Container scanning | Security stage |
|
||||
| RV.1 Identify vulnerabilities | Vulnerability report | Dashboard |
|
||||
| RV.2 Assess and prioritize | Severity classification | Triage workflow |
|
||||
| RV.3 Remediate vulnerabilities | Issue tracking integration | Sprint planning |
|
||||
|
||||
## CIS Software Supply Chain Security
|
||||
|
||||
- **SCS-1**: Secure source code management with protected branches and signed commits
|
||||
- **SCS-2**: Secure build pipelines with pinned template versions and runner isolation
|
||||
- **SCS-3**: Verified dependencies through dependency scanning and license compliance
|
||||
- **SCS-4**: Secure artifacts with container scanning and signed images
|
||||
- **SCS-5**: Deployment security with manual gates and environment approvals
|
||||
|
||||
## GitLab Scanner Coverage Matrix
|
||||
|
||||
| Vulnerability Type | Primary Scanner | Secondary Scanner |
|
||||
|--------------------|-----------------|-------------------|
|
||||
| SQL Injection | SAST (Semgrep) | DAST |
|
||||
| XSS | SAST | DAST |
|
||||
| SSRF | SAST | DAST |
|
||||
| Command Injection | SAST | DAST |
|
||||
| Insecure Deserialization | SAST | N/A |
|
||||
| Known CVE in dependency | Dependency Scanning | Container Scanning |
|
||||
| Hardcoded credentials | Secret Detection | SAST |
|
||||
| License violation | License Scanning | N/A |
|
||||
| OS-level CVE in image | Container Scanning | N/A |
|
||||
| Authentication flaws | DAST | SAST |
|
||||
@@ -0,0 +1,84 @@
|
||||
# GitLab DevSecOps Pipeline Workflows
|
||||
|
||||
## Workflow 1: Merge Request Security Review
|
||||
|
||||
```
|
||||
Developer creates merge request
|
||||
|
|
||||
Pipeline triggers security scanners in parallel:
|
||||
[SAST] [Secret Detection] [Dependency Scanning] [License Scanning]
|
||||
|
|
||||
MR Security Widget displays results:
|
||||
- New vulnerabilities introduced
|
||||
- Existing vulnerabilities fixed
|
||||
- Comparison with target branch
|
||||
|
|
||||
[No Critical/High] --> Reviewers can approve and merge
|
||||
[Critical/High found] --> MR blocked by approval policy
|
||||
|
|
||||
Security team reviews findings
|
||||
|
|
||||
[Confirmed] --> Developer remediates and re-pushes
|
||||
[False Positive] --> Dismissed with documented reason
|
||||
|
|
||||
All findings resolved --> MR eligible for merge
|
||||
```
|
||||
|
||||
## Workflow 2: Container Image Security Gate
|
||||
|
||||
```
|
||||
Docker image built in CI
|
||||
|
|
||||
Container scanning (Trivy) analyzes image layers
|
||||
|
|
||||
Findings categorized by severity
|
||||
|
|
||||
[Below threshold] --> Image pushed to registry with metadata
|
||||
[Above threshold] --> Pipeline fails, image not pushed
|
||||
|
|
||||
Registry stores scan results as artifact
|
||||
|
|
||||
Deployment pulls only scanned/approved images
|
||||
```
|
||||
|
||||
## Workflow 3: DAST Against Staging Environment
|
||||
|
||||
```
|
||||
Application deployed to staging
|
||||
|
|
||||
DAST browser scan initiated against staging URL
|
||||
|
|
||||
Authenticated scan crawls application pages
|
||||
|
|
||||
Active testing for XSS, SQLi, CSRF, etc.
|
||||
|
|
||||
Results added to vulnerability report
|
||||
|
|
||||
[Pass] --> Manual deploy-to-production gate enabled
|
||||
[Fail on critical] --> Staging deployment rolled back
|
||||
|
|
||||
Production deploy requires manual approval
|
||||
```
|
||||
|
||||
## Workflow 4: Vulnerability Lifecycle Management
|
||||
|
||||
```
|
||||
Scanner detects vulnerability
|
||||
|
|
||||
Status: "Detected" in vulnerability report
|
||||
|
|
||||
Security analyst triages finding
|
||||
|
|
||||
[Confirmed vulnerability] [False positive]
|
||||
| |
|
||||
Status: "Confirmed" Status: "Dismissed"
|
||||
Issue created automatically Reason documented
|
||||
|
|
||||
Developer assigned fix
|
||||
|
|
||||
Fix merged, scanner re-runs
|
||||
|
|
||||
Vulnerability no longer detected
|
||||
|
|
||||
Status: "Resolved"
|
||||
```
|
||||
Reference in New Issue
Block a user