Initial commit - 611 cybersecurity skills across all subdomains

This commit is contained in:
mukul975
2026-02-25 10:47:44 +01:00
commit 22a7ab1462
1765 changed files with 280648 additions and 0 deletions
@@ -0,0 +1,34 @@
# Standards Reference for Container Scanning
## NIST SP 800-190: Application Container Security Guide
| Recommendation | Trivy Coverage |
|---------------|---------------|
| 4.1 Image vulnerabilities | CVE scanning of OS packages and app dependencies |
| 4.2 Image configuration defects | IaC misconfig scanning of Dockerfiles |
| 4.3 Embedded malware | Secret scanning detects embedded credentials |
| 4.4 Embedded cleartext secrets | Secret scanner with regex and entropy detection |
| 4.5 Use of untrusted images | Registry scanning and image provenance verification |
## CIS Docker Benchmark v1.6 Alignment
| CIS Control | Trivy Check |
|-------------|-------------|
| 4.1 Ensure image is created from a trusted base | Base image vulnerability scanning |
| 4.3 Ensure unnecessary packages are not installed | SBOM generation reveals full package inventory |
| 4.6 Add HEALTHCHECK instruction | Dockerfile misconfiguration check |
| 4.9 Ensure COPY instead of ADD | Dockerfile misconfiguration check |
| 4.10 Ensure secrets are not stored in Dockerfiles | Secret detection in filesystem scan |
## Vulnerability Database Sources
| Source | Coverage | Update Frequency |
|--------|----------|------------------|
| NVD (NIST) | All CVEs | Continuous |
| Alpine SecDB | Alpine Linux packages | Daily |
| Debian Security Tracker | Debian packages | Daily |
| Ubuntu CVE Tracker | Ubuntu packages | Daily |
| Red Hat OVAL | RHEL/CentOS packages | Daily |
| GitHub Advisory Database | Language packages | Continuous |
| Go Vulnerability Database | Go modules | Continuous |
| RustSec Advisory Database | Rust crates | Continuous |
@@ -0,0 +1,58 @@
# Aqua Security Container Scanning Workflows
## Workflow 1: CI/CD Image Gate
```
Developer commits code
|
Docker image built in CI
|
Trivy scans image for vulnerabilities
|
[No Critical/High] --> Image pushed to registry
[Critical found] --> Pipeline fails, image rejected
|
SBOM generated and stored alongside image
|
Image tagged with scan metadata
|
Kubernetes admission controller validates scan results
|
Deployment proceeds only with scanned images
```
## Workflow 2: Registry Continuous Scanning
```
New image pushed to container registry
|
Trivy Operator detects new image tag
|
Scheduled scan triggered
|
VulnerabilityReport CR created in cluster
|
New CVE published in NVD
|
Re-scan of all running images
|
Alert generated for newly affected images
|
Remediation ticket created automatically
```
## Workflow 3: SBOM-Based Vulnerability Tracking
```
Image scanned, SBOM generated (CycloneDX/SPDX)
|
SBOM stored in artifact repository
|
New CVE published
|
SBOM re-scanned without rebuilding image
|
Affected images identified across fleet
|
Prioritized patching based on exposure and severity
```