mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-19 05:59:40 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,34 @@
|
||||
# Standards Reference for Container Scanning
|
||||
|
||||
## NIST SP 800-190: Application Container Security Guide
|
||||
|
||||
| Recommendation | Trivy Coverage |
|
||||
|---------------|---------------|
|
||||
| 4.1 Image vulnerabilities | CVE scanning of OS packages and app dependencies |
|
||||
| 4.2 Image configuration defects | IaC misconfig scanning of Dockerfiles |
|
||||
| 4.3 Embedded malware | Secret scanning detects embedded credentials |
|
||||
| 4.4 Embedded cleartext secrets | Secret scanner with regex and entropy detection |
|
||||
| 4.5 Use of untrusted images | Registry scanning and image provenance verification |
|
||||
|
||||
## CIS Docker Benchmark v1.6 Alignment
|
||||
|
||||
| CIS Control | Trivy Check |
|
||||
|-------------|-------------|
|
||||
| 4.1 Ensure image is created from a trusted base | Base image vulnerability scanning |
|
||||
| 4.3 Ensure unnecessary packages are not installed | SBOM generation reveals full package inventory |
|
||||
| 4.6 Add HEALTHCHECK instruction | Dockerfile misconfiguration check |
|
||||
| 4.9 Ensure COPY instead of ADD | Dockerfile misconfiguration check |
|
||||
| 4.10 Ensure secrets are not stored in Dockerfiles | Secret detection in filesystem scan |
|
||||
|
||||
## Vulnerability Database Sources
|
||||
|
||||
| Source | Coverage | Update Frequency |
|
||||
|--------|----------|------------------|
|
||||
| NVD (NIST) | All CVEs | Continuous |
|
||||
| Alpine SecDB | Alpine Linux packages | Daily |
|
||||
| Debian Security Tracker | Debian packages | Daily |
|
||||
| Ubuntu CVE Tracker | Ubuntu packages | Daily |
|
||||
| Red Hat OVAL | RHEL/CentOS packages | Daily |
|
||||
| GitHub Advisory Database | Language packages | Continuous |
|
||||
| Go Vulnerability Database | Go modules | Continuous |
|
||||
| RustSec Advisory Database | Rust crates | Continuous |
|
||||
@@ -0,0 +1,58 @@
|
||||
# Aqua Security Container Scanning Workflows
|
||||
|
||||
## Workflow 1: CI/CD Image Gate
|
||||
|
||||
```
|
||||
Developer commits code
|
||||
|
|
||||
Docker image built in CI
|
||||
|
|
||||
Trivy scans image for vulnerabilities
|
||||
|
|
||||
[No Critical/High] --> Image pushed to registry
|
||||
[Critical found] --> Pipeline fails, image rejected
|
||||
|
|
||||
SBOM generated and stored alongside image
|
||||
|
|
||||
Image tagged with scan metadata
|
||||
|
|
||||
Kubernetes admission controller validates scan results
|
||||
|
|
||||
Deployment proceeds only with scanned images
|
||||
```
|
||||
|
||||
## Workflow 2: Registry Continuous Scanning
|
||||
|
||||
```
|
||||
New image pushed to container registry
|
||||
|
|
||||
Trivy Operator detects new image tag
|
||||
|
|
||||
Scheduled scan triggered
|
||||
|
|
||||
VulnerabilityReport CR created in cluster
|
||||
|
|
||||
New CVE published in NVD
|
||||
|
|
||||
Re-scan of all running images
|
||||
|
|
||||
Alert generated for newly affected images
|
||||
|
|
||||
Remediation ticket created automatically
|
||||
```
|
||||
|
||||
## Workflow 3: SBOM-Based Vulnerability Tracking
|
||||
|
||||
```
|
||||
Image scanned, SBOM generated (CycloneDX/SPDX)
|
||||
|
|
||||
SBOM stored in artifact repository
|
||||
|
|
||||
New CVE published
|
||||
|
|
||||
SBOM re-scanned without rebuilding image
|
||||
|
|
||||
Affected images identified across fleet
|
||||
|
|
||||
Prioritized patching based on exposure and severity
|
||||
```
|
||||
Reference in New Issue
Block a user