Initial commit - 611 cybersecurity skills across all subdomains

2026-06-16 07:53:18 +03:00 · 2026-02-25 10:47:44 +01:00
commit 22a7ab1462
1765 changed files with 280648 additions and 0 deletions
@@ -0,0 +1,46 @@
+# Standards Reference: IaC Security Scanning
+
+## CIS Cloud Benchmarks
+
+### CIS AWS Foundations Benchmark v3.0
+- Maps directly to Checkov CKV_AWS_* checks
+- Covers IAM, logging, monitoring, networking, and storage security
+- Automated scanning validates 100+ benchmark controls
+
+### CIS Azure Foundations Benchmark v2.1
+- Maps to Checkov CKV_AZURE_* checks
+- Covers identity, security center, storage, database, and network controls
+
+### CIS GCP Foundations Benchmark v2.0
+- Maps to Checkov CKV_GCP_* checks
+- Covers IAM, logging, networking, VM, storage, and database controls
+
+## NIST SP 800-53 Mapping
+
+| NIST Control | IaC Check | Checkov ID |
+|-------------|-----------|------------|
+| AC-3 Access Enforcement | S3 bucket public access | CKV_AWS_18, CKV_AWS_20 |
+| AU-2 Audit Events | CloudTrail enabled | CKV_AWS_35 |
+| SC-8 Transmission Confidentiality | HTTPS/TLS enforcement | CKV_AWS_2 |
+| SC-28 Protection at Rest | Encryption at rest | CKV_AWS_19, CKV_AWS_17 |
+| SI-4 System Monitoring | CloudWatch/logging | CKV_AWS_24, CKV_AWS_66 |
+
+## OWASP SAMM - Secure Architecture
+
+### Security Architecture Level 2
+- Validate infrastructure configurations against security standards before deployment
+- Use automated tools to enforce architecture security requirements
+
+### Security Architecture Level 3
+- Custom policies encode organization-specific architecture requirements
+- Continuous validation prevents configuration drift from approved patterns
+
+## NIST SSDF (SP 800-218)
+
+### PO.1: Define Security Requirements
+- IaC security policies translate security requirements into enforceable checks
+- Custom policies capture organization-specific requirements
+
+### PW.5: Configure Software Securely
+- PW.5.1: Configure software to have secure settings by default
+- IaC scanning enforces secure defaults in infrastructure provisioning
@@ -0,0 +1,76 @@
+# Workflow Reference: IaC Security Scanning
+
+## IaC Scanning Pipeline
+
+```
+Terraform/IaC Code Change
+       │
+       ▼
+┌──────────────────┐
+│ PR Created       │
+└──────┬───────────┘
+       │
+       ├──────────────────────┐
+       ▼                      ▼
+┌──────────────┐    ┌──────────────┐
+│ Checkov      │    │ tfsec        │
+│ (2500+ rules)│    │ (Terraform)  │
+└──────┬───────┘    └──────┬───────┘
+       │                    │
+       └──────────┬─────────┘
+                  ▼
+       ┌──────────────────┐
+       │ SARIF Upload     │
+       │ to GitHub        │
+       └──────┬───────────┘
+              │
+              ▼
+       ┌──────────────────┐
+       │ Quality Gate     │
+       │ (Block on HIGH+) │
+       └──────┬───────────┘
+              │
+    ┌─────────┴──────────┐
+    ▼                    ▼
+ PASS                  FAIL
+ terraform apply      Block merge
+ permitted            + Fix required
+```
+
+## Checkov Command Reference
+
+| Command | Purpose |
+|---------|---------|
+| `checkov -d ./terraform/` | Scan directory |
+| `checkov -f main.tf` | Scan single file |
+| `checkov -f tfplan.json --framework terraform_plan` | Scan Terraform plan |
+| `checkov --list` | List all available checks |
+| `checkov -d . --check CKV_AWS_18` | Run specific check |
+| `checkov -d . --skip-check CKV_AWS_145` | Skip specific check |
+| `checkov -d . --bc-api-key KEY` | Upload to Bridgecrew |
+| `checkov -d . --create-baseline` | Create baseline file |
+| `checkov -d . --baseline BASELINE` | Scan against baseline |
+| `checkov -d . --external-checks-dir ./custom/` | Use custom checks |
+| `checkov -d . --compact` | Compact output |
+| `checkov -d . --output sarif` | SARIF format output |
+
+## Common Misconfigurations by Cloud Provider
+
+### AWS Top 10 IaC Misconfigurations
+1. S3 bucket public access enabled (CKV_AWS_18, CKV_AWS_20)
+2. Security group with open ingress 0.0.0.0/0 (CKV_AWS_23)
+3. RDS instance not encrypted (CKV_AWS_16)
+4. CloudTrail not enabled (CKV_AWS_35)
+5. EBS volume not encrypted (CKV_AWS_3)
+6. IAM policy with wildcard actions (CKV_AWS_1)
+7. ALB not using HTTPS (CKV_AWS_2)
+8. CloudWatch logs not encrypted (CKV_AWS_24)
+9. IMDSv2 not required (CKV_AWS_79)
+10. VPC flow logs not enabled (CKV_AWS_9)
+
+### Kubernetes Top Misconfigurations
+1. Container running as root (CKV_K8S_6)
+2. Privileged container (CKV_K8S_16)
+3. No resource limits (CKV_K8S_11, CKV_K8S_13)
+4. No readiness/liveness probes (CKV_K8S_9)
+5. hostNetwork enabled (CKV_K8S_19)