mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-13 19:05:17 +03:00
Expand 4 remaining SKILL.md stubs with researched content
This commit is contained in:
@@ -14,20 +14,190 @@ license: Apache-2.0
|
||||
|
||||
# Implementing DevSecOps Security Scanning
|
||||
|
||||
Automate SAST, SCA, container image, and secret scanning in CI/CD
|
||||
pipelines with fail/pass gates based on severity thresholds.
|
||||
|
||||
|
||||
## When to Use
|
||||
|
||||
- When deploying or configuring implementing devsecops security scanning capabilities in your environment
|
||||
- When establishing security controls aligned to compliance requirements
|
||||
- When building or improving security architecture for this domain
|
||||
- When conducting security assessments that require this implementation
|
||||
- Setting up automated security scanning in a new or existing CI/CD pipeline
|
||||
- Shifting security left by catching vulnerabilities before production
|
||||
- Meeting compliance requirements (SOC 2, PCI-DSS, ISO 27001) mandating automated security testing
|
||||
- Integrating SAST, DAST, and SCA for comprehensive application security coverage
|
||||
- Establishing security gates that block deployments with critical/high vulnerabilities
|
||||
|
||||
**Do not use** as a replacement for manual penetration testing. Automated scanning catches common patterns but cannot replace human-driven assessments for business logic flaws.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Familiarity with application security concepts and tools
|
||||
- Access to a test or lab environment for safe execution
|
||||
- Python 3.8+ with required dependencies installed
|
||||
- Appropriate authorization for any testing activities
|
||||
- CI/CD platform: GitHub Actions, GitLab CI, Jenkins, or Azure DevOps
|
||||
- Container runtime (Docker) for running scanning tools
|
||||
- A staging environment URL for DAST scanning
|
||||
- Tool requirements: Semgrep (free), Trivy (free), OWASP ZAP (free), Gitleaks (free)
|
||||
|
||||
## Workflow
|
||||
|
||||
### Step 1: Add Secrets Detection with Gitleaks
|
||||
|
||||
```yaml
|
||||
# .github/workflows/security.yml
|
||||
name: DevSecOps Security Pipeline
|
||||
on:
|
||||
push:
|
||||
branches: [main, develop]
|
||||
pull_request:
|
||||
branches: [main]
|
||||
|
||||
jobs:
|
||||
secrets-scan:
|
||||
name: Secrets Detection (Gitleaks)
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- name: Run Gitleaks
|
||||
uses: gitleaks/gitleaks-action@v2
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
```
|
||||
|
||||
### Step 2: Add SAST Scanning with Semgrep
|
||||
|
||||
```yaml
|
||||
sast-scan:
|
||||
name: SAST (Semgrep)
|
||||
runs-on: ubuntu-latest
|
||||
container:
|
||||
image: semgrep/semgrep
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Run Semgrep SAST scan
|
||||
run: |
|
||||
semgrep scan \
|
||||
--config p/security-audit \
|
||||
--config p/owasp-top-ten \
|
||||
--severity ERROR \
|
||||
--error \
|
||||
--json --output semgrep-results.json .
|
||||
- uses: actions/upload-artifact@v4
|
||||
if: always()
|
||||
with:
|
||||
name: semgrep-results
|
||||
path: semgrep-results.json
|
||||
```
|
||||
|
||||
### Step 3: Add SCA and Container Scanning with Trivy
|
||||
|
||||
```yaml
|
||||
sca-scan:
|
||||
name: SCA & Container Scan (Trivy)
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Trivy filesystem scan (dependencies)
|
||||
uses: aquasecurity/trivy-action@0.28.0
|
||||
with:
|
||||
scan-type: 'fs'
|
||||
scan-ref: '.'
|
||||
severity: 'CRITICAL,HIGH'
|
||||
exit-code: '1'
|
||||
format: 'json'
|
||||
output: 'trivy-fs-results.json'
|
||||
- name: Build and scan container image
|
||||
run: |
|
||||
docker build -t app:${{ github.sha }} .
|
||||
- uses: aquasecurity/trivy-action@0.28.0
|
||||
with:
|
||||
image-ref: 'app:${{ github.sha }}'
|
||||
severity: 'CRITICAL,HIGH'
|
||||
exit-code: '1'
|
||||
```
|
||||
|
||||
### Step 4: Add DAST Scanning with OWASP ZAP
|
||||
|
||||
```yaml
|
||||
dast-scan:
|
||||
name: DAST (OWASP ZAP)
|
||||
runs-on: ubuntu-latest
|
||||
needs: [deploy-staging]
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: ZAP Baseline Scan
|
||||
uses: zaproxy/action-baseline@v0.14.0
|
||||
with:
|
||||
target: ${{ vars.STAGING_URL }}
|
||||
rules_file_name: '.zap/rules.tsv'
|
||||
```
|
||||
|
||||
Configure `.zap/rules.tsv` alert thresholds:
|
||||
|
||||
```tsv
|
||||
40012 FAIL (Cross Site Scripting - Reflected)
|
||||
40014 FAIL (Cross Site Scripting - Persistent)
|
||||
40018 FAIL (SQL Injection)
|
||||
90019 FAIL (Server Side Code Injection)
|
||||
10038 FAIL (Content Security Policy Header Not Set)
|
||||
```
|
||||
|
||||
### Step 5: Enforce Security Gates
|
||||
|
||||
```yaml
|
||||
security-gate:
|
||||
name: Security Gate
|
||||
runs-on: ubuntu-latest
|
||||
needs: [secrets-scan, sast-scan, sca-scan]
|
||||
if: always()
|
||||
steps:
|
||||
- name: Check scan results
|
||||
run: |
|
||||
if [[ "${{ needs.secrets-scan.result }}" == "failure" ]]; then
|
||||
echo "BLOCKED: Secrets detected"; exit 1
|
||||
fi
|
||||
if [[ "${{ needs.sast-scan.result }}" == "failure" ]]; then
|
||||
echo "BLOCKED: SAST critical/high findings"; exit 1
|
||||
fi
|
||||
if [[ "${{ needs.sca-scan.result }}" == "failure" ]]; then
|
||||
echo "BLOCKED: Vulnerable dependencies"; exit 1
|
||||
fi
|
||||
echo "All security gates passed"
|
||||
```
|
||||
|
||||
### Step 6: Configure Pre-commit Hooks
|
||||
|
||||
```yaml
|
||||
# .pre-commit-config.yaml
|
||||
repos:
|
||||
- repo: https://github.com/gitleaks/gitleaks
|
||||
rev: v8.22.1
|
||||
hooks:
|
||||
- id: gitleaks
|
||||
- repo: https://github.com/semgrep/semgrep
|
||||
rev: v1.102.0
|
||||
hooks:
|
||||
- id: semgrep
|
||||
args: ['--config', 'p/security-audit', '--error']
|
||||
```
|
||||
|
||||
```bash
|
||||
pip install pre-commit
|
||||
pre-commit install
|
||||
pre-commit run --all-files
|
||||
```
|
||||
|
||||
## Key Concepts
|
||||
|
||||
| Term | Definition |
|
||||
|------|------------|
|
||||
| **SAST** | Static Application Security Testing - analyzes source code without execution |
|
||||
| **DAST** | Dynamic Application Security Testing - tests running applications |
|
||||
| **SCA** | Software Composition Analysis - scans dependencies for known vulnerabilities |
|
||||
| **SBOM** | Software Bill of Materials - inventory of all components |
|
||||
| **Shift Left** | Moving security testing earlier in the SDLC |
|
||||
| **Security Gate** | CI/CD checkpoint blocking deployment on scan failures |
|
||||
|
||||
## Verification
|
||||
|
||||
- [ ] Gitleaks blocks commits containing hardcoded secrets
|
||||
- [ ] Semgrep runs on every PR and reports findings
|
||||
- [ ] Trivy detects known-vulnerable dependencies
|
||||
- [ ] OWASP ZAP baseline scan runs against staging URL
|
||||
- [ ] Security gate blocks merges when critical/high findings exist
|
||||
- [ ] Branch protection rules enforce required status checks
|
||||
- [ ] Pre-commit hooks catch issues locally before push
|
||||
|
||||
Reference in New Issue
Block a user