Production hardening: security fixes, code quality, 724 skills complete

- Fix 25 shell=True subprocess calls with list-based commands
- Fix 49 verify=False in defensive skills (env-var override)
- Add timeout to 231 HTTP/subprocess/socket calls
- Fix 6 SQL injection patterns with whitelist validation
- Replace 8 __import__() with standard imports
- Remove 701 unused imports across 442 files
- Add authorized-testing disclaimers to all offensive skills
- Complete 11 incomplete skill directories
- Expand 10 stub SKILL.md files with full content
- Fix 2 YAML parse errors in frontmatter
- Fix 5 pre-existing syntax errors
- Convert 22 hardcoded paths/ports to environment variables
- Back up 21 redundant skill pairs to .bak
- Fix 2 global declaration errors
- 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE)
- 0 compile errors across all 724 agent.py files
This commit is contained in:
mukul975
2026-03-19 13:26:49 +01:00
parent 63b442d347
commit c47eed6a64
900 changed files with 23085 additions and 2720 deletions
@@ -0,0 +1,74 @@
# API Reference: Building Cloud Security Posture Management
## boto3 - AWS CSPM Checks
### S3 Public Access
```python
s3 = boto3.client("s3")
pab = s3.get_public_access_block(Bucket="my-bucket")
config = pab["PublicAccessBlockConfiguration"]
```
### Unencrypted EBS Volumes
```python
ec2 = boto3.client("ec2")
for vol in ec2.describe_volumes()["Volumes"]:
if not vol["Encrypted"]:
print(f"Unencrypted: {vol['VolumeId']}")
```
### Open Security Groups
```python
for sg in ec2.describe_security_groups()["SecurityGroups"]:
for rule in sg["IpPermissions"]:
for ip in rule.get("IpRanges", []):
if ip["CidrIp"] == "0.0.0.0/0":
print(f"OPEN: {sg['GroupId']} port {rule['FromPort']}")
```
### IAM Users Without MFA
```python
iam = boto3.client("iam")
for user in iam.list_users()["Users"]:
mfa = iam.list_mfa_devices(UserName=user["UserName"])["MFADevices"]
if not mfa:
print(f"No MFA: {user['UserName']}")
```
### Public RDS Instances
```python
rds = boto3.client("rds")
for db in rds.describe_db_instances()["DBInstances"]:
if db["PubliclyAccessible"]:
print(f"Public RDS: {db['DBInstanceIdentifier']}")
```
## Key CSPM Checks
| Check | Service | boto3 Method |
|-------|---------|-------------|
| Public S3 | S3 | `get_public_access_block()` |
| Unencrypted EBS | EC2 | `describe_volumes()` |
| Open SGs | EC2 | `describe_security_groups()` |
| No MFA | IAM | `list_mfa_devices()` |
| Public RDS | RDS | `describe_db_instances()` |
| CloudTrail | CloudTrail | `describe_trails()` |
## Steampipe (SQL-Based CSPM)
```sql
select name, region, server_side_encryption_configuration
from aws_s3_bucket
where server_side_encryption_configuration is null;
```
### References
- boto3: https://boto3.amazonaws.com/v1/documentation/api/latest/
- Prowler: https://github.com/prowler-cloud/prowler
- Steampipe: https://steampipe.io/