mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-26 11:44:37 +03:00
8cae0648ec
Demand-driven expansion targeting the fastest-growing 2025-2026 threat and
skills categories (ISC2/WEF/CrowdStrike/Mandiant signals):
- AI Security (NEW domain, 12 skills): LLM red-teaming with garak/PyRIT,
prompt injection (direct/indirect/RAG), MCP tool-poisoning, agentic tool
invocation, guardrails, model/data poisoning, system-prompt leakage,
embedding/vector weaknesses, model extraction, continuous red-teaming
- Supply Chain Security (NEW domain, 5 skills): SBOMs, dependency confusion,
malicious-npm triage, typosquatting, SLSA/Sigstore provenance
- Hardware & Firmware Security (NEW domain, 4 skills): CHIPSEC/UEFI audit,
Secure Boot bypass, TPM measured-boot attestation, ESP bootkit hunting
- Identity (10): Entra ID/ROADtools, GraphRunner, AADInternals, ADCS/Certipy,
shadow credentials, coercion, BloodHound CE, device-code phishing, SSO abuse
- Cloud-native (8): Stratus, Pacu, CloudFox, container escape, K8s RBAC,
Falco, Trivy, kube-bench
- Offensive C2 (6): Sliver, Havoc, NetExec, DPAPI, NTLM relay ESC8, redirectors
- DFIR (6): Hayabusa, Chainsaw, KAPE, Velociraptor, EZ Tools, Plaso
- Backfill (4): OpenCTI, MISP, honeytokens, post-quantum crypto migration
Each skill follows the repo taxonomy (SKILL.md + references/{standards,api-reference}.md
+ scripts/agent.py + LICENSE), with researched real tool commands (no placeholders),
complete frontmatter, and ATT&CK/ATLAS + NIST CSF mappings. Updates README domain
table, skill count, and index.json.
SBOM Toolchain Command Reference
Syft (SBOM generation)
Source prefixes: <image> (default = container image), dir:<path>, file:<path>,
registry:<image>, docker:<image>, oci-archive:<path>.
| Flag / form | Purpose |
|---|---|
| `-o <format>[=<file>]` | Output format and optional file |
| `--scope <squashed\|all-layers>` | Layer scope for images |
| `--exclude <glob>` | Exclude paths |
| `syft <src> -o table` | Human-readable summary |
Common -o formats: cyclonedx-json, cyclonedx-xml, spdx-json, spdx (tag-value), syft-json, table.
```bash
syft alpine:latest -o cyclonedx-json=alpine.cdx.json
syft dir:. -o spdx-json=app.spdx.json
syft myorg/app:1.4.2 -o cyclonedx-json=app.cdx.json -o spdx-json=app.spdx.json -o table
```
Grype (vulnerability scanning)
Source prefixes: sbom:<file>, <image>, dir:<path>, registry:<image>.
| Flag | Purpose |
|---|---|
| `-o <format>` | table, json, cyclonedx, sarif |
| `--fail-on <severity>` | Exit non-zero at/above severity (`low\|medium\|high\|critical`) |
| `--only-fixed` | Report only vulns with a fix available |
| `--add-cpes-if-none` | Improve matching for SBOMs lacking CPEs |
| `db update` | Update the vulnerability database |
```bash
grype sbom:app.cdx.json -o table
grype sbom:app.cdx.json -o json > app.vulns.json
grype sbom:app.cdx.json --only-fixed --fail-on critical
grype myorg/app:1.4.2 -o table
grype db update
```
Cosign (signing / attestation)
| Command | Purpose |
|---|---|
| `cosign attest --key <key> --predicate <sbom> --type <type> <image>` | Attach signed SBOM attestation |
| `cosign verify-attestation --key <pub> --type <type> <image>` | Verify attestation |
| `cosign download attestation <image>` | Retrieve attached attestation |
| `cosign generate-key-pair` | Create signing keys |
--type values: spdxjson, cyclonedx, slsaprovenance, or a custom URI.
Keyless mode: set COSIGN_EXPERIMENTAL=1 and omit --key (uses Fulcio/Rekor).
```bash
cosign attest --key cosign.key --predicate app.spdx.json --type spdxjson myorg/app:1.4.2
cosign verify-attestation --key cosign.pub --type spdxjson myorg/app:1.4.2
cosign download attestation myorg/app:1.4.2
```
Policy file (.grype.yaml)
```yaml
only-fixed: true
fail-on-severity: high
ignore:
  - vulnerability: CVE-2024-0000 # documented, risk-accepted
```
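An added example (not part of the repository's reference) that models how the three policy settings above combine when applied to a report saved with `grype ... -o json`, so a reviewer can see which findings block a build and which the policy hides. The `matches[].vulnerability` / `artifact` field layout follows Grype's JSON output; the evaluation order is an assumption made for illustration, and the report contents, `CVE-EXAMPLE-*` ids and package names are constructed.

```python
import json

# Severity ranking, lowest to highest, for the labels used in Grype JSON reports.
RANK = {"unknown": 0, "negligible": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}

# The policy from the .grype.yaml shown above, as a plain dict.
POLICY = {"only-fixed": True, "fail-on-severity": "high",
          "ignore": [{"vulnerability": "CVE-2024-0000"}]}

def match(vuln_id, severity, fix_state, package):
    """Build one constructed report entry in the shape of a Grype JSON match."""
    return {"vulnerability": {"id": vuln_id, "severity": severity,
                              "fix": {"state": fix_state}},
            "artifact": {"name": package, "version": "1.0.0"}}

# Constructed sample report; CVE-EXAMPLE-* ids and package names are placeholders.
SAMPLE_REPORT = json.dumps({"matches": [
    match("CVE-2024-0000", "Critical", "fixed", "libalpha"),
    match("CVE-EXAMPLE-0001", "High", "fixed", "libbeta"),
    match("CVE-EXAMPLE-0002", "Critical", "not-fixed", "libgamma"),
    match("CVE-EXAMPLE-0003", "Medium", "fixed", "libdelta"),
]})

def evaluate(report_json, policy):
    """Return (blocking, suppressed) for a report under the given policy."""
    ignored = {rule["vulnerability"] for rule in policy.get("ignore", [])}
    threshold = RANK[policy["fail-on-severity"].lower()]
    blocking, suppressed = [], []
    for m in json.loads(report_json).get("matches", []):
        vuln, pkg = m["vulnerability"], m["artifact"]
        label = f'{vuln["id"]} {pkg["name"]}@{pkg["version"]}'
        if vuln["id"] in ignored:
            suppressed.append((label, "ignore rule"))
        elif policy.get("only-fixed") and vuln.get("fix", {}).get("state") != "fixed":
            suppressed.append((label, "no fix available"))
        elif RANK.get(vuln.get("severity", "").lower(), 0) >= threshold:
            blocking.append(label)
    return blocking, suppressed

if __name__ == "__main__":
    blocking, suppressed = evaluate(SAMPLE_REPORT, POLICY)
    for label, reason in suppressed:
        print(f"suppressed ({reason}): {label}")
    for label in blocking:
        print(f"blocking: {label}")
    raise SystemExit(1 if blocking else 0)
```

In the sample, the unfixed Critical never reaches the severity gate because `only-fixed` drops it first, which is why the suppressed list deserves review alongside the blocking one.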