Files
Anthropic-Cybersecurity-Skills/skills/detecting-supply-chain-attacks-in-ci-cd/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

56 lines
1.6 KiB
Markdown

# API Reference: Detecting Supply Chain Attacks in CI/CD
## GitHub Actions Workflow Parsing
```python
import yaml
with open(".github/workflows/ci.yml") as f:
wf = yaml.safe_load(f)
# Key fields
wf["permissions"] # Workflow-level permissions
wf["jobs"]["build"]["steps"] # Step list
step["uses"] # Action reference (owner/repo@ref)
step["run"] # Shell script
step["env"] # Environment variables
```
## Supply Chain Risk Patterns
| Risk | Pattern | Severity |
|------|---------|----------|
| Unpinned action | `uses: owner/action@main` | CRITICAL |
| Mutable tag | `uses: owner/action@v1` | MEDIUM |
| Script injection | `run: echo ${{ github.event.issue.title }}` | CRITICAL |
| Write permissions | `permissions: write-all` | HIGH |
| Curl pipe bash | `RUN curl \| bash` | HIGH |
| Latest image tag | `FROM image:latest` | MEDIUM |
## Dependency Confusion Check
```python
import requests
# Check if private package exists on public registry
resp = requests.get(f"https://registry.npmjs.org/{pkg}")
exists = resp.status_code == 200
resp = requests.get(f"https://pypi.org/pypi/{pkg}/json")
exists = resp.status_code == 200
```
## Pinning Actions to SHA
```yaml
# Bad: mutable reference
uses: actions/checkout@main
# Good: pinned to commit SHA
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
```
### References
- GitHub Actions security hardening: https://docs.github.com/en/actions/security-guides
- StepSecurity: https://github.com/step-security/harden-runner
- Dependency confusion: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610