diff --git a/.github/agents/sck.malicious-code-scanner.agent.md b/.github/agents/sck.malicious-code-scanner.agent.md index 4e2c28a..0684961 100644 --- a/.github/agents/sck.malicious-code-scanner.agent.md +++ b/.github/agents/sck.malicious-code-scanner.agent.md @@ -41,8 +41,7 @@ The `runTerminal` tool may ONLY be used for: - ✅ `bandit` - Python security scanner - ✅ `guarddog` - Supply chain security scanner - ✅ `shellcheck` - Shell script analyzer -- ✅ `graudit` - Pattern-based scanner -- ✅ `mkdir -p .github/.audit` - Creating output directories +- ✅ `graudit` - Pattern-based scanner- ✅ `checkov` - Infrastructure as Code security scanner- ✅ `mkdir -p .github/.audit` - Creating output directories - ✅ `which`/`--version` commands - Checking tool availability - ✅ `grep`, `find`, `cat`, `head`, `tail` - Reading/searching files (NOT executing them) @@ -82,6 +81,7 @@ When security skills are available in `.github/skills/`, leverage them for compr | **GuardDog** | `.github/skills/guarddog-security-scan/SKILL.md` | Supply chain & malware detection (Python/Node.js) | | **ShellCheck** | `.github/skills/shellcheck-security-scan/SKILL.md` | Shell script security analysis | | **Graudit** | `.github/skills/graudit-security-scan/SKILL.md` | Multi-language pattern matching | +| **Checkov** | `.github/skills/checkov-security-scan/SKILL.md` | Infrastructure as Code (IaC) security & compliance | **Workflow with skills:** 1. Check if `.github/skills/` directory exists @@ -123,6 +123,7 @@ bandit --version 2>/dev/null && echo "✅ Bandit available" || echo "⚠️ Band guarddog --version 2>/dev/null && echo "✅ GuardDog available" || echo "⚠️ GuardDog not installed" shellcheck --version 2>/dev/null && echo "✅ ShellCheck available" || echo "⚠️ ShellCheck not installed" which graudit 2>/dev/null && echo "✅ Graudit available" || echo "⚠️ Graudit not installed" +checkov --version 2>/dev/null && echo "✅ Checkov available" || echo "⚠️ Checkov not installed" ``` ### Step 3: Select Operating Mode @@ -156,6 +157,11 @@ Based on the skills' decision matrices, execute in this order: | Python + deps | `guarddog pypi verify` | `bandit -r .` | guarddog-security-scan | | Node.js | `guarddog npm scan` | `graudit -d js` | guarddog-security-scan | | Shell (.sh) | `shellcheck` | `graudit -d exec` | shellcheck-security-scan | +| Terraform (.tf) | `checkov -d . --framework terraform` | `graudit -d secrets` | checkov-security-scan | +| Kubernetes (manifests) | `checkov -d . --framework kubernetes` | `graudit -d secrets` | checkov-security-scan | +| Dockerfile | `checkov -f Dockerfile --framework dockerfile` | `shellcheck` (RUN commands) | checkov-security-scan | +| GitHub Actions (.yml) | `checkov -d .github/workflows --framework github_actions` | `shellcheck` (run steps) | checkov-security-scan | +| CloudFormation | `checkov -d . --framework cloudformation` | `graudit -d secrets` | checkov-security-scan | | Unknown/Untrusted | `graudit -d exec,secrets` | All others | graudit-security-scan | ### Cross-Reference with tools-audit.md @@ -412,8 +418,11 @@ For each suspicious pattern found, evaluate: | Node.js | **ESLint** + `eslint-plugin-security` | `child_process.exec()`, unsafe patterns | | PowerShell | **PSScriptAnalyzer** | `Invoke-Expression`, `Set-ExecutionPolicy` | | Bash | **ShellCheck** | Unquoted variables, command injection risks | -| Bash | **Graudit** | High-risk signatures like `/dev/tcp/` | - +| Bash | **Graudit** | High-risk signatures like `/dev/tcp/` || Terraform | **Checkov** | Exposed secrets in IaC, insecure resource configs, public access | +| Kubernetes | **Checkov** | Privileged containers, secrets in manifests, security policies | +| Dockerfile | **Checkov** | Hardcoded secrets, insecure base images, exposed ports | +| GitHub Actions | **Checkov** | Secrets in workflows, unpinned actions, shell injection risks | +| CloudFormation | **Checkov** | AWS misconfigurations, hardcoded credentials, public resources | --- ## Analysis Framework @@ -553,6 +562,7 @@ After completing your analysis, save all findings to `.github/.audit/scan-result | guarddog-security-scan | ✅ Found / ❌ Not Found | ✅ / ❌ | | shellcheck-security-scan | ✅ Found / ❌ Not Found | ✅ / ❌ | | graudit-security-scan | ✅ Found / ❌ Not Found | ✅ / ❌ | +| checkov-security-scan | ✅ Found / ❌ Not Found | ✅ / ❌ | ### Limitations (if Standalone Mode) [List any detection limitations due to missing tools] @@ -612,6 +622,7 @@ After completing your analysis, save all findings to `.github/.audit/scan-result | GuardDog | `.github/skills/guarddog-security-scan/SKILL.md` | | ShellCheck | `.github/skills/shellcheck-security-scan/SKILL.md` | | Graudit | `.github/skills/graudit-security-scan/SKILL.md` | +| Checkov | `.github/skills/checkov-security-scan/SKILL.md` | ### If Skills Are Missing: diff --git a/.github/prompts/sck.tools-advisor.prompt.md b/.github/prompts/sck.tools-advisor.prompt.md index f7fabfe..3f1da8c 100644 --- a/.github/prompts/sck.tools-advisor.prompt.md +++ b/.github/prompts/sck.tools-advisor.prompt.md @@ -138,6 +138,35 @@ Review these skills from the `.github/skills/` folder: - **NOT for**: Malicious package detection (use GuardDog), source code vulnerabilities (use Bandit/Graudit) - **Key distinction from GuardDog**: Dependency-Check detects **known CVEs** in dependencies; GuardDog detects **malicious packages/malware** +### 6. Checkov Security Scan +- **Skill**: `checkov-security-scan` +- **Skill file**: [.github/skills/checkov-security-scan/SKILL.md](.github/skills/checkov-security-scan/SKILL.md) +- **Purpose**: Infrastructure as Code (IaC) security misconfiguration and compliance violation detection +- **Supported frameworks**: + - **Terraform**: `.tf`, `.tf.json`, plan files + - **CloudFormation**: `.yaml`, `.yml`, `.json`, `.template` templates + - **Kubernetes**: Manifests, Helm charts, Kustomize + - **Dockerfile**: `Dockerfile`, `Dockerfile.*` + - **ARM/Bicep**: Azure templates + - **CI/CD**: GitHub Actions (`.github/workflows/*.yml`), GitLab CI (`.gitlab-ci.yml`), Azure Pipelines, CircleCI, Bitbucket + - **Other**: Ansible, Argo Workflows, Serverless Framework, OpenAPI/Swagger +- **Detection capabilities**: + - Overly permissive IAM policies and access controls + - Unencrypted storage (S3, EBS, RDS, Azure Storage, GCS) + - Publicly accessible resources (security groups, storage buckets) + - Security group misconfigurations (open ports 22, 3389, etc.) + - Container security issues (privileged mode, root user) + - Missing health checks, logging, and monitoring + - Hardcoded secrets in IaC configuration + - CI/CD workflow security issues (unpinned actions, shell injection) +- **Check categories**: 1000+ built-in checks (CKV_AWS_*, CKV_AZURE_*, CKV_GCP_*, CKV_K8S_*, CKV_DOCKER_*, CKV_GHA_*, CKV_SECRET_*) +- **Output formats**: CLI, JSON, SARIF, JUnit XML, CycloneDX SBOM +- **Compliance frameworks**: CIS benchmarks, SOC2, HIPAA, PCI-DSS, ISO 27001 +- **MITRE ATT&CK mapped**: Yes (T1530, T1078, T1046, T1190, T1562, T1552, T1610) +- **Best for**: IaC security audits, pre-deployment validation, cloud misconfiguration detection, compliance scanning, CI/CD security gates +- **NOT for**: Application source code vulnerabilities (use Bandit/Graudit), dependency/package audits (use GuardDog/Dependency-Check) +- **Key distinction**: Checkov scans **infrastructure configuration** for misconfigurations; other tools scan **application code** for vulnerabilities + --- ## Quick Decision Flowchart @@ -150,6 +179,15 @@ START: What's the primary concern? ├─► "Is code UNTRUSTED or potentially MALICIOUS?" │ └─► YES → Graudit (exec+secrets) FIRST, then others │ +├─► "Are there INFRASTRUCTURE AS CODE (IaC) files?" +│ ├─► Terraform (.tf) → Checkov --framework terraform +│ ├─► Kubernetes manifests → Checkov --framework kubernetes +│ ├─► CloudFormation (.yaml/.json) → Checkov --framework cloudformation +│ ├─► Dockerfile → Checkov --framework dockerfile +│ ├─► Helm charts → Checkov --framework helm +│ ├─► GitHub Actions workflows → Checkov --framework github_actions +│ └─► Mixed IaC → Checkov -d . (auto-detect) +│ ├─► "Are there DEPENDENCY FILES?" (requirements.txt, package.json, etc.) │ ├─► Need MALWARE/supply chain attack detection? │ │ └─► YES → GuardDog verify FIRST @@ -158,7 +196,8 @@ START: What's the primary concern? │ (For comprehensive audit: run BOTH GuardDog + Dependency-Check) │ ├─► "Is COMPLIANCE required?" (SOC2, PCI-DSS, HIPAA) -│ └─► YES → Dependency-Check with --failOnCVSS threshold +│ ├─► IaC compliance → Checkov with compliance framework flags +│ └─► Dependency compliance → Dependency-Check with --failOnCVSS threshold │ ├─► "What LANGUAGE is the code?" │ ├─► Python (.py) → Bandit (primary) + Graudit (secrets) @@ -168,8 +207,11 @@ START: What's the primary concern? │ ├─► Mixed/Unknown → Graudit (default) first, then language-specific │ └─► Other (PHP, etc.) → Graudit (language-specific db) │ -└─► "Are there CI/CD or INFRASTRUCTURE files?" - └─► YES → ShellCheck for shell in workflows/Dockerfiles +└─► "Are there CI/CD or BUILD files?" + ├─► GitHub Actions workflows → Checkov --framework github_actions + ├─► GitLab CI (.gitlab-ci.yml) → Checkov --framework gitlab_ci + ├─► Dockerfile → Checkov --framework dockerfile + ShellCheck for RUN commands + └─► Shell scripts in CI → ShellCheck + Graudit (exec) ``` --- @@ -195,7 +237,15 @@ Use this matrix to determine optimal skill selection: | **Unknown/untrusted** | Graudit (exec, secrets) | All applicable tools | Quick triage | | **Mobile (Android/iOS)** | Graudit (android/ios) | Graudit (secrets) | Platform-specific | | **PHP** | Graudit (php) | Dependency-Check (experimental), Graudit (secrets, sql) | CVE + pattern matching | -| **Compliance required** | Dependency-Check (--failOnCVSS) | All applicable source scanners | CVE gates + code review | +| **Terraform** | Checkov (--framework terraform) | Graudit (secrets) | IaC misconfiguration detection | +| **CloudFormation** | Checkov (--framework cloudformation) | Graudit (secrets) | AWS IaC security | +| **Kubernetes manifests** | Checkov (--framework kubernetes) | Graudit (secrets) | K8s security policies | +| **Dockerfile** | Checkov (--framework dockerfile) | ShellCheck (RUN commands), Graudit (secrets) | Container best practices | +| **Helm charts** | Checkov (--framework helm) | Graudit (secrets) | Helm security | +| **GitHub Actions** | Checkov (--framework github_actions) | ShellCheck (run steps), Graudit (exec, secrets) | CI/CD workflow security | +| **GitLab CI** | Checkov (--framework gitlab_ci) | ShellCheck (scripts), Graudit (exec, secrets) | CI/CD pipeline security | +| **Mixed IaC + code** | Checkov (IaC) → Language-specific | All applicable tools | Infrastructure + application | +| **Compliance required** | Dependency-Check (--failOnCVSS) + Checkov (IaC) | All applicable source scanners | CVE gates + IaC compliance + code review | --- @@ -204,13 +254,15 @@ Use this matrix to determine optimal skill selection: When multiple tools could apply, use these priority rules: 1. **Untrusted code always wins**: If origin is unknown/suspicious → Start with Graudit (exec+secrets) -2. **Dependencies before source**: If dependency files exist → GuardDog verify (malware) AND/OR Dependency-Check (CVEs) before scanning source -3. **CVE detection vs Malware detection**: Use BOTH GuardDog (malware) + Dependency-Check (CVEs) for comprehensive supply chain security -4. **AST tools over regex**: For Python use Bandit over Graudit; for Shell use ShellCheck over Graudit -5. **Graudit complements, not replaces**: Always add Graudit `secrets` as secondary scan -6. **Specificity over generality**: Language-specific database > `default` database -7. **Compliance requirements**: If SOC2/PCI-DSS/HIPAA required → Dependency-Check with `--failOnCVSS` is mandatory -8. **Java/.NET projects**: Dependency-Check is primary for dependencies (strongest support for these ecosystems) +2. **IaC before application code**: If IaC files exist → Checkov FIRST to catch infrastructure misconfigurations +3. **Dependencies before source**: If dependency files exist → GuardDog verify (malware) AND/OR Dependency-Check (CVEs) before scanning source +4. **CVE detection vs Malware detection**: Use BOTH GuardDog (malware) + Dependency-Check (CVEs) for comprehensive supply chain security +5. **AST tools over regex**: For Python use Bandit over Graudit; for Shell use ShellCheck over Graudit; for IaC use Checkov over Graudit +6. **Graudit complements, not replaces**: Always add Graudit `secrets` as secondary scan +7. **Specificity over generality**: Framework-specific tool > Language-specific database > `default` database +8. **Compliance requirements**: If SOC2/PCI-DSS/HIPAA required → Dependency-Check with `--failOnCVSS` + Checkov for IaC compliance +9. **Java/.NET projects**: Dependency-Check is primary for dependencies (strongest support for these ecosystems) +10. **Cloud deployments**: Always run Checkov for Terraform/CloudFormation/K8s before deployment --- @@ -225,9 +277,11 @@ When time is limited, prioritize scans based on risk profile: | **Routine Audit** (own code) | 1. Language-specific → 2. Graudit (secrets) | 5-10 min | | **Deep Analysis** (security review) | All tools, all databases | 15-30 min | | **Supply Chain Focus** | 1. GuardDog verify → 2. Dependency-Check → 3. Graudit (secrets) | 5-15 min | -| **Compliance Audit** (SOC2/PCI-DSS) | 1. Dependency-Check (--failOnCVSS 7) → 2. All source scanners | 10-20 min | +| **Compliance Audit** (SOC2/PCI-DSS) | 1. Dependency-Check (--failOnCVSS 7) → 2. Checkov (IaC) → 3. All source scanners | 15-25 min | | **Java/.NET Enterprise** | 1. Dependency-Check → 2. Graudit (language+secrets) | 5-15 min | -| **Pre-Deployment Gate** | 1. Dependency-Check (--failOnCVSS 7) → 2. GuardDog verify → 3. Source scan | 10-20 min | +| **Pre-Deployment Gate** | 1. Checkov (IaC) → 2. Dependency-Check (--failOnCVSS 7) → 3. GuardDog verify → 4. Source scan | 15-25 min | +| **IaC Security Audit** | 1. Checkov (all frameworks) → 2. Graudit (secrets) | 5-10 min | +| **Cloud Migration** | 1. Checkov (--framework terraform,cloudformation) → 2. All applicable tools | 10-20 min | --- @@ -259,8 +313,22 @@ Search the target path for: - `pom.xml`, `build.gradle` → Java dependencies - `composer.json` → PHP dependencies +**Infrastructure as Code (IaC) Files**: +- `.tf`, `.tf.json` → Terraform configurations +- `.yaml`, `.yml`, `.json`, `.template` (in cloud dirs) → CloudFormation templates +- Kubernetes manifests (deployments, services, pods, etc.) +- `Dockerfile`, `Dockerfile.*` → Container definitions +- `Chart.yaml`, `values.yaml` (in Helm directories) → Helm charts +- `kustomization.yaml` → Kustomize +- `.bicep` → Azure Bicep templates +- `serverless.yml` → Serverless Framework + **CI/CD & Build Files**: -- `.github/workflows/*.yml` → GitHub Actions (may contain shell) +- `.github/workflows/*.yml` → GitHub Actions (may contain shell + IaC) +- `.gitlab-ci.yml` → GitLab CI +- `azure-pipelines.yml` → Azure Pipelines +- `.circleci/config.yml` → CircleCI +- `bitbucket-pipelines.yml` → Bitbucket Pipelines - `Dockerfile`, `.dockerignore` → Docker (shell commands in RUN) - `Makefile` → Make (shell commands) - `Jenkinsfile` → Jenkins (Groovy + shell) @@ -268,13 +336,16 @@ Search the target path for: ### Step 2: Assess Risk Profile Determine the risk areas: +- **Infrastructure risk**: IaC files present? → Checkov priority for cloud misconfigurations - **Supply chain risk**: Dependencies present? → GuardDog priority (verify before scan) - **Code vulnerabilities**: Custom code present? → Language-specific tools -- **Infrastructure risk**: Shell/CI files? → ShellCheck priority -- **Secrets exposure**: Any code files? → Graudit secrets database +- **CI/CD security**: Workflow files? → Checkov for workflow security + ShellCheck for embedded shell +- **Container security**: Dockerfiles? → Checkov for best practices + ShellCheck for RUN commands +- **Secrets exposure**: Any code/IaC files? → Graudit secrets database + Checkov secrets checks - **Untrusted/malicious code**: Unknown origin? → Graudit (exec+secrets) first for quick triage - **Framework-specific**: Django/Flask? → Bandit with targeted test IDs - **Mobile apps**: Android/iOS code? → Graudit (android/ios databases) +- **Cloud compliance**: SOC2/HIPAA/PCI-DSS? → Checkov with compliance framework flags ### Step 2.5: Check for Red Flags (Escalate to Urgent Triage) @@ -377,6 +448,21 @@ When recommending skills, include these optimized commands: - Docker scan: `docker run -v $(pwd):/src owasp/dependency-check --scan /src --out /src/reports` - Quick scan (cached DB): `dependency-check.sh --scan ./ --noupdate --format HTML --out ./reports` +### Checkov +- Quick IaC scan: `checkov -d . --compact` +- Terraform specific: `checkov -d . --framework terraform` +- Kubernetes manifests: `checkov -d ./k8s --framework kubernetes` +- Dockerfile security: `checkov -f Dockerfile --framework dockerfile` +- GitHub Actions: `checkov -d .github/workflows --framework github_actions` +- Multiple frameworks: `checkov -d . --framework terraform,kubernetes,dockerfile` +- JSON output: `checkov -d . -o json -o cli --output-file-path results.json,console` +- SARIF for CI/CD: `checkov -d . -o sarif --output-file-path results.sarif` +- Fail on HIGH/CRITICAL: `checkov -d . --hard-fail-on HIGH,CRITICAL` +- Skip specific checks: `checkov -d . --skip-check CKV_AWS_1,CKV_DOCKER_7` +- Terraform plan scan: `terraform show -json tfplan > tfplan.json && checkov -f tfplan.json --framework terraform_plan` +- With external modules: `checkov -d . --download-external-modules true` +- List all checks: `checkov --list --framework terraform` + --- ## Next Steps @@ -404,15 +490,19 @@ To execute these recommended scans: |----------|---------------| | Use Bandit for non-Python files | Use Graudit with appropriate database | | Use GuardDog to scan your own source code | Use Bandit (Python) or Graudit (others) | +| Use Checkov for application source code | Checkov is for IaC only—use Bandit/Graudit for app code | | Use only Graudit for Python when Bandit is available | Use Bandit as primary, Graudit as secondary | +| Use only Graudit for IaC when Checkov is available | Use Checkov as primary for IaC, Graudit for secrets | | Skip GuardDog when dependency files exist | Always verify dependencies first | +| Skip Checkov when IaC files exist | Always scan IaC before deployment | | Use ShellCheck alone for obfuscated scripts | Add Graudit (exec) for base64/hex patterns | | Recommend `graudit -d default` when language is known | Use language-specific database | -| Skip secrets scan | Always include Graudit (secrets) as secondary | +| Skip secrets scan | Always include Graudit (secrets) + Checkov secrets checks | | Use GuardDog alone for CVE detection | GuardDog detects malware, not CVEs—add Dependency-Check | | Use Dependency-Check for malware detection | Dependency-Check detects CVEs, not malware—add GuardDog | | Skip Dependency-Check for Java/.NET projects | These ecosystems have strongest Dependency-Check support | -| Ignore compliance requirements | Use Dependency-Check with --failOnCVSS for SOC2/PCI-DSS/HIPAA | +| Skip Checkov for Terraform/K8s/CloudFormation | These are primary Checkov targets | +| Ignore compliance requirements | Use Dependency-Check with --failOnCVSS + Checkov for IaC compliance | --- @@ -427,6 +517,7 @@ When making recommendations, account for these limitations: | **ShellCheck** | Base64/hex obfuscated payloads, dynamic payload generation, embedded Python/Perl/Ruby | Add `graudit -d exec`, run in sandbox | | **Graudit** | Logic flaws, obfuscated/encrypted code beyond patterns, context-dependent vulns | Manual review, combine with AST tools | | **Dependency-Check** | Malicious packages (malware), source code vulnerabilities, false positives from CPE matching, zero-day vulnerabilities not yet in NVD | Use GuardDog for malware, Bandit/Graudit for source code, suppression.xml for false positives | +| **Checkov** | Runtime misconfigurations, logic flaws in application code, dynamic/computed values, actual deployed state vs declared config, secrets in encrypted/base64 beyond patterns | Static analysis only - validate with cloud security posture tools, combine with Graudit for secrets, cannot scan application source code | ### Combined Blind Spots All tools are static analysis only - they cannot detect: diff --git a/.github/prompts/sck.update-skills.prompt.md b/.github/prompts/sck.update-skills.prompt.md new file mode 100644 index 0000000..76c05ea --- /dev/null +++ b/.github/prompts/sck.update-skills.prompt.md @@ -0,0 +1,286 @@ +--- +name: add-new-security-skill +description: Template prompt for integrating a new security scanning skill into the tools-advisor and malicious-code-scanner systems +argument-hint: "Provide tool name and of the new skill (e.g., 'checkov')" +--- + +# Adding a New Security Scanning Skill + +Use this prompt template when adding a new security scanning skill to ensure it's properly integrated into both the tools-advisor and malicious-code-scanner agent. + +## Prerequisites + +Before starting, ensure you have: +- [ ] Created the skill in `.github/skills//SKILL.md` +- [ ] Created the skill README in `.github/skills//README.md` +- [ ] The skill includes: description, detection capabilities, supported languages/frameworks, MITRE ATT&CK mappings (if applicable) +- [ ] Command examples for using the skill's tool + +## Information Gathering Template + +Copy this template and fill it out with information from your new skill: + +```markdown +## New Skill Information + +### Basic Details +- **Skill ID**: `[e.g., checkov-security-scan]` +- **Skill Name**: [e.g., Checkov Security Scan] +- **Tool Command**: [e.g., checkov] +- **Skill File Path**: `.github/skills/[skill-name]/SKILL.md` + +### Purpose & Scope +- **Primary Purpose**: [What does this skill scan/detect? e.g., Infrastructure as Code security] +- **Target Type**: [Code/Dependencies/Infrastructure/CI-CD/Other] +- **Best For**: [When should this be the primary tool?] +- **NOT For**: [What should this tool NOT be used for?] + +### Supported Formats +- **Languages**: [e.g., Python, JavaScript, or N/A] +- **Frameworks**: [e.g., Terraform, Kubernetes, Django, or N/A] +- **File Types**: [e.g., .tf, .yaml, Dockerfile, etc.] + +### Detection Capabilities +List what this skill detects (3-8 bullet points): +- [Capability 1] +- [Capability 2] +- [Capability 3] +- ... + +### MITRE ATT&CK Mappings (if applicable) +- [T1234: Technique Name] +- [T5678: Another Technique] +- ... + +### Tool Commands +Provide 5-10 example commands for common use cases: + +```bash +# Basic scan +[command example] + +# Scan specific framework +[command example] + +# Output in JSON +[command example] + +# CI/CD integration +[command example] + +# Advanced usage +[command example] +``` + +### Tool Installation +```bash +# How to install the tool +[installation command] + +# How to verify installation +[verification command] +``` + +### Key Distinction +How does this tool differ from existing tools? +[e.g., "Checkov scans infrastructure configuration for misconfigurations; other tools scan application code for vulnerabilities"] +``` + +--- + +## Prompt for Copilot + +Once you've filled out the template above, use this prompt: + +``` +I need to integrate a new security scanning skill into the security scanning system. Please update both: +1. .github/prompts/sck.tools-advisor.prompt.md +2. .github/agents/sck.malicious-code-scanner.agent.md + +Here's the skill information: + +[PASTE YOUR FILLED TEMPLATE HERE] + +Please update the following sections in both files: + +### For sck.tools-advisor.prompt.md: +1. Add new skill entry (Section X) in "Available Security Scanning Skills" +2. Update the "Quick Decision Flowchart" to include decision paths for this skill +3. Add entries to the "Decision Matrix" table +4. Update "Conflict Resolution Rules" if this skill has priority considerations +5. Add to "Risk-Based Priority Matrix" if applicable +6. Update "Step 1: Identify Code Composition" with new file types to detect +7. Update "Step 2: Assess Risk Profile" with new risk areas +8. Add command examples to "Tool-Specific Command Hints" +9. Add to "Tool Limitations" table +10. Update "Anti-Patterns" table if there are common misuses + +### For sck.malicious-code-scanner.agent.md: +1. Add to "Operating Modes - Skills Table" +2. Add to "Allowed Terminal Commands ONLY" section +3. Add to "Step 2: Detect Available Tools" version check +4. Add entries to "Tool Execution Priority" table +5. Add to "Phase 3: Recommended Static Analysis Tools" table +6. Update "Scan Configuration" template (Skills Detected table) +7. Add to "Skill File Locations" quick reference table + +Use the same format and style as the existing Checkov integration for consistency. +``` + +--- + +## Verification Checklist + +After integration, verify these updates were made: + +### In sck.tools-advisor.prompt.md: +- [ ] New skill listed with full description (skill ID, purpose, capabilities, detection list) +- [ ] Decision flowchart includes new file types/use cases +- [ ] Decision matrix has entries for all relevant code types +- [ ] Conflict resolution rules mention the skill where applicable +- [ ] Risk-based priority matrix updated if relevant +- [ ] File identification section lists file types to detect +- [ ] Risk profile assessment includes related risk areas +- [ ] Command hints section has 5+ example commands +- [ ] Tool limitations documented +- [ ] Anti-patterns table updated if applicable + +### In sck.malicious-code-scanner.agent.md: +- [ ] Skill appears in Operating Modes table +- [ ] Tool command whitelisted in "Allowed Terminal Commands" +- [ ] Version check command added to tool detection +- [ ] Tool execution priority table has entries for supported file types +- [ ] Static analysis tools table updated with capabilities +- [ ] Scan configuration template includes the skill +- [ ] Skill file location added to quick reference + +### Testing: +- [ ] Ask tools-advisor to analyze a project with files the new skill should detect +- [ ] Verify tools-advisor recommends the new skill +- [ ] Verify malicious-code-scanner agent mentions the skill when appropriate +- [ ] Check that command examples are correct and executable + +--- + +## Example: Adding Checkov (Reference) + +Here's an example of how Checkov was integrated: + +### In sck.tools-advisor.prompt.md: + +**Section Added**: "6. Checkov Security Scan" in Available Security Scanning Skills +```markdown +### 6. Checkov Security Scan +- **Skill**: `checkov-security-scan` +- **Skill file**: [.github/skills/checkov-security-scan/SKILL.md](...) +- **Purpose**: Infrastructure as Code (IaC) security misconfiguration detection +- **Supported frameworks**: Terraform, CloudFormation, Kubernetes, Dockerfile, Helm, GitHub Actions, GitLab CI +- **Detection capabilities**: [list of 8 capabilities] +- **Best for**: IaC security audits, pre-deployment validation +- **NOT for**: Application source code vulnerabilities +``` + +**Flowchart Updated**: +``` +├─► "Are there INFRASTRUCTURE AS CODE (IaC) files?" +│ ├─► Terraform (.tf) → Checkov --framework terraform +│ ├─► Kubernetes manifests → Checkov --framework kubernetes +│ └─► ... +``` + +**Decision Matrix Added**: +``` +| **Terraform** | Checkov (--framework terraform) | Graudit (secrets) | IaC misconfiguration | +| **Dockerfile** | Checkov (--framework dockerfile) | ShellCheck, Graudit | Container best practices | +``` + +**Command Hints Added**: +```bash +### Checkov +- Quick IaC scan: `checkov -d . --compact` +- Terraform specific: `checkov -d . --framework terraform` +- [8 more examples] +``` + +### In sck.malicious-code-scanner.agent.md: + +**Skills Table Updated**: +``` +| **Checkov** | `.github/skills/checkov-security-scan/SKILL.md` | Infrastructure as Code (IaC) security & compliance | +``` + +**Allowed Commands Updated**: +``` +- ✅ `checkov` - Infrastructure as Code security scanner +``` + +**Tool Execution Priority Added**: +``` +| Terraform (.tf) | `checkov -d . --framework terraform` | `graudit -d secrets` | checkov-security-scan | +| Dockerfile | `checkov -f Dockerfile --framework dockerfile` | `shellcheck` | checkov-security-scan | +``` + +**Static Analysis Tools Added**: +``` +| Terraform | **Checkov** | Exposed secrets in IaC, insecure resource configs, public access | +| Kubernetes | **Checkov** | Privileged containers, secrets in manifests, security policies | +``` + +--- + +## Quick Integration Command + +For a streamlined integration, use this single command format: + +``` +@workspace Update the security scanning system with a new skill: + +Skill: [skill-name] +Tool: [tool-command] +Purpose: [what it scans] +Formats: [file types/frameworks] +Detection: [what it detects] + +Update files: +1. .github/prompts/sck.tools-advisor.prompt.md +2. .github/agents/sck.malicious-code-scanner.agent.md + +Follow the same integration pattern used for checkov-security-scan as reference. +``` + +--- + +## Notes + +- Always maintain alphabetical or logical ordering when adding to lists +- Keep descriptions concise (1-2 sentences) in the agent file +- Keep descriptions detailed (3-5 sentences) in the tools-advisor prompt +- Use consistent formatting with existing entries +- Include MITRE ATT&CK mappings when applicable +- Ensure command examples are tested and accurate +- Update version check commands to match the actual tool's syntax +- Consider tool priority relative to existing tools +- Document what the tool CANNOT do, not just what it can do + +--- + +## Support + +If you encounter issues during integration: +1. Review the Checkov integration as a reference pattern +2. Check that all sections mentioned in the verification checklist are updated +3. Ensure file paths are correct +4. Verify command examples actually work with the tool +5. Test the integration by asking the tools-advisor to analyze relevant files + +--- + +## Maintenance + +When updating an existing skill: +1. Update the skill file in `.github/skills//SKILL.md` first +2. Use this prompt to propagate changes to tools-advisor and malicious-code-scanner +3. Update version check commands if tool syntax changed +4. Add new commands to the examples sections +5. Update detection capabilities if expanded +6. Re-run verification checklist diff --git a/.github/skills/checkov-security-scan/README.md b/.github/skills/checkov-security-scan/README.md new file mode 100644 index 0000000..5cb917c --- /dev/null +++ b/.github/skills/checkov-security-scan/README.md @@ -0,0 +1,95 @@ +# Checkov Security Scan Skill + +An Agent Skill for VS Code Copilot that scans Infrastructure as Code (IaC) for security misconfigurations and compliance violations using [Checkov](https://github.com/bridgecrewio/checkov) by Bridgecrew/Palo Alto Networks. + +## What It Does + +Scans IaC configurations for security issues including: +- Overly permissive IAM policies and access controls +- Unencrypted storage (S3, EBS, RDS) +- Publicly accessible resources +- Security group misconfigurations (open ports) +- Container security issues (privileged, root user) +- Missing health checks and logging +- Hardcoded secrets in configuration +- CI/CD workflow security issues + +## Supported Frameworks + +| Framework | File Types | +|-----------|------------| +| Terraform | `.tf`, `.tf.json`, plan files | +| CloudFormation | `.yaml`, `.yml`, `.json`, `.template` | +| Kubernetes | K8s manifests, Helm charts, Kustomize | +| Dockerfile | `Dockerfile`, `Dockerfile.*` | +| ARM/Bicep | Azure templates | +| GitHub Actions | `.github/workflows/*.yml` | +| GitLab CI | `.gitlab-ci.yml` | +| Serverless | `serverless.yml` | +| And more | Ansible, Argo, OpenAPI, etc. | + +## Requirements + +```bash +pip install checkov +``` + +## Usage + +Enable `chat.useAgentSkills` in VS Code settings, then ask Copilot: + +| Request | What Happens | +|---------|--------------| +| "Scan this Terraform for security issues" | Scans Terraform configurations | +| "Check my Kubernetes manifests for vulnerabilities" | Scans K8s YAML files | +| "Audit my Dockerfile for security best practices" | Checks Dockerfile security | +| "Is my CloudFormation template secure?" | Scans CFN templates | +| "Check my GitHub Actions for security issues" | Audits workflow files | + +## Example Commands + +```bash +# Scan a directory (auto-detects frameworks) +checkov -d /path/to/iac/ + +# Scan specific framework +checkov -d . --framework terraform +checkov -d ./k8s --framework kubernetes +checkov -f Dockerfile --framework dockerfile + +# Output formats +checkov -d . -o json +checkov -d . -o sarif + +# Skip specific checks +checkov -d . --skip-check CKV_AWS_1,CKV_DOCKER_7 + +# Only fail on critical issues +checkov -d . --hard-fail-on HIGH,CRITICAL + +# List all available checks +checkov --list +``` + +## Check Categories + +| Prefix | Description | +|--------|-------------| +| `CKV_AWS_*` | AWS security checks | +| `CKV_AZURE_*` | Azure security checks | +| `CKV_GCP_*` | GCP security checks | +| `CKV_K8S_*` | Kubernetes security checks | +| `CKV_DOCKER_*` | Dockerfile best practices | +| `CKV_GHA_*` | GitHub Actions security | +| `CKV_SECRET_*` | Secrets detection | + +## Files + +- `SKILL.md` - Full skill instructions and checks reference +- `examples/misconfiguration-patterns.md` - IaC patterns the scanner detects + +## Learn More + +- [Checkov GitHub](https://github.com/bridgecrewio/checkov) +- [Bridgecrew Documentation](https://docs.prismacloud.io/en/enterprise-edition/content-collections/application-security) +- [VS Code Agent Skills Docs](https://code.visualstudio.com/docs/copilot/customization/agent-skills) diff --git a/.github/skills/checkov-security-scan/SKILL.md b/.github/skills/checkov-security-scan/SKILL.md new file mode 100644 index 0000000..0191997 --- /dev/null +++ b/.github/skills/checkov-security-scan/SKILL.md @@ -0,0 +1,573 @@ +--- +name: checkov-security-scan +description: Scan Infrastructure as Code (IaC) for security misconfigurations and compliance violations using Checkov. (1) Primary use for Terraform, CloudFormation, Kubernetes manifests, Dockerfiles, Helm charts, ARM/Bicep templates, GitHub Actions, GitLab CI, and CI/CD pipelines. (2) Detects cloud misconfigurations, exposed secrets, overly permissive IAM policies, unencrypted storage, public access risks, container security issues. (3) Use for IaC security audits, compliance scanning (CIS, SOC2, HIPAA, PCI-DSS), pre-deployment validation, CI/CD security gates. Do NOT use for application source code vulnerabilities (use bandit, graudit) or dependency/package audits (use guarddog, dependency-check). +--- + +# Checkov Security Scanning Skill + +This skill enables scanning Infrastructure as Code (IaC) for security misconfigurations and compliance violations using **Checkov** - an open-source static analysis tool by Bridgecrew/Palo Alto Networks that covers 20+ frameworks with 1000+ built-in security checks. + +> **Key Distinction**: Checkov detects **IaC misconfigurations** (insecure cloud resource configurations). For **application source code** vulnerabilities, use `bandit` (Python) or `graudit` (multi-language). For **dependency audits**, use `guarddog` or `dependency-check`. + +## Quick Reference + +| Task | Command | +|------|---------| +| Scan a directory | `checkov -d /path/to/iac/` | +| Scan a specific file | `checkov -f main.tf` | +| Scan Terraform only | `checkov -d . --framework terraform` | +| Scan Kubernetes manifests | `checkov -d ./k8s --framework kubernetes` | +| Scan Dockerfile | `checkov -f Dockerfile --framework dockerfile` | +| JSON output for automation | `-o json` | +| SARIF output for CI/CD | `-o sarif` | +| List all available checks | `checkov --list` | +| Skip specific checks | `--skip-check CKV_AWS_1,CKV_DOCKER_7` | +| Fail only on HIGH/CRITICAL | `--hard-fail-on HIGH,CRITICAL` | + +## When to Use This Skill + +**PRIMARY USE CASES:** +- Audit Terraform configurations for AWS, Azure, GCP, and other cloud providers +- Scan Kubernetes manifests for container security issues +- Check Dockerfiles for security best practices +- Validate CloudFormation templates before deployment +- Scan Helm charts and Kustomize configurations +- Audit GitHub Actions, GitLab CI, and other CI/CD workflows +- Compliance scanning against CIS benchmarks, SOC2, HIPAA, PCI-DSS +- Pre-commit/pre-deployment security gates + +**DO NOT USE FOR:** +- Application source code vulnerabilities → use `bandit` (Python) or `graudit` +- Dependency/package audits → use `guarddog` or `dependency-check` +- Shell script security → use `shellcheck` +- Runtime security scanning → use specialized runtime tools + +## Decision Tree: Choosing the Right Scan + +``` +What are you scanning? +│ +├── Infrastructure as Code (IaC)? +│ ├── Terraform (.tf, .tf.json) → checkov -d . --framework terraform +│ ├── Kubernetes manifests → checkov -d . --framework kubernetes +│ ├── Dockerfile → checkov -f Dockerfile --framework dockerfile +│ ├── CloudFormation (.yaml/.json) → checkov -d . --framework cloudformation +│ ├── Helm charts → checkov -d . --framework helm +│ ├── ARM/Bicep → checkov -d . --framework arm,bicep +│ └── GitHub Actions → checkov -d . --framework github_actions +│ +├── CI/CD configuration? +│ ├── GitHub Actions → checkov --framework github_actions +│ ├── GitLab CI → checkov --framework gitlab_ci +│ ├── Azure Pipelines → checkov --framework azure_pipelines +│ └── CircleCI/BitBucket → checkov --framework circleci_pipelines,bitbucket_pipelines +│ +├── Python/JavaScript source code? +│ └── Use bandit or graudit instead +│ +└── Third-party dependencies? + └── Use guarddog or dependency-check instead +``` + +## Prerequisites + +Checkov must be installed. If not available, install it: + +```bash +# Install via pip (recommended) +pip install checkov + +# Or use pipx for isolated install +pipx install checkov + +# Or use Homebrew (macOS/Linux) +brew install checkov + +# Or use Docker (isolated, no local install) +docker pull bridgecrew/checkov +alias checkov='docker run --tty --rm --volume "$(pwd):/tf" --workdir /tf bridgecrew/checkov' + +# Verify installation +checkov --version +``` + +**Troubleshooting Installation:** +```bash +# If pip install fails, ensure Python 3.8+ +python --version + +# If permissions issues occur +pip install --user checkov + +# Check if checkov is in PATH +which checkov || echo "Add to PATH or use full path" +``` + +## Core Scanning Commands + +### Scan a Directory + +```bash +# Scan all IaC files in a directory (auto-detects frameworks) +checkov -d /path/to/infrastructure/ + +# Scan current directory +checkov -d . + +# Scan with compact output (no code blocks) +checkov -d . --compact +``` + +### Scan Specific Files + +```bash +# Scan a single Terraform file +checkov -f main.tf + +# Scan multiple files +checkov -f main.tf -f variables.tf -f outputs.tf + +# Scan a Dockerfile +checkov -f Dockerfile --framework dockerfile +``` + +### Framework-Specific Scans + +```bash +# Terraform only +checkov -d . --framework terraform + +# Kubernetes manifests +checkov -d ./k8s --framework kubernetes + +# CloudFormation templates +checkov -d ./cfn --framework cloudformation + +# Dockerfile +checkov -f Dockerfile --framework dockerfile + +# Helm charts +checkov -d ./helm-chart --framework helm + +# GitHub Actions workflows +checkov -d .github/workflows --framework github_actions + +# Multiple frameworks +checkov -d . --framework terraform,kubernetes,dockerfile +``` + +### Output Formats + +```bash +# Default CLI output +checkov -d . + +# JSON output for parsing +checkov -d . -o json + +# SARIF for GitHub/GitLab Security +checkov -d . -o sarif + +# JUnit XML for CI/CD test reporting +checkov -d . -o junitxml + +# Multiple outputs simultaneously +checkov -d . -o cli -o json -o sarif --output-file-path console,results.json,results.sarif + +# CycloneDX SBOM format +checkov -d . -o cyclonedx_json +``` + +## Available Check Categories + +Checkov includes 1000+ built-in checks across multiple categories. + +### Check ID Prefixes by Provider + +| Prefix | Provider/Category | Example Checks | +|--------|-------------------|----------------| +| `CKV_AWS_*` | Amazon Web Services | IAM, S3, EC2, RDS, Lambda | +| `CKV_AZURE_*` | Microsoft Azure | VMs, Storage, AKS, SQL | +| `CKV_GCP_*` | Google Cloud Platform | GKE, Cloud Storage, IAM | +| `CKV_DOCKER_*` | Dockerfiles | Image security, USER directive | +| `CKV_K8S_*` | Kubernetes | Pod security, RBAC, network policies | +| `CKV_GHA_*` | GitHub Actions | Workflow security, secrets | +| `CKV_GITLABCI_*` | GitLab CI | Pipeline security | +| `CKV_SECRET_*` | Secrets Detection | Hardcoded credentials | +| `CKV_ALI_*` | Alibaba Cloud | Alibaba-specific resources | +| `CKV_OCI_*` | Oracle Cloud | OCI resources | +| `CKV_TF_*` | Terraform General | Provider-agnostic checks | +| `CKV_OPENAPI_*` | OpenAPI/Swagger | API specification security | +| `CKV_ANSIBLE_*` | Ansible | Playbook security | +| `CKV_ARGO_*` | Argo Workflows | Workflow security | + +### Security Check Categories + +| Category | Description | MITRE ATT&CK | +|----------|-------------|--------------| +| **Encryption** | Data at rest/transit encryption | T1530 | +| **Access Control** | IAM policies, RBAC, authentication | T1078 | +| **Network Security** | Security groups, firewalls, ingress/egress | T1046, T1190 | +| **Public Access** | Publicly accessible resources | T1190 | +| **Logging & Monitoring** | Audit logs, CloudTrail, CloudWatch | T1562 | +| **Secrets Management** | Hardcoded credentials, API keys | T1552 | +| **Container Security** | Privileged containers, root users | T1610 | +| **Compliance** | CIS benchmarks, SOC2, HIPAA, PCI-DSS | - | + +### Example Checks by Framework + +**Terraform (AWS):** +| Check ID | Description | +|----------|-------------| +| `CKV_AWS_1` | Ensure IAM policies don't allow full "*-*" admin privileges | +| `CKV_AWS_2` | Ensure ALB protocol is HTTPS | +| `CKV_AWS_3` | Ensure EBS is encrypted by default | +| `CKV_AWS_18` | Ensure S3 access logging is enabled | +| `CKV_AWS_19` | Ensure S3 bucket has server-side encryption | +| `CKV_AWS_20` | Ensure S3 bucket is not publicly readable | +| `CKV_AWS_21` | Ensure S3 bucket versioning is enabled | +| `CKV_AWS_23` | Ensure every security group has a description | +| `CKV_AWS_24` | Ensure no security group allows ingress from 0.0.0.0/0 to port 22 | +| `CKV_AWS_25` | Ensure no security group allows ingress from 0.0.0.0/0 to port 3389 | + +**Kubernetes:** +| Check ID | Description | +|----------|-------------| +| `CKV_K8S_1` | Do not admit containers sharing host PID namespace | +| `CKV_K8S_2` | Do not admit privileged containers | +| `CKV_K8S_3` | Do not admit containers running as root | +| `CKV_K8S_8` | Ensure liveness probe is configured | +| `CKV_K8S_9` | Ensure readiness probe is configured | +| `CKV_K8S_21` | Default namespace should not be used | +| `CKV_K8S_22` | Use read-only filesystem for containers | +| `CKV_K8S_28` | Ensure seccomp profile is set | +| `CKV_K8S_35` | Prefer using secrets for sensitive environment variables | + +**Dockerfile:** +| Check ID | Description | +|----------|-------------| +| `CKV_DOCKER_1` | Ensure port 22 (SSH) is not exposed | +| `CKV_DOCKER_2` | Ensure HEALTHCHECK instructions are added | +| `CKV_DOCKER_3` | Ensure USER instruction is added (non-root) | +| `CKV_DOCKER_7` | Ensure base image uses non-latest tag | +| `CKV_DOCKER_8` | Ensure package manager caches are cleaned | +| `CKV_DOCKER_9` | Ensure COPY is used instead of ADD | +| `CKV_DOCKER_10` | Ensure secrets are not stored in Dockerfile | +| `CKV_DOCKER_11` | Ensure base image is pinned using digest | + +**GitHub Actions:** +| Check ID | Description | +|----------|-------------| +| `CKV_GHA_1` | Ensure run step does not use shell injection | +| `CKV_GHA_2` | Ensure actions use pinned SHA | +| `CKV_GHA_3` | Ensure workflow run is not triggered on workflow_run | +| `CKV_GHA_4` | Ensure self-hosted runners are not used | +| `CKV_GHA_7` | Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS is not set | +| `CKV2_GHA_1` | Ensure top-level permissions are read-only | + +## Selective Check Scanning + +```bash +# Run only specific checks +checkov -d . -c CKV_AWS_1,CKV_AWS_2,CKV_AWS_3 + +# Run checks by type +checkov -d . --check-type terraform + +# Skip specific checks +checkov -d . --skip-check CKV_AWS_1,CKV_DOCKER_7 + +# Skip paths +checkov -d . --skip-path tests/ --skip-path .terraform/ + +# List all available checks +checkov --list + +# Filter checks by framework +checkov --list --framework terraform +``` + +## Severity Filtering + +```bash +# Only fail on HIGH and CRITICAL severity +checkov -d . --hard-fail-on HIGH,CRITICAL + +# Soft fail on LOW and MEDIUM (exit 0) +checkov -d . --soft-fail-on LOW,MEDIUM + +# Show only failed checks +checkov -d . --quiet + +# Always exit 0 (soft fail all) +checkov -d . --soft-fail +``` + +## Configuration File + +Create `.checkov.yaml` in your project root: + +```yaml +# Framework selection +framework: + - terraform + - dockerfile + - kubernetes + +# Skip specific checks +skip-check: + - CKV_AWS_1 + - CKV_DOCKER_7 + +# Skip paths +skip-path: + - tests/ + - .terraform/ + - examples/ + +# Output settings +output: cli +compact: true +quiet: false + +# Severity configuration +soft-fail-on: + - LOW + - MEDIUM + +hard-fail-on: + - HIGH + - CRITICAL + +# Terraform settings +download-external-modules: true +external-modules-download-path: .external_modules +evaluate-variables: true +var-file: + - variables.tfvars + +# For CI/CD +soft-fail: false +``` + +Create config from CLI args: +```bash +checkov --create-config .checkov.yaml +``` + +## Workflow for Security Audit + +### Quick Scan (1-2 minutes) + +```bash +# Quick scan of IaC directory +checkov -d . --compact + +# Focus on critical issues only +checkov -d . --hard-fail-on HIGH,CRITICAL --quiet +``` + +### Comprehensive Audit (3-5 minutes) + +```bash +# Step 1: Full scan with all frameworks +checkov -d . -o cli -o json --output-file-path console,full-report.json + +# Step 2: Review critical findings +checkov -d . --hard-fail-on CRITICAL --quiet + +# Step 3: Framework-specific deep dive +checkov -d ./terraform --framework terraform -o cli +checkov -d ./k8s --framework kubernetes -o cli +checkov -f Dockerfile --framework dockerfile -o cli +``` + +### Pre-Deployment Validation + +```bash +# Scan Terraform plan (most accurate for runtime config) +terraform init +terraform plan -out=tfplan +terraform show -json tfplan > tfplan.json +checkov -f tfplan.json --framework terraform_plan + +# Scan with external modules +checkov -d . --download-external-modules true +``` + +## CI/CD Integration + +### GitHub Actions + +```yaml +name: IaC Security Scan +on: [push, pull_request] + +jobs: + checkov: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Run Checkov + uses: bridgecrewio/checkov-action@v12 + with: + directory: . + framework: terraform,dockerfile,kubernetes + output_format: cli,sarif + output_file_path: console,results.sarif + soft_fail: false + + - name: Upload SARIF + if: always() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif +``` + +### GitLab CI + +```yaml +checkov: + image: bridgecrew/checkov:latest + script: + - checkov -d . -o cli -o gitlab_sast --output-file-path console,gl-sast-report.json + artifacts: + reports: + sast: gl-sast-report.json +``` + +### Pre-commit Hook + +```yaml +# .pre-commit-config.yaml +repos: + - repo: https://github.com/bridgecrewio/checkov + rev: '3.2.500' + hooks: + - id: checkov + args: + - --framework=terraform,dockerfile +``` + +## Interpreting Results + +### Output Format + +``` +Passed checks: 42, Failed checks: 3, Skipped checks: 0 + +Check: CKV_AWS_20: "Ensure S3 bucket is not publicly readable" + FAILED for resource: aws_s3_bucket.public_bucket + File: /main.tf:15-25 + Guide: https://docs.prismacloud.io/en/... + + 15 | resource "aws_s3_bucket" "public_bucket" { + 16 | bucket = "my-public-bucket" + 17 | acl = "public-read" # <- Issue here + 18 | } +``` + +### Severity Assessment + +| Severity | Action Required | +|----------|------------------| +| **CRITICAL** | Immediate fix before deployment | +| **HIGH** | Fix before production | +| **MEDIUM** | Fix in next sprint | +| **LOW** | Best practice improvement | + +### Verification Checklist + +For each finding, verify: +- [ ] Is this a real misconfiguration, not intentional? +- [ ] What is the blast radius if exploited? +- [ ] Is there a compensating control? +- [ ] What compliance frameworks does this violate? + +## Combining with Other Security Tools + +| Tool | Use For | Command | +|------|---------|---------| +| **Checkov** | IaC misconfigurations | `checkov -d .` | +| **Bandit** | Python code vulnerabilities | `bandit -r ./src` | +| **Graudit** | Multi-language secrets/patterns | `graudit -d secrets ./` | +| **GuardDog** | Malicious dependencies | `guarddog pypi verify requirements.txt` | +| **ShellCheck** | Shell script security | `shellcheck *.sh` | +| **Trivy** | Container image scanning | `trivy image myimage:latest` | + +### Recommended Full Audit Workflow + +```bash +# 1. Scan IaC configurations (Checkov) +checkov -d . --framework terraform,kubernetes,dockerfile + +# 2. Scan Python code for vulnerabilities (Bandit) +bandit -r ./src -f json -o bandit-results.json + +# 3. Check for hardcoded secrets (Graudit) +graudit -d secrets ./ + +# 4. Audit dependencies (GuardDog) +guarddog pypi verify requirements.txt + +# 5. Scan container images (Trivy) +trivy image --severity HIGH,CRITICAL myimage:latest +``` + +## Environment Variables + +| Variable | Description | +|----------|-------------| +| `BC_API_KEY` | Prisma Cloud API key for enhanced checks | +| `CKV_FRAMEWORK` | Default frameworks to scan | +| `CKV_CHECK` | Default checks to run | +| `CKV_SKIP_CHECK` | Default checks to skip | +| `CKV_EVAL_VARS` | Evaluate Terraform variables | +| `DOWNLOAD_EXTERNAL_MODULES` | Download Terraform modules | +| `CHECKOV_CREATE_GRAPH` | Enable graph-based checks | + +## Troubleshooting + +### Common Issues + +| Issue | Solution | +|-------|----------| +| `command not found: checkov` | Run `pip install checkov` or check PATH | +| Slow scan with external modules | Set `--external-modules-download-path` to cache | +| Too many false positives | Use `--skip-check` or create `.checkov.yaml` | +| Memory issues on large repos | Scan specific directories instead of root | +| Missing Terraform modules | Use `--download-external-modules true` | + +### Performance Optimization + +```bash +# Scan only changed files in CI +checkov -f $(git diff --name-only HEAD~1 | grep -E '\.(tf|yaml|yml|json)$') + +# Use baseline for existing issues +checkov -d . --create-baseline +checkov -d . --baseline .checkov.baseline + +# Cache external modules +checkov -d . --download-external-modules true --external-modules-download-path .modules_cache +``` + +## Limitations + +- Checkov performs **static analysis** - cannot detect runtime misconfigurations +- Some checks may produce **false positives** in complex configurations +- Terraform plan scanning requires `terraform init` to be run first +- External module scanning requires network access to download modules +- Does not scan application source code - use bandit/graudit for that +- Secrets detection is pattern-based - use dedicated secret scanners for comprehensive coverage +- Always validate critical findings with manual review + +## Additional Resources + +- [Misconfiguration Patterns Examples](./examples/misconfiguration-patterns.md) - Example IaC patterns Checkov detects +- [Checkov GitHub Repository](https://github.com/bridgecrewio/checkov) - Official documentation +- [Bridgecrew Documentation](https://docs.prismacloud.io/en/enterprise-edition/content-collections/application-security) - Enterprise features +- [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks) - Compliance reference + +``` diff --git a/.github/skills/checkov-security-scan/examples/misconfiguration-patterns.md b/.github/skills/checkov-security-scan/examples/misconfiguration-patterns.md new file mode 100644 index 0000000..db97594 --- /dev/null +++ b/.github/skills/checkov-security-scan/examples/misconfiguration-patterns.md @@ -0,0 +1,632 @@ +# IaC Misconfiguration Patterns Detected by Checkov + +This reference shows example Infrastructure as Code (IaC) misconfigurations that Checkov detects. Use these examples to understand what the scanner looks for and how to remediate issues. + +## Terraform (AWS) Patterns + +### CKV_AWS_1: Overly Permissive IAM Policy + +```hcl +# INSECURE: Full admin privileges ("*" actions on "*" resources) +resource "aws_iam_policy" "admin_policy" { + name = "full-admin" + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Effect = "Allow" + Action = "*" # <- Issue: Allows all actions + Resource = "*" # <- Issue: On all resources + } + ] + }) +} + +# SECURE: Least privilege - only required permissions +resource "aws_iam_policy" "minimal_policy" { + name = "s3-read-only" + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Effect = "Allow" + Action = ["s3:GetObject", "s3:ListBucket"] + Resource = ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"] + } + ] + }) +} +``` + +### CKV_AWS_20: Publicly Readable S3 Bucket + +```hcl +# INSECURE: S3 bucket with public-read ACL +resource "aws_s3_bucket" "public_bucket" { + bucket = "my-public-bucket" +} + +resource "aws_s3_bucket_acl" "public_acl" { + bucket = aws_s3_bucket.public_bucket.id + acl = "public-read" # <- Issue: World-readable +} + +# SECURE: Private bucket with explicit block +resource "aws_s3_bucket" "private_bucket" { + bucket = "my-private-bucket" +} + +resource "aws_s3_bucket_public_access_block" "private_bucket_block" { + bucket = aws_s3_bucket.private_bucket.id + + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true +} +``` + +### CKV_AWS_19: S3 Bucket Without Encryption + +```hcl +# INSECURE: No server-side encryption configured +resource "aws_s3_bucket" "unencrypted" { + bucket = "my-unencrypted-bucket" +} + +# SECURE: Server-side encryption enabled +resource "aws_s3_bucket" "encrypted" { + bucket = "my-encrypted-bucket" +} + +resource "aws_s3_bucket_server_side_encryption_configuration" "encrypted" { + bucket = aws_s3_bucket.encrypted.id + + rule { + apply_server_side_encryption_by_default { + kms_master_key_id = aws_kms_key.mykey.arn + sse_algorithm = "aws:kms" + } + } +} +``` + +### CKV_AWS_24: Security Group Allows SSH from Internet + +```hcl +# INSECURE: SSH open to the world +resource "aws_security_group" "ssh_open" { + name = "allow-ssh-anywhere" + + ingress { + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] # <- Issue: Open to internet + } +} + +# SECURE: SSH restricted to trusted IPs +resource "aws_security_group" "ssh_restricted" { + name = "allow-ssh-trusted" + + ingress { + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = ["10.0.0.0/8"] # Internal network only + } +} +``` + +### CKV_AWS_3: Unencrypted EBS Volume + +```hcl +# INSECURE: EBS volume without encryption +resource "aws_ebs_volume" "unencrypted" { + availability_zone = "us-east-1a" + size = 100 + encrypted = false # <- Issue: Data at rest not encrypted +} + +# SECURE: Encrypted EBS volume +resource "aws_ebs_volume" "encrypted" { + availability_zone = "us-east-1a" + size = 100 + encrypted = true + kms_key_id = aws_kms_key.ebs_key.arn +} +``` + +### CKV2_AWS_6: S3 Bucket Without Logging + +```hcl +# INSECURE: No access logging configured +resource "aws_s3_bucket" "no_logging" { + bucket = "my-bucket-no-logging" +} + +# SECURE: Access logging enabled +resource "aws_s3_bucket" "with_logging" { + bucket = "my-bucket-with-logging" +} + +resource "aws_s3_bucket_logging" "with_logging" { + bucket = aws_s3_bucket.with_logging.id + + target_bucket = aws_s3_bucket.log_bucket.id + target_prefix = "access-logs/" +} +``` + +--- + +## Kubernetes Patterns + +### CKV_K8S_2: Privileged Container + +```yaml +# INSECURE: Container runs with full host privileges +apiVersion: v1 +kind: Pod +metadata: + name: privileged-pod +spec: + containers: + - name: app + image: nginx + securityContext: + privileged: true # <- Issue: Full host access + +--- +# SECURE: Non-privileged container +apiVersion: v1 +kind: Pod +metadata: + name: secure-pod +spec: + containers: + - name: app + image: nginx + securityContext: + privileged: false + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1000 +``` + +### CKV_K8S_3: Container Running as Root + +```yaml +# INSECURE: Container runs as root user +apiVersion: v1 +kind: Pod +metadata: + name: root-pod +spec: + containers: + - name: app + image: nginx + # No securityContext - defaults to root + +--- +# SECURE: Container runs as non-root +apiVersion: v1 +kind: Pod +metadata: + name: nonroot-pod +spec: + securityContext: + runAsNonRoot: true + runAsUser: 1000 + fsGroup: 1000 + containers: + - name: app + image: nginx + securityContext: + allowPrivilegeEscalation: false +``` + +### CKV_K8S_8: Missing Liveness Probe + +```yaml +# INSECURE: No health checks configured +apiVersion: v1 +kind: Pod +metadata: + name: no-probes +spec: + containers: + - name: app + image: myapp:latest + ports: + - containerPort: 8080 + +--- +# SECURE: Liveness and readiness probes configured +apiVersion: v1 +kind: Pod +metadata: + name: with-probes +spec: + containers: + - name: app + image: myapp:latest + ports: + - containerPort: 8080 + livenessProbe: + httpGet: + path: /health + port: 8080 + initialDelaySeconds: 30 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 5 +``` + +### CKV_K8S_21: Using Default Namespace + +```yaml +# INSECURE: Deploying to default namespace +apiVersion: apps/v1 +kind: Deployment +metadata: + name: myapp + namespace: default # <- Issue: Default namespace + +--- +# SECURE: Using dedicated namespace +apiVersion: v1 +kind: Namespace +metadata: + name: myapp-production + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: myapp + namespace: myapp-production # Dedicated namespace +``` + +### CKV_K8S_35: Secrets in Environment Variables + +```yaml +# INSECURE: Hardcoded secrets in environment +apiVersion: v1 +kind: Pod +metadata: + name: hardcoded-secrets +spec: + containers: + - name: app + image: myapp + env: + - name: DATABASE_PASSWORD + value: "super-secret-password" # <- Issue: Hardcoded secret + +--- +# SECURE: Using Kubernetes Secrets +apiVersion: v1 +kind: Pod +metadata: + name: using-secrets +spec: + containers: + - name: app + image: myapp + env: + - name: DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: db-credentials + key: password +``` + +### CKV_K8S_22: Read-Only Filesystem + +```yaml +# INSECURE: Writable container filesystem +apiVersion: v1 +kind: Pod +metadata: + name: writable-fs +spec: + containers: + - name: app + image: nginx + +--- +# SECURE: Read-only root filesystem with emptyDir volumes +apiVersion: v1 +kind: Pod +metadata: + name: readonly-fs +spec: + containers: + - name: app + image: nginx + securityContext: + readOnlyRootFilesystem: true + volumeMounts: + - name: tmp + mountPath: /tmp + - name: cache + mountPath: /var/cache/nginx + volumes: + - name: tmp + emptyDir: {} + - name: cache + emptyDir: {} +``` + +--- + +## Dockerfile Patterns + +### CKV_DOCKER_1: SSH Port Exposed + +```dockerfile +# INSECURE: Exposing SSH port +FROM ubuntu:20.04 +RUN apt-get update && apt-get install -y openssh-server +EXPOSE 22 # <- Issue: SSH should not be in containers + +# SECURE: No SSH, use kubectl exec or docker exec +FROM ubuntu:20.04 +# Don't install or expose SSH +EXPOSE 8080 # Only expose application port +``` + +### CKV_DOCKER_3: Missing USER Instruction + +```dockerfile +# INSECURE: Container runs as root +FROM python:3.9 +WORKDIR /app +COPY . . +RUN pip install -r requirements.txt +CMD ["python", "app.py"] +# <- Issue: No USER instruction, runs as root + +# SECURE: Create and use non-root user +FROM python:3.9 +RUN useradd --create-home --shell /bin/bash appuser +WORKDIR /app +COPY --chown=appuser:appuser . . +RUN pip install -r requirements.txt +USER appuser # Run as non-root +CMD ["python", "app.py"] +``` + +### CKV_DOCKER_7: Using Latest Tag + +```dockerfile +# INSECURE: Using latest tag (mutable) +FROM python:latest # <- Issue: Unpredictable, could change + +# SECURE: Pin specific version +FROM python:3.9.18-slim # Specific version +# Or use SHA digest for immutability +FROM python@sha256:1a2b3c4d5e6f... +``` + +### CKV_DOCKER_9: Using ADD Instead of COPY + +```dockerfile +# INSECURE: ADD can execute remote URLs and extract archives +FROM ubuntu:20.04 +ADD https://example.com/app.tar.gz /app/ # <- Issue: Security risk +ADD app.tar.gz /app/ # <- Issue: Auto-extracts + +# SECURE: Use COPY and explicit extraction +FROM ubuntu:20.04 +COPY app.tar.gz /tmp/ +RUN tar -xzf /tmp/app.tar.gz -C /app && rm /tmp/app.tar.gz +COPY local-files/ /app/ +``` + +### CKV_DOCKER_10: Secrets in Dockerfile + +```dockerfile +# INSECURE: Hardcoded secrets +FROM python:3.9 +ENV DATABASE_PASSWORD=supersecret123 # <- Issue: Secret in image +ARG API_KEY=sk-12345 # <- Issue: Secret in build args + +# SECURE: Use runtime secrets +FROM python:3.9 +# Pass secrets at runtime, not build time +# docker run -e DATABASE_PASSWORD=$SECRET myimage +# Or use Docker secrets / mounted files +``` + +### CKV_DOCKER_8: Package Manager Cache Not Cleaned + +```dockerfile +# INSECURE: Leaves package manager cache +FROM ubuntu:20.04 +RUN apt-get update && apt-get install -y python3 +# <- Issue: Cache files increase image size and attack surface + +# SECURE: Clean up in same layer +FROM ubuntu:20.04 +RUN apt-get update && \ + apt-get install -y --no-install-recommends python3 && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* +``` + +--- + +## GitHub Actions Patterns + +### CKV_GHA_1: Shell Injection in Run Step + +```yaml +# INSECURE: Unquoted user input in shell +name: Build +on: pull_request +jobs: + build: + runs-on: ubuntu-latest + steps: + - run: echo ${{ github.event.pull_request.title }} + # <- Issue: Title could contain shell commands like `; rm -rf /` + +# SECURE: Quote variables or use environment +name: Build +on: pull_request +jobs: + build: + runs-on: ubuntu-latest + steps: + - run: echo "$TITLE" + env: + TITLE: ${{ github.event.pull_request.title }} +``` + +### CKV_GHA_2: Unpinned Action Versions + +```yaml +# INSECURE: Using mutable tags +steps: + - uses: actions/checkout@v4 # <- Issue: v4 could change + - uses: actions/setup-node@main # <- Issue: main branch + +# SECURE: Pin to specific SHA +steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 +``` + +### CKV2_GHA_1: Overly Permissive Workflow Permissions + +```yaml +# INSECURE: Default write-all permissions +name: Build +on: push +jobs: + build: + runs-on: ubuntu-latest + # <- Issue: No permissions block = write-all + +# SECURE: Read-only permissions with explicit grants +name: Build +on: push +permissions: + contents: read # Minimal default +jobs: + build: + runs-on: ubuntu-latest + permissions: + contents: read + packages: write # Only what's needed +``` + +--- + +## CloudFormation Patterns + +### CKV_AWS_53: RDS Without Encryption + +```yaml +# INSECURE: RDS instance without encryption +Resources: + MyDB: + Type: AWS::RDS::DBInstance + Properties: + DBInstanceClass: db.t3.micro + Engine: mysql + MasterUsername: admin + MasterUserPassword: !Ref DBPassword + # <- Issue: No StorageEncrypted property + +# SECURE: RDS with encryption enabled +Resources: + MyDB: + Type: AWS::RDS::DBInstance + Properties: + DBInstanceClass: db.t3.micro + Engine: mysql + MasterUsername: admin + MasterUserPassword: !Ref DBPassword + StorageEncrypted: true + KmsKeyId: !Ref MyKMSKey +``` + +### CKV_AWS_46: CloudWatch Logs Not Encrypted + +```yaml +# INSECURE: Log group without KMS encryption +Resources: + MyLogGroup: + Type: AWS::Logs::LogGroup + Properties: + LogGroupName: /my/app/logs + # <- Issue: No KmsKeyId + +# SECURE: Log group with KMS encryption +Resources: + MyLogGroup: + Type: AWS::Logs::LogGroup + Properties: + LogGroupName: /my/app/logs + KmsKeyId: !GetAtt LogEncryptionKey.Arn + RetentionInDays: 90 +``` + +--- + +## Common Remediation Patterns + +### Encryption at Rest +- S3: Enable `ServerSideEncryptionConfiguration` +- EBS: Set `encrypted = true` +- RDS: Enable `StorageEncrypted` +- CloudWatch: Add `KmsKeyId` + +### Encryption in Transit +- ALB/NLB: Use HTTPS listeners +- S3: Enforce `aws:SecureTransport` in bucket policy +- API Gateway: Require HTTPS/TLS + +### Access Control +- Use principle of least privilege +- Avoid `*` in IAM policies +- Use specific resource ARNs +- Enable MFA for sensitive operations + +### Network Security +- Restrict security group ingress to specific CIDRs +- Never open 22 (SSH) or 3389 (RDP) to 0.0.0.0/0 +- Use VPC endpoints for AWS services + +### Container Security +- Run as non-root user +- Use read-only root filesystem +- Add health checks (liveness/readiness probes) +- Pin image versions with SHA digests + +--- + +## Detection Tips + +When Checkov detects these patterns: + +1. **Assess the risk** - Is this intentional or a misconfiguration? +2. **Check compensating controls** - Are there other security measures in place? +3. **Evaluate compliance requirements** - Does this violate any standards? +4. **Plan remediation** - Prioritize by severity and blast radius +5. **Test changes** - Validate fixes don't break functionality + +## Learn More + +- [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks) +- [AWS Security Best Practices](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/) +- [Kubernetes Security Best Practices](https://kubernetes.io/docs/concepts/security/) +- [Docker Security Best Practices](https://docs.docker.com/develop/security-best-practices/) diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml new file mode 100644 index 0000000..4e25ef1 --- /dev/null +++ b/.github/workflows/copilot-setup-steps.yml @@ -0,0 +1,133 @@ +name: "Copilot Setup Steps" + +# Automatically run the setup steps when they are changed to allow for easy validation, +# and allow manual testing through the repository's "Actions" tab +on: + workflow_dispatch: + push: + paths: + - .github/workflows/copilot-setup-steps.yml + pull_request: + paths: + - .github/workflows/copilot-setup-steps.yml + +jobs: + # The job MUST be called `copilot-setup-steps` or it will not be picked up by Copilot. + copilot-setup-steps: + runs-on: ubuntu-latest + + # Set the permissions to the lowest permissions possible needed for your steps. + # Copilot will be given its own token for its operations. + permissions: + contents: read + + steps: + - name: Checkout code + uses: actions/checkout@v5 + + # ============================================================ + # PYTHON SETUP (Required for Checkov and useful for projects) + # ============================================================ + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: "3.11" + + # ============================================================ + # JAVA SETUP (Required for OWASP Dependency-Check) + # ============================================================ + - name: Set up Java + uses: actions/setup-java@v4 + with: + distribution: "temurin" + java-version: "17" + + # ============================================================ + # GRAUDIT SECURITY SCANNER + # Grep-based source code auditing tool for detecting dangerous + # patterns, command injection, hardcoded secrets, and more. + # https://github.com/wireghoul/graudit + # ============================================================ + - name: Install Graudit + run: | + echo "Installing Graudit Security Scanner..." + git clone https://github.com/wireghoul/graudit ~/graudit + echo "$HOME/graudit" >> $GITHUB_PATH + echo "GRDIR=$HOME/graudit/signatures" >> $GITHUB_ENV + + - name: Verify Graudit installation + run: | + export PATH="$HOME/graudit:$PATH" + export GRDIR="$HOME/graudit/signatures" + graudit -h || echo "Graudit help command executed" + echo "Available Graudit signature databases:" + ls -la ~/graudit/signatures/ + + # ============================================================ + # OWASP DEPENDENCY-CHECK + # Software Composition Analysis (SCA) tool that identifies + # known vulnerabilities (CVEs) in project dependencies. + # https://github.com/dependency-check/DependencyCheck + # ============================================================ + - name: Install OWASP Dependency-Check + run: | + echo "Installing OWASP Dependency-Check..." + # Get the latest version + DC_VERSION=$(curl -s https://dependency-check.github.io/DependencyCheck/current.txt) + echo "Latest Dependency-Check version: $DC_VERSION" + + # Download and extract + curl -Ls "https://github.com/dependency-check/DependencyCheck/releases/download/v${DC_VERSION}/dependency-check-${DC_VERSION}-release.zip" -o /tmp/dependency-check.zip + unzip -q /tmp/dependency-check.zip -d ~/ + + # Add to PATH + echo "$HOME/dependency-check/bin" >> $GITHUB_PATH + + - name: Verify Dependency-Check installation + run: | + export PATH="$HOME/dependency-check/bin:$PATH" + dependency-check.sh --version + + # ============================================================ + # CHECKOV SECURITY SCANNER + # Infrastructure as Code (IaC) static analysis tool for + # detecting misconfigurations in Terraform, CloudFormation, + # Kubernetes, Dockerfiles, and more. + # https://github.com/bridgecrewio/checkov + # ============================================================ + - name: Install Checkov + run: | + echo "Installing Checkov Security Scanner..." + pip install --upgrade pip + pip install checkov + + - name: Verify Checkov installation + run: | + checkov --version + echo "Checkov frameworks supported:" + checkov --list | head -50 + + # ============================================================ + # FINAL VERIFICATION + # ============================================================ + - name: Verify all security tools are available + run: | + echo "==========================================" + echo "Security Scanning Tools Installation Summary" + echo "==========================================" + echo "" + echo "1. Graudit:" + which graudit || echo " Location: $HOME/graudit/graudit" + echo " Signature databases available in: $HOME/graudit/signatures/" + echo "" + echo "2. OWASP Dependency-Check:" + which dependency-check.sh || echo " Location: $HOME/dependency-check/bin/dependency-check.sh" + dependency-check.sh --version 2>/dev/null || true + echo "" + echo "3. Checkov:" + which checkov + checkov --version + echo "" + echo "==========================================" + echo "All security scanning tools installed successfully!" + echo "==========================================" diff --git a/README.md b/README.md index a2071e5..64d5fab 100644 --- a/README.md +++ b/README.md @@ -43,6 +43,7 @@ Skills teach Copilot how to use specific security tools: | Skill | Purpose | Use For | |-------|---------|---------| | **bandit-security-scan** | Python AST-based security analysis | Python code vulnerabilities, dangerous functions (eval, exec, pickle), SQL injection | +| **checkov-security-scan** | Infrastructure as Code security analysis | Terraform, CloudFormation, Kubernetes manifests, Dockerfiles, cloud misconfigurations, IAM policies | | **guarddog-security-scan** | Supply chain & malware detection | Dependencies (`requirements.txt`, `package.json`), typosquatting, malicious packages | | **shellcheck-security-scan** | Shell script static analysis | Bash/sh scripts, command injection, unquoted variables | | **graudit-security-scan** | Multi-language pattern matching | Quick scans on unknown codebases, secrets detection, 15+ languages | @@ -58,6 +59,7 @@ Skills teach Copilot how to use specific security tools: | **`/sechek.security-scan`** | Full workspace scan with the security scanner agent | | **`/sechek.security-scan-quick`** | Fast scan for malicious patterns, exfiltration, reverse shells | | **`/sechek.security-scan-python`** | Python-focused scan using Bandit and GuardDog | +| **`/sechek.security-scan-iac`** | Infrastructure as Code scan using Checkov for cloud misconfigurations | | **`/sechek.security-scan-shell`** | Shell script scan using ShellCheck and Graudit | | **`/sechek.security-scan-supply-chain`** | Scan dependencies for supply chain attacks | | **`/sechek.security-scan-precommit`** | Pre-commit check for secrets and vulnerabilities | diff --git a/media/sec-check-m.png b/media/sec-check-m.png new file mode 100644 index 0000000..f1b3a38 Binary files /dev/null and b/media/sec-check-m.png differ diff --git a/media/sec-check.png b/media/sec-check.png index f1b3a38..32eeded 100644 Binary files a/media/sec-check.png and b/media/sec-check.png differ