Skills Reference
itarun.p edited this page Mar 3, 2026 · 1 revision

| # | Skill | Command | Tool | Decision Loop | Description |
|---|---|---|---|---|---|
| 1 | sast-scan | /sast-scan | Semgrep | Out-of-Loop | Static analysis — 84 custom rules (OWASP A01-A10 + K8s + GraphQL) |
| 2 | dast-scan | /dast-scan | ZAP/Nuclei | In-the-Loop | Dynamic testing (ZAP: baseline/full/api + Nuclei: CVE/full/custom) |
| 3 | sca-scan | /sca-scan | Grype | Out-of-Loop | Dependency scanning — CVE matching |
| 4 | container-scan | /container-scan | Trivy | Out-of-Loop | Docker image scanning + misconfiguration |
| 5 | iac-scan | /iac-scan | Checkov | Out-of-Loop | IaC scanning — CIS Benchmarks |
| 6 | secret-scan | /secret-scan | GitLeaks/TruffleHog | Out-of-Loop | Secret detection — API keys, tokens, passwords |
| 7 | sbom-generate | /sbom-generate | Syft | Out-of-Loop | Software Bill of Materials (CycloneDX/SPDX) |

| # | Skill | Command | Tool | Decision Loop | Description |
|---|---|---|---|---|---|
| 8 | k8s-scan | /k8s-scan | kube-bench | Out-of-Loop | Kubernetes CIS Benchmark + manifest security |
| 9 | graphql-scan | /graphql-scan | Nuclei | On-the-Loop | GraphQL introspection, query depth, batch attacks |

| # | Skill | Command | Decision Loop | Description |
|---|---|---|---|---|
| 10 | devsecops-setup | /devsecops-setup | On-the-Loop | Initialize pipeline — tech stack detection + config |
| 11 | full-pipeline | /full-pipeline | On-the-Loop | Run all scans via DAG pipeline — unified report |
| 12 | compliance-report | /compliance-report | On-the-Loop | Map to OWASP/NIST/MITRE/NCSA/PDPA/SOC2/ISO27001 |
| 13 | incident-response | /incident-response | In-the-Loop | IR playbook (NIST 800-61) |
| 14 | security-gate | /security-gate | In-the-Loop | Pass/fail gate — RBAC policy |
| 15 | auto-fix | /auto-fix | On-the-Loop | Scan -> patch -> approve -> fix -> re-scan |
| 16 | slsa-assess | /slsa-assess | On-the-Loop | SLSA v1.1 provenance assessment (Levels 0-3, EU CRA) |

| Loop | Scope | Skills |
|---|---|---|
| Out-of-Loop | AI autonomous — no approval needed | sast, sca, container, iac, secret, sbom, k8s |
| On-the-Loop | AI proposes, human approves | setup, full-pipeline, compliance, auto-fix, graphql, slsa |
| In-the-Loop | Human decides, AI assists | dast (target approval), security-gate, incident-response |

Each skill is defined in `skills/<name>/SKILL.md` with YAML frontmatter:

```yaml
---
name: sast-scan
description: Static application security testing with Semgrep
user-invocable: true
argument-hint: "[--target <path>] [--severity HIGH]"
allowed-tools: ["Read", "Glob", "Grep", "Bash"]
---
```

| File | Domain |
|---|---|
| sast-patterns.md | SAST rule patterns and false positive filtering |
| dast-methodology.md | DAST/ZAP methodology, automation YAML, header matrix |
| sca-supply-chain.md | SCA supply chain risk, license compliance |
| container-hardening.md | Container security, Dockerfile best practices |
| iac-security-patterns.md | IaC patterns, CIS benchmarks |
| secret-management.md | Secret management, rotation, detection |
| compliance-frameworks.md | OWASP/NIST/MITRE/NCSA/PDPA compliance frameworks |
| threat-modeling.md | STRIDE/PASTA threat modeling methodology |
| incident-response.md | NIST 800-61 IR procedures |
| remediation-patterns.md | Generic remediation patterns |
| software-integrity.md | Software integrity and supply chain |
| logging-monitoring.md | Logging/monitoring + A09 custom rules reference |
| remediation-django.md | Django-specific security fixes |
| remediation-react-nextjs.md | React/Next.js security fixes |
| remediation-express-node.md | Express/Node.js security fixes |
| remediation-spring.md | Spring Boot security fixes |
| slsa-reference.md | SLSA v1.1 provenance levels + EU CRA alignment |
| k8s-security-reference.md | Kubernetes security best practices + CIS Benchmarks |
| graphql-security-reference.md | GraphQL security patterns + OWASP API Top 10 |

| Rule File | Rules | OWASP Category |
|---|---|---|
| a01-access-control-rules.yml | 8 | A01:2021 Broken Access Control |
| a02-crypto-rules.yml | 6 | A02:2021 Cryptographic Failures |
| a03-injection-rules.yml | 11 | A03:2021 Injection / A05:2025 |
| a04-insecure-design-rules.yml | 4 | A04:2021 Insecure Design |
| a05-misconfig-rules.yml | 6 | A05:2021 Security Misconfiguration |
| a06-component-rules.yml | 5 | A06:2021 Vulnerable Components / A03:2025 |
| a07-auth-rules.yml | 5 | A07:2021 Auth Failures |
| a08-integrity-rules.yml | 5 | A08:2021 Software & Data Integrity |
| a09-logging-rules.yml | 7 | A09:2021 Security Logging & Monitoring |
| a10-ssrf-rules.yml | 7 | A10:2021 SSRF / A01:2025 |
| a10-exception-rules.yml | 4 | A10:2025 Exception Handling (NEW) |
| k8s-manifest-rules.yml | 8 | Kubernetes manifest security |
| graphql-rules.yml | 8 | GraphQL endpoint security |
| Total | 84 | OWASP 10/10 + K8s + GraphQL |