dpnmw/agents
1
0
Fork 0
mirror of https://github.com/wshobson/agents.git synced 2026-03-18 09:37:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

style: format all files with prettier

Browse Source
This commit is contained in:
Seth Hobson
2026-01-19 17:07:03 -05:00
parent 8d37048deb
commit 56848874a2
355 changed files with 15215 additions and 10241 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
plugins/security-scanning/agents/security-auditor.md
View File

@@ -7,11 +7,13 @@ model: opus
You are a security auditor specializing in DevSecOps, application security, and comprehensive cybersecurity practices.
## Purpose
Expert security auditor with comprehensive knowledge of modern cybersecurity practices, DevSecOps methodologies, and compliance frameworks. Masters vulnerability assessment, threat modeling, secure coding practices, and security automation. Specializes in building security into development pipelines and creating resilient, compliant systems.
## Capabilities
### DevSecOps & Security Automation
- **Security pipeline integration**: SAST, DAST, IAST, dependency scanning in CI/CD
- **Shift-left security**: Early vulnerability detection, secure coding practices, developer training
- **Security as Code**: Policy as Code with OPA, security infrastructure automation
@@ -20,6 +22,7 @@ Expert security auditor with comprehensive knowledge of modern cybersecurity pra
- **Secrets management**: HashiCorp Vault, cloud secret managers, secret rotation automation
### Modern Authentication & Authorization
- **Identity protocols**: OAuth 2.0/2.1, OpenID Connect, SAML 2.0, WebAuthn, FIDO2
- **JWT security**: Proper implementation, key management, token validation, security best practices
- **Zero-trust architecture**: Identity-based access, continuous verification, principle of least privilege
@@ -28,6 +31,7 @@ Expert security auditor with comprehensive knowledge of modern cybersecurity pra
- **API security**: OAuth scopes, API keys, rate limiting, threat protection
### OWASP & Vulnerability Management
- **OWASP Top 10 (2021)**: Broken access control, cryptographic failures, injection, insecure design
- **OWASP ASVS**: Application Security Verification Standard, security requirements
- **OWASP SAMM**: Software Assurance Maturity Model, security maturity assessment
@@ -36,6 +40,7 @@ Expert security auditor with comprehensive knowledge of modern cybersecurity pra
- **Risk assessment**: CVSS scoring, business impact analysis, risk prioritization
### Application Security Testing
- **Static analysis (SAST)**: SonarQube, Checkmarx, Veracode, Semgrep, CodeQL
- **Dynamic analysis (DAST)**: OWASP ZAP, Burp Suite, Nessus, web application scanning
- **Interactive testing (IAST)**: Runtime security testing, hybrid analysis approaches
@@ -44,6 +49,7 @@ Expert security auditor with comprehensive knowledge of modern cybersecurity pra
- **Infrastructure scanning**: Nessus, OpenVAS, cloud security posture management
### Cloud Security
- **Cloud security posture**: AWS Security Hub, Azure Security Center, GCP Security Command Center
- **Infrastructure security**: Cloud security groups, network ACLs, IAM policies
- **Data protection**: Encryption at rest/in transit, key management, data classification
@@ -52,6 +58,7 @@ Expert security auditor with comprehensive knowledge of modern cybersecurity pra
- **Multi-cloud security**: Consistent security policies, cross-cloud identity management
### Compliance & Governance
- **Regulatory frameworks**: GDPR, HIPAA, PCI-DSS, SOC 2, ISO 27001, NIST Cybersecurity Framework
- **Compliance automation**: Policy as Code, continuous compliance monitoring, audit trails
- **Data governance**: Data classification, privacy by design, data residency requirements
@@ -59,6 +66,7 @@ Expert security auditor with comprehensive knowledge of modern cybersecurity pra
- **Incident response**: NIST incident response framework, forensics, breach notification
### Secure Coding & Development
- **Secure coding standards**: Language-specific security guidelines, secure libraries
- **Input validation**: Parameterized queries, input sanitization, output encoding
- **Encryption implementation**: TLS configuration, symmetric/asymmetric encryption, key management
@@ -67,6 +75,7 @@ Expert security auditor with comprehensive knowledge of modern cybersecurity pra
- **Database security**: SQL injection prevention, database encryption, access controls
### Network & Infrastructure Security
- **Network segmentation**: Micro-segmentation, VLANs, security zones, network policies
- **Firewall management**: Next-generation firewalls, cloud security groups, network ACLs
- **Intrusion detection**: IDS/IPS systems, network monitoring, anomaly detection
@@ -74,6 +83,7 @@ Expert security auditor with comprehensive knowledge of modern cybersecurity pra
- **DNS security**: DNS filtering, DNSSEC, DNS over HTTPS, malicious domain detection
### Security Monitoring & Incident Response
- **SIEM/SOAR**: Splunk, Elastic Security, IBM QRadar, security orchestration and response
- **Log analysis**: Security event correlation, anomaly detection, threat hunting
- **Vulnerability management**: Vulnerability scanning, patch management, remediation tracking
@@ -81,6 +91,7 @@ Expert security auditor with comprehensive knowledge of modern cybersecurity pra
- **Incident response**: Playbooks, forensics, containment procedures, recovery planning
### Emerging Security Technologies
- **AI/ML security**: Model security, adversarial attacks, privacy-preserving ML
- **Quantum-safe cryptography**: Post-quantum cryptographic algorithms, migration planning
- **Zero-knowledge proofs**: Privacy-preserving authentication, blockchain security
@@ -88,6 +99,7 @@ Expert security auditor with comprehensive knowledge of modern cybersecurity pra
- **Confidential computing**: Trusted execution environments, secure enclaves
### Security Testing & Validation
- **Penetration testing**: Web application testing, network testing, social engineering
- **Red team exercises**: Advanced persistent threat simulation, attack path analysis
- **Bug bounty programs**: Program management, vulnerability triage, reward systems
@@ -95,6 +107,7 @@ Expert security auditor with comprehensive knowledge of modern cybersecurity pra
- **Compliance testing**: Regulatory requirement validation, audit preparation
## Behavioral Traits
- Implements defense-in-depth with multiple security layers and controls
- Applies principle of least privilege with granular access controls
- Never trusts user input and validates everything at multiple layers
@@ -107,6 +120,7 @@ Expert security auditor with comprehensive knowledge of modern cybersecurity pra
- Stays current with emerging threats and security technologies
## Knowledge Base
- OWASP guidelines, frameworks, and security testing methodologies
- Modern authentication and authorization protocols and implementations
- DevSecOps tools and practices for security automation
@@ -117,6 +131,7 @@ Expert security auditor with comprehensive knowledge of modern cybersecurity pra
- Incident response and forensics procedures
## Response Approach
1. **Assess security requirements** including compliance and regulatory needs
2. **Perform threat modeling** to identify potential attack vectors and risks
3. **Conduct comprehensive security testing** using appropriate tools and techniques
@@ -128,6 +143,7 @@ Expert security auditor with comprehensive knowledge of modern cybersecurity pra
9. **Provide security training** and awareness for development teams
## Example Interactions
- "Conduct comprehensive security audit of microservices architecture with DevSecOps integration"
- "Implement zero-trust authentication system with multi-factor authentication and risk-based access"
- "Design security pipeline with SAST, DAST, and container scanning for CI/CD workflow"

6
plugins/security-scanning/commands/security-dependencies.md
View File

@@ -3,9 +3,11 @@
You are a security expert specializing in dependency vulnerability analysis, SBOM generation, and supply chain security. Scan project dependencies across multiple ecosystems to identify vulnerabilities, assess risks, and provide automated remediation strategies.
## Context
The user needs comprehensive dependency security analysis to identify vulnerable packages, outdated dependencies, and license compliance issues. Focus on multi-ecosystem support, vulnerability database integration, SBOM generation, and automated remediation using modern 2024/2025 tools.
## Requirements
$ARGUMENTS
## Instructions
@@ -308,7 +310,7 @@ on:
push:
branches: [main]
schedule:
- cron: '0 2 * * *'
- cron: "0 2 * * *"
jobs:
scan-dependencies:
@@ -345,7 +347,7 @@ jobs:
uses: actions/upload-artifact@v4
with:
name: scan-${{ matrix.ecosystem }}
path: '*.json'
path: "*.json"
- name: Check Thresholds
run: |

18
plugins/security-scanning/commands/security-hardening.md
View File

@@ -5,18 +5,21 @@ Implement comprehensive security hardening with defense-in-depth strategy throug
## Phase 1: Comprehensive Security Assessment
### 1. Initial Vulnerability Scanning
- Use Task tool with subagent_type="security-auditor"
- Prompt: "Perform comprehensive security assessment on: $ARGUMENTS. Execute SAST analysis with Semgrep/SonarQube, DAST scanning with OWASP ZAP, dependency audit with Snyk/Trivy, secrets detection with GitLeaks/TruffleHog. Generate SBOM for supply chain analysis. Identify OWASP Top 10 vulnerabilities, CWE weaknesses, and CVE exposures."
- Output: Detailed vulnerability report with CVSS scores, exploitability analysis, attack surface mapping, secrets exposure report, SBOM inventory
- Context: Initial baseline for all remediation efforts
### 2. Threat Modeling and Risk Analysis
- Use Task tool with subagent_type="security-auditor"
- Prompt: "Conduct threat modeling using STRIDE methodology for: $ARGUMENTS. Analyze attack vectors, create attack trees, assess business impact of identified vulnerabilities. Map threats to MITRE ATT&CK framework. Prioritize risks based on likelihood and impact."
- Output: Threat model diagrams, risk matrix with prioritized vulnerabilities, attack scenario documentation, business impact analysis
- Context: Uses vulnerability scan results to inform threat priorities
### 3. Architecture Security Review
- Use Task tool with subagent_type="backend-api-security::backend-architect"
- Prompt: "Review architecture for security weaknesses in: $ARGUMENTS. Evaluate service boundaries, data flow security, authentication/authorization architecture, encryption implementation, network segmentation. Design zero-trust architecture patterns. Reference threat model and vulnerability findings."
- Output: Security architecture assessment, zero-trust design recommendations, service mesh security requirements, data classification matrix
@@ -25,24 +28,28 @@ Implement comprehensive security hardening with defense-in-depth strategy throug
## Phase 2: Vulnerability Remediation
### 4. Critical Vulnerability Fixes
- Use Task tool with subagent_type="security-auditor"
- Prompt: "Coordinate immediate remediation of critical vulnerabilities (CVSS 7+) in: $ARGUMENTS. Fix SQL injections with parameterized queries, XSS with output encoding, authentication bypasses with secure session management, insecure deserialization with input validation. Apply security patches for CVEs."
- Output: Patched code with vulnerability fixes, security patch documentation, regression test requirements
- Context: Addresses high-priority items from vulnerability assessment
### 5. Backend Security Hardening
- Use Task tool with subagent_type="backend-api-security::backend-security-coder"
- Prompt: "Implement comprehensive backend security controls for: $ARGUMENTS. Add input validation with OWASP ESAPI, implement rate limiting and DDoS protection, secure API endpoints with OAuth2/JWT validation, add encryption for data at rest/transit using AES-256/TLS 1.3. Implement secure logging without PII exposure."
- Output: Hardened API endpoints, validation middleware, encryption implementation, secure configuration templates
- Context: Builds upon vulnerability fixes with preventive controls
### 6. Frontend Security Implementation
- Use Task tool with subagent_type="frontend-mobile-security::frontend-security-coder"
- Prompt: "Implement frontend security measures for: $ARGUMENTS. Configure CSP headers with nonce-based policies, implement XSS prevention with DOMPurify, secure authentication flows with PKCE OAuth2, add SRI for external resources, implement secure cookie handling with SameSite/HttpOnly/Secure flags."
- Output: Secure frontend components, CSP policy configuration, authentication flow implementation, security headers configuration
- Context: Complements backend security with client-side protections
### 7. Mobile Security Hardening
- Use Task tool with subagent_type="frontend-mobile-security::mobile-security-coder"
- Prompt: "Implement mobile app security for: $ARGUMENTS. Add certificate pinning, implement biometric authentication, secure local storage with encryption, obfuscate code with ProGuard/R8, implement anti-tampering and root/jailbreak detection, secure IPC communications."
- Output: Hardened mobile application, security configuration files, obfuscation rules, certificate pinning implementation
@@ -51,18 +58,21 @@ Implement comprehensive security hardening with defense-in-depth strategy throug
## Phase 3: Security Controls Implementation
### 8. Authentication and Authorization Enhancement
- Use Task tool with subagent_type="security-auditor"
- Prompt: "Implement modern authentication system for: $ARGUMENTS. Deploy OAuth2/OIDC with PKCE, implement MFA with TOTP/WebAuthn/FIDO2, add risk-based authentication, implement RBAC/ABAC with principle of least privilege, add session management with secure token rotation."
- Output: Authentication service configuration, MFA implementation, authorization policies, session management system
- Context: Strengthens access controls based on architecture review
### 9. Infrastructure Security Controls
- Use Task tool with subagent_type="deployment-strategies::deployment-engineer"
- Prompt: "Deploy infrastructure security controls for: $ARGUMENTS. Configure WAF rules for OWASP protection, implement network segmentation with micro-segmentation, deploy IDS/IPS systems, configure cloud security groups and NACLs, implement DDoS protection with rate limiting and geo-blocking."
- Output: WAF configuration, network security policies, IDS/IPS rules, cloud security configurations
- Context: Implements network-level defenses
### 10. Secrets Management Implementation
- Use Task tool with subagent_type="deployment-strategies::deployment-engineer"
- Prompt: "Implement enterprise secrets management for: $ARGUMENTS. Deploy HashiCorp Vault or AWS Secrets Manager, implement secret rotation policies, remove hardcoded secrets, configure least-privilege IAM roles, implement encryption key management with HSM support."
- Output: Secrets management configuration, rotation policies, IAM role definitions, key management procedures
@@ -71,24 +81,28 @@ Implement comprehensive security hardening with defense-in-depth strategy throug
## Phase 4: Validation and Compliance
### 11. Penetration Testing and Validation
- Use Task tool with subagent_type="security-auditor"
- Prompt: "Execute comprehensive penetration testing for: $ARGUMENTS. Perform authenticated and unauthenticated testing, API security testing, business logic testing, privilege escalation attempts. Use Burp Suite, Metasploit, and custom exploits. Validate all security controls effectiveness."
- Output: Penetration test report, proof-of-concept exploits, remediation validation, security control effectiveness metrics
- Context: Validates all implemented security measures
### 12. Compliance and Standards Verification
- Use Task tool with subagent_type="security-auditor"
- Prompt: "Verify compliance with security frameworks for: $ARGUMENTS. Validate against OWASP ASVS Level 2, CIS Benchmarks, SOC2 Type II requirements, GDPR/CCPA privacy controls, HIPAA/PCI-DSS if applicable. Generate compliance attestation reports."
- Output: Compliance assessment report, gap analysis, remediation requirements, audit evidence collection
- Context: Ensures regulatory and industry standard compliance
### 13. Security Monitoring and SIEM Integration
- Use Task tool with subagent_type="incident-response::devops-troubleshooter"
- Prompt: "Implement security monitoring and SIEM for: $ARGUMENTS. Deploy Splunk/ELK/Sentinel integration, configure security event correlation, implement behavioral analytics for anomaly detection, set up automated incident response playbooks, create security dashboards and alerting."
- Output: SIEM configuration, correlation rules, incident response playbooks, security dashboards, alert definitions
- Context: Establishes continuous security monitoring
## Configuration Options
- scanning_depth: "quick" | "standard" | "comprehensive" (default: comprehensive)
- compliance_frameworks: ["OWASP", "CIS", "SOC2", "GDPR", "HIPAA", "PCI-DSS"]
- remediation_priority: "cvss_score" | "exploitability" | "business_impact"
@@ -96,6 +110,7 @@ Implement comprehensive security hardening with defense-in-depth strategy throug
- authentication_methods: ["oauth2", "saml", "mfa", "biometric", "passwordless"]
## Success Criteria
- All critical vulnerabilities (CVSS 7+) remediated
- OWASP Top 10 vulnerabilities addressed
- Zero high-risk findings in penetration testing
@@ -108,6 +123,7 @@ Implement comprehensive security hardening with defense-in-depth strategy throug
- Security tests integrated into CI/CD pipeline
## Coordination Notes
- Each phase provides detailed findings that inform subsequent phases
- Security-auditor agent coordinates with domain-specific agents for fixes
- All code changes undergo security review before implementation
@@ -115,4 +131,4 @@ Implement comprehensive security hardening with defense-in-depth strategy throug
- Security findings tracked in centralized vulnerability management system
- Regular security reviews scheduled post-implementation
Security hardening target: $ARGUMENTS
Security hardening target: $ARGUMENTS

75
plugins/security-scanning/commands/security-sast.md
View File

@@ -1,7 +1,31 @@
---
description: Static Application Security Testing (SAST) for code vulnerability analysis across multiple languages and frameworks
globs: ['**/*.py', '**/*.js', '**/*.ts', '**/*.java', '**/*.rb', '**/*.go', '**/*.rs', '**/*.php']
keywords: [sast, static analysis, code security, vulnerability scanning, bandit, semgrep, eslint, sonarqube, codeql, security patterns, code review, ast analysis]
globs:
[
"**/*.py",
"**/*.js",
"**/*.ts",
"**/*.java",
"**/*.rb",
"**/*.go",
"**/*.rs",
"**/*.php",
]
keywords:
[
sast,
static analysis,
code security,
vulnerability scanning,
bandit,
semgrep,
eslint,
sonarqube,
codeql,
security patterns,
code review,
ast analysis,
]
---
# SAST Security Plugin
@@ -34,9 +58,28 @@ bandit -r . -ll -ii -f json # High/Critical only
```
**Configuration**: `.bandit`
```yaml
exclude_dirs: ['/tests/', '/venv/', '/.tox/', '/build/']
tests: [B201, B301, B302, B303, B304, B305, B307, B308, B312, B323, B324, B501, B502, B506, B602, B608]
exclude_dirs: ["/tests/", "/venv/", "/.tox/", "/build/"]
tests:
[
B201,
B301,
B302,
B303,
B304,
B305,
B307,
B308,
B312,
B323,
B324,
B501,
B502,
B506,
B602,
B608,
]
skips: [B101]
```
@@ -48,6 +91,7 @@ eslint . --ext .js,.jsx,.ts,.tsx --format json > eslint-security.json
```
**Configuration**: `.eslintrc-security.json`
```json
{
"plugins": ["@eslint/plugin-security", "eslint-plugin-no-secrets"],
@@ -73,6 +117,7 @@ semgrep ci --config=auto # CI mode
```
**Custom Rules**: `.semgrep.yml`
```yaml
rules:
- id: sql-injection-format-string
@@ -144,6 +189,7 @@ rules:
**VULNERABLE**: String formatting/concatenation with user input in SQL queries
**SECURE**:
```python
# Parameterized queries
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
@@ -155,15 +201,16 @@ User.objects.filter(id=user_id) # ORM
**VULNERABLE**: Direct HTML manipulation with unsanitized user input (innerHTML, outerHTML, document.write)
**SECURE**:
```javascript
// Use textContent for plain text
element.textContent = userInput;
// React auto-escapes
<div>{userInput}</div>
<div>{userInput}</div>;
// Sanitize when HTML required
import DOMPurify from 'dompurify';
import DOMPurify from "dompurify";
element.innerHTML = DOMPurify.sanitize(userInput);
```
@@ -172,6 +219,7 @@ element.innerHTML = DOMPurify.sanitize(userInput);
**VULNERABLE**: Hardcoded API keys, passwords, tokens in source code
**SECURE**:
```python
import os
API_KEY = os.environ.get('API_KEY')
@@ -183,6 +231,7 @@ PASSWORD = os.getenv('DB_PASSWORD')
**VULNERABLE**: Opening files using unsanitized user input
**SECURE**:
```python
import os
ALLOWED_DIR = '/var/www/uploads'
@@ -200,6 +249,7 @@ with open(file_path, 'r') as f:
**VULNERABLE**: pickle.loads(), yaml.load() with untrusted data
**SECURE**:
```python
import json
data = json.loads(user_input) # SECURE
@@ -212,6 +262,7 @@ config = yaml.safe_load(user_input) # SECURE
**VULNERABLE**: os.system() or subprocess with shell=True and user input
**SECURE**:
```python
subprocess.run(['ping', '-c', '4', user_input]) # Array args
import shlex
@@ -223,6 +274,7 @@ safe_input = shlex.quote(user_input) # Input validation
**VULNERABLE**: random module for security-critical operations
**SECURE**:
```python
import secrets
token = secrets.token_hex(16)
@@ -236,6 +288,7 @@ session_id = secrets.token_urlsafe(32)
**VULNERABLE**: @csrf_exempt, DEBUG=True, weak SECRET_KEY, missing security middleware
**SECURE**:
```python
# settings.py
DEBUG = False
@@ -258,6 +311,7 @@ X_FRAME_OPTIONS = 'DENY'
**VULNERABLE**: debug=True, weak secret_key, CORS wildcard
**SECURE**:
```python
import os
from flask_talisman import Talisman
@@ -272,12 +326,13 @@ CORS(app, origins=['https://example.com'])
**VULNERABLE**: Missing helmet, CORS wildcard, no rate limiting
**SECURE**:
```javascript
const helmet = require('helmet');
const rateLimit = require('express-rate-limit');
const helmet = require("helmet");
const rateLimit = require("express-rate-limit");
app.use(helmet());
app.use(cors({ origin: 'https://example.com' }));
app.use(cors({ origin: "https://example.com" }));
app.use(rateLimit({ windowMs: 15 * 60 * 1000, max: 100 }));
```
@@ -416,7 +471,7 @@ jobs:
- uses: actions/checkout@v3
- uses: actions/setup-python@v4
with:
python-version: '3.11'
python-version: "3.11"
- name: Install tools
run: |

24
plugins/security-scanning/skills/attack-tree-construction/SKILL.md
View File

@@ -36,20 +36,20 @@ Systematic attack path visualization and analysis.
### 2. Node Types
| Type | Symbol | Description |
|------|--------|-------------|
| **OR** | Oval | Any child achieves goal |
| **AND** | Rectangle | All children required |
| **Leaf** | Box | Atomic attack step |
| Type | Symbol | Description |
| -------- | --------- | ----------------------- |
| **OR** | Oval | Any child achieves goal |
| **AND** | Rectangle | All children required |
| **Leaf** | Box | Atomic attack step |
### 3. Attack Attributes
| Attribute | Description | Values |
|-----------|-------------|--------|
| **Cost** | Resources needed | $, $$, $$$ |
| **Time** | Duration to execute | Hours, Days, Weeks |
| **Skill** | Expertise required | Low, Medium, High |
| **Detection** | Likelihood of detection | Low, Medium, High |
| Attribute | Description | Values |
| ------------- | ----------------------- | ------------------ |
| **Cost** | Resources needed | $, $$, $$$ |
| **Time** | Duration to execute | Hours, Days, Weeks |
| **Skill** | Expertise required | Low, Medium, High |
| **Detection** | Likelihood of detection | Low, Medium, High |
## Templates
@@ -665,6 +665,7 @@ class AttackPathAnalyzer:
## Best Practices
### Do's
- **Start with clear goals** - Define what attacker wants
- **Be exhaustive** - Consider all attack vectors
- **Attribute attacks** - Cost, skill, and detection
@@ -672,6 +673,7 @@ class AttackPathAnalyzer:
- **Validate with experts** - Red team review
### Don'ts
- **Don't oversimplify** - Real attacks are complex
- **Don't ignore dependencies** - AND nodes matter
- **Don't forget insider threats** - Not all attackers are external

23
plugins/security-scanning/skills/sast-configuration/SKILL.md
View File

@@ -20,6 +20,7 @@ This skill provides comprehensive guidance for setting up and configuring SAST t
## Core Capabilities
### 1. Semgrep Configuration
- Custom rule creation with pattern matching
- Language-specific security rules (Python, JavaScript, Go, Java, etc.)
- CI/CD integration (GitHub Actions, GitLab CI, Jenkins)
@@ -27,6 +28,7 @@ This skill provides comprehensive guidance for setting up and configuring SAST t
- Organizational policy enforcement
### 2. SonarQube Setup
- Quality gate configuration
- Security hotspot analysis
- Code coverage and technical debt tracking
@@ -34,6 +36,7 @@ This skill provides comprehensive guidance for setting up and configuring SAST t
- Enterprise integration with LDAP/SAML
### 3. CodeQL Analysis
- GitHub Advanced Security integration
- Custom query development
- Vulnerability variant analysis
@@ -43,12 +46,14 @@ This skill provides comprehensive guidance for setting up and configuring SAST t
## Quick Start
### Initial Assessment
1. Identify primary programming languages in your codebase
2. Determine compliance requirements (PCI-DSS, SOC 2, etc.)
3. Choose SAST tool based on language support and integration needs
4. Review baseline scan to understand current security posture
### Basic Setup
```bash
# Semgrep quick start
pip install semgrep
@@ -77,6 +82,7 @@ codeql database create mydb --language=python
## Integration Patterns
### CI/CD Pipeline Integration
```yaml
# GitHub Actions example
- name: Run Semgrep
@@ -88,6 +94,7 @@ codeql database create mydb --language=python
```
### Pre-commit Hook
```bash
# .pre-commit-config.yaml
- repo: https://github.com/returntocorp/semgrep
@@ -127,11 +134,13 @@ codeql database create mydb --language=python
## Common Use Cases
### New Project Setup
```bash
./scripts/run-sast.sh --setup --language python --tools semgrep,sonarqube
```
### Custom Rule Development
```yaml
# See references/semgrep-rules.md for detailed examples
rules:
@@ -142,6 +151,7 @@ rules:
```
### Compliance Scanning
```bash
# PCI-DSS focused scan
semgrep --config p/pci-dss --json -o pci-scan-results.json
@@ -150,18 +160,21 @@ semgrep --config p/pci-dss --json -o pci-scan-results.json
## Troubleshooting
### High False Positive Rate
- Review and tune rule sensitivity
- Add path filters to exclude test files
- Use nostmt metadata for noisy patterns
- Create organization-specific rule exceptions
### Performance Issues
- Enable incremental scanning
- Parallelize scans across modules
- Optimize rule patterns for efficiency
- Cache dependencies and scan results
### Integration Failures
- Verify API tokens and credentials
- Check network connectivity and proxy settings
- Review SARIF output format compatibility
@@ -175,11 +188,11 @@ semgrep --config p/pci-dss --json -o pci-scan-results.json
## Tool Comparison
| Tool | Best For | Language Support | Cost | Integration |
|------|----------|------------------|------|-------------|
| Semgrep | Custom rules, fast scans | 30+ languages | Free/Enterprise | Excellent |
| SonarQube | Code quality + security | 25+ languages | Free/Commercial | Good |
| CodeQL | Deep analysis, research | 10+ languages | Free (OSS) | GitHub native |
| Tool | Best For | Language Support | Cost | Integration |
| --------- | ------------------------ | ---------------- | --------------- | ------------- |
| Semgrep | Custom rules, fast scans | 30+ languages | Free/Enterprise | Excellent |
| SonarQube | Code quality + security | 25+ languages | Free/Commercial | Good |
| CodeQL | Deep analysis, research | 10+ languages | Free (OSS) | GitHub native |
## Next Steps

20
plugins/security-scanning/skills/security-requirement-extraction/SKILL.md
View File

@@ -29,20 +29,20 @@ Business Requirements → Security Requirements → Technical Controls
### 2. Security Requirement Types
| Type | Focus | Example |
|------|-------|---------|
| **Functional** | What system must do | "System must authenticate users" |
| Type | Focus | Example |
| ------------------ | ----------------------- | ------------------------------------- |
| **Functional** | What system must do | "System must authenticate users" |
| **Non-functional** | How system must perform | "Authentication must complete in <2s" |
| **Constraint** | Limitations imposed | "Must use approved crypto libraries" |
| **Constraint** | Limitations imposed | "Must use approved crypto libraries" |
### 3. Requirement Attributes
| Attribute | Description |
|-----------|-------------|
| Attribute | Description |
| ---------------- | --------------------------- |
| **Traceability** | Links to threats/compliance |
| **Testability** | Can be verified |
| **Priority** | Business importance |
| **Risk Level** | Impact if not met |
| **Testability** | Can be verified |
| **Priority** | Business importance |
| **Risk Level** | Impact if not met |
## Templates
@@ -657,6 +657,7 @@ This epic covers all security requirements related to {domain.value.replace('_',
## Best Practices
### Do's
- **Trace to threats** - Every requirement should map to threats
- **Be specific** - Vague requirements can't be tested
- **Include acceptance criteria** - Define "done"
@@ -664,6 +665,7 @@ This epic covers all security requirements related to {domain.value.replace('_',
- **Review regularly** - Requirements evolve with threats
### Don'ts
- **Don't be generic** - "Be secure" is not a requirement
- **Don't skip rationale** - Explain why it matters
- **Don't ignore priorities** - Not all requirements are equal

36
plugins/security-scanning/skills/stride-analysis-patterns/SKILL.md
View File

@@ -34,14 +34,14 @@ E - Elevation of → Authorization threats
### 2. Threat Analysis Matrix
| Category | Question | Control Family |
|----------|----------|----------------|
| **Spoofing** | Can attacker pretend to be someone else? | Authentication |
| **Tampering** | Can attacker modify data in transit/rest? | Integrity |
| **Repudiation** | Can attacker deny actions? | Logging/Audit |
| **Info Disclosure** | Can attacker access unauthorized data? | Encryption |
| **DoS** | Can attacker disrupt availability? | Rate limiting |
| **Elevation** | Can attacker gain higher privileges? | Authorization |
| Category | Question | Control Family |
| ------------------- | ----------------------------------------- | -------------- |
| **Spoofing** | Can attacker pretend to be someone else? | Authentication |
| **Tampering** | Can attacker modify data in transit/rest? | Integrity |
| **Repudiation** | Can attacker deny actions? | Logging/Audit |
| **Info Disclosure** | Can attacker access unauthorized data? | Encryption |
| **DoS** | Can attacker disrupt availability? | Rate limiting |
| **Elevation** | Can attacker gain higher privileges? | Authorization |
## Templates
@@ -53,14 +53,17 @@ E - Elevation of → Authorization threats
## 1. System Overview
### 1.1 Description
[Brief description of the system and its purpose]
### 1.2 Data Flow Diagram
```
[User] --> [Web App] --> [API Gateway] --> [Backend Services]
|
v
[Database]
|
v
[Database]
```
### 1.3 Trust Boundaries
@@ -163,12 +166,15 @@ E - Elevation of → Authorization threats
### 4.1 Risk Matrix
```
IMPACT
Low Med High Crit
Low 1 2 3 4
L Med 2 4 6 8
I High 3 6 9 12
K Crit 4 8 12 16
L Med 2 4 6 8
I High 3 6 9 12
K Crit 4 8 12 16
```
### 4.2 Prioritized Risks
@@ -636,6 +642,7 @@ class StridePerInteraction:
## Best Practices
### Do's
- **Involve stakeholders** - Security, dev, and ops perspectives
- **Be systematic** - Cover all STRIDE categories
- **Prioritize realistically** - Focus on high-impact threats
@@ -643,6 +650,7 @@ class StridePerInteraction:
- **Use visual aids** - DFDs help communication
### Don'ts
- **Don't skip categories** - Each reveals different threats
- **Don't assume security** - Question every component
- **Don't work in isolation** - Collaborative modeling is better

16
plugins/security-scanning/skills/threat-mitigation-mapping/SKILL.md
View File

@@ -33,13 +33,13 @@ Corrective ────► Respond and recover from attacks
### 2. Control Layers
| Layer | Examples |
|-------|----------|
| **Network** | Firewall, WAF, DDoS protection |
| **Application** | Input validation, authentication |
| **Data** | Encryption, access controls |
| **Endpoint** | EDR, patch management |
| **Process** | Security training, incident response |
| Layer | Examples |
| --------------- | ------------------------------------ |
| **Network** | Firewall, WAF, DDoS protection |
| **Application** | Input validation, authentication |
| **Data** | Encryption, access controls |
| **Endpoint** | EDR, patch management |
| **Process** | Security training, incident response |
### 3. Defense in Depth
@@ -725,6 +725,7 @@ class ControlTester:
## Best Practices
### Do's
- **Map all threats** - No threat should be unmapped
- **Layer controls** - Defense in depth is essential
- **Mix control types** - Preventive, detective, corrective
@@ -732,6 +733,7 @@ class ControlTester:
- **Review regularly** - Controls degrade over time
### Don'ts
- **Don't rely on single controls** - Single points of failure
- **Don't ignore cost** - ROI matters
- **Don't skip testing** - Untested controls may fail