Initial commit

This commit is contained in:
Zhongwei Li
2025-11-29 17:51:02 +08:00
commit ff1f4bd119
252 changed files with 72682 additions and 0 deletions


@@ -0,0 +1,9 @@
# Assets Directory
Place files that will be used in the output Claude produces:
- Templates
- Configuration files
- Images/logos
- Boilerplate code
These files are NOT loaded into context but copied/modified in output.


@@ -0,0 +1,94 @@
# Checkov Configuration File
# Place this file as .checkov.yaml in your project root
# Framework selection
framework:
- terraform
- kubernetes
- dockerfile
- helm
# Checks to skip globally
skip-check:
# Development environment exceptions
- CKV_AWS_17 # RDS backup retention (dev envs)
- CKV_AWS_8 # CloudWatch log encryption (cost optimization)
# Low severity informational checks
- CKV_AWS_50 # Lambda tracing
- CKV_K8S_35 # Prefer secrets as files
# Paths to exclude from scanning
skip-path:
- .terraform/
- .terragrunt-cache/
- node_modules/
- vendor/
- "**/.git"
- "**/test/"
- "**/examples/"
# Severity-based configuration
soft-fail-on:
- LOW
- MEDIUM
hard-fail-on:
- CRITICAL
- HIGH
# Compact output mode
compact: true
# Quiet mode (only show failures)
quiet: false
# Download external Terraform modules
download-external-modules: true
# Output configuration
output:
- cli
- json
- sarif
# Output file path
output-file-path: ./checkov-reports
# Repository identification
repo-id: my-infrastructure
branch: main
# External checks directory
external-checks-dir:
- ./custom_checks
# Baseline file for drift detection
# baseline: .checkov.baseline
# Enable secrets scanning
# framework:
# - secrets
# Prisma Cloud/Bridgecrew integration (optional)
# bc-api-key: ${PRISMA_API_KEY}
# prisma-api-url: https://api.prismacloud.io
# Skip specific resources by regex
# skip-resources-without-violations: true
# CKV check configuration
# check:
# - CIS_AWS
# - CIS_AZURE
# - CIS_KUBERNETES
# Enable/disable specific frameworks
# skip-framework:
# - ansible
# - github_actions
# Custom policies metadata filter
# policy-metadata-filter:
# severity: HIGH,CRITICAL
# category: IAM,ENCRYPTION
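Review bot: The `skip-check` entries `CKV_AWS_17` and `CKV_AWS_8` are commented as development-environment exceptions, but a root `.checkov.yaml` applies to every scan of the repository, so RDS backup retention and CloudWatch log encryption go unchecked for production code as well; scope them with inline `#checkov:skip=CKV_AWS_17:<reason>` annotations on the dev resources, or keep a separate config passed via `--config-file` to the dev pipelines. The `soft-fail-on` / `hard-fail-on` severity lists only take effect when Checkov can resolve check severities, which as far as I know requires the platform API key that is left commented out further down; without it the severity gates are likely no-ops and the effective behaviour is the default exit code on any failed check, which deserves a comment next to those keys (e.g. `# severity filtering requires bc-api-key; otherwise checks have no severity`). `download-external-modules: true` makes every scan fetch remote Terraform modules over the network, so the scanner processes whatever those sources currently serve; note it as a deliberate choice or enable it only in the pipelines that need it.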


@@ -0,0 +1,199 @@
# GitHub Actions Workflow for Checkov IaC Security Scanning
# Place this file in .github/workflows/checkov.yml
name: Checkov IaC Security Scan
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
paths:
- '**.tf'
- '**.yaml'
- '**.yml'
- '**.json'
schedule:
# Run weekly security scans on Sunday at 2 AM
- cron: '0 2 * * 0'
workflow_dispatch:
permissions:
contents: read
security-events: write
pull-requests: write
jobs:
checkov-terraform:
name: Terraform Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Checkov on Terraform
uses: bridgecrewio/checkov-action@master
with:
directory: terraform/
framework: terraform
output_format: sarif
output_file_path: checkov-terraform.sarif
soft_fail: false
download_external_modules: true
- name: Upload SARIF Report
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: checkov-terraform.sarif
category: terraform
checkov-kubernetes:
name: Kubernetes Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Checkov on Kubernetes
uses: bridgecrewio/checkov-action@master
with:
directory: k8s/
framework: kubernetes
output_format: sarif
output_file_path: checkov-k8s.sarif
soft_fail: false
- name: Upload SARIF Report
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: checkov-k8s.sarif
category: kubernetes
checkov-dockerfile:
name: Dockerfile Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Checkov on Dockerfiles
uses: bridgecrewio/checkov-action@master
with:
directory: ./
framework: dockerfile
output_format: sarif
output_file_path: checkov-docker.sarif
soft_fail: false
- name: Upload SARIF Report
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: checkov-docker.sarif
category: dockerfile
checkov-compliance:
name: Compliance Scan (CIS, PCI-DSS)
runs-on: ubuntu-latest
if: github.event_name == 'push' || github.event_name == 'schedule'
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Install Checkov
run: pip install checkov
- name: Run CIS Compliance Scan
run: |
checkov -d terraform/ \
--framework terraform \
--check CIS_AWS,CIS_AZURE \
-o json -o cli \
--output-file-path ./compliance-reports
- name: Upload Compliance Reports
uses: actions/upload-artifact@v4
if: always()
with:
name: compliance-reports
path: compliance-reports/
retention-days: 90
security-gate:
name: Security Gate Check
runs-on: ubuntu-latest
needs: [checkov-terraform, checkov-kubernetes]
if: always()
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Install Dependencies
run: pip install checkov
- name: Run Checkov with Threshold
run: |
# Fail on CRITICAL and HIGH severity issues
checkov -d terraform/ \
--framework terraform \
--hard-fail-on CRITICAL,HIGH \
-o json --output-file-path ./gate-report || EXIT_CODE=$?
# Parse results
if [ -f "gate-report/results_json.json" ]; then
CRITICAL=$(jq '[.results.failed_checks[] | select(.severity == "CRITICAL")] | length' gate-report/results_json.json)
HIGH=$(jq '[.results.failed_checks[] | select(.severity == "HIGH")] | length' gate-report/results_json.json)
echo "Critical findings: $CRITICAL"
echo "High findings: $HIGH"
if [ "$CRITICAL" -gt 0 ] || [ "$HIGH" -gt 0 ]; then
echo "❌ Security gate failed"
exit 1
fi
fi
echo "✅ Security gate passed"
- name: Comment on PR
if: github.event_name == 'pull_request'
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
const report = JSON.parse(fs.readFileSync('gate-report/results_json.json', 'utf8'));
const summary = report.summary || {};
const passed = summary.passed || 0;
const failed = summary.failed || 0;
const skipped = summary.skipped || 0;
const body = `## Checkov IaC Security Scan Results
| Status | Count |
|--------|-------|
| ✅ Passed | ${passed} |
| ❌ Failed | ${failed} |
| ⏭️ Skipped | ${skipped} |
${failed > 0 ? '⚠️ Please review and fix the security findings before merging.' : '✅ No security issues detected!'}
`;
github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
body: body
});
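Review bot: The three scan jobs use `bridgecrewio/checkov-action@master`, a mutable branch ref, so each run executes whatever the action's default branch currently contains inside a workflow that holds `security-events: write` and `pull-requests: write`; pin it to a release tag or, preferably, a full commit SHA (`uses: bridgecrewio/checkov-action@<release-tag-or-commit-SHA>`) and let Dependabot bump it. The same unpinned-dependency pattern appears in `pip install checkov` in the compliance and security-gate jobs (`pip install checkov==<pinned-version>`) and in `CHECKOV_IMAGE: "bridgecrew/checkov:latest"` in the GitLab pipeline added by this commit. Separately, the `Run Checkov with Threshold` step only counts findings whose `.severity` is `CRITICAL` or `HIGH`; Checkov appears to attach severities only when a platform API key is configured, which nothing in this workflow sets, so both counts are likely to be 0 and the step prints `✅ Security gate passed` while `$EXIT_CODE` is captured and never examined — the GitLab `security_gate` job has the same shape. At minimum the step should end with `exit ${EXIT_CODE:-0}` so Checkov's own verdict is honoured, and the `Comment on PR` step should guard `fs.existsSync('gate-report/results_json.json')` before parsing, since it currently throws when the gate produced no report.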


@@ -0,0 +1,218 @@
# GitLab CI/CD Pipeline for Checkov IaC Security Scanning
# Add this to your .gitlab-ci.yml file
stages:
- security
- compliance
- report
variables:
CHECKOV_IMAGE: "bridgecrew/checkov:latest"
REPORTS_DIR: "checkov-reports"
# Terraform Security Scan
checkov_terraform:
stage: security
image: $CHECKOV_IMAGE
script:
- mkdir -p $REPORTS_DIR
- |
checkov -d terraform/ \
--framework terraform \
-o json -o junitxml -o sarif \
--output-file-path $REPORTS_DIR \
--compact || EXIT_CODE=$?
- echo "Exit code: ${EXIT_CODE:-0}"
artifacts:
reports:
junit: $REPORTS_DIR/results_junitxml.xml
sast: $REPORTS_DIR/results_sarif.sarif
paths:
- $REPORTS_DIR/
when: always
expire_in: 30 days
only:
changes:
- terraform/**/*
- "*.tf"
tags:
- docker
# Kubernetes Security Scan
checkov_kubernetes:
stage: security
image: $CHECKOV_IMAGE
script:
- mkdir -p $REPORTS_DIR
- |
checkov -d k8s/ \
--framework kubernetes \
-o json -o junitxml \
--output-file-path $REPORTS_DIR \
--compact
artifacts:
reports:
junit: $REPORTS_DIR/results_junitxml.xml
paths:
- $REPORTS_DIR/
when: always
expire_in: 30 days
only:
changes:
- k8s/**/*
- "*.yaml"
- "*.yml"
tags:
- docker
# CloudFormation Security Scan
checkov_cloudformation:
stage: security
image: $CHECKOV_IMAGE
script:
- mkdir -p $REPORTS_DIR
- |
checkov -d cloudformation/ \
--framework cloudformation \
-o json -o junitxml \
--output-file-path $REPORTS_DIR \
--compact
artifacts:
reports:
junit: $REPORTS_DIR/results_junitxml.xml
paths:
- $REPORTS_DIR/
when: always
expire_in: 30 days
only:
changes:
- cloudformation/**/*
allow_failure: true
tags:
- docker
# Compliance Scan (CIS Benchmarks)
checkov_compliance:
stage: compliance
image: $CHECKOV_IMAGE
script:
- mkdir -p $REPORTS_DIR/compliance
- |
# CIS AWS Benchmark
checkov -d terraform/ \
--framework terraform \
--check CIS_AWS \
-o json -o cli \
--output-file-path $REPORTS_DIR/compliance \
--compact || true
# Parse results
if [ -f "$REPORTS_DIR/compliance/results_json.json" ]; then
FAILED=$(jq '.summary.failed' $REPORTS_DIR/compliance/results_json.json)
echo "CIS compliance failures: $FAILED"
fi
artifacts:
paths:
- $REPORTS_DIR/compliance/
when: always
expire_in: 90 days
only:
- main
- develop
tags:
- docker
# Security Gate - Fail on Critical/High
security_gate:
stage: compliance
image: $CHECKOV_IMAGE
script:
- mkdir -p $REPORTS_DIR/gate
- |
# Run scan with severity filtering
checkov -d terraform/ \
--framework terraform \
--hard-fail-on CRITICAL,HIGH \
-o json \
--output-file-path $REPORTS_DIR/gate \
--compact || EXIT_CODE=$?
# Check results
if [ -f "$REPORTS_DIR/gate/results_json.json" ]; then
CRITICAL=$(jq '[.results.failed_checks[] | select(.severity == "CRITICAL")] | length' $REPORTS_DIR/gate/results_json.json)
HIGH=$(jq '[.results.failed_checks[] | select(.severity == "HIGH")] | length' $REPORTS_DIR/gate/results_json.json)
echo "Critical findings: $CRITICAL"
echo "High findings: $HIGH"
if [ "$CRITICAL" -gt 0 ] || [ "$HIGH" -gt 0 ]; then
echo "❌ Security gate failed: Critical or High severity issues found"
exit 1
fi
echo "✅ Security gate passed"
fi
exit ${EXIT_CODE:-0}
artifacts:
paths:
- $REPORTS_DIR/gate/
when: always
expire_in: 30 days
dependencies:
- checkov_terraform
- checkov_kubernetes
only:
- merge_requests
- main
allow_failure: false
tags:
- docker
# Generate Summary Report
generate_report:
stage: report
image: alpine:latest
before_script:
- apk add --no-cache jq curl
script:
- |
# Generate markdown summary
cat > $REPORTS_DIR/summary.md <<EOF
# Checkov IaC Security Scan Summary
**Pipeline:** $CI_PIPELINE_ID
**Branch:** $CI_COMMIT_REF_NAME
**Commit:** $CI_COMMIT_SHORT_SHA
**Date:** $(date)
## Scan Results
EOF
# Parse Terraform scan results
if [ -f "$REPORTS_DIR/results_json.json" ]; then
echo "### Terraform Scan" >> $REPORTS_DIR/summary.md
echo "" >> $REPORTS_DIR/summary.md
echo "| Metric | Count |" >> $REPORTS_DIR/summary.md
echo "|--------|-------|" >> $REPORTS_DIR/summary.md
jq -r '.summary | "| Passed | \(.passed) |\n| Failed | \(.failed) |\n| Skipped | \(.skipped) |"' \
$REPORTS_DIR/results_json.json >> $REPORTS_DIR/summary.md
echo "" >> $REPORTS_DIR/summary.md
fi
cat $REPORTS_DIR/summary.md
artifacts:
paths:
- $REPORTS_DIR/summary.md
when: always
expire_in: 90 days
dependencies:
- checkov_terraform
- checkov_kubernetes
only:
- merge_requests
- main
- develop
tags:
- docker
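Review bot: `checkov_terraform` swallows Checkov's exit status (`--compact || EXIT_CODE=$?` followed only by an `echo`), so on feature branches — where `security_gate` is not run because of `only: [merge_requests, main]` — Terraform findings never fail the job, while `checkov_kubernetes` and `checkov_cloudformation` let the same status through (the CloudFormation job is additionally `allow_failure: true`); either end the Terraform script with `exit ${EXIT_CODE:-0}` as `security_gate` does, or state in a comment that the `security` stage is informational on branches. `artifacts:reports:sast` appears to expect GitLab's SAST report JSON schema rather than SARIF, so `sast: $REPORTS_DIR/results_sarif.sarif` may be rejected as an invalid report and silently missing from the MR security widget — worth confirming against the GitLab version in use. `security_gate` also declares `dependencies` on both scan jobs but its script re-scans `terraform/` and reads only `$REPORTS_DIR/gate/`, so the downloaded artifacts are unused and the list can be dropped. `generate_report` writes into `$REPORTS_DIR` without creating it, so it relies on the `checkov_terraform` artifact being present; when that job is skipped by its `only: changes` rule the `cat >` redirection fails, and a leading `mkdir -p $REPORTS_DIR` would make the job self-sufficient.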


@@ -0,0 +1,92 @@
# Pre-commit Hook Configuration for Checkov
# Place this file as .pre-commit-config.yaml in your project root
#
# Install: pip install pre-commit
# Setup: pre-commit install
repos:
# Checkov IaC Security Scanning
- repo: https://github.com/bridgecrewio/checkov
rev: 2.5.0
hooks:
- id: checkov
name: Checkov IaC Security Scan
args:
- --soft-fail # Don't block commits (warning only)
- --compact # Concise output
- --framework=terraform # Scan Terraform files
- --framework=kubernetes # Scan Kubernetes files
- --framework=dockerfile # Scan Dockerfiles
files: \.(tf|yaml|yml|json|Dockerfile)$
exclude: |
(?x)^(
.terraform/|
.terragrunt-cache/|
vendor/|
node_modules/
)
# Strict mode (fail on Critical/High) - optional
- repo: https://github.com/bridgecrewio/checkov
rev: 2.5.0
hooks:
- id: checkov
name: Checkov Strict Mode (Critical/High)
args:
- --hard-fail-on=CRITICAL,HIGH
- --compact
- --quiet
files: \.(tf|yaml|yml)$
exclude: |
(?x)^(
.terraform/|
test/|
examples/
)
# Only run on specific branches
stages: [push]
# Terraform-specific scanning with external modules
- repo: https://github.com/bridgecrewio/checkov
rev: 2.5.0
hooks:
- id: checkov
name: Checkov Terraform (with external modules)
args:
- --download-external-modules=true
- --framework=terraform
- --soft-fail
files: \.tf$
exclude: .terraform/
# Additional code quality hooks
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.5.0
hooks:
- id: trailing-whitespace
- id: end-of-file-fixer
- id: check-yaml
args: [--allow-multiple-documents]
- id: check-json
- id: check-merge-conflict
- id: detect-private-key
name: Detect Private Keys (Secrets)
# Terraform formatting
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.86.0
hooks:
- id: terraform_fmt
- id: terraform_validate
- id: terraform_docs
args:
- --hook-config=--add-to-existing-file=true
- --hook-config=--create-file-if-not-exist=true
# YAML linting
- repo: https://github.com/adrienverge/yamllint
rev: v1.33.0
hooks:
- id: yamllint
args: [-c=.yamllint.yaml]
files: \.(yaml|yml)$
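Review bot: The `files` pattern on the first hook, `\.(tf|yaml|yml|json|Dockerfile)$`, requires a dot before `Dockerfile`, so a file named plainly `Dockerfile` never reaches the hook and `--framework=dockerfile` scans nothing; an alternation that also matches the bare name, e.g. `files: (\.(tf|yaml|yml|json)|(^|/)Dockerfile(\..*)?)$`, fixes that. The `exclude` regexes are anchored with `^(`, so `node_modules/`, `vendor/` and the others are skipped only at the repository root while nested copies under a subproject are still scanned, and the unescaped `.` in `.terraform/` and `.terragrunt-cache/` matches any character (harmless here, but `\.terraform/` states the intent). With the first hook on `--soft-fail` and the strict hook limited to `stages: [push]`, nothing in this config blocks a commit; that matches the inline comment, but a line in the file header such as `# Note: commit-time hooks are advisory; only the push-stage hook fails on CRITICAL/HIGH` would make it explicit. The third hook's `--download-external-modules=true` fetches remote modules from a developer workstation on every push, which is worth noting alongside the hook name.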