Summary
Create the owasp-cicd skill under .github/skills/security/owasp-cicd/, providing detection checklists, severity guidance, and remediation patterns for the OWASP Top 10 CI/CD Security Risks.
This skill is consumed by the security-reviewer agent (not user-invocable). Content is adapted from JasonTheDeveloper's owasp-skills cicd-vulnerabilities skill, with hve-core naming and conventions applied.
Acceptance Criteria
- SKILL.md exists with valid frontmatter:
  - name: owasp-cicd matches the directory name
  - description ends with "- Brought to you by microsoft/hve-core"
  - user-invocable: false
  - metadata.content_based_on references the OWASP CI/CD Top 10 source URL
- references/ directory contains 11 files:
  - 00-vulnerability-index.md
  - 01-insufficient-flow-control-mechanisms.md
  - 02-inadequate-identity-access-management.md
  - 03-dependency-chain-abuse.md
  - 04-poisoned-pipeline-execution.md
  - 05-insufficient-pbac.md
  - 06-insufficient-credential-hygiene.md
  - 07-insecure-system-configuration.md
  - 08-ungoverned-usage-of-3rd-party-services.md
  - 09-improper-artifact-integrity-validation.md
  - 10-insufficient-logging-visibility.md
- Each numbered reference file (01 through 10) follows the 7-section pattern: Description → Risk → Vulnerability Checklist → Prevention Controls → Example Attacks → Detection Guidance → Remediation
- SKILL.md body references the vulnerability index and instructs the agent on how to traverse the references
- npm run validate:skills passes for this skill
Content Source
Adapted from JasonTheDeveloper's owasp-skills cicd-vulnerabilities/ skill. Naming convention changed from cicd-vulnerabilities to owasp-cicd per Discussion #480 terminology alignment.
File Structure
.github/skills/security/owasp-cicd/
├── SKILL.md
└── references/
    ├── 00-vulnerability-index.md
    ├── 01-insufficient-flow-control-mechanisms.md
    ├── 02-inadequate-identity-access-management.md
    ├── 03-dependency-chain-abuse.md
    ├── 04-poisoned-pipeline-execution.md
    ├── 05-insufficient-pbac.md
    ├── 06-insufficient-credential-hygiene.md
    ├── 07-insecure-system-configuration.md
    ├── 08-ungoverned-usage-of-3rd-party-services.md
    ├── 09-improper-artifact-integrity-validation.md
    └── 10-insufficient-logging-visibility.md