Skip to content

feat(skill): introduce owasp-infrastructure#1244

Merged
WilliamBerryiii merged 19 commits intomicrosoft:mainfrom
JasonTheDeveloper:feat/1241
Apr 7, 2026
Merged

feat(skill): introduce owasp-infrastructure#1244
WilliamBerryiii merged 19 commits intomicrosoft:mainfrom
JasonTheDeveloper:feat/1241

Conversation

@JasonTheDeveloper
Copy link
Copy Markdown
Contributor

@JasonTheDeveloper JasonTheDeveloper commented Mar 31, 2026
edited
Loading

Pull Request

Description

In alignment with phase 2 discussed in #480 (comment), this PR introduces the OWASP Infrastructure Top 10 skill to hve-core and the security reviewer agent.

Related Issue(s)

Closes #1241

Type of Change

Select all that apply:

Code & Documentation:

  • Bug fix (non-breaking change fixing an issue)
  • New feature (non-breaking change adding functionality)
  • Breaking change (fix or feature causing existing functionality to change)
  • Documentation update

Infrastructure & Configuration:

  • GitHub Actions workflow
  • Linting configuration (markdown, PowerShell, etc.)
  • Security configuration
  • DevContainer configuration
  • Dependency update

AI Artifacts:

  • Reviewed contribution with prompt-builder agent and addressed all feedback
  • Copilot instructions (.github/instructions/*.instructions.md)
  • Copilot prompt (.github/prompts/*.prompt.md)
  • Copilot agent (.github/agents/*.agent.md)
  • Copilot skill (.github/skills/*/SKILL.md)

Note for AI Artifact Contributors:

  • Agents: Research, indexing/referencing other project (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review .github/agents/ before creating new ones.
  • Skills: Must include both bash and PowerShell scripts. See Skills.
  • Model Versions: Only contributions targeting the latest Anthropic and OpenAI models will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected.
  • See Agents Not Accepted and Model Version Requirements.

Other:

  • Script/automation (.ps1, .sh, .py)
  • Other (please describe):

Testing

To be able to test the owasp-infrastructure skill using the security reviewer agent you will need a repository containing infrastructure related code/configuration.

  1. Either select the Security Reviewer agent or invoke the agent via the /security-revew instruction
  2. Use the following prompt analyse the code and produce a vulnerability report
    • If you are testing to see if the codebase-profiler.agent.md picks up that the repository contains infrastructure related code (like terraform) and thus uses the owasp-infrastructure skill then that's all you need.
    • If you only want to test the owasp-infrastructure is used, in your prompt add targetSkill=owasp-infrastructure

You should see in the output report the owasp-infrastructure skill being referenced and used.

Checklist

Required Checks

  • Documentation is updated (if applicable)
  • Files follow existing naming conventions
  • Changes are backwards compatible (if applicable)
  • Tests added for new functionality (if applicable)

AI Artifact Contributions

  • Used /prompt-analyze to review contribution
  • Addressed all feedback from prompt-builder review
  • Verified contribution follows common standards and type-specific requirements

Required Automated Checks

The following validation commands must pass before merging:

  • Markdown linting: npm run lint:md
  • Spell checking: npm run spell-check
  • Frontmatter validation: npm run lint:frontmatter
  • Skill structure validation: npm run validate:skills
  • Link validation: npm run lint:md-links
  • PowerShell analysis: npm run lint:ps
  • Plugin freshness: npm run plugin:generate

Security Considerations

  • This PR does not contain any sensitive or NDA information
  • Any new dependencies have been reviewed for security issues
  • Security-related scripts follow the principle of least privilege

@JasonTheDeveloper JasonTheDeveloper requested a review from a team as a code owner March 31, 2026 04:18
@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented Mar 31, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.62%. Comparing base (dfd04e0) to head (0b571e2).

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #1244      +/-   ##
==========================================
- Coverage   87.63%   87.62%   -0.02%     
==========================================
  Files          61       61              
  Lines        9328     9328              
==========================================
- Hits         8175     8174       -1     
- Misses       1153     1154       +1
Flag Coverage Δ
pester 85.18% <ø> (-0.02%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 1 file with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

katriendg
katriendg reviewed Mar 31, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@katriendg katriendg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Jason, left a few comments on changes needed before we can merge.

From a merge order probably do this:

  1. Merge PR 1244 (owasp-infrastructure) first — broadest infrastructure scope.
  2. Rebase PR 1245 (owasp-docker) onto updated main, resolve conflicts in 6 shared files, merge.
  3. Rebase PR 1246 (owasp-cicd) onto updated main, resolve conflicts in 6 shared files, merge.

After each merge, run npm run plugin:generate to keep plugin outputs fresh.

Comment thread .github/skills/security/owasp-infrastructure/SKILL.md Outdated
Comment thread .github/skills/security/owasp-infrastructure/SKILL.md Outdated
@JasonTheDeveloper
Copy link
Copy Markdown
Contributor Author

JasonTheDeveloper commented Apr 1, 2026

Using the owasp-infrastructure here are the results:

OWASP Security Assessment Report

Date: 2026-04-01
Repository: hve-core
Agent: Security Reviewer
Skills applied: owasp-infrastructure

Caution

This prompt is an assistive tool only and does not replace professional security tooling (SAST, DAST, SCA, penetration testing, compliance scanners) or qualified human review. All AI-generated vulnerability findings must be reviewed and validated by qualified security professionals before use. AI outputs may contain inaccuracies, miss critical threats, or produce recommendations that are incomplete or inappropriate for your environment.

Executive Summary

A comprehensive infrastructure security assessment of the hve-core repository was conducted using the OWASP Infrastructure Top 10 (2024) framework. All 10 controls were evaluated, resulting in 9 PASS findings and 1 NOT_ASSESSED finding, with zero vulnerabilities identified. The NOT_ASSESSED control (ISR06 — Insecure Network Access Management) is not applicable because hve-core is a documentation and tooling repository running on ephemeral GitHub-hosted runners with no managed network infrastructure. All 10 findings passed through verification unchanged, confirming the repository's strong infrastructure security posture.

Summary Counts

Status Count
PASS 9
FAIL 0
PARTIAL 0
NOT_ASSESSED 1
Total 10

Severity Breakdown (FAIL + PARTIAL only)

Severity Count
CRITICAL 0
HIGH 0
MEDIUM 0
LOW 0

Verification Summary

Verdict Count
CONFIRMED 0
DISPROVED 0
DOWNGRADED 0
UNCHANGED 10

Findings by Framework

owasp-infrastructure

ID Title Status Severity Location Finding Recommendation Verdict Justification
ISR01:2024 Outdated Software PASS N/A N/A Comprehensive dependency update management: Dependabot configured for npm, GitHub Actions, and uv Python packages on a weekly schedule. SHA staleness monitoring detects outdated pinned action references. Weekly security maintenance workflows automate stale dependency detection. Tool versions pinned with SHA256 checksums. pip-audit scans Python dependencies. npm overrides pin transitive dependencies. No additional action needed. UNCHANGED PASS finding passed through without verification.
ISR02:2024 Insufficient Threat Detection PASS N/A N/A Multiple detection layers deployed: Gitleaks secret scanning on every PR and release with soft-fail: false. CodeQL weekly and PR-triggered scans with security-extended queries. OpenSSF Scorecard weekly and after releases. Dependency review on PRs. Workflow permissions scanning. SARIF results uploaded to GitHub Security tab. Weekly validation workflows for continuous monitoring. No additional action needed. UNCHANGED PASS finding passed through without verification.
ISR03:2024 Insecure Configurations PASS N/A N/A Secure configuration practices: top-level permissions: contents: read with minimal per-job escalation, persist-credentials: false on all checkouts, concurrency groups, cancel-in-progress controls. Dedicated workflow-permissions-scan.yml enforces proper permissions. ActionLint validates syntax. Branch protection requires status checks, PR review, CODEOWNERS approval, prohibits admin bypass. JIT access limits admin to 2 hours. No additional action needed. UNCHANGED PASS finding passed through without verification.
ISR04:2024 Insecure Resource and User Management PASS N/A N/A Team-based ACLs with explicit role assignments. CODEOWNERS enforcement for domain expert review. GitHub App tokens for release operations instead of broad PATs. Marketplace publish uses OIDC federation for short-lived Azure credentials. JIT policy restricts admin access to 2-hour windows with approval requirements. Periodically audit team membership and GitHub App installation permissions. UNCHANGED PASS finding passed through without verification.
ISR05:2024 Insecure Use of Cryptography PASS N/A N/A All external communications use HTTPS. GitHub API calls use Bearer token authentication over TLS. Azure marketplace publishing uses OIDC federation. Release artifacts signed using Sigstore attestations with in-toto DSSE envelopes. SBOM generation uses SPDX 2.3 JSON with cryptographic attestation. Tool downloads verify SHA256 checksums. No custom cryptographic implementations or unencrypted protocols. No additional action needed. UNCHANGED PASS finding passed through without verification.
ISR06:2024 Insecure Network Access Management NOT_ASSESSED N/A N/A Not applicable. hve-core is a documentation/tooling/DevOps repository hosted on GitHub with CI/CD on ephemeral GitHub-hosted runners. No self-hosted runners, managed network infrastructure, or deployed services exist. If self-hosted runners or deployed infrastructure are introduced, implement network segmentation and NAC controls. UNCHANGED NOT_ASSESSED finding passed through without verification.
ISR07:2024 Insecure Authentication Methods and Default Credentials PASS N/A N/A No default credentials in codebase. Gitleaks with soft-fail: false blocks secret leakage. Test fixture tokens allowlisted in .gitleaksignore with commit-specific entries. Secrets stored in GitHub Secrets/Variables. OIDC federation for Azure authentication. GitHub App tokens generated per-workflow-run with scoped permissions. Jira and GitLab skill scripts read credentials from environment variables only. No additional action needed. UNCHANGED PASS finding passed through without verification.
ISR08:2024 Information Leakage PASS N/A N/A Comprehensive leakage controls: .gitignore excludes sensitive patterns. Gitleaks prevents secret commits. persist-credentials: false prevents token leakage. Release artifacts include only intended outputs. SARIF results uploaded to restricted Security tab. SECURITY.md provides vulnerability disclosure channels via MSRC. No additional action needed. UNCHANGED PASS finding passed through without verification.
ISR09:2024 Insecure Access to Resources and Management Components PASS N/A N/A Least-privilege access: branch protection requires PR review, CODEOWNERS approval, prohibits admin bypass. Workflow permissions minimized per-job. Release pipeline uses scoped GitHub App tokens. Marketplace publish uses protected environment with OIDC. CODEOWNERS self-protection. JIT access policy limits admin elevation. Security-critical workflows produce auditable SARIF output. No additional action needed. UNCHANGED PASS finding passed through without verification.
ISR10:2024 Insufficient Asset Management and Documentation PASS N/A N/A Comprehensive asset management: SBOM generation via anchore/sbom-action in SPDX 2.3 JSON. Dependency SBOM diffs between releases. tool-checksums.json inventories external tool versions and checksums. Dependabot tracks all ecosystems. package.json and pyproject.toml govern dependencies. Collection manifests document bundled artifact sets. Security documentation covers security model, dependency pinning, and SBOM verification. No additional action needed. UNCHANGED PASS finding passed through without verification.

Detailed Remediation Guidance

None identified.

Disproved Findings

None.

Remediation Checklist

ID Control Status Evidence

Appendix: Skills Used

Skill Framework Version Reference
owasp-infrastructure OWASP Infrastructure Security Top 10 1.0.0 https://owasp.org/www-project-top-10-infrastructure-security-risks/

katriendg
katriendg approved these changes Apr 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@katriendg katriendg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, I believe this looks good! The example evaluation you posted is very useful to get a better idea how it runs.

Please note to merge we will need to the npm run docs:test to pass CI. Could you add that (I messaged you offline). Thanks.

@WilliamBerryiii WilliamBerryiii merged commit 024f61f into microsoft:main Apr 7, 2026
40 checks passed
This was referenced Apr 7, 2026
Merged
Open
@JasonTheDeveloper JasonTheDeveloper deleted the feat/1241 branch April 7, 2026 02:41
WilliamBerryiii pushed a commit that referenced this pull request Apr 24, 2026
@hve-core-release-please @github-actions
chore(main): pre-release 3.3.101 (#1274)
0d4452b 
## Pre-Release 3.3.101

### ✨ Features

- add removed maturity tier and retire owasp-docker (#1444)
- add evaluation dataset creator (#1279)
- align RAI planner with guide, remove scoring, improve UX (#1287)
- add PSGallery staleness check and BOM cleanup (#1379)
- ISA-95 network planner agent (#1177)
- auto-generate collection.md with maturity filtering (#1316)
- add folder-consistency check and standardize WARN outp… (#1350)
- add synth-data-generate prompt to data-science collection (#1419)
- add canonical deck workflow and customer-card rendering for design
thinking (#1413)
- add Figma MCP integration for DT artifact export (#1222)
- introduce `owasp-docker` (#1245)
- replace hve-core-specific references with portable discovery-based
language (#1335)
- introduce `owasp-cicd` (#1246)
- add secure-by-design knowledge skill (#1223)
- introduce `owasp-infrastructure` (#1244)
- introduce `owasp-mcp` (#1207)
- add OutputPath parameter to Invoke-LinkLanguageCheck.ps1 (#1229)
- add -OutputPath parameter to Validate-SkillStructure.ps1 (#1225)
- add maintainer-only skip-review label guard (#1293)
- add extension collections overview and integrate into getting started
flow (#950)
- add agentic workflows for automated issue triage, implementation, PR
review, dependency review, and doc-staleness detection (#1219)
- consolidate package-lock.json version sync into
Update-VersionFiles.ps1 (#1240)
- add standards code review agent and full review orchestrator (#1174)
- standardize pytest-mock as Python mocking framework (#1170)
- add Jira backlog workflows and Jira/GitLab skills (#978)
- add centralized version bump script and supply-chain attestation
(#1183)

### 🐛 Bug Fixes

- pin PowerShell-Yaml to 0.4.7 across all install sites (#1378)
- close fork-PR/workflow-file-PR secret-strip gap and normalize
upload-artifact version (#1421)
- replace stream-based lookahead with array indexing in
list-changed-files.sh (#1376)
- centralize ISO 8601 timestamp regex in CIHelpers (#1343)
- update stale documentation date in release-process.md (#1363)
- pin basic-ftp to 5.3.0 to resolve GHSA-rp42-5vxx-qpwr (#1374)
- add bot filter to dependency PR review workflow (#1362)
- resolve pip-audit findings in powerpoint, gitlab, and jira skill lock
files (#1360)
- standardize Timestamp JSON key casing across all lint result files
(#1314)
- add synchronize trigger to PR Review workflow (#1323)
- standardize timestamp in Validate-SkillStructure.ps1 to use
Get-StandardTimestamp (#1280)
- add parallel subagent dispatch and structured JSON contracts to
code-review-full (#1304)
- standardize timestamp in SecurityHelpers.psm1 to use
Get-StandardTimestamp (#1284)
- standardize timestamps in Test-DependencyPinning.ps1 and
SecurityClasses.psm1 (#1282)
- derive collection artifact counts from YAML at build time (#1275)
- standardize timestamp in FrontmatterValidation.psm1 to use
Get-StandardTimestamp (#1285)
- standardize timestamp in Markdown-Link-Check.ps1 to use
Get-StandardTimestamp (#1283)
- escape hyphens in Mermaid diagram on Collections page (#1262)
- add summary timestamp to PSScriptAnalyzer output (#1211)
- fix plugin compatibility and robustness for coding-standards code
review agents (#1289)
- standardize timestamp in Test-CopyrightHeaders.ps1 to use
Get-StandardTimestamp (#1278)
- standardize timestamp in Invoke-YamlLint.ps1 to use
Get-StandardTimestamp (#1270)
- standardize timestamp in Invoke-LinkLanguageCheck.ps1 to use
Get-StandardTimestamp (#1264)
- fix dependency-review path filters and sparse-checkout cone mode
(#1259)
- replace invalid bare tool names with official tool identifiers (#1198)
- fix broken links and remove orphaned reference in code review docs
(#1257)
- exclude Python env dirs from skill validation warnings (#1255)
- pin happy-dom and serialize-javascript to resolve Dependabot
vulnerabilities (#1253)
- remove Mermaid diagram and add missing collection cards (#1247)
- disable MCP servers by default to prevent token limit errors (#1144)
- sync package-lock.json after pre-release version bump (#1236)
- separate mermaid node declarations and add dynamic diagram generation
with tests (#1215)
- replace anchor links in meeting-analyst with bold text references
(#1201)
- remove recursive symlinks in jira and gitlab skill directories (#1233)
- validate-installation scripts now check .github/skills directory
(#1010) (#1206)
- resolve npm audit vulnerabilities via dependency overrides (#1200)
- add post-release triggers to scorecard workflow (#1186)
- add missing .md extensions to relative links in agent documentation
(#1180)

### 📚 Documentation

- broaden Security Review description beyond OWASP (#1385)
- document maintainer advisory mode and skip-review label guard (#1386)
- document ExcludePaths/OutputPath for Invoke-LinkLanguageCheck (#1383)
- CLI getting-started: clarify plugin install commands as alternatives
(-all vs base) (#1251)

### ♻️ Refactoring

- align agent and prompt folder names to collection identifier (#1210)

### 🔧 Maintenance

- pin PSScriptAnalyzer to 1.25.0 and sync stale workflow version
comments (#1389)
- bump lxml from 6.0.2 to 6.1.0 in
/.github/skills/experimental/powerpoint (#1424)
- bump @vscode/vsce from 3.7.1 to 3.9.1 in the npm-dependencies group
(#1390)
- bump the github-actions group across 1 directory with 7 updates
(#1391)
- bump follow-redirects from 1.15.11 to 1.16.0 in /docs/docusaurus
(#1356)
- upgrade Node.js from 20 to 24 and bump cspell to v10 (#1353)
- bump basic-ftp from 5.2.0 to 5.2.1 (#1324)
- update github/gh-aw-actions requirement to
536ea1bad8c6715d098a9dc1afea8d403733acfe in the github-actions group
across 1 directory (#1298)
- update security instruction attributions and compliance (#1294)
- bump the npm-dependencies group with 2 updates (#1297)
- pre-release 3.3.41 (#1252)
- streamline RAI Planner phase structure and documentation (#1273)
- bump happy-dom from 20.8.8 to 20.8.9 in /docs/docusaurus (#1237)
- pre-release 3.3.27 (#1191)
- bump pygments from 2.19.2 to 2.20.0 in /.github/skills/gitlab/gitlab
(#1234)
- bump path-to-regexp from 0.1.12 to 0.1.13 in /docs/docusaurus (#1226)
- bump the github-actions group with 4 updates (#1231)
- add missing folders and alphabetize location lists (#1193)
- bump brace-expansion (#1224)
- bump handlebars from 4.7.8 to 4.7.9 in /docs/docusaurus (#1217)
- bump brace-expansion from 5.0.3 to 5.0.5 in /docs/docusaurus (#1213)
- pre-release 3.3.10 (#1187)
- bump markdownlint-cli2 from 0.21.0 to 0.22.0 in the npm-dependencies
group (#1175)
- bump the github-actions group with 3 updates (#1176)
- pre-release 3.3.1 (#1165)

---
*Managed automatically by pre-release workflow.*

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@hve-core-release-please hve-core-release-please Bot mentioned this pull request Apr 27, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@katriendg katriendg katriendg approved these changes

@WilliamBerryiii WilliamBerryiii WilliamBerryiii approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feat(skills): add owasp-infrastructure skill for OWASP Top 10 infrastructure vulnerability assessment

4 participants

@JasonTheDeveloper @codecov-commenter @katriendg @WilliamBerryiii