feat(skill): introduce owasp-cicd#1246
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #1246 +/- ##
==========================================
- Coverage 87.66% 87.65% -0.02%
==========================================
Files 61 61
Lines 9328 9328
==========================================
- Hits 8177 8176 -1
- Misses 1151 1152 +1
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
|
@JasonTheDeveloper - will you run this one over HVE Core itself and share the report in this thread? |
|
@WilliamBerryiii yeah sure. I ran the OWASP Security Assessment ReportDate: 2026-04-01 Caution This prompt is an assistive tool only and does not replace professional security tooling (SAST, DAST, SCA, penetration testing, compliance scanners) or qualified human review. All AI-generated vulnerability findings must be reviewed and validated by qualified security professionals before use. AI outputs may contain inaccuracies, miss critical threats, or produce recommendations that are incomplete or inappropriate for your environment. Executive SummaryA comprehensive CI/CD security assessment was performed against the hve-core repository using the OWASP CI/CD Top 10 framework. All 10 controls were evaluated, producing 9 PASS findings and 1 NOT_ASSESSED finding (IAM configuration, which resides outside source code). No vulnerabilities were identified — the repository demonstrates strong pipeline security posture with SHA-pinned actions, least-privilege permissions, secret scanning, SBOM generation, build provenance attestation, and deterministic dependency management. All 10 findings passed through verification unchanged. Summary Counts
Severity Breakdown (FAIL + PARTIAL only)
Verification Summary
Findings by Frameworkowasp-cicd
Detailed Remediation GuidanceNone identified. Disproved FindingsNone. Remediation Checklist
No CONFIRMED or DOWNGRADED findings require remediation. Appendix: Skills Used
|
JasonTheDeveloper
force-pushed
the
feat/1243
branch
from
f96f754 to
ec8d96e
Compare
This makes me really happy! |
WilliamBerryiii
left a comment
WilliamBerryiii
left a comment
There was a problem hiding this comment.
Thanks for this contribution — the content quality across all 10 reference documents is excellent and the agent integrations are thorough.
A few items to address before merge, detailed in inline comments below.
Positive observations:
- All 10 vulnerability reference documents follow a consistent, well-structured format
- Agent integrations (security-reviewer, codebase-profiler, finding-deep-verifier, skill-assessor) are all correctly updated
- Collection and plugin registrations are complete with correct
maturity: experimental - Symlinks follow the established conventions
- Using "index" rather than "master index" is the preferred wording — we will update the existing skills to match
- Using a hyphen in
security.collection.mdis the preferred punctuation — we will update existing entries to match
…s.md` Co-authored-by: Bill Berry <[email protected]>
Co-authored-by: Bill Berry <[email protected]>
Co-authored-by: Bill Berry <[email protected]>
Co-authored-by: Bill Berry <[email protected]>
|
Thanks for the work, this looks good to me now. @WilliamBerryiii if there is nothing missing around the trademark/copyright usage across the titles (just keeping the attribution and notice at the bottom of skill), then I think we can approve and merge? |
|
@katriendg ... had a side chat with @JasonTheDeveloper and we agreed that we'd get these merged and fast follow with a bulk license update across the 3 so that we didn't duplicate work. Having that work in a single PR will make it easier for us to see how the third party notices are handled and ensure a uniform approach. I can also then follow that with some skill level automation to ensure we're taking a structured approach as we pull more skills in. |
…ptions Issue microsoft#1320 (part 2 of 2) — the 'master index' → 'index' rewording from part 1 already landed, so this PR only carries the em-dash → hyphen change decided during review of microsoft#1246. Replaces the ' — ' separator between bolded bullet labels and their descriptions with ' - ' (hyphen) across every collection file: collections/ado.collection.md collections/coding-standards.collection.md collections/data-science.collection.md collections/design-thinking.collection.md collections/experimental.collection.md collections/github.collection.md collections/hve-core.collection.md collections/hve-core-all.collection.md collections/installer.collection.md collections/project-planning.collection.md collections/rai-planning.collection.md Also mirrors the change in each plugins/<name>/README.md so the generated plugin outputs match the source collection without requiring a separate 'npm run plugin:generate' follow-up. The generate pipeline is the canonical way to keep these in sync, and running it locally with both files would produce the same result. Only line-start bullet patterns (^\s*-\s+\*\*...\*\*\s+—\s+) are rewritten; em dashes in prose sentences are left alone, matching the issue's scope ("All bullet-point descriptions currently use ' — ' as the separator"). Closes microsoft#1320 (part 2).
## Pre-Release 3.3.101 ### ✨ Features - add removed maturity tier and retire owasp-docker (#1444) - add evaluation dataset creator (#1279) - align RAI planner with guide, remove scoring, improve UX (#1287) - add PSGallery staleness check and BOM cleanup (#1379) - ISA-95 network planner agent (#1177) - auto-generate collection.md with maturity filtering (#1316) - add folder-consistency check and standardize WARN outp… (#1350) - add synth-data-generate prompt to data-science collection (#1419) - add canonical deck workflow and customer-card rendering for design thinking (#1413) - add Figma MCP integration for DT artifact export (#1222) - introduce `owasp-docker` (#1245) - replace hve-core-specific references with portable discovery-based language (#1335) - introduce `owasp-cicd` (#1246) - add secure-by-design knowledge skill (#1223) - introduce `owasp-infrastructure` (#1244) - introduce `owasp-mcp` (#1207) - add OutputPath parameter to Invoke-LinkLanguageCheck.ps1 (#1229) - add -OutputPath parameter to Validate-SkillStructure.ps1 (#1225) - add maintainer-only skip-review label guard (#1293) - add extension collections overview and integrate into getting started flow (#950) - add agentic workflows for automated issue triage, implementation, PR review, dependency review, and doc-staleness detection (#1219) - consolidate package-lock.json version sync into Update-VersionFiles.ps1 (#1240) - add standards code review agent and full review orchestrator (#1174) - standardize pytest-mock as Python mocking framework (#1170) - add Jira backlog workflows and Jira/GitLab skills (#978) - add centralized version bump script and supply-chain attestation (#1183) ### 🐛 Bug Fixes - pin PowerShell-Yaml to 0.4.7 across all install sites (#1378) - close fork-PR/workflow-file-PR secret-strip gap and normalize upload-artifact version (#1421) - replace stream-based lookahead with array indexing in list-changed-files.sh (#1376) - centralize ISO 8601 timestamp regex in CIHelpers (#1343) - update stale documentation date in release-process.md (#1363) - pin basic-ftp to 5.3.0 to resolve GHSA-rp42-5vxx-qpwr (#1374) - add bot filter to dependency PR review workflow (#1362) - resolve pip-audit findings in powerpoint, gitlab, and jira skill lock files (#1360) - standardize Timestamp JSON key casing across all lint result files (#1314) - add synchronize trigger to PR Review workflow (#1323) - standardize timestamp in Validate-SkillStructure.ps1 to use Get-StandardTimestamp (#1280) - add parallel subagent dispatch and structured JSON contracts to code-review-full (#1304) - standardize timestamp in SecurityHelpers.psm1 to use Get-StandardTimestamp (#1284) - standardize timestamps in Test-DependencyPinning.ps1 and SecurityClasses.psm1 (#1282) - derive collection artifact counts from YAML at build time (#1275) - standardize timestamp in FrontmatterValidation.psm1 to use Get-StandardTimestamp (#1285) - standardize timestamp in Markdown-Link-Check.ps1 to use Get-StandardTimestamp (#1283) - escape hyphens in Mermaid diagram on Collections page (#1262) - add summary timestamp to PSScriptAnalyzer output (#1211) - fix plugin compatibility and robustness for coding-standards code review agents (#1289) - standardize timestamp in Test-CopyrightHeaders.ps1 to use Get-StandardTimestamp (#1278) - standardize timestamp in Invoke-YamlLint.ps1 to use Get-StandardTimestamp (#1270) - standardize timestamp in Invoke-LinkLanguageCheck.ps1 to use Get-StandardTimestamp (#1264) - fix dependency-review path filters and sparse-checkout cone mode (#1259) - replace invalid bare tool names with official tool identifiers (#1198) - fix broken links and remove orphaned reference in code review docs (#1257) - exclude Python env dirs from skill validation warnings (#1255) - pin happy-dom and serialize-javascript to resolve Dependabot vulnerabilities (#1253) - remove Mermaid diagram and add missing collection cards (#1247) - disable MCP servers by default to prevent token limit errors (#1144) - sync package-lock.json after pre-release version bump (#1236) - separate mermaid node declarations and add dynamic diagram generation with tests (#1215) - replace anchor links in meeting-analyst with bold text references (#1201) - remove recursive symlinks in jira and gitlab skill directories (#1233) - validate-installation scripts now check .github/skills directory (#1010) (#1206) - resolve npm audit vulnerabilities via dependency overrides (#1200) - add post-release triggers to scorecard workflow (#1186) - add missing .md extensions to relative links in agent documentation (#1180) ### 📚 Documentation - broaden Security Review description beyond OWASP (#1385) - document maintainer advisory mode and skip-review label guard (#1386) - document ExcludePaths/OutputPath for Invoke-LinkLanguageCheck (#1383) - CLI getting-started: clarify plugin install commands as alternatives (-all vs base) (#1251) ### ♻️ Refactoring - align agent and prompt folder names to collection identifier (#1210) ### 🔧 Maintenance - pin PSScriptAnalyzer to 1.25.0 and sync stale workflow version comments (#1389) - bump lxml from 6.0.2 to 6.1.0 in /.github/skills/experimental/powerpoint (#1424) - bump @vscode/vsce from 3.7.1 to 3.9.1 in the npm-dependencies group (#1390) - bump the github-actions group across 1 directory with 7 updates (#1391) - bump follow-redirects from 1.15.11 to 1.16.0 in /docs/docusaurus (#1356) - upgrade Node.js from 20 to 24 and bump cspell to v10 (#1353) - bump basic-ftp from 5.2.0 to 5.2.1 (#1324) - update github/gh-aw-actions requirement to 536ea1bad8c6715d098a9dc1afea8d403733acfe in the github-actions group across 1 directory (#1298) - update security instruction attributions and compliance (#1294) - bump the npm-dependencies group with 2 updates (#1297) - pre-release 3.3.41 (#1252) - streamline RAI Planner phase structure and documentation (#1273) - bump happy-dom from 20.8.8 to 20.8.9 in /docs/docusaurus (#1237) - pre-release 3.3.27 (#1191) - bump pygments from 2.19.2 to 2.20.0 in /.github/skills/gitlab/gitlab (#1234) - bump path-to-regexp from 0.1.12 to 0.1.13 in /docs/docusaurus (#1226) - bump the github-actions group with 4 updates (#1231) - add missing folders and alphabetize location lists (#1193) - bump brace-expansion (#1224) - bump handlebars from 4.7.8 to 4.7.9 in /docs/docusaurus (#1217) - bump brace-expansion from 5.0.3 to 5.0.5 in /docs/docusaurus (#1213) - pre-release 3.3.10 (#1187) - bump markdownlint-cli2 from 0.21.0 to 0.22.0 in the npm-dependencies group (#1175) - bump the github-actions group with 3 updates (#1176) - pre-release 3.3.1 (#1165) --- *Managed automatically by pre-release workflow.* Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
4 participants
Pull Request
Description
In alignment with phase 2 discussed in #480 (comment), this PR introduces the OWASP CICD Top 10 skill to hve-core and the security reviewer agent.
Related Issue(s)
Closes #1243
Type of Change
Select all that apply:
Code & Documentation:
Infrastructure & Configuration:
AI Artifacts:
prompt-builderagent and addressed all feedback.github/instructions/*.instructions.md).github/prompts/*.prompt.md).github/agents/*.agent.md).github/skills/*/SKILL.md)Other:
.ps1,.sh,.py)Testing
To be able to test the
owasp-cicdskill using the security reviewer agent you will need a repository containing cicd configuration.Security Revieweragent or invoke the agent via the/security-revewinstructionanalyse the code and produce a vulnerability reportcodebase-profiler.agent.mdpicks up that the repository contains cicd configuration (like github workflow) and thus uses theowasp-cicdskill then that's all you need.owasp-cicdis used, in your prompt addtargetSkill=owasp-cicdYou should see in the output report the
owasp-cicdskill being referenced and used.Checklist
Required Checks
AI Artifact Contributions
/prompt-analyzeto review contributionprompt-builderreviewRequired Automated Checks
The following validation commands must pass before merging:
npm run lint:mdnpm run spell-checknpm run lint:frontmatternpm run validate:skillsnpm run lint:md-linksnpm run lint:psnpm run plugin:generateSecurity Considerations