diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 75dc3db..d90871c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -71,27 +71,7 @@ jobs:
 - working-directory: skills/discover-environment
 run: pytest tests/ -v -o "testpaths=tests"
- agent-bom-scan:
- runs-on: ubuntu-latest
- needs: lint
- continue-on-error: true
- steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-python@v5
- with:
- python-version: "3.11"
- - run: pip install agent-bom
- - name: Scan skills source code
- run: agent-bom code skills/ -f json -o agent-bom-results.json --fail-on-severity critical || true
- - name: Upload results
- if: always()
- uses: actions/upload-artifact@v4
- with:
- name: agent-bom-scan-results
- path: agent-bom-results.json
- if-no-files-found: ignore
-
- agent-bom-skills-audit:
+ agent-bom:
 runs-on: ubuntu-latest
 needs: lint
 continue-on-error: true
@@ -101,14 +81,27 @@ jobs:
 with:
 python-version: "3.11"
 - run: pip install agent-bom
+ - name: Scan code for AI components
+ run: agent-bom code skills/ -f json -o code-scan.json || true
 - name: Audit skill definitions
- run: agent-bom skills scan skills/ -f json -o skills-audit.json || true
- - name: Upload results
+ run: agent-bom skills scan skills/ -f json -o skills-audit.json --verbose || true
+ - name: Scan filesystem for packages and CVEs
+ run: agent-bom fs skills/ -f json -o fs-scan.json || true
+ - name: Print results summary
+ if: always()
+ run: |
+ echo "=== Code Scan ===" && cat code-scan.json 2>/dev/null | python3 -m json.tool 2>/dev/null || echo "No results"
+ echo "=== Skills Audit ===" && cat skills-audit.json 2>/dev/null | python3 -m json.tool 2>/dev/null || echo "No results"
+ echo "=== FS Scan ===" && cat fs-scan.json 2>/dev/null | python3 -m json.tool 2>/dev/null || echo "No results"
+ - name: Upload scan artifacts
 if: always()
 uses: actions/upload-artifact@v4
 with:
- name: agent-bom-skills-audit
- path: skills-audit.json
+ name: agent-bom-results
+ path: |
+ code-scan.json
+ skills-audit.json
+ fs-scan.json
 if-no-files-found: ignore
 validate-cloudformation:
@@ -145,7 +138,6 @@ jobs:
 - run: bandit -r skills/ -c pyproject.toml --severity-level medium || true
 - name: Check for hardcoded secrets
 run: |
- # Scan source code only (exclude tests — test fixtures use fake keys)
 ! grep -rn "AKIA[A-Z0-9]\{16\}" skills/*/src/ --include="*.py" || exit 1
 ! grep -rn "sk-[a-zA-Z0-9]\{20,\}" skills/*/src/ --include="*.py" || exit 1
 ! grep -rn "ghp_[a-zA-Z0-9]\{36\}" skills/*/src/ --include="*.py" || exit 1
diff --git a/README.md b/README.md
index 3a8c4b4..4a04d16 100644
--- a/README.md
+++ b/README.md
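Review bot: Every scanner step in the merged `agent-bom` job ends in `|| true` and the job keeps `continue-on-error: true`, so a critical finding and a scanner crash both look identical to a clean run; when no JSON is produced the summary step just prints "No results". The `--fail-on-severity critical` threshold that the removed `agent-bom-scan` job passed to the code scan is also gone from the new `Scan code for AI components` step. I would restore the threshold and drop the shell-level swallow on that step, `run: agent-bom code skills/ -f json -o code-scan.json --fail-on-severity critical`, and give the two later scan steps `if: always()` so they still run; the job-level `continue-on-error` should already keep the workflow non-blocking while letting the job itself show as failed. The `pip install agent-bom` context line is unpinned, so pinning a version would keep the three scans comparable between runs and avoid pulling an unreviewed release into CI.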
@@ -23,52 +23,20 @@ Production-grade cloud security benchmarks and automation — CIS checks for AWS
 ## Architecture — IAM Departures Remediation
 ```mermaid
-flowchart TD
- subgraph HR["HR Data Sources"]
- WD["Workday API"]
- SF["Snowflake SQL"]
- DB["Databricks Unity"]
- CH["ClickHouse SQL"]
- end
-
- subgraph SEC["AWS Security OU Account"]
- REC["Reconciler\nSHA-256 change detect"]
- S3["S3 Manifest\nKMS encrypted"]
- EB["EventBridge\nS3 PutObject trigger"]
-
- subgraph SFN["Step Function Pipeline"]
- L1["Parser Lambda\nvalidate · grace period · rehire filter"]
- L2["Worker Lambda\n13-step IAM cleanup"]
- end
-
- AUDIT["Audit Trail\nDynamoDB + S3"]
- end
-
- subgraph TGT["Target Accounts · STS AssumeRole"]
- T1["Revoke credentials"]
- T2["Strip permissions"]
- T3["Delete IAM user"]
- end
-
- subgraph CROSS["Cross-Cloud Workers"]
- AZ["Azure Entra\n6 steps"]
- GCP["GCP IAM\n4+2 steps"]
- SNF["Snowflake\n6 steps"]
- DBX["Databricks SCIM\n4 steps"]
- end
+flowchart LR
+ HR["HR Sources\nWorkday · Snowflake\nDatabricks · ClickHouse"]
+ REC["Reconciler\nSHA-256 diff"]
+ SFN["Step Function\nParser → Worker"]
+ TGT["IAM Cleanup\n13 steps · 5 clouds"]
+ AUDIT["Audit\nDDB + S3"]
- WD & SF & DB & CH --> REC
- REC -->|change detected| S3
- S3 --> EB --> L1 --> L2
- L2 --> T1 --> T2 --> T3
- L2 --> AZ & GCP & SNF & DBX
- L2 --> AUDIT
+ HR --> REC --> SFN --> TGT --> AUDIT
 style HR fill:#1e293b,stroke:#475569,color:#e2e8f0
- style SEC fill:#0f172a,stroke:#334155,color:#e2e8f0
+ style REC fill:#164e63,stroke:#22d3ee,color:#e2e8f0
 style SFN fill:#164e63,stroke:#22d3ee,color:#e2e8f0
 style TGT fill:#1e3a5f,stroke:#60a5fa,color:#e2e8f0
- style CROSS fill:#1a2e35,stroke:#2dd4bf,color:#e2e8f0
+ style AUDIT fill:#1e1b4b,stroke:#a78bfa,color:#e2e8f0
 ```
 ## Architecture — CSPM CIS Benchmarks
@@ -126,35 +94,18 @@ flowchart LR
 ## Architecture — Vulnerability Remediation Pipeline
 ```mermaid
-flowchart TD
- SCAN["Scan Input\nSARIF / JSON"]
- S3["S3 Findings\nKMS encrypted"]
- EB["EventBridge"]
-
- subgraph SFN["Step Function"]
- TRIAGE["Triage Lambda\nEPSS + KEV + CVSS"]
- PATCH["Patcher Lambda"]
- end
-
- P0["P0 · KEV / CVSS 9+\n1h SLA"]
- P1["P1 · CVSS 7+ EPSS 0.7+\n4h SLA"]
- P2["P2 · CVSS 4+ / EPSS 0.3+\n72h SLA"]
-
- subgraph FIX["Remediation"]
- DEP["Dependency Upgrade\n7 ecosystems"]
- CRED["Credential Rotation"]
- QUAR["MCP Quarantine"]
- end
-
- AUDIT["Audit + Notify"]
- VERIFY["Re-scan"]
+flowchart LR
+ SCAN["Scan Findings\nSARIF / JSON"]
+ TRIAGE["Triage\nEPSS · KEV · CVSS\nP0→P3 SLAs"]
+ FIX["Remediate\nUpgrade · Rotate · Quarantine"]
+ AUDIT["Audit + Verify"]
- SCAN --> S3 --> EB --> TRIAGE
- TRIAGE --> P0 & P1 & P2 --> PATCH
- PATCH --> DEP & CRED & QUAR --> AUDIT --> VERIFY
+ SCAN --> TRIAGE --> FIX --> AUDIT
- style SFN fill:#164e63,stroke:#22d3ee,color:#e2e8f0
+ style SCAN fill:#1e293b,stroke:#475569,color:#e2e8f0
+ style TRIAGE fill:#164e63,stroke:#22d3ee,color:#e2e8f0
 style FIX fill:#1a2e35,stroke:#2dd4bf,color:#e2e8f0
+ style AUDIT fill:#1e1b4b,stroke:#a78bfa,color:#e2e8f0
 ```
 ## Security Model