From 7a03dc1470fd7293bd59c4d7d1822152bacea10c Mon Sep 17 00:00:00 2001 From: Wegz Date: Wed, 8 Apr 2026 23:14:49 -0400 Subject: [PATCH 1/2] fix(ci): correct agent-bom CLI flags + add fs scan + print results MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: - agent-bom code: removed --fail-on-severity (not a valid flag) - agent-bom skills scan: added --verbose for full output - Both jobs now cat results to CI log for visibility Added: - agent-bom-fs-scan: filesystem package + CVE scan of skills/ directory - All 3 agent-bom jobs echo results to stdout so findings are visible in CI logs, not just artifacts 3 agent-bom CI jobs: 1. code scan — SAST for AI components, prompts, tools 2. skills audit — trust, risk, provenance on SKILL.md files 3. fs scan — package dependencies, CVEs --- .github/workflows/ci.yml | 47 ++++++++++++++++++++++++++++++++-------- 1 file changed, 38 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 75dc3db..b5d75c8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -71,7 +71,7 @@ jobs: - working-directory: skills/discover-environment run: pytest tests/ -v -o "testpaths=tests" - agent-bom-scan: + agent-bom-code-scan: runs-on: ubuntu-latest needs: lint continue-on-error: true 
@@ -81,14 +81,17 @@ jobs: with: python-version: "3.11" - run: pip install agent-bom - - name: Scan skills source code - run: agent-bom code skills/ -f json -o agent-bom-results.json --fail-on-severity critical || true - - name: Upload results + - name: SAST scan — AI components, prompts, tools + run: | + agent-bom code skills/ -f json -o agent-bom-code.json || true + echo "=== agent-bom code scan results ===" + cat agent-bom-code.json 2>/dev/null || echo "No output produced" + - name: Upload code scan results if: always() uses: actions/upload-artifact@v4 with: - name: agent-bom-scan-results - path: agent-bom-results.json + name: agent-bom-code-scan + path: agent-bom-code.json if-no-files-found: ignore agent-bom-skills-audit: @@ -101,9 +104,12 @@ jobs: with: python-version: "3.11" - run: pip install agent-bom - - name: Audit skill definitions - run: agent-bom skills scan skills/ -f json -o skills-audit.json || true - - name: Upload results + - name: Skills audit — trust, risk, provenance + run: | + agent-bom skills scan skills/ -f json -o skills-audit.json --verbose || true + echo "=== agent-bom skills audit results ===" + cat skills-audit.json 2>/dev/null || echo "No output produced" + - name: Upload skills audit results if: always() uses: actions/upload-artifact@v4 with: 
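Review bot: The `|| true` on the `agent-bom code` step discards the scanner's exit status, so a crash or a rejected flag looks the same as a clean scan. The removed line also ended in `|| true`, which is presumably why the invalid `--fail-on-severity` flag went unnoticed. Since `continue-on-error: true` is already set on the job, the step can keep the run green and still surface the failure, e.g. `agent-bom code skills/ -f json -o agent-bom-code.json || echo "::warning::agent-bom code exited with status $?"`. The same applies to the `agent-bom skills scan` step in the next hunk and to the `agent-bom fs` step in the new `agent-bom-fs-scan` job. With the severity gate gone, nothing in these jobs fails on findings, so they are advisory only; if that is intended, say so in a comment on the job.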
@@ -111,6 +117,29 @@ jobs: path: skills-audit.json if-no-files-found: ignore + agent-bom-fs-scan: + runs-on: ubuntu-latest + needs: lint + continue-on-error: true + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-python@v5 + with: + python-version: "3.11" + - run: pip install agent-bom + - name: Filesystem scan — packages, dependencies, CVEs + run: | + agent-bom fs skills/ -f json -o agent-bom-fs.json || true + echo "=== agent-bom fs scan results ===" + cat agent-bom-fs.json 2>/dev/null || echo "No output produced" + - name: Upload fs scan results + if: always() + uses: actions/upload-artifact@v4 + with: + name: agent-bom-fs-scan + path: agent-bom-fs.json + if-no-files-found: ignore + validate-cloudformation: runs-on: ubuntu-latest needs: lint From da9ba86c13ac0ee4b2820e4031f308721ec63758 Mon Sep 17 00:00:00 2001 From: Wegz Date: Wed, 8 Apr 2026 23:19:36 -0400 Subject: [PATCH 2/2] fix: simplify diagrams + consolidate agent-bom into one CI job MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Diagrams: - IAM departures: simplified from 15 boxes to 5 clean nodes (LR flow) - Vuln remediation: simplified from 12 boxes to 4 clean nodes (LR flow) - All diagrams now render cleanly on GitHub — no cramped text, no edge spaghetti CI: - Consolidated 3 agent-bom jobs into 1: code scan + skills audit + fs scan - Results printed to CI log AND uploaded as single artifact bundle - One pip install, one job, three scans --- .github/workflows/ci.yml | 71 ++++++++------------------------- README.md | 85 +++++++++------------------------------- 2 files changed, 35 insertions(+), 121 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b5d75c8..d90871c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
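Review bot: The new `agent-bom-fs-scan` job runs `pip install agent-bom` with no version constraint, so every CI run executes whatever release is current on the package index, in a job that has the repository checked out. Pinning the scanner makes runs reproducible and limits exposure to a bad or hijacked release: `- run: pip install "agent-bom==<PINNED_VERSION>"` (placeholder; use the version you have vetted), ideally from a hash-checked requirements file. The same unpinned install appears as context in the other two agent-bom jobs. No `permissions:` key is visible in this job; if the workflow does not set one at the top level (outside this hunk), a `permissions:` block with `contents: read` would keep the token read-only for a job that only scans.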
@@ -71,7 +71,7 @@ jobs: - working-directory: skills/discover-environment run: pytest tests/ -v -o "testpaths=tests" - agent-bom-code-scan: + agent-bom: runs-on: ubuntu-latest needs: lint continue-on-error: true 
@@ -81,63 +81,27 @@ jobs: with: python-version: "3.11" - run: pip install agent-bom - - name: SAST scan — AI components, prompts, tools - run: | - agent-bom code skills/ -f json -o agent-bom-code.json || true - echo "=== agent-bom code scan results ===" - cat agent-bom-code.json 2>/dev/null || echo "No output produced" - - name: Upload code scan results + - name: Scan code for AI components + run: agent-bom code skills/ -f json -o code-scan.json || true + - name: Audit skill definitions + run: agent-bom skills scan skills/ -f json -o skills-audit.json --verbose || true + - name: Scan filesystem for packages and CVEs + run: agent-bom fs skills/ -f json -o fs-scan.json || true + - name: Print results summary if: always() - uses: actions/upload-artifact@v4 - with: - name: agent-bom-code-scan - path: agent-bom-code.json - if-no-files-found: ignore - - agent-bom-skills-audit: - runs-on: ubuntu-latest - needs: lint - continue-on-error: true - steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 - with: - python-version: "3.11" - - run: pip install agent-bom - - name: Skills audit — trust, risk, provenance - run: | - agent-bom skills scan skills/ -f json -o skills-audit.json --verbose || true - echo "=== agent-bom skills audit results ===" - cat skills-audit.json 2>/dev/null || echo "No output produced" - - name: Upload skills audit results - if: always() - uses: actions/upload-artifact@v4 - with: - name: agent-bom-skills-audit - path: skills-audit.json - if-no-files-found: ignore - - agent-bom-fs-scan: - runs-on: ubuntu-latest - needs: lint - continue-on-error: true - steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 - with: - python-version: "3.11" - - run: pip install agent-bom - - name: Filesystem scan — packages, dependencies, CVEs run: | - agent-bom fs skills/ -f json -o agent-bom-fs.json || true - echo "=== agent-bom fs scan results ===" - cat agent-bom-fs.json 2>/dev/null || echo "No output produced" - - name: Upload fs scan 
results + echo "=== Code Scan ===" && cat code-scan.json 2>/dev/null | python3 -m json.tool 2>/dev/null || echo "No results" + echo "=== Skills Audit ===" && cat skills-audit.json 2>/dev/null | python3 -m json.tool 2>/dev/null || echo "No results" + echo "=== FS Scan ===" && cat fs-scan.json 2>/dev/null | python3 -m json.tool 2>/dev/null || echo "No results" + - name: Upload scan artifacts if: always() uses: actions/upload-artifact@v4 with: - name: agent-bom-fs-scan - path: agent-bom-fs.json + name: agent-bom-results + path: | + code-scan.json + skills-audit.json + fs-scan.json if-no-files-found: ignore validate-cloudformation: @@ -174,7 +138,6 @@ jobs: - run: bandit -r skills/ -c pyproject.toml --severity-level medium || true - name: Check for hardcoded secrets run: | - # Scan source code only (exclude tests — test fixtures use fake keys) ! grep -rn "AKIA[A-Z0-9]\{16\}" skills/*/src/ --include="*.py" || exit 1 ! grep -rn "sk-[a-zA-Z0-9]\{20,\}" skills/*/src/ --include="*.py" || exit 1 ! grep -rn "ghp_[a-zA-Z0-9]\{36\}" skills/*/src/ --include="*.py" || exit 1 diff --git a/README.md b/README.md index 3a8c4b4..4a04d16 100644 --- a/README.md +++ b/README.md 
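Review bot: In the `Print results summary` step, each line prints "No results" both when the report file is missing and when `python3 -m json.tool` rejects it, because stderr is discarded and the fallback is shared. A scanner that crashed or wrote truncated JSON therefore reads as an empty scan in the log. Combined with `|| true` on the three scan steps and `if-no-files-found: ignore` on the upload, a completely broken scanner leaves no signal anywhere in the run. Telling the cases apart is cheap, e.g. `[ -s code-scan.json ] && python3 -m json.tool code-scan.json || echo "::warning::code-scan.json missing or not valid JSON"` for each of the three files. The step also writes the full reports to the job log, so confirm that whatever the reports contain is acceptable to show to everyone who can read the workflow logs.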
@@ -23,52 +23,20 @@ Production-grade cloud security benchmarks and automation — CIS checks for AWS ## Architecture — IAM Departures Remediation ```mermaid -flowchart TD - subgraph HR["HR Data Sources"] - WD["Workday API"] - SF["Snowflake SQL"] - DB["Databricks Unity"] - CH["ClickHouse SQL"] - end - - subgraph SEC["AWS Security OU Account"] - REC["Reconciler\nSHA-256 change detect"] - S3["S3 Manifest\nKMS encrypted"] - EB["EventBridge\nS3 PutObject trigger"] - - subgraph SFN["Step Function Pipeline"] - L1["Parser Lambda\nvalidate · grace period · rehire filter"] - L2["Worker Lambda\n13-step IAM cleanup"] - end - - AUDIT["Audit Trail\nDynamoDB + S3"] - end - - subgraph TGT["Target Accounts · STS AssumeRole"] - T1["Revoke credentials"] - T2["Strip permissions"] - T3["Delete IAM user"] - end - - subgraph CROSS["Cross-Cloud Workers"] - AZ["Azure Entra\n6 steps"] - GCP["GCP IAM\n4+2 steps"] - SNF["Snowflake\n6 steps"] - DBX["Databricks SCIM\n4 steps"] - end +flowchart LR + HR["HR Sources\nWorkday · Snowflake\nDatabricks · ClickHouse"] + REC["Reconciler\nSHA-256 diff"] + SFN["Step Function\nParser → Worker"] + TGT["IAM Cleanup\n13 steps · 5 clouds"] + AUDIT["Audit\nDDB + S3"] - WD & SF & DB & CH --> REC - REC -->|change detected| S3 - S3 --> EB --> L1 --> L2 - L2 --> T1 --> T2 --> T3 - L2 --> AZ & GCP & SNF & DBX - L2 --> AUDIT + HR --> REC --> SFN --> TGT --> AUDIT style HR fill:#1e293b,stroke:#475569,color:#e2e8f0 - style SEC fill:#0f172a,stroke:#334155,color:#e2e8f0 + style REC fill:#164e63,stroke:#22d3ee,color:#e2e8f0 style SFN fill:#164e63,stroke:#22d3ee,color:#e2e8f0 style TGT fill:#1e3a5f,stroke:#60a5fa,color:#e2e8f0 - style CROSS fill:#1a2e35,stroke:#2dd4bf,color:#e2e8f0 + style AUDIT fill:#1e1b4b,stroke:#a78bfa,color:#e2e8f0 ``` ## Architecture — CSPM CIS Benchmarks 
@@ -126,35 +94,18 @@ flowchart LR ## Architecture — Vulnerability Remediation Pipeline ```mermaid -flowchart TD - SCAN["Scan Input\nSARIF / JSON"] - S3["S3 Findings\nKMS encrypted"] - EB["EventBridge"] - - subgraph SFN["Step Function"] - TRIAGE["Triage Lambda\nEPSS + KEV + CVSS"] - PATCH["Patcher Lambda"] - end - - P0["P0 · KEV / CVSS 9+\n1h SLA"] - P1["P1 · CVSS 7+ EPSS 0.7+\n4h SLA"] - P2["P2 · CVSS 4+ / EPSS 0.3+\n72h SLA"] - - subgraph FIX["Remediation"] - DEP["Dependency Upgrade\n7 ecosystems"] - CRED["Credential Rotation"] - QUAR["MCP Quarantine"] - end - - AUDIT["Audit + Notify"] - VERIFY["Re-scan"] +flowchart LR + SCAN["Scan Findings\nSARIF / JSON"] + TRIAGE["Triage\nEPSS · KEV · CVSS\nP0→P3 SLAs"] + FIX["Remediate\nUpgrade · Rotate · Quarantine"] + AUDIT["Audit + Verify"] - SCAN --> S3 --> EB --> TRIAGE - TRIAGE --> P0 & P1 & P2 --> PATCH - PATCH --> DEP & CRED & QUAR --> AUDIT --> VERIFY + SCAN --> TRIAGE --> FIX --> AUDIT - style SFN fill:#164e63,stroke:#22d3ee,color:#e2e8f0 + style SCAN fill:#1e293b,stroke:#475569,color:#e2e8f0 + style TRIAGE fill:#164e63,stroke:#22d3ee,color:#e2e8f0 style FIX fill:#1a2e35,stroke:#2dd4bf,color:#e2e8f0 + style AUDIT fill:#1e1b4b,stroke:#a78bfa,color:#e2e8f0 ``` ## Security Model