fix(ci): correct agent-bom CLI flags + add fs scan

.github/workflows/ci.yml

@@ -71,27 +71,7 @@ jobs:
       - working-directory: skills/discover-environment
         run: pytest tests/ -v -o "testpaths=tests"
 
-  agent-bom-scan:
-    runs-on: ubuntu-latest
-    needs: lint
-    continue-on-error: true
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
-        with:
-          python-version: "3.11"
-      - run: pip install agent-bom
-      - name: Scan skills source code
-        run: agent-bom code skills/ -f json -o agent-bom-results.json --fail-on-severity critical || true
-      - name: Upload results
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: agent-bom-scan-results
-          path: agent-bom-results.json
-          if-no-files-found: ignore
-
-  agent-bom-skills-audit:
+  agent-bom:
     runs-on: ubuntu-latest
     needs: lint
     continue-on-error: true
@@ -101,14 +81,27 @@ jobs:
         with:
           python-version: "3.11"
       - run: pip install agent-bom
+      - name: Scan code for AI components
+        run: agent-bom code skills/ -f json -o code-scan.json || true
       - name: Audit skill definitions
-        run: agent-bom skills scan skills/ -f json -o skills-audit.json || true
-      - name: Upload results
+        run: agent-bom skills scan skills/ -f json -o skills-audit.json --verbose || true
+      - name: Scan filesystem for packages and CVEs
+        run: agent-bom fs skills/ -f json -o fs-scan.json || true
+      - name: Print results summary
+        if: always()
+        run: |
+          echo "=== Code Scan ===" && cat code-scan.json 2>/dev/null | python3 -m json.tool 2>/dev/null || echo "No results"
+          echo "=== Skills Audit ===" && cat skills-audit.json 2>/dev/null | python3 -m json.tool 2>/dev/null || echo "No results"
+          echo "=== FS Scan ===" && cat fs-scan.json 2>/dev/null | python3 -m json.tool 2>/dev/null || echo "No results"
+      - name: Upload scan artifacts
         if: always()
         uses: actions/upload-artifact@v4
         with:
-          name: agent-bom-skills-audit
-          path: skills-audit.json
+          name: agent-bom-results
+          path: |
+            code-scan.json
+            skills-audit.json
+            fs-scan.json
           if-no-files-found: ignore
 
   validate-cloudformation:
@@ -145,7 +138,6 @@ jobs:
       - run: bandit -r skills/ -c pyproject.toml --severity-level medium || true
       - name: Check for hardcoded secrets
         run: |
-          # Scan source code only (exclude tests — test fixtures use fake keys)
           ! grep -rn "AKIA[A-Z0-9]\{16\}" skills/*/src/ --include="*.py" || exit 1
           ! grep -rn "sk-[a-zA-Z0-9]\{20,\}" skills/*/src/ --include="*.py" || exit 1
           ! grep -rn "ghp_[a-zA-Z0-9]\{36\}" skills/*/src/ --include="*.py" || exit 1

README.md

@@ -23,52 +23,20 @@ Production-grade cloud security benchmarks and automation — CIS checks for AWS
 ## Architecture — IAM Departures Remediation
 
 ```mermaid
-flowchart TD
-    subgraph HR["HR Data Sources"]
-        WD["Workday API"]
-        SF["Snowflake SQL"]
-        DB["Databricks Unity"]
-        CH["ClickHouse SQL"]
-    end
-
-    subgraph SEC["AWS Security OU Account"]
-        REC["Reconciler\nSHA-256 change detect"]
-        S3["S3 Manifest\nKMS encrypted"]
-        EB["EventBridge\nS3 PutObject trigger"]
-
-        subgraph SFN["Step Function Pipeline"]
-            L1["Parser Lambda\nvalidate · grace period · rehire filter"]
-            L2["Worker Lambda\n13-step IAM cleanup"]
-        end
-
-        AUDIT["Audit Trail\nDynamoDB + S3"]
-    end
-
-    subgraph TGT["Target Accounts · STS AssumeRole"]
-        T1["Revoke credentials"]
-        T2["Strip permissions"]
-        T3["Delete IAM user"]
-    end
-
-    subgraph CROSS["Cross-Cloud Workers"]
-        AZ["Azure Entra\n6 steps"]
-        GCP["GCP IAM\n4+2 steps"]
-        SNF["Snowflake\n6 steps"]
-        DBX["Databricks SCIM\n4 steps"]
-    end
+flowchart LR
+    HR["HR Sources\nWorkday · Snowflake\nDatabricks · ClickHouse"]
+    REC["Reconciler\nSHA-256 diff"]
+    SFN["Step Function\nParser → Worker"]
+    TGT["IAM Cleanup\n13 steps · 5 clouds"]
+    AUDIT["Audit\nDDB + S3"]
 
-    WD & SF & DB & CH --> REC
-    REC -->|change detected| S3
-    S3 --> EB --> L1 --> L2
-    L2 --> T1 --> T2 --> T3
-    L2 --> AZ & GCP & SNF & DBX
-    L2 --> AUDIT
+    HR --> REC --> SFN --> TGT --> AUDIT
 
     style HR fill:#1e293b,stroke:#475569,color:#e2e8f0
-    style SEC fill:#0f172a,stroke:#334155,color:#e2e8f0
+    style REC fill:#164e63,stroke:#22d3ee,color:#e2e8f0
     style SFN fill:#164e63,stroke:#22d3ee,color:#e2e8f0
     style TGT fill:#1e3a5f,stroke:#60a5fa,color:#e2e8f0
-    style CROSS fill:#1a2e35,stroke:#2dd4bf,color:#e2e8f0
+    style AUDIT fill:#1e1b4b,stroke:#a78bfa,color:#e2e8f0
 ```
 
 ## Architecture — CSPM CIS Benchmarks
@@ -126,35 +94,18 @@ flowchart LR
 ## Architecture — Vulnerability Remediation Pipeline
 
 ```mermaid
-flowchart TD
-    SCAN["Scan Input\nSARIF / JSON"]
-    S3["S3 Findings\nKMS encrypted"]
-    EB["EventBridge"]
-
-    subgraph SFN["Step Function"]
-        TRIAGE["Triage Lambda\nEPSS + KEV + CVSS"]
-        PATCH["Patcher Lambda"]
-    end
-
-    P0["P0 · KEV / CVSS 9+\n1h SLA"]
-    P1["P1 · CVSS 7+ EPSS 0.7+\n4h SLA"]
-    P2["P2 · CVSS 4+ / EPSS 0.3+\n72h SLA"]
-
-    subgraph FIX["Remediation"]
-        DEP["Dependency Upgrade\n7 ecosystems"]
-        CRED["Credential Rotation"]
-        QUAR["MCP Quarantine"]
-    end
-
-    AUDIT["Audit + Notify"]
-    VERIFY["Re-scan"]
+flowchart LR
+    SCAN["Scan Findings\nSARIF / JSON"]
+    TRIAGE["Triage\nEPSS · KEV · CVSS\nP0→P3 SLAs"]
+    FIX["Remediate\nUpgrade · Rotate · Quarantine"]
+    AUDIT["Audit + Verify"]
 
-    SCAN --> S3 --> EB --> TRIAGE
-    TRIAGE --> P0 & P1 & P2 --> PATCH
-    PATCH --> DEP & CRED & QUAR --> AUDIT --> VERIFY
+    SCAN --> TRIAGE --> FIX --> AUDIT
 
-    style SFN fill:#164e63,stroke:#22d3ee,color:#e2e8f0
+    style SCAN fill:#1e293b,stroke:#475569,color:#e2e8f0
+    style TRIAGE fill:#164e63,stroke:#22d3ee,color:#e2e8f0
     style FIX fill:#1a2e35,stroke:#2dd4bf,color:#e2e8f0
+    style AUDIT fill:#1e1b4b,stroke:#a78bfa,color:#e2e8f0
 ```
 
 ## Security Model