feat: K8s + container skills, tests for all skills, example configs

.github/workflows/ci.yml

@@ -71,6 +71,30 @@ jobs:
       - working-directory: skills/discover-environment
         run: pytest tests/ -v -o "testpaths=tests"
 
+  test-k8s-security:
+    runs-on: ubuntu-latest
+    needs: lint
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - run: pip install pytest
+      - working-directory: skills/k8s-security-benchmark
+        run: pytest tests/ -v -o "testpaths=tests"
+
+  test-container-security:
+    runs-on: ubuntu-latest
+    needs: lint
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - run: pip install pytest
+      - working-directory: skills/container-security
+        run: pytest tests/ -v -o "testpaths=tests"
+
   agent-bom:
     runs-on: ubuntu-latest
     needs: lint

CLAUDE.md

@@ -12,6 +12,8 @@ skills/
   cspm-azure-cis-benchmark/     — CIS Azure Foundations v2.1 (19 checks + 5 AI Foundry)
   model-serving-security/       — Model serving security benchmark (16 checks)
   gpu-cluster-security/         — GPU cluster security benchmark (13 checks)
+  k8s-security-benchmark/       — Kubernetes security benchmark (10 checks)
+  container-security/           — Container image + runtime security (8 checks)
   discover-environment/         — Cloud environment discovery with MITRE ATT&CK/ATLAS overlay
   vuln-remediation-pipeline/    — Auto-remediate supply chain vulnerabilities
 ```

README.md

@@ -3,9 +3,7 @@
 [![CI](https://github.com/msaad00/cloud-security/actions/workflows/ci.yml/badge.svg)](https://github.com/msaad00/cloud-security/actions/workflows/ci.yml)
 [![License: Apache 2.0](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](LICENSE)
 [![Python 3.11+](https://img.shields.io/badge/python-3.11+-blue.svg)](https://www.python.org/downloads/)
-[![Scanned by agent-bom](https://img.shields.io/badge/scanned%20by-agent--bom-10b981)](https://github.com/msaad00/agent-bom)
-
-Production-grade cloud security benchmarks and automation — CIS checks for AWS/GCP/Azure, model serving security, GPU cluster hardening, IAM remediation, and vulnerability response pipelines. Each skill is compliance-mapped, tested, and ready to deploy.
+Production-grade cloud security benchmarks and automation — CIS checks for AWS/GCP/Azure, Kubernetes and container hardening, model serving security, GPU cluster security, IAM remediation, and vulnerability response pipelines. Each skill is compliance-mapped, tested, and ready to deploy.
 
 ## Skills
 
@@ -16,6 +14,8 @@ Production-grade cloud security benchmarks and automation — CIS checks for AWS
 | [cspm-azure-cis-benchmark](skills/cspm-azure-cis-benchmark/) | Azure | 24 | CIS Azure Foundations v2.1 + AI Foundry security |
 | [model-serving-security](skills/model-serving-security/) | Any | 16 | Model endpoint auth, rate limiting, data egress, safety layers |
 | [gpu-cluster-security](skills/gpu-cluster-security/) | Any | 13 | GPU runtime isolation, driver CVEs, InfiniBand, tenant isolation |
+| [k8s-security-benchmark](skills/k8s-security-benchmark/) | Any | 10 | Pod security, RBAC, network policies, secrets, image pinning |
+| [container-security](skills/container-security/) | Any | 8 | Dockerfile best practices, image security, runtime isolation |
 | [discover-environment](skills/discover-environment/) | Multi-cloud | — | Map cloud resources to security graph with MITRE ATT&CK/ATLAS overlays |
 | [iam-departures-remediation](skills/iam-departures-remediation/) | Multi-cloud | — | Auto-remediate IAM for departed employees across 5 clouds |
 | [vuln-remediation-pipeline](skills/vuln-remediation-pipeline/) | AWS | — | Auto-remediate supply chain vulns with EPSS triage |
@@ -155,16 +155,10 @@ flowchart LR
 
 ## CI/CD Pipeline
 
-This repo is scanned by [agent-bom](https://github.com/msaad00/agent-bom) in CI — dogfooding the scanner against its own security skills.
-
 | CI Job | What |
 |--------|------|
 | Lint | ruff check + format |
-| Test (IAM) | pytest — parser + worker Lambdas |
-| Test (Model Serving) | pytest — 31 checks |
-| Test (GPU Cluster) | pytest — 31 checks |
-| **agent-bom scan** | **SAST + secret detection → SARIF → GitHub Security tab** |
-| **agent-bom skills audit** | **SKILL.md security review → SARIF → GitHub Security tab** |
+| Tests | pytest per skill (IAM, model-serving, GPU, K8s, container, discover) |
 | CloudFormation | cfn-lint validation |
 | Terraform | terraform validate |
 | Security | bandit + hardcoded secret grep |
@@ -179,35 +173,26 @@ cd cloud-security
 pip install boto3
 python skills/cspm-aws-cis-benchmark/src/checks.py --region us-east-1
 
-# Model serving security audit
-python skills/model-serving-security/src/checks.py serving-config.json
+# Model serving security (with example config)
+python skills/model-serving-security/src/checks.py skills/model-serving-security/examples/insecure-serving.json
+
+# GPU cluster security (with example config)
+python skills/gpu-cluster-security/src/checks.py skills/gpu-cluster-security/examples/insecure-cluster.json
+
+# K8s security benchmark
+python skills/k8s-security-benchmark/src/checks.py skills/k8s-security-benchmark/examples/secure-cluster.json
 
-# GPU cluster security audit
-python skills/gpu-cluster-security/src/checks.py cluster-config.json
+# Container security
+python skills/container-security/src/checks.py skills/container-security/examples/secure-image.json
 
 # Run tests
 pip install pytest boto3 moto
-cd skills/iam-departures-remediation && pytest tests/test_parser_lambda.py tests/test_worker_lambda.py -v
-
-# Scan with agent-bom
-pip install agent-bom
-agent-bom skills scan skills/
-agent-bom code skills/
+pytest skills/model-serving-security/tests/ -v -o "testpaths=tests"
+pytest skills/gpu-cluster-security/tests/ -v -o "testpaths=tests"
+pytest skills/k8s-security-benchmark/tests/ -v -o "testpaths=tests"
+pytest skills/container-security/tests/ -v -o "testpaths=tests"
 ```
 
-## Integration with agent-bom
-
-This repo provides the automations. [agent-bom](https://github.com/msaad00/agent-bom) provides continuous scanning:
-
-| agent-bom Feature | Use Case |
-|--------------------|----------|
-| `cis_benchmark` | Built-in CIS for AWS/GCP/Azure/Snowflake |
-| `code` | SAST scan of Lambda/skill source code |
-| `skills scan` | Audit SKILL.md for security risks |
-| `blast_radius` | Map impact of orphaned credentials |
-| `compliance` | 15-framework compliance posture |
-| `graph` | Visualize dependencies + attack paths |
-
 ## Contributing
 
 See [CONTRIBUTING.md](CONTRIBUTING.md).

skills/container-security/SKILL.md

@@ -0,0 +1,76 @@
+---
+name: container-security
+description: >-
+  Audit container image and runtime security. Checks Dockerfile best practices,
+  image configuration, secrets exposure, base image selection, and runtime
+  isolation. Works with Dockerfile analysis, image config JSON, or runtime
+  dumps. Use when the user mentions container security, Docker hardening,
+  image scanning, Dockerfile audit, or CIS Docker benchmark.
+license: Apache-2.0
+compatibility: >-
+  Requires Python 3.11+. No Docker daemon needed — works with config files.
+  Optional: PyYAML for YAML parsing. Read-only — no image pulls or execution.
+metadata:
+  author: msaad00
+  homepage: https://github.com/msaad00/cloud-security
+  source: https://github.com/msaad00/cloud-security/tree/main/skills/container-security
+  version: 0.1.0
+  frameworks:
+    - CIS Docker Benchmark
+    - NIST CSF 2.0
+  cloud: any
+---
+
+# Container Security Benchmark
+
+8 automated checks across 3 domains — Dockerfile best practices, image
+security, and runtime isolation. Each check mapped to CIS Docker Benchmark
+and NIST CSF 2.0.
+
+## Architecture
+
+```mermaid
+flowchart LR
+    IMG["Container Config\nDockerfile · Image JSON\nRuntime dumps"]
+    BENCH["checks.py\n8 checks · 3 domains"]
+    OUT["JSON / Console"]
+
+    IMG --> BENCH --> OUT
+
+    style IMG fill:#1e293b,stroke:#475569,color:#e2e8f0
+    style BENCH fill:#164e63,stroke:#22d3ee,color:#e2e8f0
+```
+
+## Controls
+
+| # | Check | Severity | CIS Docker |
+|---|-------|----------|-----------|
+| CTR-1.1 | No root user | HIGH | 4.1 |
+| CTR-1.2 | No :latest base image | MEDIUM | 4.2 |
+| CTR-1.3 | HEALTHCHECK defined | LOW | 4.6 |
+| CTR-2.1 | No secrets in env vars | CRITICAL | 4.5 |
+| CTR-2.2 | Minimal base image | MEDIUM | 4.3 |
+| CTR-2.3 | COPY instead of ADD | LOW | 4.9 |
+| CTR-3.1 | Read-only root filesystem | MEDIUM | 5.12 |
+| CTR-3.2 | Resource limits set | MEDIUM | 5.14 |
+
+## Usage
+
+```bash
+python src/checks.py container-config.json
+python src/checks.py config.yaml --section dockerfile
+python src/checks.py config.json --output json
+```
+
+## Security Guardrails
+
+- **Read-only**: Analyzes config files. No Docker daemon interaction.
+- **No image pulls**: Does not pull, build, or execute container images.
+- **Human-in-the-loop**: Assessment automated, Dockerfile changes require human.
+
+## Tests
+
+```bash
+cd skills/container-security
+pytest tests/ -v -o "testpaths=tests"
+```

skills/container-security/examples/secure-image.json

@@ -0,0 +1,19 @@
+{
+  "_comment": "Example: hardened container — all 8 checks pass",
+  "images": [
+    {
+      "name": "myapp",
+      "base_image": "python:3.11-alpine",
+      "user": "1000",
+      "healthcheck": {"test": ["CMD", "curl", "-f", "http://localhost:8080/health"]},
+      "env": ["NODE_ENV=production", "LOG_LEVEL=info"]
+    }
+  ],
+  "containers": [
+    {
+      "name": "myapp",
+      "security_context": {"readOnlyRootFilesystem": true},
+      "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}
+    }
+  ]
+}