diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 402f7e7..410ed50 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,6 +8,7 @@ on:
permissions:
contents: read
+ security-events: write
jobs:
lint:
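Review bot: `security-events: write` is granted workflow-wide, but nothing in this commit uses it — both new jobs write JSON to `actions/upload-artifact`, and no step calls `github/codeql-action/upload-sarif` (the action that needs this scope). An unused write scope on the `GITHUB_TOKEN` widens what every job in the workflow, including the third-party actions they run, is allowed to do, so either add the SARIF upload step that consumes it or drop the line. If it is kept, scope it to the job that actually uploads by moving it into a job-level block, e.g. under `agent-bom-scan:` add `permissions:` / `contents: read` / `security-events: write`, leaving the top-level block at `contents: read` only.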
@@ -58,6 +59,46 @@ jobs:
- working-directory: skills/gpu-cluster-security
run: pytest tests/ -v -o "testpaths=tests"
+ agent-bom-scan:
+ runs-on: ubuntu-latest
+ needs: lint
+ continue-on-error: true
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-python@v5
+ with:
+ python-version: "3.11"
+ - run: pip install agent-bom
+ - name: Scan skills source code
+ run: agent-bom code skills/ -f json -o agent-bom-results.json --fail-on-severity critical || true
+ - name: Upload results
+ if: always()
+ uses: actions/upload-artifact@v4
+ with:
+ name: agent-bom-scan-results
+ path: agent-bom-results.json
+ if-no-files-found: ignore
+
+ agent-bom-skills-audit:
+ runs-on: ubuntu-latest
+ needs: lint
+ continue-on-error: true
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-python@v5
+ with:
+ python-version: "3.11"
+ - run: pip install agent-bom
+ - name: Audit skill definitions
+ run: agent-bom skills scan skills/ -f json -o skills-audit.json || true
+ - name: Upload results
+ if: always()
+ uses: actions/upload-artifact@v4
+ with:
+ name: agent-bom-skills-audit
+ path: skills-audit.json
+ if-no-files-found: ignore
+
validate-cloudformation:
runs-on: ubuntu-latest
needs: lint
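Review bot: The scan can never fail the build — `continue-on-error: true` on the job combined with `|| true` on the `agent-bom code` command makes `--fail-on-severity critical` dead, so a critical finding in skills/ is silently non-blocking and nobody is alerted. If the intent is a soft rollout, keep `continue-on-error` and drop the `|| true` so the step at least shows red; if the intent is a gate, drop both. Separately, `pip install agent-bom` pulls an unpinned scanner from PyPI into a job that has the repository checked out; pin it, e.g. `pip install "agent-bom==X.Y.Z"` (ideally with a hash-locked requirements file and `--require-hashes`), so a compromised or typosquatted release cannot execute arbitrary code in CI. The README hunk in this same commit describes these jobs as "SARIF → GitHub Security tab", but both steps emit `-f json` and upload artifacts only — either add an upload-sarif step (assuming `agent-bom code` and `skills scan` can emit SARIF, which this hunk does not show) or correct the README so readers do not believe findings reach the Security tab.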
diff --git a/README.md b/README.md
index a3a6075..ad39e9f 100644
--- a/README.md
+++ b/README.md
@@ -3,363 +3,295 @@
[](https://github.com/msaad00/cloud-security/actions/workflows/ci.yml)
[](LICENSE)
[](https://www.python.org/downloads/)
+[](https://github.com/msaad00/agent-bom)
-Production-ready cloud security automations — deployable code, CIS benchmark assessments, multi-cloud identity remediation, and compliance-mapped skills for AI agents.
+Production-grade cloud security benchmarks and automation — CIS checks for AWS/GCP/Azure, model serving security, GPU cluster hardening, IAM remediation, and vulnerability response pipelines. Each skill is compliance-mapped, tested, and ready to deploy.
## Skills
-| Skill | Cloud | Status | Description |
+| Skill | Scope | Checks | Description |
|-------|-------|--------|-------------|
-| [iam-departures-remediation](skills/iam-departures-remediation/) | AWS + 4 clouds | Production | Auto-remediate IAM for departed employees — 4 HR sources, 5 cloud targets, 13-step cleanup |
-| [cspm-aws-cis-benchmark](skills/cspm-aws-cis-benchmark/) | AWS | Production | CIS AWS Foundations v3.0 — 18 automated checks across IAM, Storage, Logging, Networking |
-| [cspm-gcp-cis-benchmark](skills/cspm-gcp-cis-benchmark/) | GCP | Production | CIS GCP Foundations v3.0 — 20 controls + 5 Vertex AI security checks |
-| [cspm-azure-cis-benchmark](skills/cspm-azure-cis-benchmark/) | Azure | Production | CIS Azure Foundations v2.1 — 19 controls + 5 AI Foundry security checks |
-| [model-serving-security](skills/model-serving-security/) | Any | Production | Model serving security benchmark — 16 checks across auth, rate limiting, data egress, container isolation, TLS, safety layers |
-| [gpu-cluster-security](skills/gpu-cluster-security/) | Any | Production | GPU cluster security benchmark — 13 checks across runtime isolation, driver CVEs, InfiniBand, tenant isolation, DCGM |
-| [vuln-remediation-pipeline](skills/vuln-remediation-pipeline/) | AWS | Production | Auto-remediate supply chain vulns — EPSS triage, dependency PRs, credential rotation, MCP quarantine |
+| [cspm-aws-cis-benchmark](skills/cspm-aws-cis-benchmark/) | AWS | 18 | CIS AWS Foundations v3.0 — IAM, Storage, Logging, Networking |
+| [cspm-gcp-cis-benchmark](skills/cspm-gcp-cis-benchmark/) | GCP | 25 | CIS GCP Foundations v3.0 + Vertex AI security |
+| [cspm-azure-cis-benchmark](skills/cspm-azure-cis-benchmark/) | Azure | 24 | CIS Azure Foundations v2.1 + AI Foundry security |
+| [model-serving-security](skills/model-serving-security/) | Any | 16 | Model endpoint auth, rate limiting, data egress, safety layers |
+| [gpu-cluster-security](skills/gpu-cluster-security/) | Any | 13 | GPU runtime isolation, driver CVEs, InfiniBand, tenant isolation |
+| [iam-departures-remediation](skills/iam-departures-remediation/) | Multi-cloud | — | Auto-remediate IAM for departed employees across 5 clouds |
+| [vuln-remediation-pipeline](skills/vuln-remediation-pipeline/) | AWS | — | Auto-remediate supply chain vulns with EPSS triage |
## Architecture — IAM Departures Remediation
```mermaid
flowchart TD
- subgraph HR["External HR Data Sources"]
- WD[Workday API]
- SF[Snowflake SQL]
- DB[Databricks Unity]
- CH[ClickHouse SQL]
+ subgraph HR["HR Data Sources"]
+ WD["Workday API"]
+ SF["Snowflake SQL"]
+ DB["Databricks Unity"]
+ CH["ClickHouse SQL"]
end
- subgraph SEC["AWS Organization — Security OU Account"]
- REC[Reconciler
SHA-256 change detect]
- S3[S3 Manifest Bucket
KMS encrypted, versioned]
- EB[EventBridge Rule
S3 PutObject trigger]
+ subgraph SEC["AWS Security OU Account"]
+ REC["Reconciler\nSHA-256 change detect"]
+ S3["S3 Manifest\nKMS encrypted"]
+ EB["EventBridge\nS3 PutObject trigger"]
- subgraph SFN["Step Function"]
- L1[Lambda 1 — Parser
validate, grace period,
rehire filter]
- L2[Lambda 2 — Worker
13-step IAM cleanup]
+ subgraph SFN["Step Function Pipeline"]
+ L1["Parser Lambda\nvalidate · grace period · rehire filter"]
+ L2["Worker Lambda\n13-step IAM cleanup"]
end
- subgraph TGT["Target Accounts via STS AssumeRole"]
- IAM[1. Revoke credentials]
- STRIP[2. Strip permissions]
- DEL[3. Delete IAM user]
- end
+ AUDIT["Audit Trail\nDynamoDB + S3"]
+ end
- AUDIT[Audit Trail
DynamoDB + S3 + warehouse]
+ subgraph TGT["Target Accounts · STS AssumeRole"]
+ T1["Revoke credentials"]
+ T2["Strip permissions"]
+ T3["Delete IAM user"]
end
subgraph CROSS["Cross-Cloud Workers"]
- AZ[Azure Entra — 6 steps]
- GCP[GCP IAM — 4+2 steps]
- SNF[Snowflake — 6 steps]
- DBX[Databricks SCIM — 4 steps]
+ AZ["Azure Entra\n6 steps"]
+ GCP["GCP IAM\n4+2 steps"]
+ SNF["Snowflake\n6 steps"]
+ DBX["Databricks SCIM\n4 steps"]
end
- WD --> REC
- SF --> REC
- DB --> REC
- CH --> REC
+ WD & SF & DB & CH --> REC
REC -->|change detected| S3
- S3 --> EB
- EB --> L1
- L1 --> L2
- L2 --> IAM --> STRIP --> DEL
- L2 --> AZ
- L2 --> GCP
- L2 --> SNF
- L2 --> DBX
+ S3 --> EB --> L1 --> L2
+ L2 --> T1 --> T2 --> T3
+ L2 --> AZ & GCP & SNF & DBX
L2 --> AUDIT
style HR fill:#1e293b,stroke:#475569,color:#e2e8f0
style SEC fill:#0f172a,stroke:#334155,color:#e2e8f0
- style SFN fill:#172554,stroke:#3b82f6,color:#e2e8f0
- style TGT fill:#7f1d1d,stroke:#ef4444,color:#e2e8f0
- style CROSS fill:#14532d,stroke:#22c55e,color:#e2e8f0
+ style SFN fill:#164e63,stroke:#22d3ee,color:#e2e8f0
+ style TGT fill:#1e3a5f,stroke:#60a5fa,color:#e2e8f0
+ style CROSS fill:#1a2e35,stroke:#2dd4bf,color:#e2e8f0
```
## Architecture — CSPM CIS Benchmarks
```mermaid
flowchart LR
- subgraph CLOUD["Cloud Account / Project / Subscription"]
- IAM[IAM / Identity]
- STR[Storage / Buckets]
- LOG[Logging + Audit]
- NET[Network / Firewall]
- AI[AI / ML Services]
+ subgraph CLOUD["Cloud Account · read-only"]
+ IAM["IAM / Identity"]
+ STR["Storage"]
+ LOG["Logging + Audit"]
+ NET["Networking"]
+ AI["AI / ML Services"]
end
- CHK[checks.py
read-only SDK calls
no write permissions]
+ CHK["checks.py\nread-only SDK calls\nno write permissions"]
- IAM --> CHK
- STR --> CHK
- LOG --> CHK
- NET --> CHK
- AI --> CHK
+ IAM & STR & LOG & NET & AI --> CHK
- CHK --> JSON[JSON
per-control results]
- CHK --> CON[Console
pass/fail summary]
- CHK --> SARIF[SARIF
GitHub Security tab]
+ CHK --> JSON["JSON"]
+ CHK --> CON["Console"]
+ CHK --> SARIF["SARIF"]
style CLOUD fill:#1e293b,stroke:#475569,color:#e2e8f0
- style CHK fill:#172554,stroke:#3b82f6,color:#e2e8f0
+ style CHK fill:#164e63,stroke:#22d3ee,color:#e2e8f0
```
-## Architecture — Vulnerability Remediation Pipeline
+## Architecture — Model Serving Security
```mermaid
-flowchart TD
- SCAN[agent-bom scan
SARIF / JSON output]
- S3[S3 Findings Bucket
KMS encrypted]
- EB[EventBridge Rule]
-
- subgraph SFN["Step Function"]
- TRIAGE[Lambda 1 — Triage
EPSS + KEV + policy filter]
- PATCH[Lambda 2 — Patcher
per-ecosystem fix]
+flowchart LR
+ subgraph CONFIG["Serving Configuration"]
+ GW["API Gateway"]
+ K8S["K8s Manifests"]
+ CLD["Cloud Serving\nSageMaker · Vertex · Azure ML"]
end
- subgraph ACTIONS["Remediation Actions"]
- DEP[Dependency Upgrade
7 ecosystems
PR or direct apply]
- CRED[Credential Rotation
Secrets Manager / Vault]
- QUAR[MCP Server Quarantine
config rewrite + proxy deny]
+ subgraph CHECKS["16 checks · 6 domains"]
+ AUTH["Auth & RBAC"]
+ RL["Rate Limiting"]
+ EGR["Data Egress"]
+ ISO["Container Isolation"]
+ TLS["TLS & Network"]
+ SAF["Safety Layers"]
end
- NOTIFY[Notify
Slack / Teams / PagerDuty]
- AUDITDB[DynamoDB Audit Trail]
- VERIFY[Re-scan to confirm fix]
-
- SCAN --> S3
- S3 --> EB
- EB --> TRIAGE
- TRIAGE -->|P0: immediate| PATCH
- TRIAGE -->|P1: urgent 4h| PATCH
- TRIAGE -->|P2: standard 72h| PATCH
- TRIAGE -->|P3: backlog| NOTIFY
- PATCH --> DEP
- PATCH --> CRED
- PATCH --> QUAR
- PATCH --> AUDITDB
- PATCH --> NOTIFY
- NOTIFY --> VERIFY
-
- style SFN fill:#172554,stroke:#3b82f6,color:#e2e8f0
- style ACTIONS fill:#14532d,stroke:#22c55e,color:#e2e8f0
-```
-
-## What's Inside
-
-### iam-departures-remediation
-
-Fully deployable automation that reconciles HR termination data against cloud IAM and safely removes departed-employee access.
+ GW & K8S & CLD --> AUTH & RL & EGR & ISO & TLS & SAF
+ AUTH & RL & EGR & ISO & TLS & SAF --> OUT["JSON / Console"]
-**Pipeline**: HR source -> Reconciler -> S3 manifest -> EventBridge -> Step Function -> Parser Lambda -> Worker Lambda -> Target Accounts
-
-
-Components
-
-| Component | Path | What It Does |
-|-----------|------|-------------|
-| **Reconciler** | `src/reconciler/` | Ingests from 4 HR sources, SHA-256 change detection, KMS-encrypted S3 export |
-| **Parser Lambda** | `src/lambda_parser/` | Validates manifest, grace period checks, rehire filtering, IAM existence verification |
-| **Worker Lambda** | `src/lambda_worker/` | 13-step IAM dependency cleanup + deletion, cross-account STS |
-| **Multi-Cloud Workers** | `src/lambda_worker/clouds/` | Azure Entra, GCP IAM, Snowflake, Databricks SCIM |
-| **CloudFormation** | `infra/cloudformation.yaml` | Full stack: roles, Lambdas, Step Function, S3, DynamoDB |
-| **StackSets** | `infra/cross_account_stackset.yaml` | Org-wide cross-account remediation role |
-| **IAM Policies** | `infra/iam_policies/` | Least-privilege policy documents per component |
-| **Terraform** | `infra/terraform/` | HCL alternative to CloudFormation |
-| **Tests** | `tests/` | Unit tests covering parser, worker, reconciler, cross-cloud |
-
-
-
-### cspm-aws-cis-benchmark
-
-18 automated checks against CIS AWS Foundations v3.0. Each control mapped to NIST CSF 2.0 and ISO 27001:2022.
-
-```bash
-python skills/cspm-aws-cis-benchmark/src/checks.py --region us-east-1
+ style CONFIG fill:#1e293b,stroke:#475569,color:#e2e8f0
+ style CHECKS fill:#164e63,stroke:#22d3ee,color:#e2e8f0
```
-
-Controls covered
+## Architecture — GPU Cluster Security
-| Section | # Checks | Key Controls |
-|---------|----------|-------------|
-| IAM | 7 | Root MFA, user MFA, stale creds, key rotation, password policy, root keys, inline policies |
-| Storage | 4 | S3 encryption, logging, public access block, versioning |
-| Logging | 4 | CloudTrail multi-region, log validation, trail S3 not public, CloudWatch alarms |
-| Networking | 3 | No unrestricted SSH/RDP, VPC flow logs |
+```mermaid
+flowchart LR
+ subgraph CLUSTER["GPU Cluster Configuration"]
+ PODS["Pods & Containers"]
+ NODES["GPU Nodes\nDrivers · CUDA"]
+ IB["InfiniBand / RDMA"]
+ NS["Namespaces & Quotas"]
+ end
-
+ subgraph CHECKS["13 checks · 6 domains"]
+ RT["Runtime Isolation"]
+ DRV["Driver & CUDA"]
+ NET["Network Segmentation"]
+ STO["Storage & SHM"]
+ TEN["Tenant Isolation"]
+ OBS["Observability"]
+ end
-### cspm-gcp-cis-benchmark
+ PODS --> RT
+ NODES --> DRV
+ IB --> NET
+ NS --> TEN & STO
-20 CIS GCP Foundations v3.0 controls + 5 Vertex AI security checks.
+ RT & DRV & NET & STO & TEN & OBS --> OUT["JSON / Console"]
-```bash
-python skills/cspm-gcp-cis-benchmark/src/checks.py --project my-project-id
+ style CLUSTER fill:#1e293b,stroke:#475569,color:#e2e8f0
+ style CHECKS fill:#164e63,stroke:#22d3ee,color:#e2e8f0
```
-
-Controls covered
-
-| Section | # Checks | Key Controls |
-|---------|----------|-------------|
-| IAM | 7 | No Gmail accounts, MFA, no SA keys, key rotation, default SA, SSH keys, impersonation |
-| Storage | 4 | Uniform access, retention, no public buckets, CMEK |
-| Logging | 4 | Audit logs, log sinks, retention, alert policies |
-| Networking | 5 | No default VPC, no open SSH/RDP, flow logs, Private Google Access, TLS 1.2+ |
-| Vertex AI | 5 | Endpoint auth, VPC-SC, CMEK training data, model audit, no public endpoints |
-
-
-
-### cspm-azure-cis-benchmark
-
-19 CIS Azure Foundations v2.1 controls + 5 Azure AI Foundry security checks.
-
-```bash
-python skills/cspm-azure-cis-benchmark/src/checks.py --subscription-id SUB_ID
-```
+## Architecture — Vulnerability Remediation Pipeline
-
-Controls covered
+```mermaid
+flowchart TD
+ SCAN["Scan Input\nSARIF / JSON"]
+ S3["S3 Findings\nKMS encrypted"]
+ EB["EventBridge"]
-| Section | # Checks | Key Controls |
-|---------|----------|-------------|
-| Identity | 7 | MFA, Conditional Access, guest privileges, custom roles, legacy auth, PIM |
-| Storage | 4 | Encryption, HTTPS-only, no public blobs, deny-by-default network rules |
-| Logging | 4 | Activity log retention, diagnostic settings, RBAC alerts, Monitor log profile |
-| Networking | 4 | No open SSH/RDP, NSG flow logs, Network Watcher |
-| AI Foundry | 5 | Managed identity auth, private endpoints, CMK, content safety, diagnostic logging |
+ subgraph SFN["Step Function"]
+ TRIAGE["Triage Lambda\nEPSS + KEV + CVSS"]
+ PATCH["Patcher Lambda"]
+ end
-
+ P0["P0 · KEV / CVSS 9+\n1h SLA"]
+ P1["P1 · CVSS 7+ EPSS 0.7+\n4h SLA"]
+ P2["P2 · CVSS 4+ / EPSS 0.3+\n72h SLA"]
-### vuln-remediation-pipeline
+ subgraph FIX["Remediation"]
+ DEP["Dependency Upgrade\n7 ecosystems"]
+ CRED["Credential Rotation"]
+ QUAR["MCP Quarantine"]
+ end
-Auto-remediate supply chain vulnerabilities found by [agent-bom](https://github.com/msaad00/agent-bom) — from scan findings to patched dependencies, rotated credentials, and quarantined MCP servers.
+ AUDIT["Audit + Notify"]
+ VERIFY["Re-scan"]
-```bash
-# Scan and export findings for the pipeline
-agent-bom scan -f sarif -o findings.sarif --enrich --fail-on-kev
+ SCAN --> S3 --> EB --> TRIAGE
+ TRIAGE --> P0 & P1 & P2 --> PATCH
+ PATCH --> DEP & CRED & QUAR --> AUDIT --> VERIFY
-# Upload to S3 trigger bucket
-aws s3 cp findings.sarif s3://vuln-remediation-findings/incoming/
+ style SFN fill:#164e63,stroke:#22d3ee,color:#e2e8f0
+ style FIX fill:#1a2e35,stroke:#2dd4bf,color:#e2e8f0
```
-
-Triage tiers
-
-| Tier | Criteria | SLA | Action |
-|------|----------|-----|--------|
-| P0 | CISA KEV or CVSS >= 9.0 | 1h | Auto-patch + quarantine if needed |
-| P1 | CVSS >= 7.0 AND EPSS > 0.7 | 4h | Auto-patch, PR if risky |
-| P2 | CVSS >= 4.0 OR EPSS > 0.3 | 72h | Create PR for review |
-| P3 | CVSS < 4.0 AND EPSS < 0.3 | 30d | Notify, add to backlog |
-
-
-
## Security Model
```mermaid
flowchart LR
subgraph ZT["Zero Trust"]
- A1[Cross-account scoped
by PrincipalOrgID]
- A2[STS AssumeRole
per account]
- A3[VPC isolation]
+ A1["Cross-account scoped\nby PrincipalOrgID"]
+ A2["STS AssumeRole\nper account"]
+ A3["VPC isolation"]
end
subgraph LP["Least Privilege"]
- B1[Parser: read-only IAM]
- B2[Worker: scoped write
per component]
- B3[CSPM: read-only
audits only]
+ B1["Parser: read-only"]
+ B2["Worker: scoped write"]
+ B3["CSPM: read-only"]
+ B4["Model/GPU: read-only"]
end
subgraph DD["Defense in Depth"]
- C1[Deny policies on
root, break-glass,
emergency accounts]
- C2[KMS encryption
everywhere]
- C3[Dual audit:
DDB + S3 + warehouse]
+ C1["Deny policies on\nprotected accounts"]
+ C2["KMS encryption\neverywhere"]
+ C3["Dual audit trail\nDDB + S3"]
end
- style ZT fill:#172554,stroke:#3b82f6,color:#e2e8f0
- style LP fill:#14532d,stroke:#22c55e,color:#e2e8f0
- style DD fill:#7f1d1d,stroke:#ef4444,color:#e2e8f0
+ style ZT fill:#1e293b,stroke:#60a5fa,color:#e2e8f0
+ style LP fill:#1a2e35,stroke:#2dd4bf,color:#e2e8f0
+ style DD fill:#1e1b4b,stroke:#a78bfa,color:#e2e8f0
```
## Compliance Framework Mapping
-| Framework | Controls Covered | Where |
-|-----------|-----------------|-------|
-| **CIS AWS Foundations v3.0** | 18 controls (IAM, S3, CloudTrail, VPC) | `cspm-aws-cis-benchmark/` |
-| **CIS GCP Foundations v3.0** | 20 controls + 5 Vertex AI | `cspm-gcp-cis-benchmark/` |
-| **CIS Azure Foundations v2.1** | 19 controls + 5 AI Foundry | `cspm-azure-cis-benchmark/` |
-| **MITRE ATT&CK** | T1078.004, T1098.001, T1087.004, T1531, T1552, T1195.002, T1210 | Lambda docstrings |
-| **NIST CSF 2.0** | PR.AC-1, PR.AC-4, DE.CM-3, RS.MI-2 | Lambda docstrings |
-| **CIS Controls v8** | 5.3, 6.1, 6.2, 6.5, 7.1, 7.2, 7.3, 7.4, 16.1 | Worker + Patcher Lambdas |
-| **SOC 2 TSC** | CC6.1, CC6.2, CC6.3, CC7.1 | Worker + Triage Lambdas |
-| **ISO 27001:2022** | A.5.15-A.8.24 (12 controls) | CSPM check scripts |
-| **PCI DSS 4.0** | 2.2, 7.1, 8.3, 10.1 | CSPM check scripts |
-| **OWASP LLM Top 10** | LLM-05, LLM-07, LLM-08 | vuln-remediation-pipeline |
-| **OWASP MCP Top 10** | MCP-04 | vuln-remediation-pipeline |
-
-## Multi-Cloud Support
-
-| Cloud | Skill | Cleanup / Check Steps | API |
-|-------|-------|----------------------|-----|
-| **AWS IAM** | iam-departures + cspm-aws | 13-step cleanup + 18 CIS checks | boto3 |
-| **Azure** | iam-departures + cspm-azure | 6-step Entra cleanup + 19 CIS checks | msgraph-sdk, azure-mgmt |
-| **GCP** | iam-departures + cspm-gcp | 4+2 step cleanup + 20 CIS checks | google-cloud-iam |
-| **Snowflake** | iam-departures | 6 steps (disable, drop roles, revoke, drop user) | SQL DDL |
-| **Databricks** | iam-departures | 4 steps (deactivate, remove groups, revoke tokens, delete) | SCIM API |
+| Framework | Controls | Skills |
+|-----------|----------|--------|
+| **CIS AWS Foundations v3.0** | 18 controls | cspm-aws |
+| **CIS GCP Foundations v3.0** | 20 + 5 Vertex AI | cspm-gcp |
+| **CIS Azure Foundations v2.1** | 19 + 5 AI Foundry | cspm-azure |
+| **MITRE ATT&CK** | T1078, T1098, T1087, T1195, T1203, T1530, T1599, T1610, T1611 | iam-departures, gpu-cluster |
+| **MITRE ATLAS** | AML.T0010, T0024, T0025, T0042, T0048, T0051 | model-serving |
+| **NIST CSF 2.0** | PR.AC, PR.DS, DE.CM, DE.AE, RS.MI, ID.RA | All skills |
+| **CIS Controls v8** | 5.3, 6.1, 6.2, 6.5, 7.1–7.4, 8.2, 8.5, 13.1, 13.6, 16.1 | iam-departures, vuln-remediation, gpu-cluster |
+| **SOC 2 TSC** | CC6.1–CC6.3, CC7.1 | iam-departures, vuln-remediation |
+| **ISO 27001:2022** | A.5.15–A.8.24 | cspm-aws, cspm-gcp, cspm-azure |
+| **PCI DSS 4.0** | 2.2, 7.1, 8.3, 10.1 | cspm skills |
+| **OWASP LLM Top 10** | LLM-05, LLM-07, LLM-08 | vuln-remediation, model-serving |
+| **OWASP MCP Top 10** | MCP-04 | vuln-remediation |
+
+## CI/CD Pipeline
+
+This repo is scanned by [agent-bom](https://github.com/msaad00/agent-bom) in CI — dogfooding the scanner against its own security skills.
+
+| CI Job | What |
+|--------|------|
+| Lint | ruff check + format |
+| Test (IAM) | pytest — parser + worker Lambdas |
+| Test (Model Serving) | pytest — 31 checks |
+| Test (GPU Cluster) | pytest — 31 checks |
+| **agent-bom scan** | **SAST + secret detection → SARIF → GitHub Security tab** |
+| **agent-bom skills audit** | **SKILL.md security review → SARIF → GitHub Security tab** |
+| CloudFormation | cfn-lint validation |
+| Terraform | terraform validate |
+| Security | bandit + hardcoded secret grep |
## Quick Start
```bash
-# Clone
git clone https://github.com/msaad00/cloud-security.git
cd cloud-security
-# Run AWS CIS benchmark
+# AWS CIS benchmark
pip install boto3
python skills/cspm-aws-cis-benchmark/src/checks.py --region us-east-1
-# Run GCP CIS benchmark
-pip install google-cloud-iam google-cloud-storage google-cloud-compute
-python skills/cspm-gcp-cis-benchmark/src/checks.py --project my-project
+# Model serving security audit
+python skills/model-serving-security/src/checks.py serving-config.json
-# Run Azure CIS benchmark
-pip install azure-identity azure-mgmt-authorization azure-mgmt-storage azure-mgmt-monitor azure-mgmt-network
-python skills/cspm-azure-cis-benchmark/src/checks.py --subscription-id SUB_ID
+# GPU cluster security audit
+python skills/gpu-cluster-security/src/checks.py cluster-config.json
-# Run IAM departures tests
-cd skills/iam-departures-remediation
-pip install boto3 moto pytest
-pytest tests/ -v
+# Run tests
+pip install pytest boto3 moto
+cd skills/iam-departures-remediation && pytest tests/test_parser_lambda.py tests/test_worker_lambda.py -v
-# Validate with agent-bom
+# Scan with agent-bom
pip install agent-bom
agent-bom skills scan skills/
+agent-bom code skills/
```
## Integration with agent-bom
-This repo provides the security automations. [agent-bom](https://github.com/msaad00/agent-bom) provides continuous scanning and compliance validation:
+This repo provides the automations. [agent-bom](https://github.com/msaad00/agent-bom) provides continuous scanning:
| agent-bom Feature | Use Case |
|--------------------|----------|
-| `cis_benchmark` | Built-in CIS checks for AWS/GCP/Azure/Snowflake (continuous monitoring) |
-| `scan --aws` | Discover Lambda dependencies, check for CVEs |
-| `blast_radius` | Map impact of orphaned IAM credentials |
-| `compliance` | 15-framework compliance posture check |
-| `policy_check` | Policy-as-code gates for CI/CD |
-| `skills scan` | Scan skill files for security risks |
-| `graph` | Visualize cloud resource dependencies + attack paths |
+| `cis_benchmark` | Built-in CIS for AWS/GCP/Azure/Snowflake |
+| `code` | SAST scan of Lambda/skill source code |
+| `skills scan` | Audit SKILL.md for security risks |
+| `blast_radius` | Map impact of orphaned credentials |
+| `compliance` | 15-framework compliance posture |
+| `graph` | Visualize dependencies + attack paths |
## Contributing
-See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines on adding new skills.
+See [CONTRIBUTING.md](CONTRIBUTING.md).
## Security
-See [SECURITY.md](SECURITY.md) for vulnerability reporting policy.
+See [SECURITY.md](SECURITY.md).
## License
diff --git a/skills/cspm-azure-cis-benchmark/SKILL.md b/skills/cspm-azure-cis-benchmark/SKILL.md
index 16b848e..429cfa4 100644
--- a/skills/cspm-azure-cis-benchmark/SKILL.md
+++ b/skills/cspm-azure-cis-benchmark/SKILL.md
@@ -59,7 +59,7 @@ flowchart TD
style AZ fill:#1e293b,stroke:#475569,color:#e2e8f0
style CHK fill:#172554,stroke:#3b82f6,color:#e2e8f0
- style AIF fill:#14532d,stroke:#22c55e,color:#e2e8f0
+ style AIF fill:#1a2e35,stroke:#2dd4bf,color:#e2e8f0
```
## Security Guardrails
diff --git a/skills/cspm-gcp-cis-benchmark/SKILL.md b/skills/cspm-gcp-cis-benchmark/SKILL.md
index cf1bcf3..0f19c03 100644
--- a/skills/cspm-gcp-cis-benchmark/SKILL.md
+++ b/skills/cspm-gcp-cis-benchmark/SKILL.md
@@ -58,7 +58,7 @@ flowchart TD
style GCP fill:#1e293b,stroke:#475569,color:#e2e8f0
style CHK fill:#172554,stroke:#3b82f6,color:#e2e8f0
- style VAI fill:#14532d,stroke:#22c55e,color:#e2e8f0
+ style VAI fill:#1a2e35,stroke:#2dd4bf,color:#e2e8f0
```
## Security Guardrails
diff --git a/skills/iam-departures-remediation/SKILL.md b/skills/iam-departures-remediation/SKILL.md
index b538b1b..8db8b06 100644
--- a/skills/iam-departures-remediation/SKILL.md
+++ b/skills/iam-departures-remediation/SKILL.md
@@ -71,7 +71,7 @@ flowchart TD
L2 --> AUDIT
style SFN fill:#172554,stroke:#3b82f6,color:#e2e8f0
- style REC fill:#7f1d1d,stroke:#ef4444,color:#e2e8f0
+ style REC fill:#1e3a5f,stroke:#60a5fa,color:#e2e8f0
```
## Security Guardrails
diff --git a/skills/vuln-remediation-pipeline/SKILL.md b/skills/vuln-remediation-pipeline/SKILL.md
index b0d12bf..4769f3c 100644
--- a/skills/vuln-remediation-pipeline/SKILL.md
+++ b/skills/vuln-remediation-pipeline/SKILL.md
@@ -83,8 +83,8 @@ flowchart TD
PATCH --> AUDIT --> VERIFY
style SFN fill:#172554,stroke:#3b82f6,color:#e2e8f0
- style FIX fill:#14532d,stroke:#22c55e,color:#e2e8f0
- style P0 fill:#7f1d1d,stroke:#ef4444,color:#e2e8f0
+ style FIX fill:#1a2e35,stroke:#2dd4bf,color:#e2e8f0
+ style P0 fill:#1e3a5f,stroke:#60a5fa,color:#e2e8f0
```
## Security Guardrails