feat: discover-environment skill + diagram fixes + agent-bom CI

.github/workflows/ci.yml

@@ -59,6 +59,18 @@ jobs:
       - working-directory: skills/gpu-cluster-security
         run: pytest tests/ -v -o "testpaths=tests"
 
+  test-discover-environment:
+    runs-on: ubuntu-latest
+    needs: lint
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - run: pip install pytest
+      - working-directory: skills/discover-environment
+        run: pytest tests/ -v -o "testpaths=tests"
+
   agent-bom-scan:
     runs-on: ubuntu-latest
     needs: lint

CLAUDE.md

@@ -12,6 +12,7 @@ skills/
   cspm-azure-cis-benchmark/     — CIS Azure Foundations v2.1 (19 checks + 5 AI Foundry)
   model-serving-security/       — Model serving security benchmark (16 checks)
   gpu-cluster-security/         — GPU cluster security benchmark (13 checks)
+  discover-environment/         — Cloud environment discovery with MITRE ATT&CK/ATLAS overlay
   vuln-remediation-pipeline/    — Auto-remediate supply chain vulnerabilities
 ```
 

README.md

@@ -16,6 +16,7 @@ Production-grade cloud security benchmarks and automation — CIS checks for AWS
 | [cspm-azure-cis-benchmark](skills/cspm-azure-cis-benchmark/) | Azure | 24 | CIS Azure Foundations v2.1 + AI Foundry security |
 | [model-serving-security](skills/model-serving-security/) | Any | 16 | Model endpoint auth, rate limiting, data egress, safety layers |
 | [gpu-cluster-security](skills/gpu-cluster-security/) | Any | 13 | GPU runtime isolation, driver CVEs, InfiniBand, tenant isolation |
+| [discover-environment](skills/discover-environment/) | Multi-cloud | — | Map cloud resources to security graph with MITRE ATT&CK/ATLAS overlays |
 | [iam-departures-remediation](skills/iam-departures-remediation/) | Multi-cloud | — | Auto-remediate IAM for departed employees across 5 clouds |
 | [vuln-remediation-pipeline](skills/vuln-remediation-pipeline/) | AWS | — | Auto-remediate supply chain vulns with EPSS triage |
 
@@ -98,57 +99,28 @@ flowchart LR
 
 ```mermaid
 flowchart LR
-    subgraph CONFIG["Serving Configuration"]
-        GW["API Gateway"]
-        K8S["K8s Manifests"]
-        CLD["Cloud Serving\nSageMaker · Vertex · Azure ML"]
-    end
-
-    subgraph CHECKS["16 checks · 6 domains"]
-        AUTH["Auth & RBAC"]
-        RL["Rate Limiting"]
-        EGR["Data Egress"]
-        ISO["Container Isolation"]
-        TLS["TLS & Network"]
-        SAF["Safety Layers"]
-    end
+    CONFIG["Serving Config\nAPI Gateway · K8s · Cloud ML"]
+    BENCH["checks.py\n16 checks · 6 domains\nAuth · Rate Limit · Egress\nRuntime · TLS · Safety"]
+    OUT["JSON / Console"]
 
-    GW & K8S & CLD --> AUTH & RL & EGR & ISO & TLS & SAF
-    AUTH & RL & EGR & ISO & TLS & SAF --> OUT["JSON / Console"]
+    CONFIG --> BENCH --> OUT
 
     style CONFIG fill:#1e293b,stroke:#475569,color:#e2e8f0
-    style CHECKS fill:#164e63,stroke:#22d3ee,color:#e2e8f0
+    style BENCH fill:#164e63,stroke:#22d3ee,color:#e2e8f0
 ```
 
 ## Architecture — GPU Cluster Security
 
 ```mermaid
 flowchart LR
-    subgraph CLUSTER["GPU Cluster Configuration"]
-        PODS["Pods & Containers"]
-        NODES["GPU Nodes\nDrivers · CUDA"]
-        IB["InfiniBand / RDMA"]
-        NS["Namespaces & Quotas"]
-    end
-
-    subgraph CHECKS["13 checks · 6 domains"]
-        RT["Runtime Isolation"]
-        DRV["Driver & CUDA"]
-        NET["Network Segmentation"]
-        STO["Storage & SHM"]
-        TEN["Tenant Isolation"]
-        OBS["Observability"]
-    end
-
-    PODS --> RT
-    NODES --> DRV
-    IB --> NET
-    NS --> TEN & STO
+    CLUSTER["Cluster Config\nPods · Nodes · InfiniBand\nNamespaces · Storage"]
+    BENCH["checks.py\n13 checks · 6 domains\nRuntime · Driver · Network\nStorage · Tenant · Observability"]
+    OUT["JSON / Console"]
 
-    RT & DRV & NET & STO & TEN & OBS --> OUT["JSON / Console"]
+    CLUSTER --> BENCH --> OUT
 
     style CLUSTER fill:#1e293b,stroke:#475569,color:#e2e8f0
-    style CHECKS fill:#164e63,stroke:#22d3ee,color:#e2e8f0
+    style BENCH fill:#164e63,stroke:#22d3ee,color:#e2e8f0
 ```
 
 ## Architecture — Vulnerability Remediation Pipeline

skills/discover-environment/SKILL.md

@@ -0,0 +1,230 @@
+---
+name: discover-environment
+description: >-
+  Discover cloud infrastructure and map it to a security graph with MITRE ATT&CK
+  and ATLAS technique overlays. Outputs graph JSON with nodes (resources, IAM,
+  services, network) and edges (relationships, attack vectors). Supports AWS,
+  GCP, Azure, or static config input. Use when the user mentions environment
+  discovery, cloud inventory, infrastructure mapping, attack surface mapping,
+  cloud resource graph, or MITRE technique mapping.
+license: Apache-2.0
+compatibility: >-
+  Requires Python 3.11+. Cloud discovery needs respective SDKs (boto3 for AWS,
+  google-cloud-* for GCP, azure-* for Azure). Static config mode needs no SDKs.
+  Read-only — uses only viewer/audit permissions. No write access.
+metadata:
+  author: msaad00
+  version: 0.1.0
+  frameworks:
+    - MITRE ATT&CK
+    - MITRE ATLAS
+    - NIST CSF 2.0
+  cloud: multi
+---
+
+# Cloud Environment Discovery
+
+Maps cloud infrastructure to a security graph with MITRE ATT&CK and ATLAS
+technique overlays. Each resource becomes a graph node, each relationship
+an edge. Attack techniques are mapped as edges from technique nodes to
+vulnerable resources.
+
+## When to Use
+
+- Map cloud attack surface before a security assessment
+- Visualize IAM → service → storage → network relationships
+- Overlay MITRE ATT&CK techniques on infrastructure for threat modeling
+- Export cloud inventory as graph JSON for any visualization tool
+- Feed into agent-bom's unified graph for cross-platform posture view
+- Periodic environment drift detection (compare graph snapshots)
+
+## Architecture
+
+```mermaid
+flowchart TD
+    subgraph PROVIDERS["Discovery Sources"]
+        AWS["AWS\nboto3 · SecurityAudit"]
+        GCP["GCP\ngoogle-cloud · Viewer"]
+        AZ["Azure\nazure-mgmt · Reader"]
+        CFG["Static Config\nJSON / YAML"]
+    end
+
+    subgraph DISCOVER["discover.py · read-only"]
+        IAM["IAM Users\nRoles · Service Accounts"]
+        COMP["Compute\nLambda · Functions · VMs"]
+        STOR["Storage\nS3 · GCS · Blob"]
+        NET["Network\nVPC · SG · Firewall"]
+    end
+
+    subgraph MITRE["MITRE Overlay"]
+        ATT["ATT&CK\n9 techniques"]
+        ATLAS["ATLAS\n6 techniques"]
+    end
+
+    AWS & GCP & AZ & CFG --> IAM & COMP & STOR & NET
+    IAM & COMP & STOR & NET --> OUT["Graph JSON\nnodes + edges + stats"]
+    ATT & ATLAS -->|exploitable_via| OUT
+
+    style PROVIDERS fill:#1e293b,stroke:#475569,color:#e2e8f0
+    style DISCOVER fill:#164e63,stroke:#22d3ee,color:#e2e8f0
+    style MITRE fill:#1e1b4b,stroke:#a78bfa,color:#e2e8f0
+```
+
+## What Gets Discovered
+
+### AWS (requires boto3 + SecurityAudit policy)
+
+| Resource | Entity Type | MITRE Techniques |
+|----------|-------------|-----------------|
+| IAM Users | user | T1078.004, T1098.001 |
+| IAM Roles | service_account | T1078.004, T1548.005 |
+| Access Keys | credential | — |
+| S3 Buckets | cloud_resource | T1530, T1537 |
+| Lambda Functions | server | T1648, T1195.002 |
+| VPCs | cloud_resource | T1599 |
+| Security Groups | cloud_resource | T1562.007 |
+
+### GCP (requires google-cloud SDKs + Viewer role)
+
+| Resource | Entity Type |
+|----------|-------------|
+| Service Accounts | service_account |
+| Cloud Storage Buckets | cloud_resource |
+| (Extensible for Compute, GKE, Vertex AI) | — |
+
+### Azure (requires azure SDKs + Reader role)
+
+| Resource | Entity Type |
+|----------|-------------|
+| Resource Groups | cloud_resource |
+| Resources (all types) | cloud_resource |
+| (Extensible for Entra ID, AKS, AI Studio) | — |
+
+## MITRE ATT&CK Techniques Mapped
+
+| Technique | ID | Resources Affected |
+|-----------|-----|-------------------|
+| Valid Accounts: Cloud | T1078.004 | IAM users, roles, instances |
+| Additional Cloud Credentials | T1098.001 | IAM users |
+| Temp Elevated Access | T1548.005 | IAM roles |
+| Data from Cloud Storage | T1530 | S3, GCS, Blob |
+| Transfer to Cloud Account | T1537 | S3, GCS, Blob |
+| Serverless Execution | T1648 | Lambda, Cloud Functions |
+| Supply Chain: Software | T1195.002 | Lambda, Cloud Functions |
+| Network Boundary Bridging | T1599 | VPCs |
+| Impair Cloud Firewall | T1562.007 | Security groups, NSGs |
+| Deploy Container | T1610 | EC2, Compute Engine |
+
+## MITRE ATLAS Techniques Mapped
+
+| Technique | ID | Resources Affected |
+|-----------|-----|-------------------|
+| Inference API Access | AML.T0024 | Model endpoints |
+| Denial of ML Service | AML.T0042 | Model endpoints |
+| Poison Training Data | AML.T0020 | Training jobs |
+| ML Supply Chain | AML.T0010 | Training jobs, model artifacts |
+| Exfiltrate Training Data | AML.T0025 | Model artifacts |
+
+## Usage
+
+```bash
+# AWS discovery
+pip install boto3
+python src/discover.py aws --region us-east-1
+
+# AWS with profile
+python src/discover.py aws --region us-west-2 --profile production
+
+# GCP discovery
+pip install google-cloud-iam google-cloud-storage google-cloud-resource-manager
+python src/discover.py gcp --project my-project-id
+
+# Azure discovery
+pip install azure-identity azure-mgmt-resource
+python src/discover.py azure --subscription-id SUB_ID
+
+# Static config (no SDK needed)
+python src/discover.py config --config environment.json
+
+# Save output
+python src/discover.py aws -o environment-graph.json
+```
+
+## Output Format
+
+The graph JSON is standalone — no agent-bom dependency. Any tool can consume it.
+
+```json
+{
+  "scan_id": "uuid",
+  "provider": "aws",
+  "region": "us-east-1",
+  "discovered_at": "2026-04-09T00:00:00+00:00",
+  "nodes": [
+    {
+      "id": "aws:iam_user:admin",
+      "entity_type": "user",
+      "label": "admin",
+      "attributes": {"arn": "arn:aws:iam::123456789012:user/admin"},
+      "compliance_tags": ["MITRE-T1078.004", "MITRE-T1098.001"],
+      "dimensions": {"cloud_provider": "aws"}
+    }
+  ],
+  "edges": [
+    {
+      "source": "mitre:T1078.004",
+      "target": "aws:iam_user:admin",
+      "relationship": "exploitable_via",
+      "evidence": {"technique": "T1078.004", "tactic": "Initial Access"}
+    }
+  ],
+  "stats": {
+    "total_nodes": 42,
+    "total_edges": 67,
+    "node_types": {"user": 5, "service_account": 12, "cloud_resource": 25},
+    "relationship_types": {"contains": 30, "owns": 5, "uses": 8, "exploitable_via": 24}
+  }
+}
+```
+
+## Static Config Format
+
+When cloud SDK access is not available:
+
+```json
+{
+  "provider": "static",
+  "resources": [
+    {"id": "vpc-1", "type": "cloud_resource", "name": "Production VPC", "dimensions": {"cloud_provider": "aws"}},
+    {"id": "user-1", "type": "iam_user", "name": "deploy-bot"}
+  ],
+  "relationships": [
+    {"source": "vpc-1", "target": "user-1", "type": "contains"}
+  ]
+}
+```
+
+## Security Guardrails
+
+- **Read-only**: Uses SecurityAudit (AWS), Viewer (GCP), Reader (Azure). Zero write permissions.
+- **No credentials stored**: Cloud credentials from environment/profile only. Never logged or cached.
+- **No data exfiltration**: Graph output stays local. No external API calls beyond cloud SDK.
+- **Safe to run in production**: Cannot modify any cloud resources.
+- **Idempotent**: Run as often as needed. Snapshot comparison for drift detection.
+
+## Human-in-the-Loop Policy
+
+| Action | Automation Level | Reason |
+|--------|-----------------|--------|
+| **Discover resources** | Fully automated | Read-only, no side effects |
+| **Generate graph JSON** | Fully automated | Local output |
+| **Modify IAM/network** | Human required | Infrastructure changes have blast radius |
+| **Remediate findings** | Human required | Use iam-departures or vuln-remediation skills |
+
+## Tests
+
+```bash
+cd skills/discover-environment
+pytest tests/ -v -o "testpaths=tests"
+# 15 tests: graph model, MITRE mapping, static config, stats
+```