Skip to content

Commit deffcc1

Browse files
Kamal SrinivasanKamal Srinivasan
authored andcommitted
Security Skills for AI Coding Agents v1.0
25 structured security skills across 10 domains + 5 role bundles. Grounded in OWASP, NIST, MITRE ATT&CK, CIS Controls. Skills: appsec (5), ai-security (6), identity (5), cloud (5), vuln-management (4), compliance (5), incident-response (4), secops (4), network (3), devsecops (4) Roles: vCISO, SOC Analyst, Security Engineer, AppSec Engineer, Cloud Security Engineer Compatible with Claude Code, Gemini CLI, Cursor, Codex CLI, OpenClaw, and Kiro.
0 parents  commit deffcc1

60 files changed

Lines changed: 27759 additions & 0 deletions

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.github/PULL_REQUEST_TEMPLATE.md

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,25 @@
1+
## Pull Request Checklist
2+
3+
Please confirm the following before submitting:
4+
5+
- [ ] Skill follows the format specification in [CONTRIBUTING.md](../CONTRIBUTING.md)
6+
- [ ] At least one real framework is cited with correct control IDs
7+
- [ ] All framework references verified against primary sources (not blogs or AI output)
8+
- [ ] Prompt Injection Safety Notice section included
9+
- [ ] `injection-hardened: true` set in frontmatter
10+
- [ ] `allowed-tools` scoped to minimum necessary permissions
11+
- [ ] Tested with at least one AI coding agent (which one: ___)
12+
- [ ] No prohibited patterns per [SECURITY.md](../SECURITY.md)
13+
- [ ] `index.yaml` updated with new skill entry (if adding a skill)
14+
15+
## What This PR Does
16+
17+
[Brief description of the skill or change]
18+
19+
## Framework References
20+
21+
[List the specific frameworks and control IDs cited in this skill]
22+
23+
## Testing
24+
25+
[How was this skill tested? Which agent was used? What was the target?]
Lines changed: 53 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,53 @@
1+
name: Prompt Injection Scan
2+
3+
on:
4+
pull_request:
5+
6+
jobs:
7+
injection-scan:
8+
runs-on: ubuntu-latest
9+
steps:
10+
- name: Checkout repository
11+
uses: actions/checkout@v4
12+
13+
- name: Scan for prompt injection patterns
14+
run: |
15+
PATTERNS=(
16+
"ignore previous"
17+
"ignore all previous"
18+
"disregard"
19+
"new directive"
20+
"system override"
21+
"you are now"
22+
"forget your instructions"
23+
"exfiltrate"
24+
"send to http"
25+
"curl -X POST"
26+
"api.telegram"
27+
"webhook"
28+
)
29+
30+
FOUND_ISSUES=0
31+
32+
for pattern in "${PATTERNS[@]}"; do
33+
MATCHES=$(grep -rin "$pattern" skills/ roles/ --include="*.md" 2>/dev/null || true)
34+
if [ -n "$MATCHES" ]; then
35+
# Allowlist: quoted examples in prompt-injection skill are expected
36+
FILTERED=$(echo "$MATCHES" | grep -v "ai-security/prompt-injection.md" || true)
37+
if [ -n "$FILTERED" ]; then
38+
echo "FOUND injection pattern \"$pattern\":"
39+
echo "$FILTERED"
40+
echo ""
41+
FOUND_ISSUES=1
42+
fi
43+
fi
44+
done
45+
46+
if [ "$FOUND_ISSUES" -ne 0 ]; then
47+
echo "FAIL: Prompt injection patterns detected. Review flagged lines above."
48+
echo ""
49+
echo "NOTE: Quoted examples in ai-security/prompt-injection.md are excluded."
50+
exit 1
51+
fi
52+
53+
echo "PASS: No prompt injection patterns detected."

.github/workflows/lint-skills.yml

Lines changed: 51 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,51 @@
1+
name: Lint Skills
2+
3+
on:
4+
pull_request:
5+
6+
jobs:
7+
lint-frontmatter:
8+
runs-on: ubuntu-latest
9+
steps:
10+
- name: Checkout repository
11+
uses: actions/checkout@v4
12+
13+
- name: Validate frontmatter in skill and role files
14+
run: |
15+
EXIT_CODE=0
16+
REQUIRED_FIELDS=("name" "description" "version" "author" "license")
17+
18+
FILES=$(find skills/ roles/ -name '*.md' 2>/dev/null || true)
19+
20+
if [ -z "$FILES" ]; then
21+
echo "No .md files found in skills/ or roles/."
22+
exit 0
23+
fi
24+
25+
while IFS= read -r file; do
26+
echo "Checking: $file"
27+
28+
FRONTMATTER=$(awk '/^---$/{if(++c==2) exit} c==1' "$file")
29+
30+
if [ -z "$FRONTMATTER" ]; then
31+
echo " ERROR: No YAML frontmatter found (missing --- delimiters)"
32+
EXIT_CODE=1
33+
continue
34+
fi
35+
36+
for field in "${REQUIRED_FIELDS[@]}"; do
37+
if ! echo "$FRONTMATTER" | grep -qE "^${field}:"; then
38+
echo " ERROR: Missing required field: $field"
39+
EXIT_CODE=1
40+
fi
41+
done
42+
done <<< "$FILES"
43+
44+
if [ "$EXIT_CODE" -ne 0 ]; then
45+
echo ""
46+
echo "FAIL: One or more files have missing required frontmatter fields."
47+
exit 1
48+
fi
49+
50+
echo ""
51+
echo "All frontmatter checks passed."
Lines changed: 63 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,63 @@
1+
name: Validate Index
2+
3+
on:
4+
pull_request:
5+
push:
6+
branches:
7+
- main
8+
9+
jobs:
10+
validate-index:
11+
runs-on: ubuntu-latest
12+
steps:
13+
- name: Checkout repository
14+
uses: actions/checkout@v4
15+
16+
- name: Install yq
17+
run: |
18+
sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
19+
sudo chmod +x /usr/local/bin/yq
20+
21+
- name: Validate all indexed files exist
22+
run: |
23+
EXIT_CODE=0
24+
25+
# Check skill files
26+
SKILL_FILES=$(yq eval '.skills[].file' index.yaml)
27+
echo "Checking skill files listed in index.yaml..."
28+
while IFS= read -r filepath; do
29+
if [ -z "$filepath" ] || [ "$filepath" = "null" ]; then
30+
continue
31+
fi
32+
if [ ! -f "$filepath" ]; then
33+
echo "MISSING: $filepath"
34+
EXIT_CODE=1
35+
else
36+
echo "OK: $filepath"
37+
fi
38+
done <<< "$SKILL_FILES"
39+
40+
# Check role files
41+
ROLE_FILES=$(yq eval '.roles[].file' index.yaml)
42+
echo ""
43+
echo "Checking role files listed in index.yaml..."
44+
while IFS= read -r filepath; do
45+
if [ -z "$filepath" ] || [ "$filepath" = "null" ]; then
46+
continue
47+
fi
48+
if [ ! -f "$filepath" ]; then
49+
echo "MISSING: $filepath"
50+
EXIT_CODE=1
51+
else
52+
echo "OK: $filepath"
53+
fi
54+
done <<< "$ROLE_FILES"
55+
56+
if [ "$EXIT_CODE" -ne 0 ]; then
57+
echo ""
58+
echo "FAIL: One or more files listed in index.yaml do not exist."
59+
exit 1
60+
fi
61+
62+
echo ""
63+
echo "All indexed files are present."

.gitignore

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
# OS files
2+
.DS_Store
3+
Thumbs.db
4+
5+
# Editor files
6+
.vscode/
7+
.idea/
8+
*.swp
9+
*.swo
10+
11+
# Plan file (internal reference, not published)
12+
skillsrepo.md

0 commit comments

Comments
 (0)