cisco/software-security
A software security skill that integrates with Project CodeGuard to help AI coding agents write secure code and prevent common vulnerabilities. Use this skill when writing, reviewing, or modifying code to ensure secure-by-default practices are followed.
codeguard-0-supply-chain-security.mdrules/
- description:
- Dependency & supply chain security (pinning, SBOM, provenance, integrity, private registries)
- languages:
- docker, javascript, yaml
- alwaysApply:
- No
rule_id: codeguard-0-supply-chain-security
Dependency & Supply Chain Security
Control third‑party risk across ecosystems, from selection and pinning to provenance, scanning, and rapid response.
Policy and Governance
- Maintain allow‑listed registries and scopes; disallow direct installs from untrusted sources.
- Require lockfiles and version pinning; prefer digest pinning for images and vendored assets.
- Generate SBOMs for apps/images; store with artifacts; attest provenance (SLSA, Sigstore).
Package Hygiene (npm focus applicable to others)
- Regularly audit (
npm audit, ecosystem SCA) and patch; enforce SLAs by severity. - Use deterministic builds:
npm ci(notnpm install) in CI/CD; maintain lockfile consistency. - Avoid install scripts that execute on install when possible; review for risk.
- Use
.npmrcto scope private registries; avoid wildcard registries; enable integrity verification. - Enable account 2FA for publishing
Development Practices
- Minimize dependency footprint; remove unused packages; prefer stdlib/first‑party for trivial tasks.
- Protect against typosquatting and protestware: pin maintainers, monitor releases, and use provenance checks.
- Hermetic builds: no network in compile/packaging stages unless required; cache with authenticity checks.
CI/CD Integration
- SCA, SAST, IaC scans in gates; fail on criticals; require approvals for overrides with compensating controls.
- Sign artifacts; verify signatures at deploy; enforce policy in admission.
Vulnerability Management
- For patched vulnerabilities: test and deploy updates; document any API breaking changes.
- For unpatched vulnerabilities: implement compensating controls (input validation, wrappers) based on CVE type; prefer direct dependency fixes over transitive workarounds.
- Document risk decisions; escalate acceptance to appropriate authority with business justification.
Incident Response
- Maintain rapid rollback; isolate compromised packages; throttle rollouts; notify stakeholders.
- Monitor threat intel feeds (e.g., npm advisories); auto‑open tickets for critical CVEs.
Implementation Checklist
- Lockfiles present; integrity checks on; private registries configured.
- SBOM + provenance stored; signatures verified pre‑deploy.
- Automated dependency updates with tests and review gates.
- High‑sev vulns remediated within SLA or mitigated and documented.
tessl i cisco/software-security@1.2.5evals
scenario-1
scenario-2
scenario-3
scenario-4
scenario-5
rules
codeguard-0-additional-cryptography.mdcodeguard-0-api-web-services.mdcodeguard-0-authentication-mfa.mdcodeguard-0-authorization-access-control.mdcodeguard-0-client-side-web-security.mdcodeguard-0-cloud-orchestration-kubernetes.mdcodeguard-0-data-storage.mdcodeguard-0-devops-ci-cd-containers.mdcodeguard-0-file-handling-and-uploads.mdcodeguard-0-framework-and-languages.mdcodeguard-0-iac-security.mdcodeguard-0-input-validation-injection.mdcodeguard-0-logging.mdcodeguard-0-mcp-security.mdcodeguard-0-mobile-apps.mdcodeguard-0-privacy-data-protection.mdcodeguard-0-safe-c-functions.mdcodeguard-0-session-management-and-cookies.mdcodeguard-0-supply-chain-security.mdcodeguard-0-xml-and-serialization.mdcodeguard-1-crypto-algorithms.mdcodeguard-1-digital-certificates.mdcodeguard-1-hardcoded-credentials.md