
Production-ready templates for CONTRIBUTING.md, SECURITY.md, and GitHub issue forms. OpenSSF Best Practices Badge compliant, copy-paste ready, with realistic SLAs.
Automation phase SDLC hardening overview. CI/CD gates, SBOM generation, vulnerability scanning, SLSA provenance, and automated evidence collection for secure software supply chain enforcement.
Deploy Kyverno admission control as final safety net before production. Install admission webhooks, policy reporters, and continuous compliance background scans.
Build event-driven Kubernetes automation with Argo Events. Connect external systems to reactive workflows using EventSources, EventBus, and Sensors.
Master when to fail fast vs degrade gracefully. Production-tested error handling strategies for GitHub Actions, CI/CD pipelines, and platform automation.
Reduce matrix builds from 47 jobs to 3 with path filtering, deduplication, and dynamic generation. Run only what changed and eliminate redundant combinations.
Secure-by-design architecture patterns for Kubernetes. Zero trust, defense in depth, least privilege, and fail-secure patterns with implementation examples and threat models.
Layer work avoidance checks from existence to content to semantic comparison. Each technique catches different skip scenarios for maximum automation efficiency.
Production-ready CI workflow examples with all security patterns applied. SHA pinning, minimal permissions, secret scanning, and language-specific variants.
Risk prioritization framework for engineers. CVSS interpretation, exploitability analysis, blast radius calculation, and decision trees for patch management and vulnerability remediation.
GitHub secret scanning configuration, push protection, custom pattern definitions, and response playbook for detected credentials in GitHub Actions workflows.
Workload Identity Federation implementation guide. GKE setup, IAM bindings, ServiceAccount configuration, migration from service account keys, and troubleshooting patterns.
Generate JWTs for GitHub App authentication. Direct JWT generation for app-level operations, installation discovery, and bootstrapping workflows.
Build confidence with comprehensive CLI testing. Unit tests catch logic bugs with fakes, integration tests verify API contracts, E2E tests validate workflows.
Design CLI commands that work independently and compose well for automation. The orchestrator pattern coordinates; subcommands execute discrete tasks.
Choose the right Go CLI framework for Kubernetes-native tools. Decision matrix compares Cobra, urfave/cli, and Kong for ecosystem alignment and features.
Build Kubernetes-native CLIs in Go with type safety, testability, and complex orchestration logic for deployment tools and cluster automation.
Integrate Go CLIs with Kubernetes using client-go. Automatic config detection works on laptops, CI runners, and cluster pods with minimal RBAC setup.
Automate version management and changelog generation with smart builds. Only build changed components using GitHub App tokens and release-please integration.
Package Go CLIs as minimal secure containers with distroless base images. Static binaries, non-root users, read-only filesystems for production.
Configure automated versioning with release-please. Set up semantic versioning, changelog generation, and monorepo support using GitHub App token authentication.
Deploy version-tagged documentation alongside releases using MkDocs Material, mike, and release-please for automated version alignment with software builds.
Incident response playbook templates for Kubernetes. Detection, containment, remediation, and post-incident procedures with decision trees and validation steps.
OPA Gatekeeper policy templates overview. 20 production-ready constraint templates for pod security, image validation, RBAC, and resource governance.
Runtime enforcement phase overview. Policy-as-code with Kyverno, resource limits, image source verification, security context enforcement, and policy observability for production Kubernetes hardening.
CI/CD pipelines as merge gates. Tests, security scans, and linting must pass before code reaches production. Automated validation that satisfies auditors.
SLSA provenance for Go, Node.js, and Python: binary builds, package publishing, container images, and dependency verification with cryptographic integrity proofs.
Chaos experiment design methodology. Hypothesis formation, success criteria definition, blast radius control, validation patterns, and SLI monitoring for effective chaos engineering.
Optimize automation with idempotency and work avoidance. Safe retries plus skipping unnecessary operations maximize efficiency in CI/CD and platform engineering.
Automated file distribution across multiple repositories with three-stage workflow. Discovery, parallel distribution, and summary reporting for consistent updates.
Five idempotency patterns for automation: check-before-act, upsert, force overwrite, unique identifiers, and tombstones. Choose based on constraints and APIs.
Battle-tested automation patterns for GitHub Actions, Argo, and Kubernetes. Build resilient, idempotent workflows that scale with hub-and-spoke design.
CronWorkflow patterns for scheduled automation: time-based execution, concurrency policies, orchestration pipelines, and GitHub Actions integration for DevSecOps.
Leave markers indicating which operations have completed. Track progress across complex multi-step workflows. Perfect for resumable operations and distributed systems.
Build complex pipelines from reusable workflow components. Compose parent-child workflows, orchestrate multi-stage automation, and eliminate copy-paste YAML.
Disposable runner patterns for GitHub Actions. Container-based, VM-based, and ARC deployment strategies with complete state isolation between jobs.
GKE security hardening guide with Pulumi. Private clusters, Workload Identity, Binary Authorization, network policies, IAM configuration, and runtime security enforcement.
Find and fix security issues before they become incidents. Vulnerability scanning, SBOM generation, supply chain security, and secure authentication workflows.
Securely store GitHub App credentials across different environments. GitHub Actions secrets, external CI, Kubernetes, and automated rotation patterns.
Kyverno resource governance policies enforcing CPU/memory limits, HPA requirements, and storage constraints for Kubernetes workloads.
Structured framework for evaluating GitHub Actions security before adoption. Trust tiers, risk assessment checklist, and decision tree for action evaluation.
Phased rollout plan for SDLC hardening. Foundation to runtime enforcement in 90 days. Prioritized by risk and audit importance.
Kyverno generation policy templates that auto-create supporting resources like NetworkPolicies, ResourceQuotas, and PodDisruptionBudgets for new workloads and namespaces.
Kyverno mutation policies that auto-inject labels, sidecars, and configuration into Kubernetes workloads at admission time.
Why pinning GitHub Actions to SHA-256 commits matters for supply chain security. Attack vectors from unpinned actions and comparison of tag vs SHA pinning.
Fundamental patterns for building maintainable, scalable systems: separation of concerns, distributed orchestration, and zero-downtime migration strategies.
Deploy event-driven automation with EventSource, EventBus, and Sensor configuration. Complete setup guide for production Argo Events on Kubernetes clusters.
Production Argo Workflows patterns: reusable templates, error handling, concurrency control, composition, and scheduled automation for Kubernetes operators.
Comprehensive branch protection configuration patterns with enforcement automation. Security tiers, IaC at scale, GitHub App enforcement, audit reporting, and bypass controls.
Copy-paste hardened CI/CD workflows with SHA-pinned actions, minimal GITHUB_TOKEN permissions, OIDC authentication, and comprehensive security scanning for GitHub Actions.
Prevent workflow conflicts with mutex synchronization, semaphores for limited parallelism, and TTL strategies for automatic cleanup of completed workflows.
Deployment protection with environment protection rules, required reviewers, wait timers, and approval gates for production deployments.
Handle token failures, API rate limits, and permission errors in GitHub Actions workflows with retry logic, validation checks, and actionable error messages.
Configure organization-level GitHub Apps for secure cross-repository automation. Machine identity, audit trails, and enterprise-grade authentication.
Build automation that survives reruns. Idempotent operations let you rerun workflows without fear of duplicates, corruption, or cascading failures in CI/CD.
Private GKE cluster setup, Workload Identity, and Shielded Nodes with Binary Authorization using Terraform.
Production-ready release workflow examples with signed releases, SLSA provenance, artifact attestations, and minimal permissions.
Generate short-lived installation tokens from GitHub App credentials with actions/create-github-app-token. Organization-scoped and repository-scoped patterns for automated cross-repo workflows.
Install Kyverno, create validation policies, and understand audit vs enforce modes for Kubernetes admission control.
Kyverno network security policies that enforce NetworkPolicy requirements, Ingress rules, and Service restrictions in Kubernetes.
Kyverno pod security policies enforcing Pod Security Standards, privilege restrictions, and security profiles for Kubernetes workloads.
Parallelize operations across dynamic target lists using GitHub Actions matrix strategies with failure isolation, rate limiting, and conditional logic.
Secure GKE networking with VPC-native IP allocation, zero-trust network policies, Private Service Connect endpoints, and Cloud Armor DDoS protection layers.
OAuth flows for user-context operations. Web application patterns, device flow for CLI tools, and token refresh strategies for GitHub Apps.
Secretless authentication to cloud providers using OpenID Connect federation. GCP, Azure, and cloud-agnostic examples with subject claim patterns and trust policies.
OPA pod security policies preventing privileged containers, restricting Linux capabilities, and enforcing security contexts in Kubernetes.
OPA resource governance policies enforcing CPU/memory limits, ResourceQuota compliance, LimitRange validation, and storage constraints.
Complete OpenSSF Scorecard achievement guide. Understand all 18 security checks, fix false positives, navigate controversial recommendations, and progress from 7 to 10/10.
Deploy pre-commit hooks for secrets detection, branch protection with required reviews, commit signature verification, and org-wide distribution strategies.
Audit evidence collection and compliance validation. Automated archival, OpenSSF Scorecard monitoring, SLSA verification, and continuous proof of controls.
Manage Kyverno policy lifecycle from creation to enforcement. Add policies safely, monitor compliance, handle exceptions, and maintain GitOps-driven operations.
Production-ready policy template library: 48 battle-tested policies (28 Kyverno + 20 OPA). Pod security, image validation, RBAC, resource governance, network security, and CI/CD integration.
Build resilient event systems with retry strategies, dead letter queues, and EventBus persistence. Handle failures gracefully in production deployments.
Pod Security Standards and admission controllers for GKE. Runtime monitoring with Falco and behavioral analysis to detect anomalous workload activity.
Deploy defense-in-depth SDLC hardening across four phases: pre-commit hooks, CI/CD gates, runtime enforcement, and continuous audit evidence collection systems.
Automated secret rotation for GitHub Actions. Schedule recommendations, zero-downtime strategies, and notification patterns for credential lifecycle management.
Comprehensive security scanning examples with SAST (CodeQL), dependency scanning, container vulnerability detection (Trivy), and SARIF upload to GitHub Security tab.
Comprehensive hardening steps for self-hosted GitHub Actions runners. OS-level security, network isolation, credential protection, and audit logging.
Understanding the threat model for self-hosted GitHub Actions runners. GitHub-hosted vs self-hosted comparison and secure deployment patterns.
Single-responsibility components with clear boundaries. Orchestration separate from execution. Build maintainable systems through component isolation.
Complete SLSA implementation playbook: clarify SLSA vs SBOM confusion, classify runner configurations, implement verification workflows, and adopt incrementally from Level 1 to Level 3.
Incremental migration from legacy systems. Run old and new in parallel, gradually shift traffic, and roll back at any point. Zero downtime, production-validated.
Token expiration handling, refresh strategies, and caching patterns for long-running workflows. Manage installation token lifecycle and rate limits in GitHub Actions.
Debug event flows systematically from EventSource to Workflow. Use diagnostic commands and logging levels to isolate failures in production event systems.
Skip work when outcomes won't change. Detect unchanged content, existing resources, and cached outputs to prevent unnecessary PRs, builds, and processing cycles.
Skip unnecessary CI/CD operations before execution. Detect unchanged content, cached builds, and irrelevant paths to reduce workflow costs and execution time.
WorkflowTemplate foundations: versioned, reusable automation building blocks with parameter contracts, error handling, volumes, and RBAC for production workflows.
Secure GitHub Actions trigger patterns for pull requests, forks, and reusable workflows. Preventing privilege escalation and code injection through trigger misconfiguration.
Runner group organization strategies for GitHub Actions. Repository access restrictions, workflow controls, and security boundaries for self-hosted runners.
Standard Go security toolkit: race detector, golangci-lint, Trivy, govulncheck. Zero cost, seamless integration, and OpenSSF-certified security workflow patterns.
Implement idiomatic Kubernetes operations with label selectors, strategic merge patches, and proper error handling for production-grade CLI tooling.
Control event flow from EventSources to triggers. Master filtering, transformation, and multi-action capabilities for sophisticated event-driven automation.
Understanding GitHub Actions secret types, storage hierarchy, and threat model. Secure patterns for managing credentials, tokens, and sensitive configuration.
Kyverno policy templates overview. 28 production-ready policies for pod security, image validation, resource limits, network security, mutation, and generation.
Centralized orchestration with distributed execution. One coordinator spawns many workers in parallel. Scale horizontally without changing hub logic.
Detect and halt on precondition failures before expensive operations begin. Validate inputs, permissions, and state upfront in CI/CD and automation workflows.
Integrate GitHub Core Apps with Actions workflows for org-scoped automation. Generate tokens, access APIs, and implement cross-repository operations patterns.
Production-grade Go CLI patterns, automated release workflows with Release Please, versioned docs, and coverage enforcement for DevSecOps build pipelines.
Least-privilege IAM roles for GKE nodes and workloads. Workload Identity Federation for external authentication and comprehensive audit logging for visibility.
Kyverno image validation: registry allowlists, digests, signatures, and CVE scanning gates for K8s supply chain security.
Secure reusable workflow patterns for GitHub Actions. Input validation, secret inheritance, caller restrictions, and SHA pinning for workflow composition.
Make security mandatory through automation. Branch protection, pre-commit hooks, status checks, policy-as-code, and SLSA provenance for SOC 2 compliance.
OPA image security policies for container registry allowlisting, digest enforcement, and signature verification in Kubernetes.
Master JMESPath for Kyverno policies. Query nested resources, build complex conditions, and validate Kubernetes workloads with production-tested patterns.
Complete security patterns for GitHub Actions covering action pinning, GITHUB_TOKEN permissions, third-party action risks, secret management, and runner security.
Quick reference for GitHub Actions security patterns. Copy-paste snippets for action pinning, token permissions, secrets, runners, and workflow hardening.
Chaos engineering for Kubernetes with Chaos Mesh and LitmusChaos. Pod deletion, network chaos, resource chaos, blast radius control, and validation patterns for reliability testing.
Understanding GITHUB_TOKEN scope, default permissions, and implementing the least-privilege principle for GitHub Actions workflows.
Production-ready deployment workflow examples with OIDC authentication, environment protection, approval gates, and rollback patterns.
Build tiered fallback systems that degrade performance, not availability. Cache layers, API resilience, and automatic failover patterns for platform reliability.
OPA RBAC policies preventing cluster-admin privilege escalation, restricting privileged verbs, and blocking wildcard permissions.
Consolidate all precondition validation into a dedicated gate phase. Check tools, permissions, state, and resources before executing deployment or automation tasks.
Block non-compliant manifests at merge time using a policy-platform container in CI. Automate Kyverno validation across environments with zero configuration drift.