Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

adaptive-enforcement-lab/kyverno-mutation-templates

Name: kyverno-mutation-templates
Author: adaptive-enforcement-lab

plugins/enforce/skills/kyverno-mutation-templates/SKILL.md

npx skillsauth add adaptive-enforcement-lab/claude-skills kyverno-mutation-templates

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Kyverno Mutation Templates

When to Use This Skill

Mutation policies modify resources at admission time, before they're persisted to etcd. This approach enforces standards without blocking deployments or requiring manual manifest updates.

Implementation

See the full implementation guide in the source documentation.

Techniques

Common Patterns

Conditional Mutations

Only mutate resources that match specific criteria:

Namespace-scoped mutations (dev vs prod)
Label-based mutations (inject monitoring only for app.kubernetes.io/monitored=true)
Resource type mutations (different rules for Deployments vs StatefulSets)

Mutation Conflicts

When multiple policies mutate the same field:

Last-write-wins - Policies execute in alphabetical order by name
Merge strategies - Use patchStrategicMerge or patchesJson6902 for predictable merging
Exclusions - Use exclude blocks to prevent conflicting mutations

Security Boundaries

Never mutate security-critical fields:

Security contexts (runAsUser, capabilities, privileged)
Resource limits (mutations can escalate privileges)
Host paths or volumes (mutations can grant filesystem access)

Use validation policies for security boundaries. Use mutations for operational standards.

Examples

See examples.md for code examples.

Related Patterns

Kyverno Templates Overview
Kyverno Generation Templates
Kyverno Image Security

References

Source Documentation
AEL Enforce

adaptive-enforcement-lab/kyverno-mutation-templates

plugins/enforce/skills/kyverno-mutation-templates/SKILL.md

Kyverno mutation policies that auto-inject labels, sidecars, and configuration into Kubernetes workloads at admission time.

testing

Updated Mar 27, 2026

$ install --global

skillsauth

npx skillsauth add adaptive-enforcement-lab/claude-skills kyverno-mutation-templates

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Mar 29, 2026, 10:32 AM36.3s5 files scanned

SKILL.md

name:: kyverno-mutation-templates
description:: >-

Kyverno Mutation Templates

When to Use This Skill

Mutation policies modify resources at admission time, before they're persisted to etcd. This approach enforces standards without blocking deployments or requiring manual manifest updates.

Implementation

See the full implementation guide in the source documentation.

Techniques

Common Patterns

Conditional Mutations

Only mutate resources that match specific criteria:

Namespace-scoped mutations (dev vs prod)
Label-based mutations (inject monitoring only for app.kubernetes.io/monitored=true)
Resource type mutations (different rules for Deployments vs StatefulSets)

Mutation Conflicts

When multiple policies mutate the same field:

Last-write-wins - Policies execute in alphabetical order by name
Merge strategies - Use patchStrategicMerge or patchesJson6902 for predictable merging
Exclusions - Use exclude blocks to prevent conflicting mutations

Security Boundaries

Never mutate security-critical fields:

Security contexts (runAsUser, capabilities, privileged)
Resource limits (mutations can escalate privileges)
Host paths or volumes (mutations can grant filesystem access)

Use validation policies for security boundaries. Use mutations for operational standards.

Examples

See examples.md for code examples.

Related Patterns

Kyverno Templates Overview
Kyverno Generation Templates
Kyverno Image Security

References

Source Documentation
AEL Enforce

Related Skills

adaptive-enforcement-lab/workload-identity-federation-implementation

documentation

VerifiedTrustedCommunity

Workload Identity Federation implementation guide. GKE setup, IAM bindings, ServiceAccount configuration, migration from service account keys, and troubleshooting patterns.

SKILL.mdUpdated Mar 27, 2026

adaptive-enforcement-lab/workload-identity-federation-implementation

adaptive-enforcement-lab/workflow-trigger-security

development

VerifiedTrustedCommunity

Secure GitHub Actions trigger patterns for pull requests, forks, and reusable workflows. Preventing privilege escalation and code injection through trigger misconfiguration.

SKILL.mdUpdated Mar 27, 2026

adaptive-enforcement-lab/workflow-trigger-security

adaptive-enforcement-lab/third-party-action-risk-assessment

development

VerifiedTrustedCommunity

Structured framework for evaluating GitHub Actions security before adoption. Trust tiers, risk assessment checklist, and decision tree for action evaluation.

SKILL.mdUpdated Mar 27, 2026

adaptive-enforcement-lab/third-party-action-risk-assessment

adaptive-enforcement-lab/storing-credentials

testing

VerifiedTrustedCommunity

Securely store GitHub App credentials across different environments. GitHub Actions secrets, external CI, Kubernetes, and automated rotation patterns.

SKILL.mdUpdated Mar 27, 2026

adaptive-enforcement-lab/storing-credentials

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/adaptive-enforcement-lab/claude-skills.git

# Copy into Claude Code skills folder (global)
cp -r claude-skills/plugins/enforce/skills/kyverno-mutation-templates ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

adaptive-enforcement-lab/claude-skills

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT