Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

sawrus/pipeline-security

Name: pipeline-security
Author: sawrus

areas/devops/ci-cd/skills/pipeline-security/SKILL.md

npx skillsauth add sawrus/agent-guides pipeline-security

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Skill: Pipeline Security

Expertise: OIDC cloud auth, least-privilege workflow permissions, secret scanning, keyless artifact signing, SLSA provenance, and admission policy checks.

When to load

When designing or hardening CI/CD pipelines for production deployments, especially where compliance or high-risk workloads are involved.

Security Outcomes (definition of done)

Pipeline uses OIDC federation (no long-lived cloud keys in CI secrets).
Artifacts are signed keylessly and verified with identity constraints.
Provenance + SBOM are generated and validated before deploy.
Workflows use minimal GitHub/GitLab permissions.
Runtime admission policies block unsigned/unattested artifacts.

OIDC Authentication (no long-lived credentials)

jobs:
  deploy:
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: aws-actions/configure-aws-credentials@<pinned-sha>
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-actions-deploy
          aws-region: us-east-1

Constrain trust policy by repo, ref, and workflow identity.
Prefer short session duration and environment-scoped roles.

Minimal Permissions Model

permissions:
  contents: read
  id-token: write
  packages: write

Deny by default; explicitly request only required scopes.
Split build and deploy into separate jobs with separate permissions.

Keyless Signing + Verification

# Sign immutable artifact digest
cosign sign --yes registry.example.com/team/service@sha256:<digest>

# Verify identity and issuer in deploy gate
cosign verify \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity-regexp 'https://github.com/myorg/myrepo/\.github/workflows/.+@refs/tags/v.+' \
  registry.example.com/team/service@sha256:<digest>

Provenance + SBOM Requirements

Generate SLSA provenance attestation for each release artifact.
Generate CycloneDX/SPDX SBOM for exact artifact digest.
Store attestation/SBOM references in release metadata.
Block deploy if attestation/SBOM is missing or invalid.

Secret and Dependency Controls

Run secret scanning (trufflehog/gitleaks) on PR and main.
Run dependency review with severity threshold and license policy.
Fail pipeline on critical policy violations; do not “warn-only” for production paths.

Runner Hardening

Ephemeral runners preferred (one job per VM/pod).
No privileged mode unless explicitly justified.
Restrict network egress to required registries/APIs.
Never persist cloud credentials or kubeconfig on runner disk.

Policy-as-Code Integration

Enforce cluster admission checks for:
- signed image;
- digest-only reference;
- valid provenance for production namespaces.
Keep exception path explicit: owner + expiry + compensating controls.

sawrus/pipeline-security

areas/devops/ci-cd/skills/pipeline-security/SKILL.md

Secure CI/CD pipelines with keyless signing, OIDC federation, provenance attestations, policy enforcement, and hardened runners.

12 stars

testing

Updated Apr 18, 2026

$ install --global

skillsauth

npx skillsauth add sawrus/agent-guides pipeline-security

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 18, 2026, 4:19 AM42.0s1 file scanned

SKILL.md

name:: pipeline-security
type:: skill
description:: Secure CI/CD pipelines with keyless signing, OIDC federation, provenance attestations, policy enforcement, and hardened runners.
allowed-tools:: Read, Write, Edit

Skill: Pipeline Security

Expertise: OIDC cloud auth, least-privilege workflow permissions, secret scanning, keyless artifact signing, SLSA provenance, and admission policy checks.

When to load

When designing or hardening CI/CD pipelines for production deployments, especially where compliance or high-risk workloads are involved.

Security Outcomes (definition of done)

Pipeline uses OIDC federation (no long-lived cloud keys in CI secrets).
Artifacts are signed keylessly and verified with identity constraints.
Provenance + SBOM are generated and validated before deploy.
Workflows use minimal GitHub/GitLab permissions.
Runtime admission policies block unsigned/unattested artifacts.

OIDC Authentication (no long-lived credentials)

jobs:
  deploy:
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: aws-actions/configure-aws-credentials@<pinned-sha>
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-actions-deploy
          aws-region: us-east-1

Constrain trust policy by repo, ref, and workflow identity.
Prefer short session duration and environment-scoped roles.

Minimal Permissions Model

permissions:
  contents: read
  id-token: write
  packages: write

Deny by default; explicitly request only required scopes.
Split build and deploy into separate jobs with separate permissions.

Keyless Signing + Verification

# Sign immutable artifact digest
cosign sign --yes registry.example.com/team/service@sha256:<digest>

# Verify identity and issuer in deploy gate
cosign verify \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity-regexp 'https://github.com/myorg/myrepo/\.github/workflows/.+@refs/tags/v.+' \
  registry.example.com/team/service@sha256:<digest>

Provenance + SBOM Requirements

Generate SLSA provenance attestation for each release artifact.
Generate CycloneDX/SPDX SBOM for exact artifact digest.
Store attestation/SBOM references in release metadata.
Block deploy if attestation/SBOM is missing or invalid.

Secret and Dependency Controls

Run secret scanning (trufflehog/gitleaks) on PR and main.
Run dependency review with severity threshold and license policy.
Fail pipeline on critical policy violations; do not “warn-only” for production paths.

Runner Hardening

Ephemeral runners preferred (one job per VM/pod).
No privileged mode unless explicitly justified.
Restrict network egress to required registries/APIs.
Never persist cloud credentials or kubeconfig on runner disk.

Policy-as-Code Integration

Enforce cluster admission checks for:
- signed image;
- digest-only reference;
- valid provenance for production namespaces.
Keep exception path explicit: owner + expiry + compensating controls.

Related Skills

sawrus/qa_expert

testing

VerifiedTrustedCommunity

QA Expert for writing E2E tests, test scenarios, test plans, and ensuring test coverage quality.

12SKILL.mdUpdated Apr 18, 2026

sawrus/design_expert

development

VerifiedTrustedCommunity

Expert UI/UX design intelligence for creating distinctive, high-craft, and mobile-first interfaces. Focuses on premium aesthetics, touch-first ergonomics, and Flutter performance.

12SKILL.mdUpdated Apr 18, 2026

sawrus/code_review_expert

development

VerifiedTrustedCommunity

Code Review Expert for static analysis, security auditing, architecture review, and ensuring code quality standards.

12SKILL.mdUpdated Apr 18, 2026

sawrus/code_review_expert

sawrus/babysit-pr

development

VerifiedTrustedCommunity

Babysit a GitHub pull request after creation by continuously polling review comments, CI checks/workflow runs, and mergeability state until the PR is merged/closed or user help is required. Diagnose failures, retry likely flaky failures up to 3 times, auto-fix/push branch-related issues when appropriate, and keep watching open PRs so fresh review feedback is surfaced promptly. Use when the user asks Codex to monitor a PR, watch CI, handle review comments, or keep an eye on failures and feedback on an open PR.

12SKILL.mdUpdated Apr 18, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/sawrus/agent-guides.git

# Copy into Claude Code skills folder (global)
cp -r agent-guides/areas/devops/ci-cd/skills/pipeline-security ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

sawrus/agent-guides

12 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT