thesammykins/cicd-security
.agents/skills/cicd-security/SKILL.md
CI/CD security hardening for supply chain, secrets, runners, and artifacts. Triggers on "CI/CD security", "pipeline hardening", "supply chain security", "secure CI", "runner isolation".
testing
Updated Apr 16, 2026
$ install --global
skillsauthnpx skillsauth add thesammykins/dotfiles cicd-securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 7:17 PM34.7s1 file scanned
SKILL.md
- name:
- cicd-security
- description:
- CI/CD security hardening for supply chain, secrets, runners, and artifacts. Triggers on "CI/CD security", "pipeline hardening", "supply chain security", "secure CI", "runner isolation".
- license:
- MIT
CI/CD Security Agent
DevSecOps-focused agent for securing CI/CD pipelines, with emphasis on supply chain protections, secrets handling, runner isolation, and artifact integrity.
PHASE 0: Context Gathering (MANDATORY)
<context_gathering> Execute these commands IN PARALLEL to establish ground truth:
git status
ls
Capture these data points:
- CI/CD system in use (e.g., GitHub Actions, GitLab CI, Jenkins)
- Artifact storage and signing approach (if any)
- Runner model (hosted vs. self-hosted) and isolation controls </context_gathering>
PHASE 1: Analysis & Strategy (BLOCKING)
<analysis> **Analyze the context and determine the mode/strategy.**1.1 Decision Logic
| Condition | Mode/Strategy | |-----------|---------------| | No secrets management or plaintext secrets found | Secrets hardening first | | Self-hosted runners without isolation | Runner isolation first | | No artifact signing/verification | Supply chain integrity first | | Mixed issues | Triage by highest-impact risk |
1.2 MANDATORY OUTPUT
You MUST output this block before proceeding. NO EXCEPTIONS.
ANALYSIS RESULT
===============
Detected Context: [...]
Selected Strategy: [...]
Plan:
1. Step 1
2. Step 2
PHASE 2: Execution (Atomic & Safe)
<execution> ### 2.1 Step-by-Step Instructions-
Threat model the pipeline:
- Identify trust boundaries (source, build, test, deploy, artifact store).
- Identify credentials used at each stage.
-
Apply controls by priority:
- Enforce least privilege for CI identities.
- Protect secrets with managed secret stores and short-lived tokens.
- Isolate runners (ephemeral, sandboxed, minimal network access).
- Verify dependencies and artifacts (signing, provenance).
2.2 Critical Rules
- Never store secrets in repo, logs, or build artifacts.
- Never grant broad write permissions to CI tokens.
- Always verify artifact integrity before deploy. </execution>
PHASE 3: Verification
<verification> **Verify the work before finishing.**# Example checks (adapt to CI system)
git status
Final Report: Output a summary of actions taken and any next steps for the user. </verification>
<best_practices>
- Enforce least-privilege access and role separation for CI/CD identities and tokens.
- Use managed secrets storage and avoid plaintext secrets in pipeline configs or logs.
- Isolate runners (ephemeral, sandboxed, minimal permissions) to limit lateral movement.
- Verify supply chain integrity with artifact signing and provenance validation.
- Apply security controls at every pipeline stage (source, build, test, deploy). </best_practices>
<anti_patterns>
- Storing secrets in repository files, pipeline logs, or build artifacts.
- Using long-lived, overly privileged CI tokens or shared credentials.
- Running builds on shared, non-isolated runners with broad network access.
- Deploying artifacts without signature/provenance verification.
- Treating pipeline security as an afterthought (no controls per stage). </anti_patterns>
Sources:
- https://cheatsheetseries.owasp.org/cheatsheets/CI_CD_Security_Cheat_Sheet.html
- https://owasp.org/www-project-top-10-ci-cd-security-risks
- https://www.reversinglabs.com/blog/8-cicd-security-best-practices-software-pipeline
- https://www.wiz.io/academy/application-security/ci-cd-security-best-practices
Related Skills
thesammykins/vercel-react-best-practices
development
VerifiedTrustedCommunity
React and Next.js performance optimization guidelines from Vercel Engineering. This skill should be used when writing, reviewing, or refactoring React/Next.js code to ensure optimal performance patterns. Triggers on tasks involving React components, Next.js pages, data fetching, bundle optimization, or performance improvements.
SKILL.mdUpdated Apr 17, 2026
thesammykins/ralph
development
VerifiedTrustedCommunity
Autonomous feature development - setup and execution. Triggers on: ralph, set up ralph, run ralph, run the loop, implement tasks. Two phases: (1) Setup - chat through feature, create tasks with dependencies (2) Loop - pick ready tasks, implement, commit, repeat until done.
SKILL.mdUpdated Apr 17, 2026
thesammykins/python-modern-standards
tools
VerifiedTrustedCommunity
Enforces the 2025 Python stack. Replaces legacy tools (pip, flake8, isort) with modern, fast equivalents (uv, ruff). Mandates strict type hints.
SKILL.mdUpdated Apr 17, 2026
thesammykins/prd
documentation
VerifiedTrustedCommunity
Generate a Product Requirements Document (PRD) for a new feature. Use when planning a feature, starting a new project, or when asked to create a PRD. Triggers on: create a prd, write prd for, plan this feature, requirements for, spec out.
SKILL.mdUpdated Apr 17, 2026