AgentSkillsCN

security

在进行安全审查、渗透测试、威胁建模、合规性工作,或事件响应时,可使用本技能。当用户提及“安全审计”、“漏洞”、“渗透测试”、“pentest”、“OWASP”、“CVE”、“安全审查”、“威胁模型”、“零信任”、“SOC 2”、“HIPAA”、“GDPR”、“合规性”、“事件响应”、“SBOM”、“供应链安全”、“密钥管理”,或“认证安全”时,本技能即可触发。

SKILL.md
--- frontmatter
name: security
description: Use this skill when doing security reviews, penetration testing, threat modeling, compliance work, or incident response. Activates on mentions of security audit, vulnerability, penetration test, pentest, OWASP, CVE, security review, threat model, zero trust, SOC 2, HIPAA, GDPR, compliance, incident response, SBOM, supply chain security, secrets management, or authentication security.

Security Operations

Secure systems from design through deployment and incident response.

Quick Reference

Security Architecture Principles

Zero Trust Model:

  1. Never trust, always verify
  2. Assume breach
  3. Verify explicitly
  4. Least privilege access
  5. Micro-segmentation

SLSA Framework (Supply Chain):

  • Level 1: Documentation
  • Level 2: Hosted build, signed provenance
  • Level 3: Hardened builds, 2-person review
  • Level 4: Hermetic, reproducible builds

Threat Modeling (STRIDE)

ThreatExampleMitigation
SpoofingFake identityStrong auth, MFA
TamperingModified dataIntegrity checks, signing
RepudiationDeny actionsAudit logs, non-repudiation
Information DisclosureData leakEncryption, access control
Denial of ServiceOverloadRate limiting, scaling
Elevation of PrivilegeUnauthorized accessLeast privilege, RBAC

Code Security Review Checklist

markdown
## OWASP Top 10 (2021)

- [ ] A01: Broken Access Control
- [ ] A02: Cryptographic Failures
- [ ] A03: Injection (SQL, NoSQL, OS, LDAP)
- [ ] A04: Insecure Design
- [ ] A05: Security Misconfiguration
- [ ] A06: Vulnerable Components
- [ ] A07: Auth Failures
- [ ] A08: Software/Data Integrity Failures
- [ ] A09: Logging/Monitoring Failures
- [ ] A10: SSRF

Secrets Management

Never commit secrets. Use environment-based injection:

yaml
# Kubernetes External Secrets
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: api-keys
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore
  target:
    name: api-keys
  data:
    - secretKey: OPENAI_API_KEY
      remoteRef:
        key: secret/data/api-keys
        property: openai

SBOM Generation

bash
# Generate SBOM with Syft
syft packages dir:. -o spdx-json > sbom.spdx.json

# Scan for vulnerabilities with Grype
grype sbom:sbom.spdx.json --fail-on high

Container Security

dockerfile
# Secure Dockerfile patterns
FROM cgr.dev/chainguard/node:latest AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production

FROM cgr.dev/chainguard/node:latest
WORKDIR /app
COPY --from=build /app/node_modules ./node_modules
COPY . .
USER nonroot
CMD ["node", "server.js"]

Scan images:

bash
trivy image myapp:latest --severity HIGH,CRITICAL

Runtime Security (eBPF)

Tetragon for kernel-level enforcement:

yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: sensitive-file-access
spec:
  kprobes:
    - call: "fd_install"
      selectors:
        - matchArgs:
            - index: 1
              operator: "Prefix"
              values: ["/etc/shadow", "/etc/passwd"]
      action: NotifyEnforcer

Falco for threat detection:

yaml
- rule: Shell Spawned in Container
  desc: Detect shell spawned in a container
  condition: >
    spawned_process and container and
    proc.name in (shell_binaries)
  output: >
    Shell spawned in container
    (user=%user.name container=%container.name shell=%proc.name)
  priority: WARNING

Compliance Automation

Vanta/Drata Integration:

  • Continuous monitoring of 35+ frameworks
  • Automated evidence collection
  • Risk flagging and remediation tracking

Key Frameworks:

  • SOC 2 Type II
  • ISO 27001
  • HIPAA
  • GDPR
  • PCI DSS

Incident Response Playbook

markdown
## Phase 1: Detection & Analysis (MTTD < 5 min)

1. Alert triggered → Acknowledge in SOAR
2. Gather initial IOCs (IPs, hashes, usernames)
3. Determine scope and severity
4. Escalate if P1/P2

## Phase 2: Containment (MTTR < 1 hour)

1. Isolate affected systems
2. Block malicious IPs/domains
3. Disable compromised accounts
4. Preserve evidence (disk images, logs)

## Phase 3: Eradication

1. Remove malware/backdoors
2. Patch vulnerabilities
3. Reset credentials
4. Verify clean state

## Phase 4: Recovery

1. Restore from clean backups
2. Monitor for re-infection
3. Gradual service restoration
4. Validate functionality

## Phase 5: Lessons Learned

1. Timeline reconstruction
2. Root cause analysis
3. Update playbooks
4. Security improvements

Penetration Testing Checklist

markdown
## Reconnaissance

- [ ] DNS enumeration
- [ ] Subdomain discovery
- [ ] Port scanning
- [ ] Service fingerprinting

## Web Application

- [ ] Authentication bypass
- [ ] Session management
- [ ] Input validation
- [ ] Access control
- [ ] Business logic

## Infrastructure

- [ ] Network segmentation
- [ ] Privilege escalation
- [ ] Lateral movement
- [ ] Data exfiltration paths

Agents

  • security-architect - Threat modeling, secure design, compliance
  • incident-responder - Incident handling, forensics, recovery

Deep Dives

Examples