AgentSkillsCN

owasp-cicd-top-10

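OWASP Cloud-Native Application Security Top 10: prevention, detection, and remediation for containers, orchestration systems, and cloud-native applications. Applies to insecure configuration, injection attacks, authentication, CI/CD and supply-chain security, secrets management, network policy hardening, and similar scenarios. Note: the official list includes only 6 risks, and the project has been archived.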

SKILL.md
--- frontmatter
name: owasp-cicd-top-10
description: "OWASP Top 10 CI/CD Security Risks - prevention, detection, and remediation for pipeline security. Use when securing or reviewing CI/CD - flow control, IAM, dependency chain, poisoned pipeline execution, PBAC, credential hygiene, system config, third-party services, artifact integrity, logging and visibility."

OWASP Top 10 CI/CD Security Risks

This skill encodes the OWASP Top 10 CI/CD Security Risks for secure pipeline design and review. References are loaded per risk. Based on OWASP Top 10 CI/CD Security Risks 2022.

When to Read Which Reference

| Risk | Read |
|------|------|
| CICD-SEC-1 Insufficient Flow Control | references/cicd-sec-1-flow-control.md |
| CICD-SEC-2 Inadequate IAM | references/cicd-sec-2-iam.md |
| CICD-SEC-3 Dependency Chain Abuse | references/cicd-sec-3-dependency-chain-abuse.md |
| CICD-SEC-4 Poisoned Pipeline Execution | references/cicd-sec-4-poisoned-pipeline-execution.md |
| CICD-SEC-5 Insufficient PBAC | references/cicd-sec-5-pbac.md |
| CICD-SEC-6 Insufficient Credential Hygiene | references/cicd-sec-6-credential-hygiene.md |
| CICD-SEC-7 Insecure System Configuration | references/cicd-sec-7-insecure-system-config.md |
| CICD-SEC-8 Ungoverned 3rd Party Services | references/cicd-sec-8-third-party-services.md |
| CICD-SEC-9 Improper Artifact Integrity Validation | references/cicd-sec-9-artifact-integrity.md |
| CICD-SEC-10 Insufficient Logging and Visibility | references/cicd-sec-10-logging-visibility.md |

Quick Patterns

  • Enforce approval and branching for pipeline execution; apply least-privilege IAM. Verify dependency and artifact integrity; secure credentials; audit third-party usage; enable logging and alerting.

Quick Reference / Examples

| Task | Approach |
|------|----------|
| Protect main branch | Require PR reviews, signed commits, branch protection. See CICD-SEC-1. |
| Secure pipeline IAM | Least privilege, short-lived tokens, no shared creds. See CICD-SEC-2. |
| Verify dependencies | Lock versions, audit, verify checksums. See CICD-SEC-3. |
| Protect credentials | Use secrets manager, rotate, never log. See CICD-SEC-6. |
| Sign artifacts | Sign images/packages, verify before deploy. See CICD-SEC-9. |

Safe - GitHub branch protection:

yaml
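# .github/settings.yml (or repo settings)
branches:
  - name: main
    protection:
      # Every change to main needs at least one approving PR review
      required_pull_request_reviews:
        required_approving_review_count: 1
      # strict: the branch must be up to date with main before merging
      required_status_checks:
        strict: true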

Safe - short-lived OIDC credentials (GitHub Actions):

yaml
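permissions:
  id-token: write   # lets the job request a GitHub OIDC token
  contents: read

jobs:
  deploy:           # illustrative job name
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          # Placeholder account ID (AWS account IDs are 12 digits)
          role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsRole
          aws-region: us-east-1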

Unsafe - long-lived secrets:

yaml
env:
  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_KEY }}  # Prefer OIDC over static keys
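
A review check for the two patterns above, as an added example that is not part of the original skill: it flags static AWS keys in a workflow and an OIDC role assumption that lacks `id-token: write`. The sample workflows, the `AWS_SECRET` secret name, `./deploy.sh`, and the rule names are constructed for illustration.

```python
import re

# Constructed sample workflows modelled on the safe and unsafe snippets above.
UNSAFE = """\
jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_KEY }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET }}
    steps:
      - run: ./deploy.sh
"""
SAFE = """\
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsRole
          aws-region: us-east-1
"""
# SAFE with its permissions block removed: the job cannot request an OIDC token.
NO_PERMISSION = "jobs:" + SAFE.split("jobs:", 1)[1]

# Env-var form and the configure-aws-credentials input form of static keys.
STATIC_KEY = re.compile(
    r"^\s*(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|aws-access-key-id|aws-secret-access-key)\s*:")
OIDC_PERMISSION = re.compile(r"^\s*id-token\s*:\s*write\b")
ROLE = re.compile(r"^\s*role-to-assume\s*:")

def audit_workflow(text):
    """Return (line_number, rule, key) findings for one workflow file."""
    lines = text.splitlines()
    findings = [(n, "static-aws-key", m.group(1))
                for n, l in enumerate(lines, 1) if (m := STATIC_KEY.match(l))]
    has_permission = any(OIDC_PERMISSION.match(l) for l in lines)
    if not findings and not has_permission:
        # role-to-assume with neither static keys nor id-token: write cannot use OIDC.
        findings += [(n, "oidc-missing-id-token-write", "role-to-assume")
                     for n, l in enumerate(lines, 1) if ROLE.match(l)]
    return findings
```

The check is line-based and skips commented-out keys; it does not resolve reusable workflows or job-level `permissions` overrides.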

Workflow

Load the reference for the risk you are addressing. See OWASP Top 10 CI/CD Security Risks for the official list.