ワンクリックで
ci-cd-security
CI/CD pipeline security, supply chain security, SLSA compliance, artifact signing, dependency scanning
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
CI/CD pipeline security, supply chain security, SLSA compliance, artifact signing, dependency scanning
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
Identity and access management: RBAC, least privilege, MFA, quarterly reviews per ISO 27001 A.5.15, A.8.2, A.8.3
Business continuity and disaster recovery: 30-day retention, quarterly restore tests, RTO/RPO targets per ISO 27001 A.17
Political psychology, cognitive biases, group dynamics, leadership analysis, decision-making patterns for Swedish political intelligence
Risk-based data and asset classification framework: PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED aligned with ISO 27001 A.5.12 and CIA triad
Unified compliance verification across ISO 27001, NIST CSF, CIS Controls, NIS2, EU CRA, GDPR, SOC 2, PCI DSS, and HIPAA for cybersecurity consulting
Cryptographic controls implementation: TLS 1.3, AES-256-GCM, bcrypt, RSA-4096, key management per NIST FIPS 140-2 and ISO 27001 A.8.24
| name | ci-cd-security |
| description | CI/CD pipeline security, supply chain security, SLSA compliance, artifact signing, dependency scanning |
| license | Apache-2.0 |
Secure the CIA platform's CI/CD pipelines against supply chain attacks, ensure artifact integrity, and maintain compliance with SLSA (Supply-chain Levels for Software Artifacts) requirements. Covers GitHub Actions hardening, dependency scanning, and build provenance.
Do NOT use for:
# Always use minimum required permissions
permissions:
contents: read
actions: read
security-events: write # Only if needed for CodeQL
# Pin actions to full SHA, not tags
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
with:
distribution: 'temurin'
java-version: '25'
permissions at job level — minimize token scope::add-mask:: for dynamic valuesCODEOWNERS for workflow files — require review for changes# Good: Use GitHub Secrets
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
# Bad: Never hardcode or log secrets
# run: echo ${{ secrets.TOKEN }} # NEVER DO THIS
| Level | Requirement | CIA Status |
|---|---|---|
| SLSA 1 | Build process documented | ✅ GitHub Actions |
| SLSA 2 | Hosted build, signed provenance | ✅ GitHub-hosted runners |
| SLSA 3 | Hardened build, non-falsifiable provenance | 🔄 In progress |
# Multi-layer dependency scanning
- name: OWASP Dependency Check
run: mvn dependency-check:check -DfailBuildOnCVSS=7
- name: GitHub Dependency Review
uses: actions/dependency-review-action@v4
with:
fail-on-severity: high
- name: Dependabot Auto-merge (patch only)
# Configured in .github/dependabot.yml
- name: Generate SBOM
run: |
mvn org.cyclonedx:cyclonedx-maven-plugin:makeBom
# Output: target/bom.json (CycloneDX format)
- name: Attest SBOM
uses: actions/attest-sbom@v1
with:
subject-path: 'target/*.jar'
sbom-path: 'target/bom.json'
<!-- Maven settings for reproducible builds -->
<properties>
<project.build.outputTimestamp>2024-01-01T00:00:00Z</project.build.outputTimestamp>
</properties>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<configuration>
<archive>
<manifest>
<addDefaultImplementationEntries>true</addDefaultImplementationEntries>
</manifest>
</archive>
</configuration>
</plugin>
- name: Generate artifact attestation
uses: actions/attest-build-provenance@v1
with:
subject-path: 'target/citizen-intelligence-agency-*.war'
mvn dependency-check:checkgh-advisory-database tool| Update Type | Auto-merge | Review Required |
|---|---|---|
| Patch (x.x.PATCH) | ✅ If tests pass | No |
| Minor (x.MINOR.x) | ❌ | Yes |
| Major (MAJOR.x.x) | ❌ | Yes + security review |
jobs:
build:
runs-on: ubuntu-latest # Use GitHub-hosted runners
# Never use self-hosted runners for public repos without hardening
steps:
- name: Harden Runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit # Monitor outbound connections
| Control | Requirement |
|---|---|
| ISO 27001 A.8.25 | Secure development lifecycle |
| ISO 27001 A.8.31 | Separation of dev/test/prod |
| NIST CSF PR.IP-1 | Configuration management |
| CIS Control 16 | Application software security |
| SLSA L2 | Signed provenance, hosted build |