원클릭으로
ci-cd-security
CI/CD pipeline security, supply chain security, SLSA compliance, artifact signing, dependency scanning
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
CI/CD pipeline security, supply chain security, SLSA compliance, artifact signing, dependency scanning
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Identity and access management: RBAC, least privilege, MFA, quarterly reviews per ISO 27001 A.5.15, A.8.2, A.8.3
Business continuity and disaster recovery: 30-day retention, quarterly restore tests, RTO/RPO targets per ISO 27001 A.17
Political psychology, cognitive biases, group dynamics, leadership analysis, decision-making patterns for Swedish political intelligence
Risk-based data and asset classification framework: PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED aligned with ISO 27001 A.5.12 and CIA triad
Unified compliance verification across ISO 27001, NIST CSF, CIS Controls, NIS2, EU CRA, GDPR, SOC 2, PCI DSS, and HIPAA for cybersecurity consulting
Cryptographic controls implementation: TLS 1.3, AES-256-GCM, bcrypt, RSA-4096, key management per NIST FIPS 140-2 and ISO 27001 A.8.24
| name | ci-cd-security |
| description | CI/CD pipeline security, supply chain security, SLSA compliance, artifact signing, dependency scanning |
| license | Apache-2.0 |
Secure the CIA platform's CI/CD pipelines against supply chain attacks, ensure artifact integrity, and maintain compliance with SLSA (Supply-chain Levels for Software Artifacts) requirements. Covers GitHub Actions hardening, dependency scanning, and build provenance.
Do NOT use for:
# Always use minimum required permissions
permissions:
contents: read
actions: read
security-events: write # Only if needed for CodeQL
# Pin actions to full SHA, not tags
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
with:
distribution: 'temurin'
java-version: '25'
permissions at job level — minimize token scope::add-mask:: for dynamic valuesCODEOWNERS for workflow files — require review for changes# Good: Use GitHub Secrets
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
# Bad: Never hardcode or log secrets
# run: echo ${{ secrets.TOKEN }} # NEVER DO THIS
| Level | Requirement | CIA Status |
|---|---|---|
| SLSA 1 | Build process documented | ✅ GitHub Actions |
| SLSA 2 | Hosted build, signed provenance | ✅ GitHub-hosted runners |
| SLSA 3 | Hardened build, non-falsifiable provenance | 🔄 In progress |
# Multi-layer dependency scanning
- name: OWASP Dependency Check
run: mvn dependency-check:check -DfailBuildOnCVSS=7
- name: GitHub Dependency Review
uses: actions/dependency-review-action@v4
with:
fail-on-severity: high
- name: Dependabot Auto-merge (patch only)
# Configured in .github/dependabot.yml
- name: Generate SBOM
run: |
mvn org.cyclonedx:cyclonedx-maven-plugin:makeBom
# Output: target/bom.json (CycloneDX format)
- name: Attest SBOM
uses: actions/attest-sbom@v1
with:
subject-path: 'target/*.jar'
sbom-path: 'target/bom.json'
<!-- Maven settings for reproducible builds -->
<properties>
<project.build.outputTimestamp>2024-01-01T00:00:00Z</project.build.outputTimestamp>
</properties>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<configuration>
<archive>
<manifest>
<addDefaultImplementationEntries>true</addDefaultImplementationEntries>
</manifest>
</archive>
</configuration>
</plugin>
- name: Generate artifact attestation
uses: actions/attest-build-provenance@v1
with:
subject-path: 'target/citizen-intelligence-agency-*.war'
mvn dependency-check:checkgh-advisory-database tool| Update Type | Auto-merge | Review Required |
|---|---|---|
| Patch (x.x.PATCH) | ✅ If tests pass | No |
| Minor (x.MINOR.x) | ❌ | Yes |
| Major (MAJOR.x.x) | ❌ | Yes + security review |
jobs:
build:
runs-on: ubuntu-latest # Use GitHub-hosted runners
# Never use self-hosted runners for public repos without hardening
steps:
- name: Harden Runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit # Monitor outbound connections
| Control | Requirement |
|---|---|
| ISO 27001 A.8.25 | Secure development lifecycle |
| ISO 27001 A.8.31 | Separation of dev/test/prod |
| NIST CSF PR.IP-1 | Configuration management |
| CIS Control 16 | Application software security |
| SLSA L2 | Signed provenance, hosted build |