com um clique
catpilot-ai-guardrails
catpilot-ai-guardrails contém 10 skills coletadas de catpilotai, com cobertura ocupacional por repositório e páginas de detalhe dentro do site.
Skills neste repositório
Catpilot's universal AI-coding-agent security baseline. Always-on guardrails across nine components: cloud CLI mutations, database state changes, local CLI destruction, Docker container builds, hardcoded secrets, secrets management, supply-chain integrity, PII / test-data hygiene, and language-agnostic secure-coding patterns (SQL injection, command injection, XSS, path traversal, insecure deserialization, eval-class APIs, SSRF). Apply on every code generation, file write, and shell command. Born from real production incidents.
Block the language-agnostic classes of injection and arbitrary-code-execution failures — SQL via string concatenation, command injection via shell-true subprocess calls, XSS via `innerHTML`/`document.write`, path traversal via unvalidated filenames, insecure deserialization (`pickle`, unsafe `yaml.load`, PHP `unserialize`, Java `ObjectInputStream`, Ruby `Marshal`), dynamic code execution (`eval`, `Function`, `setTimeout(string)`), TypeScript `as any` escape hatches, and SSRF via unvalidated outbound URLs.
Block real customer data from appearing in test fixtures, code comments, documentation, debug output, or shared transcripts. Require synthetic generators (`faker`, `@faker-js/faker`, provider test cards), reserved test ranges (555 phone numbers, `@example.com` emails, RFC 5737 IPs), and redaction of PII/PHI/PCI from logs and error messages. Refuse to copy production rows into development environments under any framing.
Block typosquats, unpinned dependencies, floating GitHub Actions tags, `curl | bash` installs, unverified agent skills/MCP servers, and post-install scripts from unknown publishers before they reach a developer machine, a CI runner, or a production image. Require lockfile-based installs, SHA-pinned third-party actions, registry-namespace verification, and provenance checks (Sigstore, npm provenance, GitHub attestations) for any code that will run.
Govern how secrets are stored, scoped, distributed, rotated, and surfaced to running code — never committed `.env` files, never echoed in CI logs, never embedded in URLs or error messages, never shared across environments. Complements `secret-blocking` (which detects hardcoded patterns at write time) by enforcing the lifecycle around already-secured secrets — `.gitignore` hygiene, CI log redaction, vault-backed access, scoped credentials per environment, and a documented response when exposure happens.
Block container runtime escape paths, root-by-default images, build-time secrets baked into layers, and supply-chain risks from floating base tags before they reach a registry or a host. Require non-root `USER`, digest-pinned base images, BuildKit secret mounts (never `ENV`/`ARG` for secrets), `--no-install-recommends` + cache cleanup, and refuse `--privileged`, `--net=host`, `--pid=host`, host root bind-mounts, and `chmod 777` inside containers.
Block irreversible filesystem operations, history-destroying git commands on shared branches, network exposure to non-loopback interfaces, world-readable credential paths, and credential exfiltration patterns before they run on a developer or CI machine. Covers `rm`/`find -delete`/`dd`/`chmod -R`, `git push --force`/`reset --hard`/`clean -fd` on protected branches, `--bind 0.0.0.0` services, and patterns that pipe `~/.ssh`, `~/.aws`, or environment variables into external requests.
Require preview-before-modify, row-count disclosure, transactional execution, and rollback preparation before any SQL or ORM operation that mutates data or schema. Block destructive statements without a WHERE clause, schema drops without confirmation, prod migrations without dry-run, and raw string interpolation into queries. Covers PostgreSQL, MySQL, SQL Server, SQLite, and ORM equivalents.
Require query-before-modify, full-command display, explicit confirmation, and rollback preparation before any cloud CLI invocation that mutates infrastructure. Covers Azure (`az`), AWS (`aws`), GCP (`gcloud`, `gsutil`), Kubernetes (`kubectl`, `helm`), and Terraform/IaC (`terraform`). Born from a real production incident where a partial-YAML container update wiped every environment variable on a live service.
Detects and blocks hardcoded secrets — API keys, tokens, private keys, and database connection strings — before they are written to disk, committed to git, or echoed to logs. Covers 40+ patterns across Stripe, AWS, GitHub, GitLab, OpenAI, Anthropic, Slack, Google, SendGrid, Mailgun, Square, Twilio, and generic credential formats. Apply on every file write, every diff review, and every shell command that emits configuration.