security-automation

📁 bagelhole/devops-security-agent-skills 📅 9 days ago
Total installs: 1
Weekly installs: 1
Site rank: #53946
Install command
npx skills add https://github.com/bagelhole/devops-security-agent-skills --skill security-automation

Agent install distribution

opencode 1
codex 1
claude-code 1

Skill documentation

Security Automation

Automate security operations for scale and efficiency.

Security Pipeline

# .github/workflows/security.yml
name: Security Pipeline

on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # @main / @master are mutable refs kept here for brevity; pin third-party
      # actions to a release tag or commit SHA before using this in production
      - name: Secret Scanning
        uses: trufflesecurity/trufflehog@main

      - name: SAST
        uses: returntocorp/semgrep-action@v1

      # fails the job when a high or critical severity advisory is found
      - name: Dependency Scan
        run: npm audit --audit-level=high

      # 'fs' scans the checked-out tree (lockfiles, IaC, secrets), not a built image
      - name: Container Scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'

      - name: Compliance Check
        run: |
          checkov -d . --framework terraform

Automated Remediation

# Auto-remediation script
import boto3


def remediate_public_s3(bucket_name):
    """Remove public access from an S3 bucket by enabling all four
    Public Access Block settings (idempotent, so it is safe to re-run)."""
    s3 = boto3.client('s3')
    s3.put_public_access_block(
        Bucket=bucket_name,
        PublicAccessBlockConfiguration={
            'BlockPublicAcls': True,       # reject new public ACLs
            'IgnorePublicAcls': True,      # ignore public ACLs already set
            'BlockPublicPolicy': True,     # reject new bucket policies granting public access
            'RestrictPublicBuckets': True  # limit access to buckets that already have a public policy
        }
    )

SOAR Integration

playbook:
  name: Suspicious Login Response
  trigger: alert.type == "suspicious_login"
  actions:
    - enrich_ip:
        source: threat_intel
    - if_condition: ip.is_malicious
      then:
        - block_ip:
            firewall: cloudflare
        - disable_user:
            duration: 1h
        - notify:
            channel: security
        - create_ticket:
            priority: high
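
To show how a playbook like the one above is actually driven, here is an added example (not code from the skill repository) of a minimal Python runner that executes that playbook against a sample alert. The threat-intel table, the alert fields (`type`, `src_ip`), the `DESTRUCTIVE` action set and the dry-run approval gate are all assumptions introduced for the example.

```python
# Constructed copy of the page's playbook as a dict, so no YAML parser is needed
PLAYBOOK = {
    "name": "Suspicious Login Response",
    "trigger": 'alert.type == "suspicious_login"',
    "actions": [
        {"enrich_ip": {"source": "threat_intel"}},
        {"if_condition": "ip.is_malicious", "then": [
            {"block_ip": {"firewall": "cloudflare"}},
            {"disable_user": {"duration": "1h"}},
            {"notify": {"channel": "security"}},
            {"create_ticket": {"priority": "high"}},
        ]},
    ],
}
THREAT_INTEL = {"203.0.113.7": True, "198.51.100.20": False}  # constructed feed stand-in
DESTRUCTIVE = {"block_ip", "disable_user"}  # recorded, not executed, while dry_run is set

def lookup(ctx, dotted):
    """Resolve a dotted path such as 'alert.type' against the context dict."""
    for part in dotted.split("."):
        ctx = ctx[part]
    return ctx

def evaluate(ctx, expr):
    """Evaluate 'path == "literal"' or a bare path (truthiness) against ctx."""
    if "==" in expr:
        left, right = (s.strip() for s in expr.split("==", 1))
        return lookup(ctx, left) == right.strip('"')
    return bool(lookup(ctx, expr))

def run_playbook(playbook, alert, dry_run=True):
    """Return the ordered (action, params, executed) tuples for this alert; with
    dry_run=True destructive actions are queued for analyst approval, not run."""
    ctx = {"alert": alert, "ip": {"address": alert["src_ip"], "is_malicious": None}}
    if not evaluate(ctx, playbook["trigger"]):
        return []
    fired = []
    def execute(steps):
        for step in steps:
            if "if_condition" in step:
                if evaluate(ctx, step["if_condition"]):
                    execute(step["then"])
                continue
            (name, params), = step.items()
            executed = not (dry_run and name in DESTRUCTIVE)
            if name == "enrich_ip":  # read-only enrichment runs even in dry_run
                ctx["ip"]["is_malicious"] = THREAT_INTEL.get(ctx["ip"]["address"], False)
            fired.append((name, params, executed))
    execute(playbook["actions"])
    return fired
```

The returned list doubles as the audit trail: every action that the playbook decided on is recorded with whether it was actually carried out.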

Compliance as Code

# Checkov custom check
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck


class S3Encryption(BaseResourceCheck):
    def __init__(self):
        name = "Ensure S3 bucket has encryption enabled"
        id = "CUSTOM_S3_1"
        supported_resources = ['aws_s3_bucket']
        categories = [CheckCategories.ENCRYPTION]
        super().__init__(name=name, id=id, categories=categories,
                         supported_resources=supported_resources)

    def scan_resource_conf(self, conf):
        # conf is the parsed body of one aws_s3_bucket resource; the key is
        # present only when the encryption block is declared inline on the bucket
        if 'server_side_encryption_configuration' in conf:
            return CheckResult.PASSED
        return CheckResult.FAILED


# Checkov registers a custom check when the module instantiates it
check = S3Encryption()

Best Practices

  • Start with high-impact automations
  • Test in staging first
  • Include manual review gates
  • Monitor automation effectiveness
  • Update rules regularly
