securing-cloud-and-supply-chain

Solid

云原生与软件供应链安全防御。容器/K8s 加固、Service Mesh、CI/CD 安全、SLSA/SBOM/Sigstore、云 IAM、Secrets 管理、IaC 安全。Use when hardening Kubernetes clusters, auditing CI/CD pipelines, implementing supply chain security, managing cloud IAM, or reviewing IaC code.

AI & Automation 228 stars 30 forks Updated today MIT

Install

View on GitHub

Quality Score: 91/100

Stars 20%

Recency 20%

100

Frontmatter 20%

Documentation 15%

100

Issue Health 10%

License 10%

100

Description 5%

100

Skill Content

# 云原生与供应链安全 > 默认怀疑一切外来字节：镜像、依赖、IaC 模块、CI runner、IAM trust。能签就签，能锁就锁，能最小就最小。 ## 路由 | 意图 | 秘典 | 核心 | |------|------|------| | 容器/K8s 加固 | [container-and-k8s](references/container-and-k8s.md) | 容器逃逸、RBAC、PSS、NetworkPolicy、Service Mesh、Admission | | 软件供应链 | [supply-chain](references/supply-chain.md) | SLSA、Sigstore、SBOM、CI/CD OIDC、attestation、VEX | | 云 IAM 与 Secrets | [cloud-iam-and-secrets](references/cloud-iam-and-secrets.md) | IAM 反模式、AssumeRole、Vault、KMS、IaC、Workload Identity | ## 何时使用 | 场景 | 用本 skill | 不用 | |------|-----------|------| | K8s manifest / Helm chart 安全审查 | ✅ | — | | CI/CD pipeline (GitHub Actions / GitLab CI) 加固 | ✅ | — | | Terraform / Pulumi / CloudFormation 评审 | ✅ | — | | AWS/GCP/Azure IAM policy 审查 | ✅ | — | | 镜像扫描与签名链路设计 | ✅ | — | | 应用层 Web/API 漏洞 (SQLi/XSS/SSRF) | — | 用 `securing-systems` | | 红队 C2/横移/免杀 | — | 用 `securing-systems/red-team` | | 集群部署/Helm 模板编写 (非安全视角) | — | 用 `provisioning-infrastructure` | | 一般架构设计与权衡 | — | 用 `designing-architectures` | ## 通用铁律 1. **Least privilege by default** — 任何 Role/IAM/SA/Token 起手就是空集合，按需求逐项添加，禁通配 `*` 与 `Action: *`。 2. **Immutable infrastructure** — 镜像用 digest 不用 tag，IaC state 不允许人工 drift，部署后只重建不改造。 3. **Sign everything, verify everywhere** — 镜像、artifact、commit、SBOM 必须签名；准入控制必须 verify，否则等于没签。 4. **Secrets never in plaintext** — 不进 git、不进 env file、不进 ConfigMap、不进 Terraform state；Vault/Secret Manager + 短期凭证。 5. **Defense in depth** — 镜像扫描 + admission policy + runtime detection + network policy + audit log，单层失守不致命。...

Details

Author: telagod
Repository: telagod/code-abyss
Created: 4 months ago
Last Updated: today
Language: JavaScript
License: MIT

Integrates with

Azure · Cloud GitHub · DevTools GitLab · DevTools Kubernetes · Infrastructure Terraform · Infrastructure

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Solid

securing-systems

Security engineering router for authorized assessments and defensive engineering. Covers penetration testing, code auditing, red/blue/purple team operations, threat intelligence, and vulnerability research. For specialized application security, cloud security, detection engineering, or security architecture, route to dedicated skills (defending-applications, securing-cloud-and-supply-chain, detecting-and-responding, architecting-security).

228 Updated today

telagod

AI & Automation Solid

defending-applications

Application security defense knowledge for builders, not pentesters. Covers Web/API/GraphQL hardening (XSS/SQLi/SSRF/IDOR/BOLA/Mass Assignment/deserialization/upload/path traversal), authentication/authorization (OAuth 2.0/OIDC/JWT/Session/Cookie/SAML/SSO), and LLM application security (prompt injection, jailbreak, RAG poisoning, agent privilege escalation, output filtering). Use when designing or reviewing application-layer defenses, fixing CVE-class bugs in your own code, hardening auth flows, or threat-modeling LLM-powered features. Do NOT use for offensive testing (see securing-systems/pentest), incident response (see securing-systems/blue-team), or infra-layer hardening (see provisioning-infrastructure).

228 Updated today

telagod

AI & Automation Solid

architecting-security

安全架构与治理：威胁建模 (STRIDE/PASTA/LINDDUN)、零信任身份架构、IAM/SSO/MFA/PAM、合规框架 (SOC2/PCI/HIPAA/GDPR)、DLP、隐私工程、安全控制设计。Use when designing security architecture, threat modeling new systems, implementing zero-trust identity, designing IAM/SSO/PAM, building compliance evidence chains, or planning privacy-by-design.

228 Updated today

telagod