feat(skill): introduce owasp-infrastructure

[JasonTheDeveloper]

Pull Request

Description

In alignment with phase 2 discussed in #480 (comment), this PR introduces the OWASP Infrastructure Top 10 skill to hve-core and the security reviewer agent.

Related Issue(s)

Closes #1241

Type of Change

Select all that apply:

Code & Documentation:

• Bug fix (non-breaking change fixing an issue)
• New feature (non-breaking change adding functionality)
• Breaking change (fix or feature causing existing functionality to change)
• Documentation update

Infrastructure & Configuration:

• GitHub Actions workflow
• Linting configuration (markdown, PowerShell, etc.)
• Security configuration
• DevContainer configuration
• Dependency update

AI Artifacts:

• Reviewed contribution with prompt-builder agent and addressed all feedback
• Copilot instructions (.github/instructions/*.instructions.md)
• Copilot prompt (.github/prompts/*.prompt.md)
• Copilot agent (.github/agents/*.agent.md)
• Copilot skill (.github/skills/*/SKILL.md)

Note for AI Artifact Contributors:

• Agents: Research, indexing/referencing other project (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review .github/agents/ before creating new ones.
• Skills: Must include both bash and PowerShell scripts. See Skills.
• Model Versions: Only contributions targeting the latest Anthropic and OpenAI models will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected.
• See Agents Not Accepted and Model Version Requirements.

Other:

• Script/automation (.ps1, .sh, .py)
• Other (please describe):

Testing

To be able to test the owasp-infrastructure skill using the security reviewer agent you will need a repository containing infrastructure related code/configuration.

1. Either select the Security Reviewer agent or invoke the agent via the /security-revew instruction
2. Use the following prompt analyse the code and produce a vulnerability report
   • If you are testing to see if the codebase-profiler.agent.md picks up that the repository contains infrastructure related code (like terraform) and thus uses the owasp-infrastructure skill then that's all you need.
   • If you only want to test the owasp-infrastructure is used, in your prompt add targetSkill=owasp-infrastructure

You should see in the output report the owasp-infrastructure skill being referenced and used.

Checklist

Required Checks

• Documentation is updated (if applicable)
• Files follow existing naming conventions
• Changes are backwards compatible (if applicable)
• Tests added for new functionality (if applicable)

AI Artifact Contributions

• Used /prompt-analyze to review contribution
• Addressed all feedback from prompt-builder review
• Verified contribution follows common standards and type-specific requirements

Required Automated Checks

The following validation commands must pass before merging:

• Markdown linting: npm run lint:md
• Spell checking: npm run spell-check
• Frontmatter validation: npm run lint:frontmatter
• Skill structure validation: npm run validate:skills
• Link validation: npm run lint:md-links
• PowerShell analysis: npm run lint:ps
• Plugin freshness: npm run plugin:generate

Security Considerations

• This PR does not contain any sensitive or NDA information
• Any new dependencies have been reviewed for security issues
• Security-related scripts follow the principle of least privilege

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.71%. Comparing base (8722d8f) to head (cc40e2a).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1244      +/-   ##
==========================================
- Coverage   87.72%   87.71%   -0.02%     
==========================================
  Files          61       61              
  Lines        9320     9320              
==========================================
- Hits         8176     8175       -1     
- Misses       1144     1145       +1     

Flag	Coverage Δ
pester	85.31% <ø> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 1 file with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[katriendg]

Thanks Jason, left a few comments on changes needed before we can merge.

From a merge order probably do this:

1. Merge PR 1244 (owasp-infrastructure) first — broadest infrastructure scope.
2. Rebase PR 1245 (owasp-docker) onto updated main, resolve conflicts in 6 shared files, merge.
3. Rebase PR 1246 (owasp-cicd) onto updated main, resolve conflicts in 6 shared files, merge.

After each merge, run npm run plugin:generate to keep plugin outputs fresh.

[JasonTheDeveloper]

Using the owasp-infrastructure here are the results:

---

OWASP Security Assessment Report

Date: 2026-04-01
Repository: hve-core
Agent: Security Reviewer
Skills applied: owasp-infrastructure

Caution

This prompt is an assistive tool only and does not replace professional security tooling (SAST, DAST, SCA, penetration testing, compliance scanners) or qualified human review. All AI-generated vulnerability findings must be reviewed and validated by qualified security professionals before use. AI outputs may contain inaccuracies, miss critical threats, or produce recommendations that are incomplete or inappropriate for your environment.

---

Executive Summary

A comprehensive infrastructure security assessment of the hve-core repository was conducted using the OWASP Infrastructure Top 10 (2024) framework. All 10 controls were evaluated, resulting in 9 PASS findings and 1 NOT_ASSESSED finding, with zero vulnerabilities identified. The NOT_ASSESSED control (ISR06 — Insecure Network Access Management) is not applicable because hve-core is a documentation and tooling repository running on ephemeral GitHub-hosted runners with no managed network infrastructure. All 10 findings passed through verification unchanged, confirming the repository's strong infrastructure security posture.

Summary Counts

Status	Count
PASS	9
FAIL	0
PARTIAL	0
NOT_ASSESSED	1
Total	10

Severity Breakdown (FAIL + PARTIAL only)

Severity	Count
CRITICAL	0
HIGH	0
MEDIUM	0
LOW	0

Verification Summary

Verdict	Count
CONFIRMED	0
DISPROVED	0
DOWNGRADED	0
UNCHANGED	10

---

Findings by Framework

owasp-infrastructure

ID	Title	Status	Severity	Location	Finding	Recommendation	Verdict	Justification
ISR01:2024	Outdated Software	PASS	N/A	N/A	Comprehensive dependency update management: Dependabot configured for npm, GitHub Actions, and uv Python packages on a weekly schedule. SHA staleness monitoring detects outdated pinned action references. Weekly security maintenance workflows automate stale dependency detection. Tool versions pinned with SHA256 checksums. pip-audit scans Python dependencies. npm overrides pin transitive dependencies.	No additional action needed.	UNCHANGED	PASS finding passed through without verification.
ISR02:2024	Insufficient Threat Detection	PASS	N/A	N/A	Multiple detection layers deployed: Gitleaks secret scanning on every PR and release with soft-fail: false. CodeQL weekly and PR-triggered scans with security-extended queries. OpenSSF Scorecard weekly and after releases. Dependency review on PRs. Workflow permissions scanning. SARIF results uploaded to GitHub Security tab. Weekly validation workflows for continuous monitoring.	No additional action needed.	UNCHANGED	PASS finding passed through without verification.
ISR03:2024	Insecure Configurations	PASS	N/A	N/A	Secure configuration practices: top-level permissions: contents: read with minimal per-job escalation, persist-credentials: false on all checkouts, concurrency groups, cancel-in-progress controls. Dedicated workflow-permissions-scan.yml enforces proper permissions. ActionLint validates syntax. Branch protection requires status checks, PR review, CODEOWNERS approval, prohibits admin bypass. JIT access limits admin to 2 hours.	No additional action needed.	UNCHANGED	PASS finding passed through without verification.
ISR04:2024	Insecure Resource and User Management	PASS	N/A	N/A	Team-based ACLs with explicit role assignments. CODEOWNERS enforcement for domain expert review. GitHub App tokens for release operations instead of broad PATs. Marketplace publish uses OIDC federation for short-lived Azure credentials. JIT policy restricts admin access to 2-hour windows with approval requirements.	Periodically audit team membership and GitHub App installation permissions.	UNCHANGED	PASS finding passed through without verification.
ISR05:2024	Insecure Use of Cryptography	PASS	N/A	N/A	All external communications use HTTPS. GitHub API calls use Bearer token authentication over TLS. Azure marketplace publishing uses OIDC federation. Release artifacts signed using Sigstore attestations with in-toto DSSE envelopes. SBOM generation uses SPDX 2.3 JSON with cryptographic attestation. Tool downloads verify SHA256 checksums. No custom cryptographic implementations or unencrypted protocols.	No additional action needed.	UNCHANGED	PASS finding passed through without verification.
ISR06:2024	Insecure Network Access Management	NOT_ASSESSED	N/A	N/A	Not applicable. hve-core is a documentation/tooling/DevOps repository hosted on GitHub with CI/CD on ephemeral GitHub-hosted runners. No self-hosted runners, managed network infrastructure, or deployed services exist.	If self-hosted runners or deployed infrastructure are introduced, implement network segmentation and NAC controls.	UNCHANGED	NOT_ASSESSED finding passed through without verification.
ISR07:2024	Insecure Authentication Methods and Default Credentials	PASS	N/A	N/A	No default credentials in codebase. Gitleaks with soft-fail: false blocks secret leakage. Test fixture tokens allowlisted in .gitleaksignore with commit-specific entries. Secrets stored in GitHub Secrets/Variables. OIDC federation for Azure authentication. GitHub App tokens generated per-workflow-run with scoped permissions. Jira and GitLab skill scripts read credentials from environment variables only.	No additional action needed.	UNCHANGED	PASS finding passed through without verification.
ISR08:2024	Information Leakage	PASS	N/A	N/A	Comprehensive leakage controls: .gitignore excludes sensitive patterns. Gitleaks prevents secret commits. persist-credentials: false prevents token leakage. Release artifacts include only intended outputs. SARIF results uploaded to restricted Security tab. SECURITY.md provides vulnerability disclosure channels via MSRC.	No additional action needed.	UNCHANGED	PASS finding passed through without verification.
ISR09:2024	Insecure Access to Resources and Management Components	PASS	N/A	N/A	Least-privilege access: branch protection requires PR review, CODEOWNERS approval, prohibits admin bypass. Workflow permissions minimized per-job. Release pipeline uses scoped GitHub App tokens. Marketplace publish uses protected environment with OIDC. CODEOWNERS self-protection. JIT access policy limits admin elevation. Security-critical workflows produce auditable SARIF output.	No additional action needed.	UNCHANGED	PASS finding passed through without verification.
ISR10:2024	Insufficient Asset Management and Documentation	PASS	N/A	N/A	Comprehensive asset management: SBOM generation via anchore/sbom-action in SPDX 2.3 JSON. Dependency SBOM diffs between releases. tool-checksums.json inventories external tool versions and checksums. Dependabot tracks all ecosystems. package.json and pyproject.toml govern dependencies. Collection manifests document bundled artifact sets. Security documentation covers security model, dependency pinning, and SBOM verification.	No additional action needed.	UNCHANGED	PASS finding passed through without verification.

---

Detailed Remediation Guidance

None identified.

Disproved Findings

None.

---

Remediation Checklist

ID	Control	Status	Evidence

---

Appendix: Skills Used

Skill	Framework	Version	Reference
owasp-infrastructure	OWASP Infrastructure Security Top 10	1.0.0	https://owasp.org/www-project-top-10-infrastructure-security-risks/

[katriendg]

Thanks, I believe this looks good! The example evaluation you posted is very useful to get a better idea how it runs.

Please note to merge we will need to the npm run docs:test to pass CI. Could you add that (I messaged you offline). Thanks.