Skip to content

DevCop95/cyhber-deploy

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

11 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

Cyhber Deploy Banner

πŸ” Cyhber Deploy

Systematic DevSecOps Analysis for Claude Code β€” 5-layer security review with standardized severity-tagged alerts

Claude Code License: MIT Version TDD

Security CI/CD IaC Tested

πŸš€ Quick Start β€’ πŸ“– Documentation β€’ πŸ§ͺ Test Results β€’ πŸ› Report Bug


✨ What's New in v2.0

Complete rebuild with TDD methodology:

  • βœ… Systematic 5-layer review enforced (no ad-hoc analysis)
  • βœ… Standardized severity-tagged alerts (CRITICO/ALTO/MEDIO/BAJO)
  • βœ… Proactive scope expansion beyond user request
  • βœ… Token-efficient (~450 words, 60% reduction)
  • βœ… Pressure-tested with time/authority/exhaustion scenarios
  • βœ… Full test documentation included

Observed in manual evaluation: 6-8 categorized alerts vs 1-2 ad-hoc findings on the same test scenarios. These are qualitative comparisons, not automated benchmarks.

See FINAL-REPORT.md for the full evaluation notes.


πŸš€ Features

Systematic 5-Layer Analysis

Every security review follows this structured methodology:

  1. Code Validation β€” Input validation, injection (SQL/XSS/Command), auth/authz, error handling
  2. Dependencies β€” CVEs, outdated packages, unmaintained libraries, transitive dependencies
  3. Secrets & PII β€” Hardcoded API keys, tokens, certificates, exposed personal data
  4. CI/CD Pipeline β€” Branch restrictions, secret exposure, security gates, rollback plans
  5. Infrastructure β€” Network exposure, IAM/RBAC permissions, encryption, security groups

No layer skipped β€” even "frontend-only" code triggers full review.

Standardized Alert Format

Every finding includes:

Campo Valor
Severidad πŸ”΄ CRITICO | 🟠 ALTO | 🟑 MEDIO | 🟒 BAJO
ID CD-SEC-XXX (sequential)
Componente file.js:line or resource name
DescripciΓ³n What + why it's a risk
Evidencia Code snippet or config excerpt
RemediaciΓ³n Specific fix steps

Risk Assessment Output

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ πŸ”’ ESTADO DE SEGURIDAD                      β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚ Nivel de riesgo:  πŸ”΄ CRITICO                β”‚
β”‚ Alertas totales:  8                         β”‚
β”‚   β€’ CrΓ­ticas:     2                         β”‚
β”‚   β€’ Altas:        3                         β”‚
β”‚   β€’ Medias:       2                         β”‚
β”‚   β€’ Bajas:        1                         β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚ ⚠️  RECOMENDACIΓ“N:                          β”‚
β”‚ BLOQUEAR despliegue hasta resolver          β”‚
β”‚ hallazgos crΓ­ticos y altos.                 β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

πŸ“¦ Installation

Claude Code CLI

# Install from local directory
git clone https://github.com/DevCop95/cyhber-deploy.git
cd cyhber-deploy
cp -r skills/cyhber-deploy ~/.claude/skills/

Verify Installation

# Check skill is loaded
claude # Start Claude Code session
# Skill auto-triggers on: deploy, CI/CD, Terraform, auth, secrets, injection

🎯 Usage

Auto-Trigger Keywords

Skill activates when you mention:

  • Deploy: staging, production, release
  • CI/CD: GitHub Actions, GitLab CI, Jenkins, CircleCI
  • IaC: Terraform, Kubernetes, Docker, Helm
  • Cloud: AWS, GCP, Azure
  • Security: auth, secrets, injection, SQL, XSS
  • Review: "security review", "check this code"

Manual Invocation

@cyhber-deploy review this for production

πŸ“Έ Examples

Example 1: SQL Injection Detection

Input:

app.post('/login', (req, res) => {
  db.query(`SELECT * FROM users WHERE email='${req.body.email}'`);
});

Output:

Campo Valor
Severidad πŸ”΄ CRITICO
ID CD-SEC-001
Componente api/auth.js:2
DescripciΓ³n SQL injection - user-controlled email concatenated into query
Evidencia db.query(`SELECT * FROM users WHERE email='${req.body.email}'`)
RemediaciΓ³n Use parameterized query: db.query('SELECT * FROM users WHERE email = ?', [req.body.email])

Example 2: CI/CD Secret Exposure

Input:

# .github/workflows/deploy.yml
- run: |
    echo "API_KEY=${{ secrets.API_KEY }}" >> .env
    cat .env

Output:

Campo Valor
Severidad πŸ”΄ CRITICO
ID CD-SEC-002
Componente .github/workflows/deploy.yml:3
DescripciΓ³n API key exposed in workflow logs via cat .env
Evidencia cat .env prints secrets to logs accessible to all repo users
RemediaciΓ³n Remove cat .env. Pass secrets via env vars: env: API_KEY: ${{ secrets.API_KEY }}

Example 3: Infrastructure Overexposure

Input:

resource "aws_security_group" "db" {
  ingress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port   = 5432
    to_port     = 5432
  }
}

Output:

Campo Valor
Severidad πŸ”΄ CRITICO
ID CD-SEC-003
Componente terraform/main.tf:3
DescripciΓ³n Database exposed to entire internet via overly permissive security group
Evidencia cidr_blocks = ["0.0.0.0/0"] allows connections from any IP
RemediaciΓ³n Restrict to application subnet: cidr_blocks = ["10.0.1.0/24"] or use VPC peering

πŸ–₯️ Terminal Report (visual layer)

A zero-dependency Python renderer turns findings into colored alert cards plus a final ESTADO DE SEGURIDAD panel β€” a visual recap of the scan, right in your terminal.

# See it instantly with the bundled demo
python tools/cyhber_report.py --demo

# Render your own findings (see schema in tools/findings.example.json)
python tools/cyhber_report.py findings.json

# Pipe from another tool
cat findings.json | python tools/cyhber_report.py

Preview:

  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
  β”‚ πŸ”’ ESTADO DE SEGURIDAD                                  β”‚
  β”‚ Objetivo: examples/vulnerable-api/server.js            β”‚
  β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
  β”‚ Nivel de riesgo:  πŸ”΄ CRITICO                            β”‚
  β”‚ Alertas totales:  8                                     β”‚
  β”‚   β€’ CRITICO  3                                          β”‚
  β”‚   β€’ ALTO     3                                          β”‚
  β”‚   β€’ MEDIO    1                                          β”‚
  β”‚   β€’ BAJO     1                                          β”‚
  β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
  β”‚ ⚠️  RECOMENDACIΓ“N:                                      β”‚
  β”‚ BLOQUEAR despliegue β€” resolver crΓ­ticos/altos           β”‚
  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
  • Pure stdlib (no pip install), works on Windows / macOS / Linux.
  • Auto-detects color; honors NO_COLOR / FORCE_COLOR.
  • Exit code 1 when the run should block (any πŸ”΄ or β‰₯3 🟠), 0 otherwise β€” drop it straight into a CI gate.

πŸ§ͺ Testing & Quality

TDD Methodology

Skill built following complete RED-GREEN-REFACTOR cycle:

  • RED Phase: Baseline testing without skill (3 pressure scenarios)
  • GREEN Phase: Skill enforcement verification (systematic 5-layer review)
  • REFACTOR Phase: Edge case testing (frontend-only code)

Test Results

Metric Baseline (No Skill) With Skill
Issues found 1-2 6-8
Structure Ad-hoc 5-layer systematic
Output format Freeform Severity tables
Scope Limited Proactive expansion

Numbers come from manual evaluation on the bundled test scenarios, not from an automated benchmark suite. Treat them as directional, not guaranteed.

Full documentation: tests/FINAL-REPORT.md


πŸ“š Documentation


πŸ›  Configuration

Secret Patterns

Built-in detection for:

  • AWS keys (AKIA...), Azure, GCP service accounts
  • GitHub tokens (ghp_, gho_, glpat-)
  • Private keys (RSA, EC, OpenSSH, PGP)
  • Database connection strings
  • JWT tokens
  • Slack/Discord webhooks
  • Payment provider keys (Stripe, PayPal, Square)

See secret-patterns.md for complete list.


🀝 Contributing

Contributions welcome! For major changes:

  1. Fork repo
  2. Create feature branch (git checkout -b feature/improvement)
  3. Follow TDD methodology (see tests/ for examples)
  4. Commit with conventional commits
  5. Push and open PR

Reporting Security Issues

DO NOT open public issues for vulnerabilities.

Email: yared.henriquezb@gmail.com


πŸ“‹ Roadmap

  • SARIF output format for CI/CD integration
  • Custom rule configuration (.cyhber-deploy.json)
  • Multi-language support (Django, Flask, Spring Boot)
  • GitHub Action for automated PR reviews
  • VS Code extension
  • Dashboard for security metrics over time

πŸ“„ License

MIT License - see LICENSE


πŸ™ Credits

Author: DevCop95

Built with guidance from:

Inspired by:


πŸ“ž Support


⚠️ Disclaimer

Cyhber Deploy provides static analysis and does not replace professional security audits or penetration testing. Use as complement to existing security practices.

Production-Ready β€’ TDD-Tested β€’ Open Source

⭐ Star this repo if it helps your security workflow!

About

Security Skill ( Claude , Codex , Gemini )

Resources

License

Stars

11 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages