diff --git a/scripts/security.sh b/scripts/security.sh
index d1584e66..b4e1efe3 100755
--- a/scripts/security.sh
+++ b/scripts/security.sh
@@ -3,6 +3,7 @@ set -euo pipefail
 ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 GITLEAKS_VERSION="8.30.0"
+TRIVY_VERSION="0.70.0"
 install_gitleaks() {
 local os arch archive url install_dir
@@ -30,12 +31,57 @@ install_gitleaks() {
 export PATH="${install_dir}:${PATH}"
 }
+install_trivy() {
+ local os arch archive url install_dir
+
+ os="$(uname -s)"
+ case "${os}" in
+ Linux | Darwin) ;;
+ *)
+ echo "Unsupported OS for automatic Trivy install: ${os}" >&2
+ exit 1
+ ;;
+ esac
+
+ arch="$(uname -m)"
+ case "${arch}" in
+ x86_64 | amd64) arch="64bit" ;;
+ aarch64 | arm64) arch="ARM64" ;;
+ *)
+ echo "Unsupported architecture for automatic Trivy install: ${arch}" >&2
+ exit 1
+ ;;
+ esac
+
+ install_dir="${HOME}/.local/bin"
+ mkdir -p "${install_dir}"
+
+ archive="$(mktemp)"
+ url="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_${os}-${arch}.tar.gz"
+ curl --location --fail --silent --show-error --output "${archive}" "${url}"
+ tar -xzf "${archive}" -C "${install_dir}" trivy
+ rm -f "${archive}"
+ chmod +x "${install_dir}/trivy"
+ export PATH="${install_dir}:${PATH}"
+}
+
 if ! command -v gitleaks >/dev/null 2>&1; then
 install_gitleaks
 fi
+if ! command -v trivy >/dev/null 2>&1; then
+ install_trivy
+fi
+
 gitleaks detect \
 --config "${ROOT_DIR}/.github/linters/.gitleaks.toml" \
 --redact=90 \
 --source "${ROOT_DIR}" \
 --no-banner
+
+trivy fs \
+ --scanners vuln,secret,misconfig \
+ --severity HIGH,CRITICAL \
+ --exit-code 1 \
+ --ignore-unfixed \
+ "${ROOT_DIR}"
diff --git a/scripts/validate-containers.sh b/scripts/validate-containers.sh
index d493ad97..0d74346e 100755
--- a/scripts/validate-containers.sh
+++ b/scripts/validate-containers.sh
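Review bot: In scripts/security.sh, `install_trivy` extracts and later runs the downloaded archive without any integrity check, so whatever the release URL serves is executed by the security gate itself; the identical copy added to scripts/validate-containers.sh has the same gap. Pin a SHA-256 per supported os/arch next to `TRIVY_VERSION` and compare it before `tar`, as sketched below (the digest shown is a placeholder). Separately, Trivy's release archives are, as far as I know, named `macOS-64bit` / `macOS-ARM64` rather than `Darwin-*`, so the Darwin branch would likely fail at `curl --fail`; confirm against the release page and map `Darwin` to `macOS` if so. Whether `install_gitleaks` verifies its download is not visible in this hunk.

```shell
  # … unchanged: os/arch detection, install_dir, mktemp, url …
  curl --location --fail --silent --show-error --output "${archive}" "${url}"
  # Placeholder: pin one digest per supported os/arch next to TRIVY_VERSION.
  expected_sha256="<PINNED_SHA256>"
  if command -v sha256sum >/dev/null 2>&1; then
    actual_sha256="$(sha256sum "${archive}" | cut -d ' ' -f 1)"
  else
    actual_sha256="$(shasum -a 256 "${archive}" | cut -d ' ' -f 1)"
  fi
  if [[ "${actual_sha256}" != "${expected_sha256}" ]]; then
    echo "Trivy archive checksum mismatch for ${url}" >&2
    rm -f "${archive}"
    exit 1
  fi
  # … unchanged: tar extraction, chmod, PATH export …
```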
@@ -2,16 +2,63 @@ set -euo pipefail
 ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+TRIVY_VERSION="0.70.0"
+
+install_trivy() {
+ local os arch archive url install_dir
+
+ os="$(uname -s)"
+ case "${os}" in
+ Linux | Darwin) ;;
+ *)
+ echo "Unsupported OS for automatic Trivy install: ${os}" >&2
+ exit 1
+ ;;
+ esac
+
+ arch="$(uname -m)"
+ case "${arch}" in
+ x86_64 | amd64) arch="64bit" ;;
+ aarch64 | arm64) arch="ARM64" ;;
+ *)
+ echo "Unsupported architecture for automatic Trivy install: ${arch}" >&2
+ exit 1
+ ;;
+ esac
+
+ install_dir="${HOME}/.local/bin"
+ mkdir -p "${install_dir}"
+
+ archive="$(mktemp)"
+ url="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_${os}-${arch}.tar.gz"
+ curl --location --fail --silent --show-error --output "${archive}" "${url}"
+ tar -xzf "${archive}" -C "${install_dir}" trivy
+ rm -f "${archive}"
+ chmod +x "${install_dir}/trivy"
+ export PATH="${install_dir}:${PATH}"
+}
+
+if ! command -v trivy >/dev/null 2>&1; then
+ install_trivy
+fi
 build_container() {
 local name="$1"
 local dir="$2"
+ local image="$3"
 echo "Building ${name} container..."
- docker build --quiet "${dir}" >/dev/null
+ docker build --quiet --tag "${image}" "${dir}" >/dev/null
+
+ echo "Scanning ${name} container..."
+ trivy image \
+ --severity HIGH,CRITICAL \
+ --exit-code 1 \
+ --ignore-unfixed \
+ "${image}"
 }
-build_container "OpenAI Agents SDK API" "${ROOT_DIR}/reference-architectures/app/api/typescript/openai-agents-sdk"
-build_container "Foundry Agent Service API" "${ROOT_DIR}/reference-architectures/app/api/typescript/foundry-agent-service"
-build_container "React frontend" "${ROOT_DIR}/reference-architectures/app/frontend/typescript/react"
-build_container "Microsoft Agent Framework API" "${ROOT_DIR}/reference-architectures/app/api/csharp/microsoft-agent-framework"
+build_container "OpenAI Agents SDK API" "${ROOT_DIR}/reference-architectures/app/api/typescript/openai-agents-sdk" "caira/openai-agents-sdk-api:validation"
+build_container "Foundry Agent Service API" "${ROOT_DIR}/reference-architectures/app/api/typescript/foundry-agent-service" "caira/foundry-agent-service-api:validation"
+build_container "React frontend" "${ROOT_DIR}/reference-architectures/app/frontend/typescript/react" "caira/react-frontend:validation"
+build_container "Microsoft Agent Framework API" "${ROOT_DIR}/reference-architectures/app/api/csharp/microsoft-agent-framework" "caira/microsoft-agent-framework-api:validation"
diff --git a/skills/caira/SKILL.md b/skills/caira/SKILL.md
index 21294e71..a6327974 100644
--- a/skills/caira/SKILL.md
+++ b/skills/caira/SKILL.md
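Review bot: In scripts/validate-containers.sh, `build_container` scans whatever `docker build` produces from the local layer cache, so the HIGH/CRITICAL gate can pass or fail depending on how stale the cached base image is on the machine running it. Building with `docker build --pull --quiet --tag "${image}" "${dir}" >/dev/null` makes the scan reflect the current base image. The function now requires a third positional argument and leaves the `:validation` tag in the local image store after the run; a short header comment such as `# build_container NAME DIR IMAGE: build DIR as IMAGE, then fail on fixable HIGH/CRITICAL findings` would document both the contract and the effect of `--ignore-unfixed`.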
@@ -27,6 +27,8 @@ Ask only what is needed to choose components:
 - Prefer small component references over full-stack copying.
 - For scenarios that need OpenAI-compatible endpoints, prefer the Foundry IaC reference unless the user already has endpoints or asks for a different approach.
 - Determine what the user already has before proposing new infrastructure.
+- When possible, prefer managed identities or other passwordless identity patterns over API keys, static credentials, or secrets, unless the user explicitly asks for an API-key- or secret-based approach.
+- Before proposing repository security scans, check whether the target repository already uses or has configured Gitleaks, Trivy, or similar tools for secret, dependency, container, or IaC scanning. If similar scanning is missing, ask whether the user wants to add Gitleaks and/or Trivy scans before implementing them.
 - Keep recommendations focused on the current reference components listed below.
 - Explain which CAIRA paths influenced the recommendation or generated files.
 - Always ask follow-up questions to narrow down the user's needs and avoid unnecessary copying of reference code.