OCSF-native detection engineering and posture for cloud and AI infrastructure. Normalise every source to OCSF 1.8 on the wire, then compose ingest → detect → view skills like Unix pipes. MITRE ATT&CK inside every finding. Read-only, agentless, least-privilege, closed-loop.
```sh
python skills/detection-engineering/ingest-k8s-audit-ocsf/src/ingest.py audit.log \
  | python skills/detection-engineering/detect-privilege-escalation-k8s/src/detect.py \
  | python skills/detection-engineering/convert-ocsf-to-sarif/src/convert.py \
  > findings.sarif
```

| Layer | Role | Output |
|---|---|---|
| Ingest | Per-source raw log → OCSF | API / Network / HTTP / Application Activity |
| Detect | OCSF → finding + MITRE ATT&CK | Detection Finding (class 2004) |
| Evaluate | OCSF → framework check | Compliance Finding (class 2003) — CIS / NIST / SOC 2 |
| View | OCSF → SARIF / Mermaid / graph | GitHub Security tab, PR comments, dashboards |
| Remediate | Finding → action (HITL-gated, audited) | Dual-write audit row |
Each skill is a standalone Python bundle following Anthropic's skill spec — SKILL.md with trigger phrases and a Do NOT use… clause, src/, tests/, golden fixtures, REFERENCES.md. Runs from the CLI, in CI, or via any agent that reads SKILL.md (Claude Desktop, Cursor, Codex, Cortex, Windsurf).
See ARCHITECTURE.md for the full layered diagram and closed-loop vendor flow.
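To make the pipe concrete, the following is an added, self-contained example and not the project's own ingest.py / detect.py / convert.py (which are not shown on this page). It maps a Kubernetes audit line to an OCSF API Activity event (class_uid 6003), turns a Secret read into a Detection Finding (class_uid 2004) that carries T1552.007 inside finding_info.attacks[], and converts the findings to SARIF 2.1.0. The class_uid / category_uid values and the type_uid = class_uid*100 + activity_id rule follow OCSF; the exact field placement (resources[].namespace, evidences[]), the product names and the sample audit events are this example's assumptions.

```python
"""Added example: ingest -> detect -> convert over OCSF-shaped JSONL (not the project's code)."""
import json
import sys
from datetime import datetime

API_ACTIVITY, DETECTION_FINDING = 6003, 2004          # OCSF class_uid values
# Kubernetes audit verbs -> OCSF API Activity activity_id (1 Create, 2 Read, 3 Update, 4 Delete, 99 Other)
VERB_TO_ACTIVITY = {"create": 1, "get": 2, "list": 2, "watch": 2,
                    "update": 3, "patch": 3, "delete": 4, "deletecollection": 4}

# Constructed audit.k8s.io/v1 events: a Secret read by a service account and a benign ConfigMap list.
SAMPLE_AUDIT = [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "get",
     "user": {"username": "system:serviceaccount:ci:builder"},
     "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-creds"},
     "sourceIPs": ["10.0.0.12"], "responseStatus": {"code": 200},
     "requestReceivedTimestamp": "2024-05-01T12:00:00.000000Z"},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "list",
     "user": {"username": "alice"},
     "objectRef": {"resource": "configmaps", "namespace": "prod"},
     "sourceIPs": ["10.0.0.7"], "responseStatus": {"code": 200},
     "requestReceivedTimestamp": "2024-05-01T12:00:01.000000Z"},
]


def sample_lines():
    """The constructed events serialised as JSONL, as a real audit.log would present them."""
    return [json.dumps(e) for e in SAMPLE_AUDIT]


def parse_jsonl(lines):
    """Defensive input boundary: yield only JSON objects; blank or malformed lines are skipped, never fatal."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            yield obj


def ingest(event):
    """Kubernetes audit event -> OCSF API Activity (class_uid 6003, category_uid 6)."""
    verb = event.get("verb", "")
    activity_id = VERB_TO_ACTIVITY.get(verb, 99)
    ref = event.get("objectRef") or {}
    ts = event.get("requestReceivedTimestamp", "1970-01-01T00:00:00Z")
    time_ms = int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp() * 1000)
    return {
        "class_uid": API_ACTIVITY, "category_uid": 6, "activity_id": activity_id,
        "type_uid": API_ACTIVITY * 100 + activity_id,        # OCSF: type_uid = class_uid*100 + activity_id
        "severity_id": 1, "time": time_ms,
        "metadata": {"version": "1.8.0", "product": {"name": "example-ingest-k8s"}},
        "actor": {"user": {"name": (event.get("user") or {}).get("username", "unknown")}},
        "api": {"operation": verb},
        "src_endpoint": {"ip": (event.get("sourceIPs") or ["0.0.0.0"])[0]},
        # Field placement below is an assumption of this example, not a contract the page pins.
        "resources": [{"type": ref.get("resource", ""), "name": ref.get("name", ""),
                       "namespace": ref.get("namespace", "")}],
    }


def detect_secret_read(ocsf_event):
    """Read of a Secret in an OCSF 6003 event -> Detection Finding (2004) with ATT&CK under finding_info.attacks[]."""
    if ocsf_event.get("class_uid") != API_ACTIVITY or ocsf_event.get("activity_id") != 2:
        return None
    if not any(r.get("type") == "secrets" for r in ocsf_event.get("resources", [])):
        return None
    actor = ocsf_event["actor"]["user"]["name"]
    return {
        "class_uid": DETECTION_FINDING, "category_uid": 2, "activity_id": 1,   # Findings category, Create
        "type_uid": DETECTION_FINDING * 100 + 1, "severity_id": 4, "time": ocsf_event["time"],
        "metadata": {"version": "1.8.0", "product": {"name": "example-detect-secret-read"}},
        "finding_info": {
            "uid": f"secret-read:{actor}:{ocsf_event['time']}",
            "title": "Kubernetes Secret read via API",
            "attacks": [{"tactic": {"uid": "TA0006", "name": "Credential Access"},
                         "technique": {"uid": "T1552.007", "name": "Container API"}}],
        },
        "evidences": [{"actor": ocsf_event["actor"], "api": ocsf_event["api"],
                       "src_endpoint": ocsf_event["src_endpoint"]}],
    }


SEVERITY_TO_SARIF_LEVEL = {5: "error", 4: "error", 3: "warning", 2: "note", 1: "note"}


def to_sarif(findings):
    """Detection Findings -> SARIF 2.1.0; the ATT&CK technique id doubles as the SARIF ruleId."""
    rules, results = {}, []
    for f in findings:
        tech = f["finding_info"]["attacks"][0]["technique"]
        rules.setdefault(tech["uid"], {"id": tech["uid"], "name": tech["name"]})
        results.append({"ruleId": tech["uid"],
                        "level": SEVERITY_TO_SARIF_LEVEL.get(f["severity_id"], "note"),
                        "message": {"text": f["finding_info"]["title"]},
                        "properties": {"ocsf_finding_uid": f["finding_info"]["uid"]}})
    return {"$schema": "https://json.schemastore.org/sarif-2.1.0.json", "version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "example-convert-ocsf-to-sarif",
                                          "rules": list(rules.values())}},
                      "results": results}]}


def run_pipeline(lines):
    """The three stages composed in-process; on the CLI each stage would read and write JSONL on stdin/stdout."""
    ocsf = [ingest(e) for e in parse_jsonl(lines)]
    findings = [f for f in map(detect_secret_read, ocsf) if f]
    return ocsf, findings, to_sarif(findings)


if __name__ == "__main__":
    src = sys.stdin if not sys.stdin.isatty() else sample_lines()
    print(json.dumps(run_pipeline(src)[2], indent=2))
```

Run it with an audit log on stdin (`python example.py < audit.log`) or with no input to use the constructed events; only the Secret read produces a finding, and the SARIF result's ruleId is the technique id, which is what lets the GitHub Security tab group by ATT&CK technique.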
Skills shipped today
```
skills/
├── compliance-cis-mitre/                "Aligned with a published benchmark?"
│   ├── cspm-aws-cis-benchmark           (CIS AWS Foundations v3.0 — 18 checks)
│   ├── cspm-gcp-cis-benchmark           (CIS GCP Foundations v3.0 — 7 checks)
│   ├── cspm-azure-cis-benchmark         (CIS Azure Foundations v2.1 — 6 checks)
│   ├── k8s-security-benchmark           (CIS Kubernetes — 10 checks)
│   └── container-security               (CIS Docker — 8 checks)
│
├── remediation/                         "Fix it, gated and audited"
│   └── iam-departures-remediation       (event-driven, DLQ + SNS, dual audit)
│
├── detection-engineering/               "What does an attack look like on this surface?"
│   ├── ingest-cloudtrail-ocsf           AWS   → API Activity 6003
│   ├── ingest-gcp-audit-ocsf            GCP   → API Activity 6003
│   ├── ingest-azure-activity-ocsf       Azure → API Activity 6003
│   ├── ingest-k8s-audit-ocsf            K8s   → API Activity 6003
│   ├── ingest-mcp-proxy-ocsf            MCP   → Application Activity 6002
│   ├── detect-mcp-tool-drift            → T1195.001 Supply Chain
│   ├── detect-privilege-escalation-k8s  → T1552.007 / T1611 / T1098 / T1550.001
│   ├── detect-sensitive-secret-read-k8s → T1552.007 Container API
│   ├── convert-ocsf-to-sarif            → GitHub Security tab
│   └── convert-ocsf-to-mermaid-attack-flow → PR comments
│
└── ai-infra-security/                   "AI-native surfaces"
    ├── model-serving-security           (16 checks — auth / rate limit / egress / safety)
    ├── gpu-cluster-security             (13 checks — runtime / driver / tenant isolation)
    └── discover-environment             (MITRE ATT&CK + ATLAS graph overlay)
```
Roadmap: 14 open issues (#26–#39) covering VPC Flow / GuardDuty / Security Hub / AWS Config / Okta / GitHub / Workspace / Slack / Workday / Salesforce / SAP / GCP + Azure parity / folder reshape.
This is a security tool, so trustworthiness is the first feature, not an afterthought. Eleven principles are pinned in SECURITY_BAR.md, and every skill is graded against each of them.
The eleven principles
| # | Principle | What it means |
|---|---|---|
| 1 | Read-only by default | Posture + detection NEVER call write APIs. Remediation isolates the write path behind explicit IAM grants and dry-run defaults. |
| 2 | Agentless | No daemons, no sidecars, no continuously running processes. Short-lived Python scripts that read what's already there. |
| 3 | Least privilege | Each skill documents the EXACT IAM / RBAC permissions it needs in REFERENCES.md. Minimal set only. |
| 4 | Defense in depth | Posture + detection + remediation + audit + re-verify all run in parallel and back each other up. |
| 5 | Closed loop | Every workflow has a verification step: detect → finding → action → audit → re-verify. Drift is itself a detection. |
| 6 | OCSF on the wire | All ingest + detect skills speak OCSF 1.8 JSONL. MITRE ATT&CK lives inside finding_info.attacks[]. |
| 7 | Secure by design | Security is a first-class input to the skill's architecture, not a bolt-on. |
| 8 | Secure code | Defensive parsing on every input boundary. No eval/exec/pickle.loads on untrusted data. Parameterised SQL only. bandit in CI. |
| 9 | Secure secrets & tokens | No hardcoded creds. Secrets from cloud secret stores. Short-lived tokens. Logs scrub creds. CI greps for AKIA / sk- / ghp_ patterns. |
| 10 | No telemetry | No phone-home. Findings stay local unless the operator explicitly forwards them. |
| 11 | HITL, no rogue behaviour | A skill never escalates its own privileges, never bypasses guardrails, never invokes siblings it wasn't composed with. Destructive actions require HITL gates. |
How trust is verified
| Check | What it catches | Where it runs |
|---|---|---|
| Golden-fixture deep-eq | Silent detection-coverage regressions after a refactor | Per-skill pytest — tests/test_*.py::TestGoldenFixture |
| Wire-contract tests | Off-spec events, wrong class_uid, missing required fields, attacks[] at the wrong level | Cross-skill assertions pinned in OCSF_CONTRACT.md |
| End-to-end pipes | Breakage across the ingest → detect → convert chain | tests/integration/ — deep-eq against frozen SARIF + Mermaid |
| Static analysis | Unsafe parsing, missing imports, style drift | ruff check + ruff format --check + bandit on every PR |
| Hardcoded-secret grep | Leaked AKIA… / sk-… / ghp_… tokens before they ship | CI lint job, repo-wide on every push |
| REFERENCES.md per skill | Fabricated APIs, opaque dependencies, undocumented IAM | Presence enforced by CI; manual review on new skills |
| agent-bom scans | Vulnerable deps, IaC misconfig, shadow AI components | code / skills scan / fs / iac on every push; findings land in GitHub Security tab under agent-bom-iac |
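As an added illustration of what a wire-contract test pins (example code, not the project's OCSF_CONTRACT.md assertions), the checker below rejects exactly the failure modes named in the table row above: an unregistered or mismatched class_uid, missing required fields, a type_uid that disagrees with class_uid and activity_id, a metadata.version other than 1.8.0, and attacks[] hoisted out of finding_info. The required-field list, the class/category pairs and the constructed events are this example's assumptions about what such a contract would contain.

```python
"""Added example: wire-contract checks for OCSF 1.8-shaped JSONL (not the project's OCSF_CONTRACT.md)."""
import json
import re

# Assumed contract: fields every event on the wire must carry, and the classes this page names.
REQUIRED = ("class_uid", "category_uid", "activity_id", "type_uid", "severity_id", "time", "metadata")
FINDING_CLASSES = {2003: 2, 2004: 2}          # Compliance / Detection Finding -> Findings category
ACTIVITY_CLASSES = {6002: 6, 6003: 6}         # Application / API Activity -> Application Activity category
KNOWN_CLASSES = {**FINDING_CLASSES, **ACTIVITY_CLASSES}
VALID_SEVERITY = set(range(7)) | {99}         # 0 Unknown .. 6 Fatal, 99 Other
TECHNIQUE_RE = re.compile(r"T\d{4}(?:\.\d{3})?")


def contract_violations(event):
    """Return human-readable violations; an empty list means the event is on-contract."""
    if not isinstance(event, dict):
        return ["event is not a JSON object"]
    errs = [f"missing required field {k}" for k in REQUIRED if k not in event]
    cls = event.get("class_uid")
    if cls not in KNOWN_CLASSES:
        errs.append(f"unexpected class_uid {cls!r}")
    elif event.get("category_uid") != KNOWN_CLASSES[cls]:
        errs.append(f"category_uid {event.get('category_uid')!r} does not match class_uid {cls}")
    act = event.get("activity_id")
    if isinstance(cls, int) and isinstance(act, int) and event.get("type_uid") != cls * 100 + act:
        errs.append("type_uid must equal class_uid*100 + activity_id")
    if event.get("severity_id") not in VALID_SEVERITY:
        errs.append(f"severity_id {event.get('severity_id')!r} is not a valid OCSF severity")
    if (event.get("metadata") or {}).get("version") != "1.8.0":
        errs.append("metadata.version must be 1.8.0")
    if "attacks" in event:
        errs.append("attacks[] at top level; MITRE ATT&CK belongs under finding_info.attacks[]")
    if cls in FINDING_CLASSES:
        fi = event.get("finding_info")
        if not isinstance(fi, dict):
            errs.append("finding must carry finding_info")
        else:
            errs += [f"finding_info.{k} missing" for k in ("uid", "title") if k not in fi]
            for attack in fi.get("attacks", []):
                uid = (attack.get("technique") or {}).get("uid", "")
                if not TECHNIQUE_RE.fullmatch(uid):
                    errs.append(f"attacks[].technique.uid {uid!r} is not an ATT&CK technique id")
    return errs


def check_stream(lines):
    """Run the contract over JSONL; returns {line_no: [violations]} for every line that fails."""
    report = {}
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError as exc:
            report[n] = [f"malformed JSON: {exc.msg}"]
            continue
        errs = contract_violations(event)
        if errs:
            report[n] = errs
    return report


# Constructed events: an on-contract Detection Finding, the same finding with attacks[] hoisted to the
# top level, a malformed line, and an event with an unregistered class_uid, bad type_uid, missing
# severity and a stale schema version.
GOOD = {"class_uid": 2004, "category_uid": 2, "activity_id": 1, "type_uid": 200401,
        "severity_id": 4, "time": 1714564800000, "metadata": {"version": "1.8.0"},
        "finding_info": {"uid": "f-1", "title": "Secret read",
                         "attacks": [{"technique": {"uid": "T1552.007", "name": "Container API"}}]}}
HOISTED = {**GOOD, "attacks": GOOD["finding_info"]["attacks"],
           "finding_info": {"uid": "f-2", "title": "Secret read"}}
OFF_SPEC = {"class_uid": 2005, "category_uid": 2, "activity_id": 1, "type_uid": 200500,
            "time": 1714564800000, "metadata": {"version": "1.7.0"}}
SAMPLE_LINES = [json.dumps(GOOD), json.dumps(HOISTED), "{not json", json.dumps(OFF_SPEC)]

if __name__ == "__main__":
    for n, errs in check_stream(SAMPLE_LINES).items():
        print(f"line {n}: " + "; ".join(errs))
```

In a pytest suite each violation list would become an assertion over every golden fixture of every skill, so a refactor that moves attacks[] or changes a class_uid fails the cross-skill contract rather than silently producing findings that SARIF and Mermaid converters downstream cannot read.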
| Document | Purpose |
|---|---|
| ARCHITECTURE.md | 9-layer design, two execution modes (stateless + persistent), 10 guardrails |
| OCSF_CONTRACT.md | Wire format pinning for OCSF 1.8 + MITRE ATT&CK v14 |
| SECURITY_BAR.md | Per-principle verification matrix — every skill graded against every principle |
| SECURITY.md | Coordinated disclosure policy |
| CONTRIBUTING.md | How to add a new skill |
New skills land as standalone bundles. The checklist:

- Pick a layer — ingest, enrich, detect, evaluate, remediate, or convert
- Copy the nearest sibling — the existing skills in the target category are the canonical reference layout
- Ship the bundle — `SKILL.md` with a Do NOT use… clause, `src/<entry>.py`, `tests/test_<entry>.py`, golden fixtures under `detection-engineering/golden/` (or equivalent), `REFERENCES.md` listing every official doc the skill depends on
- Add a row to the `SECURITY_BAR.md` matrix
- Wire into CI — add the skill to the right matrix cell in `.github/workflows/ci.yml`
- Open a PR — `ARCHITECTURE.md` is the review contract; make sure your skill satisfies every applicable guardrail
See CONTRIBUTING.md for the full guide.
Apache 2.0 — use it, fork it, ship it. Security research is welcome; see SECURITY.md for coordinated disclosure.