Skip to content

add CVE validation for container images and OCP CoreOS skills with SBOM, VEX and CSAF usage to the ocp-admin pack#103

Merged
r2dedios merged 7 commits into
RHEcosystemAppEng:mainfrom
p-rog:feat/rh-security-validation
May 25, 2026
Merged

add CVE validation for container images and OCP CoreOS skills with SBOM, VEX and CSAF usage to the ocp-admin pack#103
r2dedios merged 7 commits into
RHEcosystemAppEng:mainfrom
p-rog:feat/rh-security-validation

Conversation

@p-rog

@p-rog p-rog commented May 15, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds a new skill pack for validating CVEs against Red Hat container images and OpenShift CoreOS using official SBOMs and VEX data.

Skills:

  • container-cve-validator — full CVE validation pipeline using SBOM attestations, Red Hat VEX, and newer image scanning
  • coreos-cve-validator — RHCOS validation with RPM extraction and RHEL EUS stream-aware VEX matching
  • cve-recon — CVE metadata lookup from MITRE, OSV.dev, and Go vulnerability database
  • image-inspect — container image metadata and SBOM artifact reference resolution

Why this matters: Security scanners generate noisy CVE reports full of false positives. These skills validate findings against official Red Hat security data — SPDX SBOM attestations and CSAF VEX files — to
confirm true positives, eliminate false alarms, and provide actionable remediation steps including layered product relationships.

What's included:

  • 4 skills with 9 helper scripts for deterministic data fetching
  • RHSA advisory resolution (when scanners report advisories instead of CVEs)
  • VEX data gap detection with secalert@redhat.com reporting guidance
  • No MCP servers required — all data from public Red Hat APIs

Pack(s) affected

  • rh-sre
  • rh-developer
  • ocp-admin
  • rh-virt
  • rh-ai-engineer
  • Other / repo-wide

Change type

  • New skill
  • New agent
  • New pack
  • Update existing skill / agent
  • MCP server config (mcps.json)
  • Docs / README
  • CI / tooling

CLAUDE.md compliance

  • Agents orchestrate skills; no direct MCP/tool calls in agents
  • Skills are single-purpose task executors
  • Skills encapsulate all tool access (MCP tools invoked only inside skills)
  • Document consultation: file is read with the Read tool, then declared to the user
  • No credentials hardcoded; env vars used via ${VAR} references
  • Human-in-the-loop confirmation added for any destructive or critical operations

Validation

  • make validate passes locally
  • New/changed skills have valid YAML frontmatter (name, description)
  • New/changed agents have valid YAML frontmatter (name, description)

@dmartinol

Copy link
Copy Markdown
Collaborator

/skill-code-review

@dmartinol

Copy link
Copy Markdown
Collaborator

/skill-security-scan

@github-actions

Copy link
Copy Markdown

🔄 Run #1 — 2026-05-20 11:29 UTC

❌ Skill Security Scan

📋 rh-security-validation

Agent Skills Security Scan Report

Timestamp: 2026-05-20T11:21:54.614758+00:00

Summary

  • Total Skills Scanned: 4
  • Safe Skills: 1
  • Total Findings: 12

Findings by Severity

  • Critical: 3
  • High: 1
  • Medium: 6
  • Low: 2
  • Info: 0

Skill Results


[FAIL] coreos-cve-validator

  • Max Severity: CRITICAL

  • Findings: 3

  • Directory: /home/runner/work/agentic-collections/agentic-collections/rh-security-validation/skills/coreos-cve-validator

    [CRITICAL] Access to Sensitive Credential File

    Severity: CRITICAL
    Category: data_exfiltration
    Rule ID: LLM_DATA_EXFILTRATION
    Location: SKILL.md

    Description: The skill instructs the agent that pulling a CoreOS image requires a Red Hat pull secret located in ~/.docker/config.json. This constitutes direct access to a sensitive user credential file. If any of the external scripts executed by the skill are compromised, they could easily exfiltrate this secret, leading to account takeover and unauthorized access to private container registries.

    Code Snippet:

    Important: Pulling the CoreOS image requires a Red Hat pull secret saved to `~/.docker/config.json`. The pull secret can be downloaded from https://console.redhat.com/openshift/downloads. If authentication fails, inform the user.
    

    Remediation: The skill should not directly access credential files. Instead, it should rely on the pre-configured environment of the execution tool (e.g., a pre-authenticated podman or docker client) and delegate the authentication responsibility to the underlying tool, which should be securely configured by the user.

    [CRITICAL] Execution of Unaudited External Scripts from a Relative Path

    Severity: CRITICAL
    Category: supply_chain_attack
    Rule ID: LLM_SUPPLY_CHAIN_ATTACK
    Location: SKILL.md

    Description: The skill's core functionality depends on executing multiple Python scripts located in a relative parent directory (../scripts/). These scripts are not included in the skill package for analysis, representing a significant supply chain risk. An attacker could place malicious code in this location, leading to arbitrary code execution on the user's machine. The skill's security is entirely dependent on the integrity of these external, unaudited files.

    Code Snippet:

    SCRIPTS_DIR="$(cd "$(dirname "$(dirname "$(pwd)")")" && pwd)/scripts"
    test -f "$SCRIPTS_DIR/validate_input.py" || { echo "Error: Scripts directory not found at $SCRIPTS_DIR"; exit 1; }
    ...
    python $SCRIPTS_DIR/validate_input.py --coreos --ocp-version [OCP_VERSION] --cve [CVE-ID]
    

    Remediation: All executable scripts required by the skill should be bundled within the skill's directory. The skill should reference them using a local, non-relative path to prevent executing arbitrary code from outside the trusted skill package.

    [LOW] Missing allowed-tools Declaration in Manifest

    Severity: LOW
    Category: skill_discovery_abuse
    Rule ID: LLM_SKILL_DISCOVERY_ABUSE
    Location: SKILL.md

    Description: The skill's manifest (SKILL.md frontmatter) does not specify the allowed-tools field. While this field is optional, its absence means there are no declared restrictions on the tools the agent can use. The skill's instructions heavily rely on executing both Bash and Python scripts, which should be explicitly declared to provide clarity on its capabilities and prevent unexpected tool usage.

    Code Snippet:

    YAML Manifest Details:
    - name: coreos-cve-validator
    - description: ...
    - license: Apache-2.0
    - compatibility: Not specified
    - allowed-tools: Not specified
    

    Remediation: Add an allowed-tools key to the YAML frontmatter and explicitly list the tools required for the skill's operation, such as allowed-tools: [Bash, Python].


[FAIL] cve-recon

  • Max Severity: CRITICAL

  • Findings: 2

  • Directory: /home/runner/work/agentic-collections/agentic-collections/rh-security-validation/skills/cve-recon

    [CRITICAL] Arbitrary Code Execution via Un-packaged Script Dependency

    Severity: CRITICAL
    Category: supply_chain_attack
    Rule ID: LLM_SUPPLY_CHAIN_ATTACK
    Location: SKILL.md

    Description: The skill instructs the agent to locate and execute a Python script (fetch_cve_metadata.py) from a relative parent directory (../scripts/). This script is not included within the skill package itself, meaning its contents are unknown and un-analyzed. This constitutes a severe supply chain vulnerability, as a malicious actor could place arbitrary code in that location, leading to full compromise of the agent's environment. The skill explicitly trusts and executes code from outside its secure boundary.

    Code Snippet:

    SCRIPTS_DIR="$(cd "$(dirname "$(dirname "$(pwd)")")" && pwd)/scripts"
    test -f "$SCRIPTS_DIR/fetch_cve_metadata.py" || { echo "Error: Scripts directory not found at $SCRIPTS_DIR"; exit 1; }
    ...
    python $SCRIPTS_DIR/fetch_cve_metadata.py [CVE-ID]
    

    Remediation: The fetch_cve_metadata.py script and all its dependencies must be bundled within the skill's directory. The skill should reference the script using a path relative to its own location, not by traversing up the directory tree. All executable code required by a skill must be included in the package for security analysis.

    [LOW] Missing allowed-tools Declaration in Manifest

    Severity: LOW
    Category: skill_discovery_abuse
    Rule ID: LLM_SKILL_DISCOVERY_ABUSE
    Location: SKILL.md

    Description: The skill's manifest does not declare the allowed-tools it requires. Based on the instructions, the skill uses both 'Bash' (for path resolution) and 'Python' (for script execution). Omitting this declaration reduces transparency and bypasses a potential security control that restricts the skill to only its necessary tools.

    Code Snippet:

    The YAML manifest in SKILL.md is missing the `allowed-tools` key.
    

    Remediation: Add allowed-tools: [Bash, Python] to the skill's YAML manifest to explicitly declare its required capabilities and improve the security posture.


[OK] container-cve-validator

  • Max Severity: MEDIUM

  • Findings: 1

  • Directory: /home/runner/work/agentic-collections/agentic-collections/rh-security-validation/skills/container-cve-validator

    [MEDIUM] Potential Credential Exposure via Login Command

    Severity: MEDIUM
    Category: data_exfiltration
    Rule ID: LLM_DATA_EXFILTRATION
    Location: SKILL.md

    Description: The skill instructs the agent to execute regctl registry login registry.redhat.io in response to an authentication error. Directing an agent to perform login operations is insecure as it may involve handling sensitive credentials, potentially exposing them to logging mechanisms or a compromised execution environment.

    Code Snippet:
    If the script fails with an authentication error, log in first:

    regctl registry login registry.redhat.io
    

    Then re-run. If login fails, stop and inform the user.

    Remediation: The skill should not perform login operations on behalf of the user. Instead, it should detect authentication failures and instruct the user to log in manually in their own secure terminal environment before re-running the skill.


[FAIL] image-inspect

  • Max Severity: HIGH

  • Findings: 3

  • Directory: /home/runner/work/agentic-collections/agentic-collections/rh-security-validation/skills/image-inspect

    [HIGH] Misleading Skill with Missing Core Logic

    Severity: HIGH
    Category: skill_discovery_abuse
    Rule ID: LLM_SKILL_DISCOVERY_ABUSE
    Location: SKILL.md

    Description: The skill's instructions in SKILL.md describe a detailed workflow that relies on executing multiple Python scripts (inspect_image.py, download_sbom.py, validate_input.py). However, these essential script files are not present in the skill package. This makes the skill non-functional and its description entirely deceptive. It creates a dangerous condition where the agent is instructed to execute non-existent code, which could become an arbitrary code execution vector if an attacker can supply malicious files at the expected path.

    Code Snippet:

    python $SCRIPTS_DIR/inspect_image.py [IMAGE_REFERENCE]
    python $SCRIPTS_DIR/download_sbom.py [IMAGE_REFERENCE]
    

    Remediation: The skill package must include all required executable scripts (inspect_image.py, download_sbom.py, validate_input.py) for it to be functional and safe. If the scripts are intended to be provided by the user or another source, this must be explicitly and clearly documented with strong warnings about the security implications of running untrusted code.

    [MEDIUM] Unsafe Directory Traversal to Locate Scripts

    Severity: MEDIUM
    Category: command_injection
    Rule ID: LLM_COMMAND_INJECTION
    Location: SKILL.md

    Description: The skill uses the command SCRIPTS_DIR="$(cd "$(dirname "$(dirname "$(pwd)")")" && pwd)/scripts" to locate its dependencies. This constitutes a path traversal vulnerability, as it attempts to navigate two directories above the current working directory. This breaks encapsulation and could be manipulated to point to a malicious scripts directory elsewhere on the filesystem, leading to arbitrary code execution.

    Code Snippet:

    SCRIPTS_DIR="$(cd "$(dirname "$(dirname "$(pwd)")")" && pwd)/scripts"
    

    Remediation: Scripts should be located using a safe, relative path within the skill's package, for example, by using a mechanism that resolves paths relative to the SKILL.md file without traversing upwards out of the skill's root directory.

    [MEDIUM] Ambiguous Tool Definition and Potential for Tool Shadowing

    Severity: MEDIUM
    Category: unauthorized_tool_use
    Rule ID: LLM_UNAUTHORIZED_TOOL_USE
    Location: SKILL.md

    Description: The skill's documentation is contradictory regarding its dependencies. The 'Workflow' section instructs the agent to run local Python scripts from a relative directory, while the 'Dependencies' section lists the same names as 'Required MCP Tools'. This ambiguity could be exploited to cause tool shadowing, where a local, untrusted script is executed instead of a trusted, sandboxed system tool with the same name.

    Code Snippet:

    The 'Workflow' section contains `python $SCRIPTS_DIR/inspect_image.py ...`, while the 'Dependencies' section lists 'Required MCP Tools: `inspect_image`'. This is a direct contradiction.
    

    Remediation: The skill must be clear and consistent about its dependencies. If it uses local scripts, it should declare Bash and Python in allowed-tools and not refer to them as MCP tools. If it uses MCP tools, it should not include instructions to execute local scripts.


Cross-Skill Findings

  • Findings: 3

    [MEDIUM] Multiple skills reference the same external domain

    Severity: MEDIUM
    Category: data_exfiltration
    Rule ID: CROSS_SKILL_SHARED_URL
    Location: (cross-skill analysis)

    Description: Domain 'security.access.redhat.com' is referenced by 2 skills: coreos-cve-validator, container-cve-validator. Multiple skills pointing to the same external resource may indicate coordinated C2 or exfiltration.

    Remediation: Review why multiple skills reference this domain and ensure it is a legitimate, trusted resource.

    [MEDIUM] Multiple skills reference the same external domain

    Severity: MEDIUM
    Category: data_exfiltration
    Rule ID: CROSS_SKILL_SHARED_URL
    Location: (cross-skill analysis)

    Description: Domain 'cveawg.mitre.org' is referenced by 3 skills: coreos-cve-validator, cve-recon, container-cve-validator. Multiple skills pointing to the same external resource may indicate coordinated C2 or exfiltration.

    Remediation: Review why multiple skills reference this domain and ensure it is a legitimate, trusted resource.

    [MEDIUM] Multiple skills reference the same external domain

    Severity: MEDIUM
    Category: data_exfiltration
    Rule ID: CROSS_SKILL_SHARED_URL
    Location: (cross-skill analysis)

    Description: Domain 'api.osv.dev' is referenced by 3 skills: coreos-cve-validator, cve-recon, container-cve-validator. Multiple skills pointing to the same external resource may indicate coordinated C2 or exfiltration.

    Remediation: Review why multiple skills reference this domain and ensure it is a legitimate, trusted resource.

📦 Download security reports | Workflow run

@p-rog

p-rog commented May 20, 2026

Copy link
Copy Markdown
Contributor Author

After discussion with @dmartinol we agreed to move all proposed skills to the ocp-admin pack.
In the last commit I moved everything to ocp-admin pack:
  - 4 skills → ocp-admin/skills/ (container-cve-validator, coreos-cve-validator, cve-recon, image-inspect)
  - 9 scripts → ocp-admin/scripts/security-validation/
  - SCRIPTS_DIR updated in all 4 SKILL.md files to point to scripts/security-validation

  Updated ocp-admin files:
  - CLAUDE.md — expanded persona, added 4 intent routing rows, 3 skill chaining workflows, helper scripts section, security prerequisites, 2 global rules
  - README.md — added security prerequisites, 4 skill descriptions, 2 sample workflows, updated architecture tree, key patterns, security model, and references
  - collection.yaml/json — added categories, personas, 4 skills, 4 decision guide entries, 2 sample workflows, 3 resources, 6 keywords

PTAL

@r2dedios r2dedios left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please take a look to the observations I commented in the PR.

Additionally, I think the scripts included are useful, but we should consider how to simplify the installation process of its dependencies (regctl, syft, cosign) for the final user, as they are a requirement for the scripts.

Appart of my comments.. Good job and really appreciated contribution! 🚀

Comment thread marketplace/rh-agentic-collection.yml Outdated
Comment thread ocp-admin/skills/coreos-cve-validator/SKILL.md Outdated
Comment thread ocp-admin/skills/cve-recon/SKILL.md Outdated
Comment thread ocp-admin/skills/image-inspect/SKILL.md Outdated
Comment thread ocp-admin/skills/container-cve-validator/SKILL.md Outdated
Comment thread ocp-admin/skills/image-inspect/SKILL.md Outdated
Comment thread ocp-admin/skills/coreos-cve-validator/SKILL.md Outdated

**Caching:** The `--cache-dir` flag stores the result per OCP version. When validating multiple CVEs against the same OCP version, the CoreOS RPM list is fetched once and reused from cache for all subsequent CVEs. Always pass the same cache dir for all scans in a session.

This fetches OCP release info via `oc adm release info`, extracts the `rhel-coreos` image pullspec, and runs `podman` to get the full RPM package list. It returns:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we replace this oc command by a MCP tool?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm... I can try. I would consider this a next improvement. OK?

@r2dedios r2dedios May 25, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, sounds fair but let's track this future improvement so we will not forget about it

Comment thread ocp-admin/scripts/security-validation/fetch_coreos_metadata.py
Comment thread ocp-admin/README.md
@p-rog

p-rog commented May 21, 2026

Copy link
Copy Markdown
Contributor Author

Please take a look to the observations I commented in the PR.

Additionally, I think the scripts included are useful, but we should consider how to simplify the installation process of its dependencies (regctl, syft, cosign) for the final user, as they are a requirement for the scripts.

Appart of my comments.. Good job and really appreciated contribution! 🚀

@r2dedios thanks for the review and suggestions. I've addressed everything. It should look much better now.

@p-rog p-rog changed the title add rh-security-validation pack — CVE validation for container images and OCP CoreOS add CVE validation for container images and OCP CoreOS skills with SBOM, VEX and CSAF usage to the ocp-admin pack May 21, 2026

@r2dedios r2dedios left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great Job @p-rog. The PR now looks much more better. Thanks a lot for your contribution! 🚀

@r2dedios r2dedios merged commit 362d14c into RHEcosystemAppEng:main May 25, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants