add CVE validation for container images and OCP CoreOS skills with SBOM, VEX and CSAF usage to the ocp-admin pack#103
Conversation
|
/skill-code-review |
|
/skill-security-scan |
🔄 Run #1 — 2026-05-20 11:29 UTC❌ Skill Security Scan📋 rh-security-validationAgent Skills Security Scan ReportTimestamp: 2026-05-20T11:21:54.614758+00:00 Summary
Findings by Severity
Skill Results[FAIL] coreos-cve-validator
[FAIL] cve-recon
[OK] container-cve-validator
[FAIL] image-inspect
Cross-Skill Findings
|
…e user pullsecret path, instead of checking hardcoded location
…ocp-admin skill pack
|
After discussion with @dmartinol we agreed to move all proposed skills to the Updated ocp-admin files: PTAL |
There was a problem hiding this comment.
Please take a look to the observations I commented in the PR.
Additionally, I think the scripts included are useful, but we should consider how to simplify the installation process of its dependencies (regctl, syft, cosign) for the final user, as they are a requirement for the scripts.
Appart of my comments.. Good job and really appreciated contribution! 🚀
|
|
||
| **Caching:** The `--cache-dir` flag stores the result per OCP version. When validating multiple CVEs against the same OCP version, the CoreOS RPM list is fetched once and reused from cache for all subsequent CVEs. Always pass the same cache dir for all scans in a session. | ||
|
|
||
| This fetches OCP release info via `oc adm release info`, extracts the `rhel-coreos` image pullspec, and runs `podman` to get the full RPM package list. It returns: |
There was a problem hiding this comment.
Can we replace this oc command by a MCP tool?
There was a problem hiding this comment.
Hmm... I can try. I would consider this a next improvement. OK?
There was a problem hiding this comment.
Ok, sounds fair but let's track this future improvement so we will not forget about it
@r2dedios thanks for the review and suggestions. I've addressed everything. It should look much better now. |
Summary
Adds a new skill pack for validating CVEs against Red Hat container images and OpenShift CoreOS using official SBOMs and VEX data.
Skills:
Why this matters: Security scanners generate noisy CVE reports full of false positives. These skills validate findings against official Red Hat security data — SPDX SBOM attestations and CSAF VEX files — to
confirm true positives, eliminate false alarms, and provide actionable remediation steps including layered product relationships.
What's included:
Pack(s) affected
rh-srerh-developerocp-adminrh-virtrh-ai-engineerChange type
mcps.json)CLAUDE.md compliance
${VAR}referencesValidation
make validatepasses locallyname,description)name,description)