diff --git a/marketplace/rh-agentic-collection.yml b/marketplace/rh-agentic-collection.yml index 9d8ebdb9..1c2569ee 100644 --- a/marketplace/rh-agentic-collection.yml +++ b/marketplace/rh-agentic-collection.yml @@ -14,6 +14,13 @@ modules: - "openshift" - "administration" - "management" + - "security" + - "cve" + - "sbom" + - "vex" + - "coreos" + - "container-security" + - "vulnerability-management" - name: "rh-developer" description: "Plugins for building and deploying applications on Red Hat platforms." @@ -97,3 +104,4 @@ modules: - "governance" - "troubleshooting" - "execution" + diff --git a/ocp-admin/.catalog/collection.json b/ocp-admin/.catalog/collection.json index 4c162bd8..9d076f75 100644 --- a/ocp-admin/.catalog/collection.json +++ b/ocp-admin/.catalog/collection.json @@ -7,10 +7,13 @@ "Red Hat", "Openshift", "Administration", - "Management" + "Management", + "Security", + "Container Security", + "Vulnerability Management" ], "contents": { - "description": "The pack provides three skills for cluster lifecycle and fleet visibility on OpenShift, using Assisted Installer and OCM APIs\nwhere applicable and read-only cluster APIs for consolidated reports.\n", + "description": "The pack provides seven skills for cluster lifecycle, fleet visibility, and security validation on OpenShift,\nusing Assisted Installer and OCM APIs for cluster management, read-only cluster APIs for consolidated reports,\nand Python helper scripts for CVE/SBOM/VEX-based security validation.\n", "orchestration_skills": [], "skills": [ { @@ -27,6 +30,26 @@ "description": "Consolidated health report across kubeconfig contexts, skipping non-OpenShift contexts by default.", "name": "cluster-report", "summary_markdown": "Aggregate node, namespace, and workload signals across contexts that resolve to real OpenShift clusters.\n**Use when:**\n- \"Health report across clusters\"\n- \"Fleet summary from kubeconfig\"\n- \"Compare resource usage between contexts\"\n**What it does:**\n- Verifies each context is OpenShift before collecting metrics to avoid kube API errors.\n- Summarizes capacity, GPU presence, and pod health for operations review.\n" + }, + { + "description": "Container image CVE validation using official SBOMs, Red Hat VEX data, and MITRE/OSV.dev metadata.", + "name": "container-cve-validator", + "summary_markdown": "Full CVE validation pipeline for Red Hat container images with SBOM attestation extraction, VEX matching,\nversion comparison, newer image scanning, and VEX data gap detection.\n**Use when:**\n- \"Is this CVE a real issue in my container image?\"\n- \"Validate RHSA against my image\"\n- \"Batch scan CVEs from a CSV file\"\n**What it does:**\n- Extracts official SBOMs, checks VEX product status, performs version comparison, and scans for patched images.\n" + }, + { + "description": "CoreOS (RHCOS) CVE validation for specific OCP releases with RHEL EUS stream awareness.", + "name": "coreos-cve-validator", + "summary_markdown": "CVE validation for Red Hat Enterprise Linux CoreOS in specific OCP releases.\n**Use when:**\n- \"Does this CVE affect CoreOS in OCP 4.20?\"\n- \"Check CVE against RHCOS\"\n**What it does:**\n- Extracts RPM list from CoreOS images, validates against VEX with RHEL EUS CPE matching.\n" + }, + { + "description": "CVE reconnaissance from MITRE, OSV.dev, and Go vulnerability database.", + "name": "cve-recon", + "summary_markdown": "Structured CVE metadata lookup with affected packages, version ranges, and CVSS scores.\n**Use when:**\n- \"What packages does this CVE affect?\"\n- \"Look up CVE details\"\n**What it does:**\n- Queries three data sources and returns merged results with cross-references.\n" + }, + { + "description": "Container image metadata inspection with SBOM reference and registry ownership validation.", + "name": "image-inspect", + "summary_markdown": "Fetch image labels, validate registry ownership, resolve tag/digest via SBOM.\n**Use when:**\n- \"Inspect this container image\"\n- \"What SBOM does this image have?\"\n**What it does:**\n- Extracts labels, validates ownership, resolves SBOM artifact OCI reference.\n" } ], "skills_decision_guide": [ @@ -44,11 +67,31 @@ "reason": "Read-only aggregation after OpenShift context verification.", "skill_to_use": "cluster-report", "user_request": "\"Fleet health\" or \"multi-cluster report from kubeconfig\"" + }, + { + "reason": "Full validation pipeline using SBOM attestations, Red Hat VEX data, and newer image scanning.", + "skill_to_use": "container-cve-validator", + "user_request": "\"Validate CVE against container image\" or \"Is this CVE a false positive?\"" + }, + { + "reason": "Extracts CoreOS RPM list, validates against VEX with RHEL EUS stream awareness.", + "skill_to_use": "coreos-cve-validator", + "user_request": "\"Check CVE against CoreOS in OCP 4.20\" or \"Validate RHSA against RHCOS\"" + }, + { + "reason": "Quick CVE metadata lookup from MITRE, OSV.dev, and Go vulnerability database.", + "skill_to_use": "cve-recon", + "user_request": "\"What packages does this CVE affect?\" or \"Look up CVE details\"" + }, + { + "reason": "Fetches image labels, registry ownership, and SBOM artifact reference.", + "skill_to_use": "image-inspect", + "user_request": "\"Inspect this container image\" or \"What SBOM does this image have?\"" } ] }, "deploy_and_use": "#deploy_and_use.md", - "description": "Automation capabilities for OpenShift Container Platform cluster management, workload orchestration, security policies, and operational tasks.", + "description": "Automation capabilities for OpenShift Container Platform cluster management, workload orchestration, security validation, and operational tasks including CVE validation for container images and CoreOS.", "homepage": "https://github.com/RHEcosystemAppEng/agentic-collections", "id": "openshift-administration", "keywords": [ @@ -56,7 +99,13 @@ "assisted-installer", "ocm", "fleet", - "kubeconfig" + "kubeconfig", + "cve", + "sbom", + "vex", + "security", + "vulnerability", + "coreos" ], "legal_resources": { "license_agreement_url": "https://github.com/RHEcosystemAppEng/agentic-collections/blob/main/LICENSE", @@ -71,7 +120,9 @@ "mcp_section": "#mcp_section.md", "name": "Agentic skill pack for Red Hat OpenShift", "personas": [ - "OpenShift Administrator" + "OpenShift Administrator", + "Security Engineer", + "DevSecOps" ], "provider": "Red Hat", "repository": "https://github.com/RHEcosystemAppEng/agentic-collections", @@ -85,6 +136,21 @@ "description": "Source repository for these packs, skills, and catalog metadata.", "title": "agentic-collections repository", "url": "https://github.com/RHEcosystemAppEng/agentic-collections" + }, + { + "description": "Official Red Hat VEX/CSAF data, security advisories, and CVE information.", + "title": "Red Hat Security Data", + "url": "https://security.access.redhat.com/" + }, + { + "description": "Authoritative CVE metadata source used for vulnerability reconnaissance.", + "title": "MITRE CVE API", + "url": "https://cveawg.mitre.org/" + }, + { + "description": "Open Source Vulnerability database with cross-references to Go, PyPI, npm ecosystems.", + "title": "OSV.dev", + "url": "https://osv.dev/" } ], "sample_workflows": [ @@ -99,9 +165,17 @@ { "name": "Multi-cluster health", "workflow": "User: \"Summarize node and pod health for every OpenShift context in my kubeconfig\"\n- `/cluster-report` skips non-OpenShift contexts and aggregates signals for operators\n" + }, + { + "name": "Container CVE validation", + "workflow": "User: \"Is CVE-2024-45490 a real issue in registry.redhat.io/ubi9/ubi:latest?\"\n- `/container-cve-validator` extracts SBOM, checks VEX, confirms true/false positive with remediation\n" + }, + { + "name": "CoreOS vulnerability check", + "workflow": "User: \"Does CVE-2025-61726 affect CoreOS in OCP 4.20.16?\"\n- `/coreos-cve-validator` extracts RPMs, finds affected package, checks VEX under OCP and RHEL EUS CPEs\n" } ], - "summary": "The ocp-admin collection covers Assisted Installer cluster creation, multi-cluster discovery across self-managed and managed\nOpenShift, and kubeconfig-backed fleet health reporting. Use CLAUDE.md intent routing to pick `/cluster-creator`,\n`/cluster-inventory`, or `/cluster-report`.\n", + "summary": "The ocp-admin collection covers Assisted Installer cluster creation, multi-cluster discovery across self-managed and managed\nOpenShift, kubeconfig-backed fleet health reporting, and security validation for Red Hat container images and CoreOS using\nofficial SBOMs and VEX data. Use CLAUDE.md intent routing to pick the right skill.\n", "support_level": "Unknown", "version": "0.1.0" } diff --git a/ocp-admin/.catalog/collection.yaml b/ocp-admin/.catalog/collection.yaml index 1be62b71..1cc9f06a 100644 --- a/ocp-admin/.catalog/collection.yaml +++ b/ocp-admin/.catalog/collection.yaml @@ -11,23 +11,29 @@ categories: - Openshift - Administration - Management +- Security +- Container Security +- Vulnerability Management personas: - OpenShift Administrator +- Security Engineer +- DevSecOps marketplaces: - Claude Code - Cursor support_level: Unknown maturity: GREEN -description: Automation capabilities for OpenShift Container Platform cluster management, workload orchestration, security - policies, and operational tasks. +description: Automation capabilities for OpenShift Container Platform cluster management, workload orchestration, + security validation, and operational tasks including CVE validation for container images and CoreOS. summary: | The ocp-admin collection covers Assisted Installer cluster creation, multi-cluster discovery across self-managed and managed - OpenShift, and kubeconfig-backed fleet health reporting. Use CLAUDE.md intent routing to pick `/cluster-creator`, - `/cluster-inventory`, or `/cluster-report`. + OpenShift, kubeconfig-backed fleet health reporting, and security validation for Red Hat container images and CoreOS using + official SBOMs and VEX data. Use CLAUDE.md intent routing to pick the right skill. contents: description: | - The pack provides three skills for cluster lifecycle and fleet visibility on OpenShift, using Assisted Installer and OCM APIs - where applicable and read-only cluster APIs for consolidated reports. + The pack provides seven skills for cluster lifecycle, fleet visibility, and security validation on OpenShift, + using Assisted Installer and OCM APIs for cluster management, read-only cluster APIs for consolidated reports, + and Python helper scripts for CVE/SBOM/VEX-based security validation. skills: - name: cluster-creator description: End-to-end OpenShift cluster creation using Red Hat Assisted Installer (SNO and HA; bare metal, vSphere, OCI, Nutanix). @@ -62,6 +68,44 @@ contents: **What it does:** - Verifies each context is OpenShift before collecting metrics to avoid kube API errors. - Summarizes capacity, GPU presence, and pod health for operations review. + - name: container-cve-validator + description: Container image CVE validation using official SBOMs, Red Hat VEX data, and MITRE/OSV.dev metadata. + summary_markdown: | + Full CVE validation pipeline for Red Hat container images with SBOM attestation extraction, VEX matching, + version comparison, newer image scanning, and VEX data gap detection. + **Use when:** + - "Is this CVE a real issue in my container image?" + - "Validate RHSA against my image" + - "Batch scan CVEs from a CSV file" + **What it does:** + - Extracts official SBOMs, checks VEX product status, performs version comparison, and scans for patched images. + - name: coreos-cve-validator + description: CoreOS (RHCOS) CVE validation for specific OCP releases with RHEL EUS stream awareness. + summary_markdown: | + CVE validation for Red Hat Enterprise Linux CoreOS in specific OCP releases. + **Use when:** + - "Does this CVE affect CoreOS in OCP 4.20?" + - "Check CVE against RHCOS" + **What it does:** + - Extracts RPM list from CoreOS images, validates against VEX with RHEL EUS CPE matching. + - name: cve-recon + description: CVE reconnaissance from MITRE, OSV.dev, and Go vulnerability database. + summary_markdown: | + Structured CVE metadata lookup with affected packages, version ranges, and CVSS scores. + **Use when:** + - "What packages does this CVE affect?" + - "Look up CVE details" + **What it does:** + - Queries three data sources and returns merged results with cross-references. + - name: image-inspect + description: Container image metadata inspection with SBOM reference and registry ownership validation. + summary_markdown: | + Fetch image labels, validate registry ownership, resolve tag/digest via SBOM. + **Use when:** + - "Inspect this container image" + - "What SBOM does this image have?" + **What it does:** + - Extracts labels, validates ownership, resolves SBOM artifact OCI reference. orchestration_skills: [] skills_decision_guide: - user_request: '"Create cluster" or "install OpenShift with Assisted Installer"' @@ -73,6 +117,18 @@ contents: - user_request: '"Fleet health" or "multi-cluster report from kubeconfig"' skill_to_use: cluster-report reason: Read-only aggregation after OpenShift context verification. + - user_request: '"Validate CVE against container image" or "Is this CVE a false positive?"' + skill_to_use: container-cve-validator + reason: Full validation pipeline using SBOM attestations, Red Hat VEX data, and newer image scanning. + - user_request: '"Check CVE against CoreOS in OCP 4.20" or "Validate RHSA against RHCOS"' + skill_to_use: coreos-cve-validator + reason: Extracts CoreOS RPM list, validates against VEX with RHEL EUS stream awareness. + - user_request: '"What packages does this CVE affect?" or "Look up CVE details"' + skill_to_use: cve-recon + reason: Quick CVE metadata lookup from MITRE, OSV.dev, and Go vulnerability database. + - user_request: '"Inspect this container image" or "What SBOM does this image have?"' + skill_to_use: image-inspect + reason: Fetches image labels, registry ownership, and SBOM artifact reference. mcp_section: '#mcp_section.md' deploy_and_use: '#deploy_and_use.md' sample_workflows: @@ -89,6 +145,14 @@ sample_workflows: workflow: | User: "Summarize node and pod health for every OpenShift context in my kubeconfig" - `/cluster-report` skips non-OpenShift contexts and aggregates signals for operators +- name: Container CVE validation + workflow: | + User: "Is CVE-2024-45490 a real issue in registry.redhat.io/ubi9/ubi:latest?" + - `/container-cve-validator` extracts SBOM, checks VEX, confirms true/false positive with remediation +- name: CoreOS vulnerability check + workflow: | + User: "Does CVE-2025-61726 affect CoreOS in OCP 4.20.16?" + - `/coreos-cve-validator` extracts RPMs, finds affected package, checks VEX under OCP and RHEL EUS CPEs resources: - title: OpenShift documentation url: https://docs.redhat.com/en/documentation/openshift_container_platform/ @@ -96,6 +160,15 @@ resources: - title: agentic-collections repository url: https://github.com/RHEcosystemAppEng/agentic-collections description: Source repository for these packs, skills, and catalog metadata. +- title: Red Hat Security Data + url: https://security.access.redhat.com/ + description: Official Red Hat VEX/CSAF data, security advisories, and CVE information. +- title: MITRE CVE API + url: https://cveawg.mitre.org/ + description: Authoritative CVE metadata source used for vulnerability reconnaissance. +- title: OSV.dev + url: https://osv.dev/ + description: Open Source Vulnerability database with cross-references to Go, PyPI, npm ecosystems. legal_resources: license_agreement_url: https://github.com/RHEcosystemAppEng/agentic-collections/blob/main/LICENSE privacy_policy_url: https://www.redhat.com/en/about/privacy-policy @@ -111,3 +184,9 @@ keywords: - ocm - fleet - kubeconfig +- cve +- sbom +- vex +- security +- vulnerability +- coreos diff --git a/ocp-admin/CLAUDE.md b/ocp-admin/CLAUDE.md index 29e7a1c8..22d9ecdb 100644 --- a/ocp-admin/CLAUDE.md +++ b/ocp-admin/CLAUDE.md @@ -1,10 +1,10 @@ # ocp-admin Plugin -You are an OpenShift administrator assistant. You help users create OpenShift clusters using Red Hat Assisted Installer, manage multi-cluster fleets, and monitor cluster health across self-managed (OCP, SNO) and managed service (ROSA, ARO, OSD) deployments. +You are an OpenShift administrator and security assistant. You help users create OpenShift clusters using Red Hat Assisted Installer, manage multi-cluster fleets, monitor cluster health across self-managed (OCP, SNO) and managed service (ROSA, ARO, OSD) deployments, and validate CVEs against Red Hat container images and OpenShift CoreOS using official SBOMs and VEX data. ## Skill-First Rule -ALWAYS use the appropriate skill for OpenShift cluster administration tasks. Do NOT call MCP tools (openshift-self-managed, openshift-ocm-managed, openshift-administration) directly — skills handle error recovery, multi-API coordination, credential safety, and user confirmations automatically. +ALWAYS use the appropriate skill for OpenShift cluster administration and security validation tasks. Do NOT call MCP tools (openshift-self-managed, openshift-ocm-managed, openshift-administration) or helper scripts directly — skills handle error recovery, multi-API coordination, credential safety, and user confirmations automatically. To invoke a skill, use the Skill tool with the skill name (e.g., `/cluster-creator`). @@ -17,6 +17,10 @@ Match the user's request to the correct skill: | Create cluster, install OpenShift, deploy SNO, deploy HA cluster, provision cluster, set up cluster | `/cluster-creator` | | List clusters, show cluster status, cluster details, cluster events, installation progress, cluster inventory | `/cluster-inventory` | | Health report, multi-cluster status, fleet summary, resource usage across clusters, cluster comparison | `/cluster-report` | +| Validate a CVE against a container image, check if image is affected, RHSA against an image | `/container-cve-validator` | +| Validate a CVE against CoreOS/RHCOS in a specific OCP version | `/coreos-cve-validator` | +| Look up CVE details, affected packages, version ranges, ecosystem info | `/cve-recon` | +| Inspect container image metadata, labels, SBOM reference, registry ownership | `/image-inspect` | If the request doesn't clearly match one skill, ask the user to clarify. @@ -26,6 +30,9 @@ Some workflows require multiple skills in sequence: - **New cluster deployment monitoring**: `/cluster-creator` → `/cluster-inventory` (check installation progress) → `/cluster-report` (verify health) - **Fleet health check**: `/cluster-inventory` (list all clusters) → `/cluster-report` (aggregate metrics) +- **Container image metadata audit then CVE validation**: `/image-inspect` (check metadata and SBOM) → `/container-cve-validator` (validate specific CVE) +- **CVE research then validate**: `/cve-recon` (look up CVE details) → `/container-cve-validator` or `/coreos-cve-validator` (validate against specific image or OCP version) +- **CoreOS security check**: `/coreos-cve-validator` (validate CVE against OCP release) — uses `oc` and `podman` for CoreOS RPM extraction After completing a skill, suggest relevant next-step skills to the user. @@ -37,6 +44,18 @@ Three MCP servers are available. Skills manage these automatically — do not ca - **openshift-ocm-managed** (Required for cluster-inventory) — OpenShift Cluster Manager API for managed service clusters (ROSA, ARO, OSD). Requires OFFLINE_TOKEN. - **openshift-administration** (Required for cluster-report) — Kubernetes/OpenShift cluster operations for multi-cluster management. Requires KUBECONFIG with cluster access. Read-only mode enforced. +## Helper Scripts (Security Validation) + +Security validation skills use Python helper scripts in `scripts/security-validation/` for deterministic data fetching from public APIs (Red Hat security APIs, MITRE CVE API, OSV.dev). Skills call these scripts via `python $SCRIPTS_DIR/