Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions marketplace/rh-agentic-collection.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,13 @@ modules:
- "openshift"
- "administration"
- "management"
- "security"
- "cve"
- "sbom"
- "vex"
- "coreos"
- "container-security"
- "vulnerability-management"

- name: "rh-developer"
description: "Plugins for building and deploying applications on Red Hat platforms."
Expand Down Expand Up @@ -97,3 +104,4 @@ modules:
- "governance"
- "troubleshooting"
- "execution"

86 changes: 80 additions & 6 deletions ocp-admin/.catalog/collection.json
Original file line number Diff line number Diff line change
Expand Up @@ -7,10 +7,13 @@
"Red Hat",
"Openshift",
"Administration",
"Management"
"Management",
"Security",
"Container Security",
"Vulnerability Management"
],
"contents": {
"description": "The pack provides three skills for cluster lifecycle and fleet visibility on OpenShift, using Assisted Installer and OCM APIs\nwhere applicable and read-only cluster APIs for consolidated reports.\n",
"description": "The pack provides seven skills for cluster lifecycle, fleet visibility, and security validation on OpenShift,\nusing Assisted Installer and OCM APIs for cluster management, read-only cluster APIs for consolidated reports,\nand Python helper scripts for CVE/SBOM/VEX-based security validation.\n",
"orchestration_skills": [],
"skills": [
{
Expand All @@ -27,6 +30,26 @@
"description": "Consolidated health report across kubeconfig contexts, skipping non-OpenShift contexts by default.",
"name": "cluster-report",
"summary_markdown": "Aggregate node, namespace, and workload signals across contexts that resolve to real OpenShift clusters.\n**Use when:**\n- \"Health report across clusters\"\n- \"Fleet summary from kubeconfig\"\n- \"Compare resource usage between contexts\"\n**What it does:**\n- Verifies each context is OpenShift before collecting metrics to avoid kube API errors.\n- Summarizes capacity, GPU presence, and pod health for operations review.\n"
},
{
"description": "Container image CVE validation using official SBOMs, Red Hat VEX data, and MITRE/OSV.dev metadata.",
"name": "container-cve-validator",
"summary_markdown": "Full CVE validation pipeline for Red Hat container images with SBOM attestation extraction, VEX matching,\nversion comparison, newer image scanning, and VEX data gap detection.\n**Use when:**\n- \"Is this CVE a real issue in my container image?\"\n- \"Validate RHSA against my image\"\n- \"Batch scan CVEs from a CSV file\"\n**What it does:**\n- Extracts official SBOMs, checks VEX product status, performs version comparison, and scans for patched images.\n"
},
{
"description": "CoreOS (RHCOS) CVE validation for specific OCP releases with RHEL EUS stream awareness.",
"name": "coreos-cve-validator",
"summary_markdown": "CVE validation for Red Hat Enterprise Linux CoreOS in specific OCP releases.\n**Use when:**\n- \"Does this CVE affect CoreOS in OCP 4.20?\"\n- \"Check CVE against RHCOS\"\n**What it does:**\n- Extracts RPM list from CoreOS images, validates against VEX with RHEL EUS CPE matching.\n"
},
{
"description": "CVE reconnaissance from MITRE, OSV.dev, and Go vulnerability database.",
"name": "cve-recon",
"summary_markdown": "Structured CVE metadata lookup with affected packages, version ranges, and CVSS scores.\n**Use when:**\n- \"What packages does this CVE affect?\"\n- \"Look up CVE details\"\n**What it does:**\n- Queries three data sources and returns merged results with cross-references.\n"
},
{
"description": "Container image metadata inspection with SBOM reference and registry ownership validation.",
"name": "image-inspect",
"summary_markdown": "Fetch image labels, validate registry ownership, resolve tag/digest via SBOM.\n**Use when:**\n- \"Inspect this container image\"\n- \"What SBOM does this image have?\"\n**What it does:**\n- Extracts labels, validates ownership, resolves SBOM artifact OCI reference.\n"
}
],
"skills_decision_guide": [
Expand All @@ -44,19 +67,45 @@
"reason": "Read-only aggregation after OpenShift context verification.",
"skill_to_use": "cluster-report",
"user_request": "\"Fleet health\" or \"multi-cluster report from kubeconfig\""
},
{
"reason": "Full validation pipeline using SBOM attestations, Red Hat VEX data, and newer image scanning.",
"skill_to_use": "container-cve-validator",
"user_request": "\"Validate CVE against container image\" or \"Is this CVE a false positive?\""
},
{
"reason": "Extracts CoreOS RPM list, validates against VEX with RHEL EUS stream awareness.",
"skill_to_use": "coreos-cve-validator",
"user_request": "\"Check CVE against CoreOS in OCP 4.20\" or \"Validate RHSA against RHCOS\""
},
{
"reason": "Quick CVE metadata lookup from MITRE, OSV.dev, and Go vulnerability database.",
"skill_to_use": "cve-recon",
"user_request": "\"What packages does this CVE affect?\" or \"Look up CVE details\""
},
{
"reason": "Fetches image labels, registry ownership, and SBOM artifact reference.",
"skill_to_use": "image-inspect",
"user_request": "\"Inspect this container image\" or \"What SBOM does this image have?\""
}
]
},
"deploy_and_use": "#deploy_and_use.md",
"description": "Automation capabilities for OpenShift Container Platform cluster management, workload orchestration, security policies, and operational tasks.",
"description": "Automation capabilities for OpenShift Container Platform cluster management, workload orchestration, security validation, and operational tasks including CVE validation for container images and CoreOS.",
"homepage": "https://github.com/RHEcosystemAppEng/agentic-collections",
"id": "openshift-administration",
"keywords": [
"openshift",
"assisted-installer",
"ocm",
"fleet",
"kubeconfig"
"kubeconfig",
"cve",
"sbom",
"vex",
"security",
"vulnerability",
"coreos"
],
"legal_resources": {
"license_agreement_url": "https://github.com/RHEcosystemAppEng/agentic-collections/blob/main/LICENSE",
Expand All @@ -71,7 +120,9 @@
"mcp_section": "#mcp_section.md",
"name": "Agentic skill pack for Red Hat OpenShift",
"personas": [
"OpenShift Administrator"
"OpenShift Administrator",
"Security Engineer",
"DevSecOps"
],
"provider": "Red Hat",
"repository": "https://github.com/RHEcosystemAppEng/agentic-collections",
Expand All @@ -85,6 +136,21 @@
"description": "Source repository for these packs, skills, and catalog metadata.",
"title": "agentic-collections repository",
"url": "https://github.com/RHEcosystemAppEng/agentic-collections"
},
{
"description": "Official Red Hat VEX/CSAF data, security advisories, and CVE information.",
"title": "Red Hat Security Data",
"url": "https://security.access.redhat.com/"
},
{
"description": "Authoritative CVE metadata source used for vulnerability reconnaissance.",
"title": "MITRE CVE API",
"url": "https://cveawg.mitre.org/"
},
{
"description": "Open Source Vulnerability database with cross-references to Go, PyPI, npm ecosystems.",
"title": "OSV.dev",
"url": "https://osv.dev/"
}
],
"sample_workflows": [
Expand All @@ -99,9 +165,17 @@
{
"name": "Multi-cluster health",
"workflow": "User: \"Summarize node and pod health for every OpenShift context in my kubeconfig\"\n- `/cluster-report` skips non-OpenShift contexts and aggregates signals for operators\n"
},
{
"name": "Container CVE validation",
"workflow": "User: \"Is CVE-2024-45490 a real issue in registry.redhat.io/ubi9/ubi:latest?\"\n- `/container-cve-validator` extracts SBOM, checks VEX, confirms true/false positive with remediation\n"
},
{
"name": "CoreOS vulnerability check",
"workflow": "User: \"Does CVE-2025-61726 affect CoreOS in OCP 4.20.16?\"\n- `/coreos-cve-validator` extracts RPMs, finds affected package, checks VEX under OCP and RHEL EUS CPEs\n"
}
],
"summary": "The ocp-admin collection covers Assisted Installer cluster creation, multi-cluster discovery across self-managed and managed\nOpenShift, and kubeconfig-backed fleet health reporting. Use CLAUDE.md intent routing to pick `/cluster-creator`,\n`/cluster-inventory`, or `/cluster-report`.\n",
"summary": "The ocp-admin collection covers Assisted Installer cluster creation, multi-cluster discovery across self-managed and managed\nOpenShift, kubeconfig-backed fleet health reporting, and security validation for Red Hat container images and CoreOS using\nofficial SBOMs and VEX data. Use CLAUDE.md intent routing to pick the right skill.\n",
"support_level": "Unknown",
"version": "0.1.0"
}
91 changes: 85 additions & 6 deletions ocp-admin/.catalog/collection.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -11,23 +11,29 @@ categories:
- Openshift
- Administration
- Management
- Security
- Container Security
- Vulnerability Management
personas:
- OpenShift Administrator
- Security Engineer
- DevSecOps
marketplaces:
- Claude Code
- Cursor
support_level: Unknown
maturity: GREEN
description: Automation capabilities for OpenShift Container Platform cluster management, workload orchestration, security
policies, and operational tasks.
description: Automation capabilities for OpenShift Container Platform cluster management, workload orchestration,
security validation, and operational tasks including CVE validation for container images and CoreOS.
summary: |
The ocp-admin collection covers Assisted Installer cluster creation, multi-cluster discovery across self-managed and managed
OpenShift, and kubeconfig-backed fleet health reporting. Use CLAUDE.md intent routing to pick `/cluster-creator`,
`/cluster-inventory`, or `/cluster-report`.
OpenShift, kubeconfig-backed fleet health reporting, and security validation for Red Hat container images and CoreOS using
official SBOMs and VEX data. Use CLAUDE.md intent routing to pick the right skill.
contents:
description: |
The pack provides three skills for cluster lifecycle and fleet visibility on OpenShift, using Assisted Installer and OCM APIs
where applicable and read-only cluster APIs for consolidated reports.
The pack provides seven skills for cluster lifecycle, fleet visibility, and security validation on OpenShift,
using Assisted Installer and OCM APIs for cluster management, read-only cluster APIs for consolidated reports,
and Python helper scripts for CVE/SBOM/VEX-based security validation.
skills:
- name: cluster-creator
description: End-to-end OpenShift cluster creation using Red Hat Assisted Installer (SNO and HA; bare metal, vSphere, OCI, Nutanix).
Expand Down Expand Up @@ -62,6 +68,44 @@ contents:
**What it does:**
- Verifies each context is OpenShift before collecting metrics to avoid kube API errors.
- Summarizes capacity, GPU presence, and pod health for operations review.
- name: container-cve-validator
description: Container image CVE validation using official SBOMs, Red Hat VEX data, and MITRE/OSV.dev metadata.
summary_markdown: |
Full CVE validation pipeline for Red Hat container images with SBOM attestation extraction, VEX matching,
version comparison, newer image scanning, and VEX data gap detection.
**Use when:**
- "Is this CVE a real issue in my container image?"
- "Validate RHSA against my image"
- "Batch scan CVEs from a CSV file"
**What it does:**
- Extracts official SBOMs, checks VEX product status, performs version comparison, and scans for patched images.
- name: coreos-cve-validator
description: CoreOS (RHCOS) CVE validation for specific OCP releases with RHEL EUS stream awareness.
summary_markdown: |
CVE validation for Red Hat Enterprise Linux CoreOS in specific OCP releases.
**Use when:**
- "Does this CVE affect CoreOS in OCP 4.20?"
- "Check CVE against RHCOS"
**What it does:**
- Extracts RPM list from CoreOS images, validates against VEX with RHEL EUS CPE matching.
- name: cve-recon
description: CVE reconnaissance from MITRE, OSV.dev, and Go vulnerability database.
summary_markdown: |
Structured CVE metadata lookup with affected packages, version ranges, and CVSS scores.
**Use when:**
- "What packages does this CVE affect?"
- "Look up CVE details"
**What it does:**
- Queries three data sources and returns merged results with cross-references.
- name: image-inspect
description: Container image metadata inspection with SBOM reference and registry ownership validation.
summary_markdown: |
Fetch image labels, validate registry ownership, resolve tag/digest via SBOM.
**Use when:**
- "Inspect this container image"
- "What SBOM does this image have?"
**What it does:**
- Extracts labels, validates ownership, resolves SBOM artifact OCI reference.
orchestration_skills: []
skills_decision_guide:
- user_request: '"Create cluster" or "install OpenShift with Assisted Installer"'
Expand All @@ -73,6 +117,18 @@ contents:
- user_request: '"Fleet health" or "multi-cluster report from kubeconfig"'
skill_to_use: cluster-report
reason: Read-only aggregation after OpenShift context verification.
- user_request: '"Validate CVE against container image" or "Is this CVE a false positive?"'
skill_to_use: container-cve-validator
reason: Full validation pipeline using SBOM attestations, Red Hat VEX data, and newer image scanning.
- user_request: '"Check CVE against CoreOS in OCP 4.20" or "Validate RHSA against RHCOS"'
skill_to_use: coreos-cve-validator
reason: Extracts CoreOS RPM list, validates against VEX with RHEL EUS stream awareness.
- user_request: '"What packages does this CVE affect?" or "Look up CVE details"'
skill_to_use: cve-recon
reason: Quick CVE metadata lookup from MITRE, OSV.dev, and Go vulnerability database.
- user_request: '"Inspect this container image" or "What SBOM does this image have?"'
skill_to_use: image-inspect
reason: Fetches image labels, registry ownership, and SBOM artifact reference.
mcp_section: '#mcp_section.md'
deploy_and_use: '#deploy_and_use.md'
sample_workflows:
Expand All @@ -89,13 +145,30 @@ sample_workflows:
workflow: |
User: "Summarize node and pod health for every OpenShift context in my kubeconfig"
- `/cluster-report` skips non-OpenShift contexts and aggregates signals for operators
- name: Container CVE validation
workflow: |
User: "Is CVE-2024-45490 a real issue in registry.redhat.io/ubi9/ubi:latest?"
- `/container-cve-validator` extracts SBOM, checks VEX, confirms true/false positive with remediation
- name: CoreOS vulnerability check
workflow: |
User: "Does CVE-2025-61726 affect CoreOS in OCP 4.20.16?"
- `/coreos-cve-validator` extracts RPMs, finds affected package, checks VEX under OCP and RHEL EUS CPEs
resources:
- title: OpenShift documentation
url: https://docs.redhat.com/en/documentation/openshift_container_platform/
description: Platform guides for administrators installing and operating OpenShift.
- title: agentic-collections repository
url: https://github.com/RHEcosystemAppEng/agentic-collections
description: Source repository for these packs, skills, and catalog metadata.
- title: Red Hat Security Data
url: https://security.access.redhat.com/
description: Official Red Hat VEX/CSAF data, security advisories, and CVE information.
- title: MITRE CVE API
url: https://cveawg.mitre.org/
description: Authoritative CVE metadata source used for vulnerability reconnaissance.
- title: OSV.dev
url: https://osv.dev/
description: Open Source Vulnerability database with cross-references to Go, PyPI, npm ecosystems.
legal_resources:
license_agreement_url: https://github.com/RHEcosystemAppEng/agentic-collections/blob/main/LICENSE
privacy_policy_url: https://www.redhat.com/en/about/privacy-policy
Expand All @@ -111,3 +184,9 @@ keywords:
- ocm
- fleet
- kubeconfig
- cve
- sbom
- vex
- security
- vulnerability
- coreos
Loading
Loading