Skip to content

chore(security-scan): First version of the security scan workflow#75

Merged
dmartinol merged 8 commits into
RHEcosystemAppEng:mainfrom
r2dedios:skill-security-scanner
May 5, 2026
Merged

chore(security-scan): First version of the security scan workflow#75
dmartinol merged 8 commits into
RHEcosystemAppEng:mainfrom
r2dedios:skill-security-scanner

Conversation

@r2dedios

@r2dedios r2dedios commented May 5, 2026

Copy link
Copy Markdown
Contributor

Summary

Pack(s) affected

  • rh-sre
  • rh-developer
  • ocp-admin
  • rh-virt
  • rh-ai-engineer
  • Other / repo-wide

Change type

  • New skill
  • New agent
  • New pack
  • Update existing skill / agent
  • MCP server config (mcps.json)
  • Docs / README
  • CI / tooling

CLAUDE.md compliance

  • Agents orchestrate skills; no direct MCP/tool calls in agents
  • Skills are single-purpose task executors
  • Skills encapsulate all tool access (MCP tools invoked only inside skills)
  • Document consultation: file is read with the Read tool, then declared to the user
  • No credentials hardcoded; env vars used via ${VAR} references
  • Human-in-the-loop confirmation added for any destructive or critical operations

Validation

  • make validate passes locally
  • New/changed skills have valid YAML frontmatter (name, description)
  • New/changed agents have valid YAML frontmatter (name, description)

@r2dedios r2dedios self-assigned this May 5, 2026
@r2dedios r2dedios added the enhancement New feature or request label May 5, 2026
@r2dedios r2dedios force-pushed the skill-security-scanner branch 2 times, most recently from cb3f01b to bca5af5 Compare May 5, 2026 13:53
@r2dedios r2dedios linked an issue May 5, 2026 that may be closed by this pull request

@dmartinol dmartinol left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

});
}

- name: Check scan results

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

beware that we run the full scan of all the pack, including skills that may not be updated by the PR. For now I would just warn the user instead, so the reviewer can take decisions.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a step called "Detect changed packs" to only evaluate the agentic packs that were updated in the target PR, so we are saving time and LLM usage

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we change it to "detect skills" instead?

@r2dedios r2dedios requested a review from dmartinol May 5, 2026 14:26
r2dedios added 7 commits May 5, 2026 17:35
… usage

Signed-off-by: r2dedios <alex.ansi.c@gmail.com>
Signed-off-by: r2dedios <alex.ansi.c@gmail.com>
Signed-off-by: r2dedios <alex.ansi.c@gmail.com>
…on when PR comes from a Fork repo

Signed-off-by: r2dedios <alex.ansi.c@gmail.com>
Signed-off-by: r2dedios <alex.ansi.c@gmail.com>
are two or more modified packages

Signed-off-by: r2dedios <alex.ansi.c@gmail.com>
@r2dedios r2dedios force-pushed the skill-security-scanner branch from 2654afe to 2477fdb Compare May 5, 2026 15:38
Signed-off-by: r2dedios <alex.ansi.c@gmail.com>

@dmartinol dmartinol left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! /lgtm

@dmartinol dmartinol merged commit 3564911 into RHEcosystemAppEng:main May 5, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Address security scanner findings in ocp-admin and rh-virt skills

2 participants