chore: git cache cleanup

.github/skills/security-verify-sbom.SKILL.md

@@ -0,0 +1,317 @@
+````markdown
+---
+# agentskills.io specification v1.0
+name: "security-verify-sbom"
+version: "1.0.0"
+description: "Verify SBOM completeness, scan for vulnerabilities, and perform semantic diff analysis"
+author: "Charon Project"
+license: "MIT"
+tags:
+  - "security"
+  - "sbom"
+  - "verification"
+  - "supply-chain"
+  - "vulnerability-scanning"
+compatibility:
+  os:
+    - "linux"
+    - "darwin"
+  shells:
+    - "bash"
+requirements:
+  - name: "syft"
+    version: ">=1.17.0"
+    optional: false
+    install_url: "https://github.com/anchore/syft"
+  - name: "grype"
+    version: ">=0.85.0"
+    optional: false
+    install_url: "https://github.com/anchore/grype"
+  - name: "jq"
+    version: ">=1.6"
+    optional: false
+environment_variables:
+  - name: "SBOM_FORMAT"
+    description: "SBOM format (spdx-json, cyclonedx-json)"
+    default: "spdx-json"
+    required: false
+  - name: "VULN_SCAN_ENABLED"
+    description: "Enable vulnerability scanning"
+    default: "true"
+    required: false
+parameters:
+  - name: "target"
+    type: "string"
+    description: "Docker image or file path"
+    required: true
+    validation: "^[a-zA-Z0-9:/@._-]+$"
+  - name: "baseline"
+    type: "string"
+    description: "Baseline SBOM file path for comparison"
+    required: false
+    default: ""
+  - name: "vuln_scan"
+    type: "boolean"
+    description: "Run vulnerability scan"
+    required: false
+    default: true
+outputs:
+  - name: "sbom_file"
+    type: "file"
+    description: "Generated SBOM in SPDX JSON format"
+  - name: "scan_results"
+    type: "stdout"
+    description: "Verification results and vulnerability counts"
+  - name: "exit_code"
+    type: "number"
+    description: "0 if no critical issues, 1 if critical vulnerabilities found, 2 if validation failed"
+metadata:
+  category: "security"
+  subcategory: "supply-chain"
+  execution_time: "medium"
+  risk_level: "low"
+  ci_cd_safe: true
+  requires_network: true
+  idempotent: true
+exit_codes:
+  0: "Verification successful"
+  1: "Verification failed or critical vulnerabilities found"
+  2: "Missing dependencies or invalid parameters"
+---
+
+# Security: Verify SBOM
+
+Verify Software Bill of Materials (SBOM) completeness, scan for vulnerabilities, and perform semantic diff analysis.
+
+## Overview
+
+This skill generates an SBOM for Docker images or local files, compares it with a baseline (if provided), scans for known vulnerabilities using Grype, and reports any critical security issues. It supports both online vulnerability scanning and air-gapped operation modes.
+
+## Features
+
+- Generate SBOM in SPDX format (standardized)
+- Compare with baseline SBOM (semantic diff)
+- Scan for vulnerabilities (Critical/High/Medium/Low)
+- Validate SBOM structure and completeness
+- Support Docker images and local files
+- Air-gapped operation support (skip vulnerability scanning)
+- Detect added/removed packages between builds
+
+## Prerequisites
+
+- Syft 1.17.0 or higher (for SBOM generation)
+- Grype 0.85.0 or higher (for vulnerability scanning)
+- jq 1.6 or higher (for JSON processing)
+- Internet connection (for vulnerability database updates, unless air-gapped mode)
+- Docker (if scanning container images)
+
+## Usage
+
+### Basic Verification
+
+Run with default settings (generate SBOM + scan vulnerabilities):
+
+```bash
+cd /path/to/charon
+.github/skills/scripts/skill-runner.sh security-verify-sbom ghcr.io/user/charon:latest
+```
+
+### Verify Docker Image with Baseline Comparison
+
+Compare current SBOM against a known baseline:
+
+```bash
+.github/skills/scripts/skill-runner.sh security-verify-sbom \
+  charon:local sbom-baseline.json
+```
+
+### Air-Gapped Mode (No Vulnerability Scan)
+
+Verify SBOM structure only, without network access:
+
+```bash
+VULN_SCAN_ENABLED=false .github/skills/scripts/skill-runner.sh \
+  security-verify-sbom charon:local
+```
+
+### Custom SBOM Format
+
+Generate SBOM in CycloneDX format:
+
+```bash
+SBOM_FORMAT=cyclonedx-json .github/skills/scripts/skill-runner.sh \
+  security-verify-sbom charon:local
+```
+
+## Parameters
+
+| Parameter | Type | Required | Default | Description |
+|-----------|------|----------|---------|-------------|
+| target    | string | Yes    | -       | Docker image tag or local image name |
+| baseline  | string | No     | ""      | Path to baseline SBOM for comparison |
+| vuln_scan | boolean | No    | true    | Run vulnerability scan (set VULN_SCAN_ENABLED=false to disable) |
+
+## Environment Variables
+
+| Variable | Required | Default | Description |
+|----------|----------|---------|-------------|
+| SBOM_FORMAT | No | spdx-json | SBOM format (spdx-json or cyclonedx-json) |
+| VULN_SCAN_ENABLED | No | true | Enable vulnerability scanning (set to false for air-gapped) |
+
+## Outputs
+
+- **Success Exit Code**: 0 (no critical issues found)
+- **Error Exit Codes**:
+  - 1: Critical vulnerabilities found or verification failed
+  - 2: Missing dependencies or invalid parameters
+- **Generated Files**:
+  - `sbom-generated.json`: Generated SBOM file
+  - `vuln-results.json`: Vulnerability scan results (if enabled)
+- **Output**: Verification summary to stdout
+
+## Examples
+
+### Example 1: Verify Local Docker Image
+
+```bash
+$ .github/skills/scripts/skill-runner.sh security-verify-sbom charon:test
+[INFO] Generating SBOM for charon:test...
+[SBOM] Generated SBOM contains 247 packages
+[INFO] Scanning for vulnerabilities...
+[VULN] Found: 0 Critical, 2 High, 15 Medium, 42 Low
+[INFO] High vulnerabilities:
+  - CVE-2023-12345 in golang.org/x/crypto (CVSS: 7.5)
+  - CVE-2024-67890 in github.com/example/lib (CVSS: 8.2)
+[SUCCESS] Verification complete - review High severity vulnerabilities
+```
+
+### Example 2: With Baseline Comparison
+
+```bash
+$ .github/skills/scripts/skill-runner.sh security-verify-sbom \
+  charon:latest sbom-baseline.json
+[INFO] Generating SBOM for charon:latest...
+[SBOM] Generated SBOM contains 247 packages
+[INFO] Comparing with baseline...
+[BASELINE] Baseline: 245 packages, Current: 247 packages
+[BASELINE] Delta: +2 packages (0.8% increase)
+[BASELINE] Added packages:
+  - golang.org/x/crypto@v0.30.0
+  - github.com/pkg/errors@v0.9.1
+[BASELINE] Removed packages: (none)
+[INFO] Scanning for vulnerabilities...
+[VULN] Found: 0 Critical, 0 High, 5 Medium, 20 Low
+[SUCCESS] Verification complete (0.8% variance from baseline)
+```
+
+### Example 3: Air-Gapped Mode
+
+```bash
+$ VULN_SCAN_ENABLED=false .github/skills/scripts/skill-runner.sh \
+  security-verify-sbom charon:local
+[INFO] Generating SBOM for charon:local...
+[SBOM] Generated SBOM contains 247 packages
+[INFO] Vulnerability scanning disabled (air-gapped mode)
+[SUCCESS] SBOM generation complete
+```
+
+### Example 4: CI/CD Pipeline Integration
+
+```yaml
+# GitHub Actions example
+- name: Verify SBOM
+  run: |
+    .github/skills/scripts/skill-runner.sh \
+      security-verify-sbom ghcr.io/${{ github.repository }}:${{ github.sha }}
+  continue-on-error: false
+```
+
+## Semantic Diff Analysis
+
+When a baseline SBOM is provided, the skill performs semantic comparison:
+
+1. **Package Count Comparison**: Reports total package delta
+2. **Added Packages**: Lists new dependencies with versions
+3. **Removed Packages**: Lists removed dependencies
+4. **Variance Percentage**: Calculates percentage change
+5. **Threshold Check**: Warns if variance exceeds 5%
+
+## Vulnerability Severity Thresholds
+
+**Project Standards**:
+- **CRITICAL**: Must fix before release (blocking) - **Script exits with code 1**
+- **HIGH**: Should fix before release (warning) - **Script continues but logs warning**
+- **MEDIUM**: Fix in next release cycle (informational)
+- **LOW**: Optional, fix as time permits
+
+## Error Handling
+
+### Common Issues
+
+**Syft not installed**:
+```bash
+Error: syft command not found
+Solution: Install Syft from https://github.com/anchore/syft
+```
+
+**Grype not installed**:
+```bash
+Error: grype command not found
+Solution: Install Grype from https://github.com/anchore/grype
+```
+
+**Docker image not found**:
+```bash
+Error: Unable to find image 'charon:test' locally
+Solution: Build the image or pull from registry
+```
+
+**Invalid baseline SBOM**:
+```bash
+Error: Baseline SBOM file not found: sbom-baseline.json
+Solution: Verify the file path or omit baseline parameter
+```
+
+**Network timeout (vulnerability scan)**:
+```bash
+Warning: Failed to update vulnerability database
+Solution: Check internet connection or use air-gapped mode (VULN_SCAN_ENABLED=false)
+```
+
+## Exit Codes
+
+- **0**: Verification successful, no critical vulnerabilities
+- **1**: Critical vulnerabilities found or verification failed
+- **2**: Missing dependencies or invalid parameters
+
+## Related Skills
+
+- [security-sign-cosign](./security-sign-cosign.SKILL.md) - Sign artifacts with Cosign
+- [security-slsa-provenance](./security-slsa-provenance.SKILL.md) - Generate SLSA provenance
+- [security-scan-trivy](./security-scan-trivy.SKILL.md) - Alternative vulnerability scanner
+
+## Notes
+
+- SBOM generation requires read access to Docker images
+- Vulnerability database is updated automatically by Grype
+- Baseline comparison is optional but recommended for drift detection
+- Critical vulnerabilities will cause the script to exit with code 1
+- High vulnerabilities generate warnings but don't block execution
+- Use air-gapped mode when network access is unavailable
+- SPDX format is standardized and recommended over CycloneDX
+
+## Security Considerations
+
+- Never commit SBOM files containing sensitive information
+- Review all High and Critical vulnerabilities before deployment
+- Baseline drift >5% should trigger manual review
+- Air-gapped mode skips vulnerability scanning - use with caution
+- SBOM files can reveal internal architecture - protect accordingly
+
+---
+
+**Last Updated**: 2026-01-10
+**Maintained by**: Charon Project
+**Source**: Syft (SBOM generation) + Grype (vulnerability scanning)
+
+````