Skill UI

This guide details how to implement comprehensive API security testing using the 42Crunch platform. It performs static audits of OpenAPI specifications (API Audit) and dynamic vulnerability scanning (Conformance Scan) against live APIs. Supports integration into CI/CD pipelines to proactively discover OWASP API Top 10 vulnerabilities, enabling a Shift-Left security approach.

Learn how to implement robust container security by integrating the open-source Trivy scanner (from Aqua Security) into your CI/CD pipelines. This guide covers scanning container images, Kubernetes manifests, IaC files, and code repositories to detect critical vulnerabilities, misconfigurations, secrets, and generating Software Bill of Materials (SBOM) for comprehensive supply chain security.

A comprehensive guide for integrating DevSecOps practices into CI/CD pipelines. It automates security testing by incorporating Static Application Security Testing (SAST), Dependency/IaC Scanning (SCA), Secrets Detection, and Dynamic Application Security Testing (DAST). Use this workflow to shift security left, enforce compliance, and establish security gates that block vulnerable deployments.

Learn how to integrate AFL++ (American Fuzzy Lop Plus Plus) into Continuous Integration/Continuous Deployment (CI/CD) pipelines. This guide details the process of using coverage-guided fuzzing to discover critical vulnerabilities, such as memory corruption, input handling flaws, and logic bugs, in compiled C/C++ applications that process untrusted input.

This guide details implementing robust container image provenance verification using Cosign, a Sigstore tool. It covers key-based and keyless (OIDC) signing methods, enabling secure supply chain practices. Users can sign images, attach critical attestations (such as SBOMs and vulnerability scans), and enforce verification in CI/CD pipelines and Kubernetes environments to ensure high integrity and trust.

This skill guides the implementation of automated security scanning for Infrastructure as Code (IaC) templates using industry-leading tools like Checkov and tfsec. It focuses on integrating security checks into CI/CD pipelines to detect misconfigurations (e.g., public buckets, open ports) in Terraform, CloudFormation, and Kubernetes manifests before they reach production, thereby enforcing policy-based governance and securing the development lifecycle.

This skill covers implementing Open Policy Agent (OPA) and Gatekeeper for robust policy-as-code enforcement. Learn to write complex Rego policies, deploy OPA Gatekeeper as a Kubernetes admission controller, and integrate policy evaluation into CI/CD pipelines to enforce security and compliance across clusters.

This skill guides the implementation of Gitleaks for robust secret scanning across development lifecycles. It covers setting up pre-commit hooks to prevent secrets from being committed, integrating scanning into CI/CD pipelines (like GitHub Actions), and writing custom regex rules to detect and remediate hardcoded credentials (API keys, passwords, tokens) in Git history, ensuring adherence to secure SDLC practices.

This skill guides the integration of gitleaks and trufflehog into CI/CD pipelines. It automates the detection of hardcoded secrets, such as API keys, passwords, and tokens, preventing their accidental deployment. By integrating scans as a mandatory pre-deployment gate, organizations enforce strong security policies and maintain compliance.

This skill guides the implementation of security chaos engineering experiments. It involves deliberately degrading or disabling security controls (like WAF, firewalls, or log pipelines) in a controlled environment to rigorously verify the detection, alerting, and response capabilities of the Security Operations Center (SOC). Users learn to use tools like boto3 and Python to simulate failure scenarios and assess system resilience and compliance posture.

Semgrep is an open-source static analysis tool used to find bugs, detect vulnerabilities, and enforce coding standards. This guide covers writing custom rules in YAML format to implement advanced SAST checks, such as detecting SQL injection, hardcoded secrets, or tracking tainted user input. It is essential for building robust DevSecOps pipelines and ensuring compliance.

In-toto is a CNCF standard project used to verify the integrity of software supply chains. It generates cryptographically signed attestations (link metadata) at every stage of the CI/CD pipeline, proving exactly what artifacts were produced and who authorized the process. This is crucial for securing container builds and ensuring compliance against tampering.