Install
Quick install
npx skills add https://github.com/microsoft/hve-core/tree/HEAD/.github/skills/securitynpx skills add microsoft/hve-core --skill owasp-cicd --agent claude-codenpx skills add microsoft/hve-core --skill owasp-cicd --agent cursornpx skills add microsoft/hve-core --skill owasp-cicd --agent codexnpx skills add microsoft/hve-core --skill owasp-cicd --agent opencodenpx skills add microsoft/hve-core --skill owasp-cicd --agent github-copilotnpx skills add microsoft/hve-core --skill owasp-cicd --agent windsurfMore install options
Shorthand — useful for multi-skill repos:
npx skills add microsoft/hve-core --skill owasp-cicdManual — clone the repo and drop the folder into your agent's skills directory:
git clone https://github.com/microsoft/hve-core.gitcp -r hve-core/.github/skills/security ~/.claude/skills/owasp-cicd
OWASP CI/CD Top 10 vulnerability knowledge base for identifying, assessing, and remediating security risks in continuous integration and continuous delivery…
owasp-cicdby microsoft
OWASP CI/CD Top 10 vulnerability knowledge base for identifying, assessing, and remediating security risks in continuous integration and continuous delivery…npx skills add https://github.com/microsoft/hve-core --skill owasp-cicdDownload ZIPGitHub
OWASP® CI/CD Top 10 — Skill Entry
This SKILL.md is the entrypoint for the OWASP CI/CD Top 10 skill.
The skill encodes the OWASP Top 10 CI/CD Security Risks as structured, machine-readable references
that an agent can query to identify, assess, and remediate CI/CD pipeline security risks.
Normative references (CI/CD Top 10)
- 00 Vulnerability Index
- 01 Insufficient Flow Control Mechanisms
- 02 Inadequate Identity and Access Management
- 03 Dependency Chain Abuse
- 04 Poisoned Pipeline Execution
- 05 Insufficient PBAC
- 06 Insufficient Credential Hygiene
- 07 Insecure System Configuration
- 08 Ungoverned Usage of 3rd Party Services
- 09 Improper Artifact Integrity Validation
- 10 Insufficient Logging and Visibility
Skill layout
SKILL.md— this file (skill entrypoint).
references/— the CI/CD Top 10 normative documents.
00-vulnerability-index.md— index of all vulnerability identifiers, categories, and cross-references.
01through10— one document per vulnerability aligned with OWASP CI/CD Security numbering.
Third-Party Attribution
Copyright © OWASP Foundation.
OWASP® Top 10 CI/CD Security Risks content is derived from works by the
OWASP Foundation, licensed under CC BY-SA 4.0
(https://creativecommons.org/licenses/by-sa/4.0/).
Source: https://owasp.org/www-project-top-10-ci-cd-security-risks/
Modifications: Vulnerability descriptions restructured into agent-consumable reference
documents with added detection and remediation guidance.
OWASP® is a registered trademark of the OWASP Foundation. Use does not imply endorsement.
🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.
More skills from microsoft
oss-growthby microsoftOSS growth hacker personapr-description-skillby microsoftTrigger this skill on any of the following intents:python-architectureby microsoftPython architect personasupply-chain-securityby microsoftSupply chain security expert personaskill-nameby microsoftDescription of what the skill does and when to use itwork-iterationsby microsoftList, create, and assign iterations for Azure DevOps projects and teams.djangoby microsoftBest practices for Django web development including models, views, templates, and testing.flaskby microsoftBest practices for Flask web development including routing, blueprints, and testing.---
Source: https://github.com/microsoft/hve-core/tree/HEAD/.github/skills/security/owasp-cicd
Author: microsoft
Discovered via: mcpservers.org
SKILL.md source
--- name: owasp-cicd description: OWASP CI/CD Top 10 vulnerability knowledge base for identifying, assessing, and remediating security risks in continuous integration and continuous delivery… --- # owasp-cicd OWASP CI/CD Top 10 vulnerability knowledge base for identifying, assessing, and remediating security risks in continuous integration and continuous delivery… # owasp-cicdby microsoft OWASP CI/CD Top 10 vulnerability knowledge base for identifying, assessing, and remediating security risks in continuous integration and continuous delivery… `npx skills add https://github.com/microsoft/hve-core --skill owasp-cicd`Download ZIPGitHub ## OWASP® CI/CD Top 10 — Skill Entry This `SKILL.md` is the entrypoint for the OWASP CI/CD Top 10 skill. The skill encodes the OWASP Top 10 CI/CD Security Risks as structured, machine-readable references that an agent can query to identify, assess, and remediate CI/CD pipeline security risks. ## Normative references (CI/CD Top 10) * 00 Vulnerability Index * 01 Insufficient Flow Control Mechanisms * 02 Inadequate Identity and Access Management * 03 Dependency Chain Abuse * 04 Poisoned Pipeline Execution * 05 Insufficient PBAC * 06 Insufficient Credential Hygiene * 07 Insecure System Configuration * 08 Ungoverned Usage of 3rd Party Services * 09 Improper Artifact Integrity Validation * 10 Insufficient Logging and Visibility ## Skill layout * `SKILL.md` — this file (skill entrypoint). * `references/` — the CI/CD Top 10 normative documents. * `00-vulnerability-index.md` — index of all vulnerability identifiers, categories, and cross-references. * `01` through `10` — one document per vulnerability aligned with OWASP CI/CD Security numbering. ## Third-Party Attribution Copyright © OWASP Foundation. OWASP® Top 10 CI/CD Security Risks content is derived from works by the OWASP Foundation, licensed under CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0/). Source: https://owasp.org/www-project-top-10-ci-cd-security-risks/ Modifications: Vulnerability descriptions restructured into agent-consumable reference documents with added detection and remediation guidance. OWASP® is a registered trademark of the OWASP Foundation. Use does not imply endorsement. 🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers. ## More skills from microsoft oss-growthby microsoftOSS growth hacker personapr-description-skillby microsoftTrigger this skill on any of the following intents:python-architectureby microsoftPython architect personasupply-chain-securityby microsoftSupply chain security expert personaskill-nameby microsoftDescription of what the skill does and when to use itwork-iterationsby microsoftList, create, and assign iterations for Azure DevOps projects and teams.djangoby microsoftBest practices for Django web development including models, views, templates, and testing.flaskby microsoftBest practices for Flask web development including routing, blueprints, and testing. --- **Source**: https://github.com/microsoft/hve-core/tree/HEAD/.github/skills/security/owasp-cicd **Author**: microsoft **Discovered via**: mcpservers.org
Related skills 6
azure-validate
Pre-deployment validation for Azure readiness. Run deep checks on configuration, infrastructure (Bicep or Terraform), RBAC role assignments, managed identity permissions, and prerequisites before deploying. WHEN: validate my app, check deployment readiness, run preflight checks, verify configuration, check if ready to deploy, validate azure.yaml, validate Bicep, test before deploying, troubleshoot deployment errors, validate Azure Functions, validate function app, validate serverless deployme...
entra-app-registration
Guides Microsoft Entra ID app registration, OAuth 2.0 authentication, and MSAL integration. USE FOR: create app registration, register Azure AD app, configure OAuth, set up authentication, add API permissions, generate service principal, MSAL example, console app auth, Entra ID setup, Azure AD authentication. DO NOT USE FOR: Azure RBAC or role assignments (use azure-rbac), Key Vault secrets (use azure-keyvault-expiration-audit), general Azure resource security guidance.
azure-rbac
Helps users find the right Azure RBAC role for an identity with least privilege access, then generate CLI commands and Bicep code to assign it. Also provides guidance on permissions required to grant roles. WHEN: bicep for role assignment, what role should I assign, least privilege role, RBAC role for, role to read blobs, role for managed identity, custom role definition, assign role to identity, what role do I need to grant access, permissions to assign roles.
azure-compliance
Run Azure compliance and security audits with azqr plus Key Vault expiration checks. Covers best-practice assessment, resource review, policy/compliance validation, and security posture checks. WHEN: compliance scan, security audit, BEFORE running azqr (compliance cli tool), Azure best practices, Key Vault expiration check, expired certificates, expiring secrets, orphaned resources, compliance assessment.
azure-enterprise-infra-planner
Architect and provision enterprise Azure infrastructure from workload descriptions. For cloud architects and platform engineers planning networking, identity, security, compliance, and multi-resource topologies with WAF alignment. Generates Bicep or Terraform directly (no azd). WHEN: 'plan Azure infrastructure', 'architect Azure landing zone', 'design hub-spoke network', 'plan multi-region DR topology', 'set up VNets firewalls and private endpoints', 'subscription-scope Bicep deployment', 'Az...
azure-kubernetes
Plan, create, and configure production-ready Azure Kubernetes Service (AKS) clusters. Covers Day-0 checklist, SKU selection (Automatic vs Standard), networking options (private API server, Azure CNI Overlay, egress configuration), security, and operations (autoscaling, upgrade strategy, cost analysis). WHEN: create AKS environment, provision AKS environment, enable AKS observability, design AKS networking, choose AKS SKU, secure AKS, optimize AKS, rightsize AKS pod, AKS spot nodes, AKS cluste...