feat(skill): introduce owasp-docker

[JasonTheDeveloper]

Pull Request

Description

In alignment with phase 2 discussed in #480 (comment), this PR introduces the OWASP Docker Top 6 (not top 10 because the source material only contains 6 items) skill to hve-core and the security reviewer agent.

Related Issue(s)

Closes #1242

Type of Change

Select all that apply:

Code & Documentation:

• Bug fix (non-breaking change fixing an issue)
• New feature (non-breaking change adding functionality)
• Breaking change (fix or feature causing existing functionality to change)
• Documentation update

Infrastructure & Configuration:

• GitHub Actions workflow
• Linting configuration (markdown, PowerShell, etc.)
• Security configuration
• DevContainer configuration
• Dependency update

AI Artifacts:

• Reviewed contribution with prompt-builder agent and addressed all feedback
• Copilot instructions (.github/instructions/*.instructions.md)
• Copilot prompt (.github/prompts/*.prompt.md)
• Copilot agent (.github/agents/*.agent.md)
• Copilot skill (.github/skills/*/SKILL.md)

Note for AI Artifact Contributors:

• Agents: Research, indexing/referencing other project (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review .github/agents/ before creating new ones.
• Skills: Must include both bash and PowerShell scripts. See Skills.
• Model Versions: Only contributions targeting the latest Anthropic and OpenAI models will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected.
• See Agents Not Accepted and Model Version Requirements.

Other:

• Script/automation (.ps1, .sh, .py)
• Other (please describe):

Testing

To be able to test the owasp-docker skill using the security reviewer agent you will need a repository containing a Dockerfile.

1. Either select the Security Reviewer agent or invoke the agent via the /security-revew instruction
2. Use the following prompt analyse the code and produce a vulnerability report
   • If you are testing to see if the codebase-profiler.agent.md picks up that the repository contains docker configurations and thus uses the owasp-docker skill then that's all you need.
   • If you only want to test the owasp-docker is used, in your prompt add targetSkill=owasp-docker

You should see in the output report the owasp-docker skill being referenced and used.

Checklist

Required Checks

• Documentation is updated (if applicable)
• Files follow existing naming conventions
• Changes are backwards compatible (if applicable)
• Tests added for new functionality (if applicable)

AI Artifact Contributions

• Used /prompt-analyze to review contribution
• Addressed all feedback from prompt-builder review
• Verified contribution follows common standards and type-specific requirements

Required Automated Checks

The following validation commands must pass before merging:

• Markdown linting: npm run lint:md
• Spell checking: npm run spell-check
• Frontmatter validation: npm run lint:frontmatter
• Skill structure validation: npm run validate:skills
• Link validation: npm run lint:md-links
• PowerShell analysis: npm run lint:ps
• Plugin freshness: npm run plugin:generate

Security Considerations

• This PR does not contain any sensitive or NDA information
• Any new dependencies have been reviewed for security issues
• Security-related scripts follow the principle of least privilege

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.71%. Comparing base (8722d8f) to head (d2e828a).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1245      +/-   ##
==========================================
- Coverage   87.72%   87.71%   -0.02%     
==========================================
  Files          61       61              
  Lines        9320     9320              
==========================================
- Hits         8176     8175       -1     
- Misses       1144     1145       +1     

Flag	Coverage Δ
pester	85.31% <ø> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 1 file with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[JasonTheDeveloper]

I ran the owasp-docker skill and here are the results:

---

OWASP Security Assessment Report

Date: 2026-04-01
Repository: hve-core
Agent: Security Reviewer
Skills applied: owasp-docker

Caution

This prompt is an assistive tool only and does not replace professional security tooling (SAST, DAST, SCA, penetration testing, compliance scanners) or qualified human review. All AI-generated vulnerability findings must be reviewed and validated by qualified security professionals before use. AI outputs may contain inaccuracies, miss critical threats, or produce recommendations that are incomplete or inappropriate for your environment.

---

Executive Summary

The OWASP Docker Top 6 assessment of hve-core evaluated six controls against the repository's devcontainer configuration. Two controls received PARTIAL status at LOW severity: DKR02 (floating base-image tag with no Dependabot docker ecosystem entry) was CONFIRMED, and DKR04 (missing runArgs hardening) was DOWNGRADED given the non-root user and development-only context. One control passed outright, and three were not assessable because the repository contains no production container deployments. Overall risk posture is acceptable for a documentation and tooling repository, with two defense-in-depth improvements recommended.

Summary Counts

Status	Count
PASS	1
FAIL	0
PARTIAL	2
NOT_ASSESSED	3
Total	6

Severity Breakdown (FAIL + PARTIAL only)

Severity	Count
CRITICAL	0
HIGH	0
MEDIUM	0
LOW	2

Verification Summary

Verdict	Count
CONFIRMED	1
DISPROVED	0
DOWNGRADED	1
UNCHANGED	4

---

Findings by Framework

owasp-docker

ID	Title	Status	Severity	Location	Finding	Recommendation	Verdict	Justification
DKR02:2025	Patch Management Strategy	PARTIAL	LOW	.devcontainer/devcontainer.json#L3	The base image uses a floating tag 2-jammy with no Dependabot docker ecosystem entry to automate updates.	Add a devcontainers ecosystem entry to .github/dependabot.yml; pin the default image to a digest.	CONFIRMED	Floating tag confirmed; no Dependabot docker entry exists. Enterprise override available but default is unpinned. Severity LOW — development container only.
DKR04:2025	Secure Defaults and Hardening	PARTIAL	LOW	.devcontainer/devcontainer.json#L1-L42	No runArgs with capability restrictions or no-new-privileges defined. Base image is a full Ubuntu distribution.	Add --security-opt=no-new-privileges to runArgs.	DOWNGRADED	Missing runArgs hardening confirmed. Non-root user, dev-only context, and SHA256-verified tool installs reduce exploitability. DKR04 primarily targets production containers.
DKR01:2025	Secure User Mapping	PASS	N/A	N/A	N/A	N/A	UNCHANGED	N/A
DKR03:2025	Network Segmentation and Firewalling	NOT_ASSESSED	N/A	N/A	N/A	N/A	UNCHANGED	N/A
DKR05:2025	Maintain Security Contexts	NOT_ASSESSED	N/A	N/A	N/A	N/A	UNCHANGED	N/A
DKR06:2025	Resource Protection	NOT_ASSESSED	N/A	N/A	N/A	N/A	UNCHANGED	N/A

---

Detailed Remediation Guidance

LOW Severity

DKR02:2025 — Patch Management Strategy

File: .devcontainer/devcontainer.json#L3

Offending Code:

"image": "${localEnv:HVE_DEVCONTAINER_IMAGE:mcr.microsoft.com/devcontainers/base:2-jammy}",

Example Fix:

  - package-ecosystem: "devcontainers"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    labels:
      - "dependencies"
      - "devcontainer"
    commit-message:
      prefix: "chore"
      include: "scope"

Steps:

1. Open .github/dependabot.yml and add a devcontainers ecosystem entry targeting the root directory, as shown in the example fix above.
2. Optionally, pin the default image value in .devcontainer/devcontainer.json to a specific digest (e.g., mcr.microsoft.com/devcontainers/base@sha256:<digest>).
3. Update the enterprise override documentation at docs/customization/enterprise-artifact-hub.md to show a digest-pinned example alongside the existing floating-tag example.
4. Merge the first automated Dependabot PR to confirm the ecosystem entry works.

Verification verdict: CONFIRMED — Floating tag at .devcontainer/devcontainer.json#L3 confirmed with no Dependabot docker ecosystem entry. Severity remains LOW because this is a development container only.

---

DKR04:2025 — Secure Defaults and Hardening

File: .devcontainer/devcontainer.json#L1-L42

Offending Code:

{
  "name": "HVE Core - Markdown Editing",
  "image": "${localEnv:HVE_DEVCONTAINER_IMAGE:mcr.microsoft.com/devcontainers/base:2-jammy}",
  "features": {
    "ghcr.io/devcontainers/features/node:1": { "version": "20" },
    "ghcr.io/devcontainers/features/python:1": { "version": "3.11" },
    ...
  },
  "remoteUser": "vscode"
}

Example Fix:

{
  "name": "HVE Core - Markdown Editing",
  "image": "${localEnv:HVE_DEVCONTAINER_IMAGE:mcr.microsoft.com/devcontainers/base:2-jammy}",
  "runArgs": [
    "--security-opt=no-new-privileges"
  ],
  "features": {

Steps:

1. Open .devcontainer/devcontainer.json and add a "runArgs" key with ["--security-opt=no-new-privileges"] before the "features" key.
2. Rebuild the devcontainer locally and verify that all on-create.sh tool installations still complete successfully.
3. Avoid --cap-drop=ALL — development tooling requires several default capabilities.

Verification verdict: DOWNGRADED — Missing runArgs hardening confirmed. Non-root user, development-only context, and SHA256-verified tool installs reduce exploitability. DKR04 reference primarily targets production containers.

Disproved Findings

None.

---

Remediation Checklist

ID	Control	Status	Evidence
DKR02:2025	Patch Management Strategy	NOT_STARTED
DKR04:2025	Secure Defaults and Hardening	NOT_STARTED

---

Appendix: Skills Used

Skill	Framework	Version	Reference
owasp-docker	OWASP Docker Top 6	2025	.github/skills/security/owasp-docker/SKILL.md