Phased rollout plan for SDLC hardening. Foundation to runtime enforcement in 90 days. Prioritized by risk and audit importance.
Provides a 12-week phased roadmap for SDLC hardening, from branch protection to runtime policy enforcement. Use when planning security rollouts to prioritize controls by risk and avoid workflow disruption.
/plugin marketplace add adaptive-enforcement-lab/claude-skills
/plugin install enforce@ael-skills
You can't harden everything at once. Prioritize controls by risk and audit value.
Phased Rollout
Follow the 12-week timeline to avoid disrupting existing workflows. Skip phases at your own risk.
Three-month plan from foundation to full enforcement.
Goal: Core enforcement in place. Evidence collection begins.
Tasks:
- main and production branches
- enforce_admins
Validation:
gh api repos/org/repo/branches/main/protection \
| jq '{reviews: .required_pull_request_reviews, admins: .enforce_admins}'
Documentation: Update CONTRIBUTING.md with review requirements.
Tasks:
- required-checks.yml workflow (tests, lint)
Workflow:
See examples.md for detailed code examples.
Validation: Open PR, verify checks block merge until passing.
Tasks:
Validation:
- name: Test app token
  uses: actions/create-github-app-token@v2
  with:
    app-id: ${{ secrets.APP_ID }}
    private-key: ${{ secrets.PRIVATE_KEY }}
Migration tracking: Document remaining PAT usages for month 2.
Tasks:
Workflow:
See examples.md for detailed code examples.
Validation: Verify files appear in GCS bucket.
Goal: Add secrets detection, commit signing, and SBOM generation.
Tasks:
- .pre-commit-config.yaml
- (--no-verify tracking)
Pre-commit hook:
repos:
  - repo: https://github.com/trufflesecurity/trufflehog
    rev: v3.63.0
    hooks:
      - id: trufflehog
        entry: trufflehog filesystem --fail --no-update
Validation: Attempt to commit AWS key, verify block.
See Pre-commit Security Gates for full implementation.
Tasks:
- required_signatures on protected branches
Configuration:
git config --global user.signingkey YOUR_GPG_KEY_ID
git config --global commit.gpgsign true
Validation:
git log --show-signature | grep "Good signature"
See Commit Signing for setup guide.
Tasks:
Workflow:
See examples.md for detailed code examples.
Validation: Download artifact, verify SBOM contains expected dependencies.
See SBOM Generation for full implementation.
Tasks:
- (grep -r GITHUB_TOKEN .github/)
Validation: No PATs referenced in active workflows.
Goal: Simulate audit, fix gaps, add runtime enforcement.
Tasks:
Workflow:
- name: Scan container
  run: |
    trivy image --severity HIGH,CRITICAL --exit-code 1 \
      gcr.io/project/app:${{ github.sha }}
Validation: Introduce test vulnerability, verify build fails.
See Zero-Vulnerability Pipelines.
Tasks:
Core policy:
See examples.md for detailed code examples.
Validation: Deploy pod without limits, verify rejection.
See Policy-as-Code with Kyverno for end-to-end implementation.
Tasks:
Simulation script:
# Verify branch protection
gh api repos/org/repo/branches/main/protection
# Sample March PRs
gh api 'repos/org/repo/pulls?state=closed&base=main' \
--jq '.[] | select(.merged_at | startswith("2025-03"))'
# Check signature coverage
./scripts/signature-coverage.sh 2025-03-01 2025-04-01
Validation: Evidence collection succeeds for sampled period.
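The checks the simulation script above performs by hand, as an added example that is not one of the skill's own scripts: it evaluates a branch-protection payload in the shape `gh api repos/org/repo/branches/main/protection` returns against the controls this plan enables, and samples merged PRs for a reporting month the way the jq filter does. The JSON samples and the function names are constructed for illustration.

```python
"""Evidence checks for the audit-simulation step. Added example, not one of the
skill's scripts: evaluates a branch-protection payload (shape of
`gh api repos/org/repo/branches/main/protection`) against the controls this plan
enables, and samples merged PRs by month like the jq filter in the plan."""
from __future__ import annotations
import json

# Constructed sample: subset of the fields GitHub returns for branch protection.
PROTECTION_JSON = """{
  "required_pull_request_reviews": {"required_approving_review_count": 1},
  "enforce_admins": {"enabled": false},
  "required_signatures": {"enabled": true},
  "required_status_checks": {"strict": true, "contexts": ["tests", "lint"]}
}"""

# Constructed sample of `pulls?state=closed&base=main` (unmerged PRs have null).
PULLS_JSON = """[
  {"number": 41, "merged_at": "2025-03-03T10:00:00Z"},
  {"number": 42, "merged_at": null},
  {"number": 43, "merged_at": "2025-03-28T09:30:00Z"},
  {"number": 44, "merged_at": "2025-04-01T08:00:00Z"}
]"""

def protection_gaps(protection_json: str, required_checks=("tests", "lint")) -> list[str]:
    """Return the plan's controls that this branch does NOT enforce (empty = compliant)."""
    p = json.loads(protection_json)
    gaps = []
    reviews = p.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        gaps.append("required_pull_request_reviews")
    if not (p.get("enforce_admins") or {}).get("enabled"):
        gaps.append("enforce_admins")
    if not (p.get("required_signatures") or {}).get("enabled"):
        gaps.append("required_signatures")
    contexts = set((p.get("required_status_checks") or {}).get("contexts", []))
    missing = sorted(set(required_checks) - contexts)
    if missing:
        gaps.append("required_status_checks:" + ",".join(missing))
    return gaps

def merged_in_month(pulls_json: str, month: str) -> list[int]:
    """PR numbers merged in YYYY-MM, mirroring select(.merged_at | startswith(...))."""
    return [pr["number"] for pr in json.loads(pulls_json)
            if pr.get("merged_at") and pr["merged_at"].startswith(month)]

if __name__ == "__main__":
    print("gaps:", protection_gaps(PROTECTION_JSON) or "none")
    print("merged in 2025-03:", merged_in_month(PULLS_JSON, "2025-03"))
```

Pipe the real `gh api` output into `protection_gaps` and the closed-PR listing into `merged_in_month`; a non-empty gaps list is the finding to fix before the audit.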
Tasks:
Runbook sections:
Validation: Team can retrieve evidence without assistance.
Week 1: Protection enabled. Week 4: Evidence collected. Week 12: Audit simulation passed. Controls enforced. System hardened.
See examples.md for code examples.
See reference.md for complete documentation.