OPA image security policies for container registry allowlisting, digest enforcement, and signature verification in Kubernetes.
Enforces OPA policies for container image security including registry allowlisting, digest enforcement, and signature verification. Use when deploying to Kubernetes to prevent supply chain attacks and ensure image integrity.
/plugin marketplace add adaptive-enforcement-lab/claude-skills
/plugin install enforce@ael-skills
This skill inherits all available tools. When active, it can use any tool Claude has access to.
Image security policies control which container images can run in your cluster. These templates enforce registry allowlists, require immutable digests, and validate cryptographic signatures.
Image Tags Are Mutable
Tags like latest or v1.2.3 can be overwritten by attackers who compromise registries. Use digest-based references (sha256:...) for immutable deployments.
Prevent deployment of images from untrusted sources:
# Enforced by: base.yaml
# Result: Only images from registry.company.com allowed
# Impact: Eliminates supply chain attacks via public registries
Require digest-based image references:
# Enforced by: digest.yaml
# Result: Image references must use @sha256:... format
# Impact: Guarantees deployed image matches approved version
Reject images with known CVEs:
# Enforced by: security.yaml
# Result: Images must have scan results with no high/critical vulnerabilities
# Impact: Prevents deployment of exploitable container images
Validate cryptographic signatures on all images:
# Enforced by: verification.yaml
# Result: Images must be signed by trusted key in KMS
# Impact: Ensures images originated from approved CI/CD pipelines
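The registry allowlist and digest requirement described above, written as one admission policy. This is an added example, not the contents of base.yaml or digest.yaml: the package name, the helper rules, and the plain OPA AdmissionReview input shape (`input.request`) are assumptions, and it checks Pods only.

```rego
package kubernetes.admission

import rego.v1

# Assumption: a single approved registry, the host named in the page's comments.
allowed_registries := {"registry.company.com"}

# Every container of an admitted Pod, including init and ephemeral containers.
containers contains c if {
	input.request.kind.kind == "Pod"
	some field in {"containers", "initContainers", "ephemeralContainers"}
	some c in object.get(input.request.object.spec, field, [])
}

# True when the first path segment is a registry host ("." or ":" in it, or
# "localhost"); otherwise the reference is a Docker Hub short name.
has_host(image) if {
	parts := split(image, "/")
	count(parts) > 1
	regex.match(`[.:]|^localhost$`, parts[0])
}

registry(image) := host if {
	has_host(image)
	host := split(image, "/")[0]
}

registry(image) := "docker.io" if not has_host(image)

# Registry allowlist: compare the host exactly, never by string prefix.
deny contains msg if {
	some c in containers
	reg := registry(c.image)
	not reg in allowed_registries
	msg := sprintf("container %q: registry %q is not allowlisted", [c.name, reg])
}

# Digest enforcement: the reference must end in @sha256:<64 hex digits>.
deny contains msg if {
	some c in containers
	not regex.match(`@sha256:[0-9a-f]{64}$`, c.image)
	msg := sprintf("container %q: image %q is not pinned by digest", [c.name, c.image])
}
```

A reference such as `registry.company.com/team/app:v1.2.3` passes the allowlist rule but is still denied by the digest rule, and a bare `nginx` resolves to `docker.io` and is denied by both.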
See the full implementation guide in the source documentation.
See examples.md for code examples.
See reference.md for complete documentation.