From hyperskills
Provides checklists for Zero Trust (NIST SP 800-207), SLSA 1.2 supply chain security, and STRIDE threat modeling. Guides security reviews, compliance (SOC 2, HIPAA, GDPR), and incident response.
```bash
npx claudepluginhub hyperb1iss/hyperskills --plugin hyperskills
```

This skill uses the workspace's default tool permissions.
Frameworks and checklists for secure systems. This skill is a triage map: use it to find the right review lens, then pull the authoritative standard for implementation detail.
NIST SP 800-207 frames Zero Trust as removing implicit trust based on network location, asset ownership, or perimeter membership. Access decisions are resource-centered and continuously evaluated.
| Tenet | Review Question |
|---|---|
| Resource-centric access | Is the protected thing a specific app, service, or data set? |
| Per-session authorization | Is access granted for this request/session, not forever? |
| Continuous evaluation | Do identity, device posture, and behavior affect decisions? |
| Least privilege | Are permissions scoped to the minimum operation needed? |
| Assume breach | Can one compromised account/device move laterally? |
Do not equate Zero Trust with micro-segmentation. Segmentation can help, but the security boundary is identity, policy, and resource access.
As of May 2026, SLSA 1.2 uses separate tracks. The old single SLSA 1-4 framing is retired; Build L4, hermetic builds, and reproducible builds are future-direction topics, not current requirements.
| Track | Level | Meaning | Primary Protection |
|---|---|---|---|
| Build | L0 | No guarantees | None |
| Build | L1 | Provenance exists | Mistakes, traceability |
| Build | L2 | Signed provenance from hosted platform | Tampering after build |
| Build | L3 | Hardened build platform | Tampering during build |
| Source | L1-L3 | Increasing trust in source revisions | Source integrity controls |
For agent work, the minimum practical target is Build L2 for releases: hosted CI, signed provenance, and consumer verification. Aim for Build L3 when release artifacts are high-trust dependencies.
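
The consumer-verification step can be sketched as a policy check over a SLSA v1 provenance statement. This is an added example, not code from hyperskills; the builder ID, repository URL, and the `repository` parameter name are assumptions, and signature verification of the envelope is assumed to have already succeeded.

```python
import hashlib

SLSA_PREDICATE = "https://slsa.dev/provenance/v1"
# Hypothetical builder identity this consumer has decided to trust.
TRUSTED_BUILDERS = {"https://ci.example.com/builders/release@v1"}


def verify_provenance(artifact: bytes, statement: dict, expected_repo: str) -> list:
    """Return policy failures; an empty list means the artifact is accepted.

    Assumes the signature on the enclosing envelope was already verified.
    """
    if statement.get("predicateType") != SLSA_PREDICATE:
        return ["not a SLSA v1 provenance statement"]
    failures = []
    # 1. The provenance must describe exactly these bytes.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if digest not in subjects:
        failures.append("artifact digest not listed as a subject")
    predicate = statement.get("predicate", {})
    # 2. The build must have run on a builder the consumer trusts.
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in TRUSTED_BUILDERS:
        failures.append(f"untrusted builder: {builder}")
    # 3. The build must come from the expected source repository.
    #    The "repository" key is an assumption; externalParameters vary by builder.
    params = predicate.get("buildDefinition", {}).get("externalParameters", {})
    if params.get("repository") != expected_repo:
        failures.append("unexpected source repository")
    return failures


# Constructed sample data, not taken from a real build.
REPO = "https://git.example.com/acme/widget"
ARTIFACT = b"widget-1.0.0 release contents"
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "widget-1.0.0.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": SLSA_PREDICATE,
    "predicate": {
        "buildDefinition": {"externalParameters": {"repository": REPO}},
        "runDetails": {"builder": {"id": "https://ci.example.com/builders/release@v1"}},
    },
}

if __name__ == "__main__":
    print(verify_provenance(ARTIFACT, STATEMENT, REPO))         # accepted artifact
    print(verify_provenance(ARTIFACT + b"!", STATEMENT, REPO))  # modified artifact
```
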
| Threat | Example | Mitigation |
|---|---|---|
| Spoofing | Fake identity | Strong auth, MFA |
| Tampering | Modified data | Integrity checks, signing |
| Repudiation | Deny actions | Audit logs, non-repudiation |
| Information Disclosure | Data leak | Encryption, access control |
| Denial of Service | Overload | Rate limiting, scaling |
| Elevation of Privilege | Unauthorized access | Least privilege, RBAC |
As of May 2026, OWASP lists the 2025 release as current.
Never commit secrets. Use environment-based injection (External Secrets Operator, Vault, cloud-native secret managers). Scan with gitleaks or trufflehog in CI.
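```bash
# Generate an SPDX SBOM for the current directory and save it for scanning
syft packages dir:. -o spdx-json > sbom.spdx.json
# Scan the SBOM and fail the job on findings of high severity or worse
grype sbom:sbom.spdx.json --fail-on high
# Scan a container image, reporting only HIGH and CRITICAL findings
trivy image <image> --severity HIGH,CRITICAL
```

NIST SP 800-61 Rev. 3 maps incident response into the CSF 2.0 lifecycle instead of treating response as a linear cleanup checklist.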
| Function | Agent Checklist |
|---|---|
| Govern | Owners, severity policy, legal/comms paths are known |
| Identify | Assets, dependencies, data classes, and blast radius |
| Protect | Preventive controls, backups, secrets rotation path |
| Detect | Alerts, logs, indicators, timelines, correlation |
| Respond | Containment, evidence preservation, eradication |
| Recover | Restore service, monitor recurrence, capture lessons |
| Framework | Focus |
|---|---|
| SOC 2 Type II | Service organization controls |
| ISO 27001 | Information security management |
| HIPAA | Protected health information |
| GDPR | EU data protection |
| PCI DSS | Payment card data |
Use Vanta or Drata for continuous monitoring and automated evidence collection.
| Anti-Pattern | Fix |
|---|---|
| Treating OWASP Top 10 as a full audit | Use it as a baseline; add abuse cases and data-flow review |
| Claiming "Zero Trust compliant" | Name concrete controls and the resource they protect |
| Calling SBOMs supply-chain security | Pair SBOM with provenance, signing, and verification |
| Doing security review after merge | Threat-model before design freezes; scan continuously |
| Ignoring recovery paths | Test restore, key rotation, and evidence capture |