diff --git a/.claude/skills/seal-security/README.md b/.claude/skills/seal-security/README.md new file mode 100644 index 0000000..53f6de3 --- /dev/null +++ b/.claude/skills/seal-security/README.md 
@@ -0,0 +1,69 @@ +# Seal Security CLI Skill for Claude Code + +This Claude Code skill helps you integrate [Seal Security's CLI](https://github.com/seal-community/cli) into your CI pipelines to automatically fix vulnerable dependencies. + +## Installation + +### Option 1: One-liner install (Recommended) + +```bash +curl -fsSL https://raw.githubusercontent.com/seal-community/cli/main/.claude/skills/seal-security/install.sh | bash +``` + +### Option 2: Manual installation + +Clone or download the skill to your personal skills directory: + +```bash +mkdir -p ~/.claude/skills/seal-security +curl -fsSL https://raw.githubusercontent.com/seal-community/cli/main/.claude/skills/seal-security/SKILL.md -o ~/.claude/skills/seal-security/SKILL.md +``` + +### Option 3: Project-level installation + +Add to a specific project by copying to `.claude/skills/`: + +```bash +mkdir -p .claude/skills/seal-security +curl -fsSL https://raw.githubusercontent.com/seal-community/cli/main/.claude/skills/seal-security/SKILL.md -o .claude/skills/seal-security/SKILL.md +``` + +## Usage + +1. Open Claude Code in your project +2. Type `/seal-security` +3. Provide your Seal Security token when prompted +4. Claude will automatically detect your CI platform and add the integration + +## Supported CI Platforms + +| Platform | Detection | +|----------|-----------| +| GitHub Actions | `.github/workflows/*.yml` | +| GitLab CI | `.gitlab-ci.yml` | +| Docker | `Dockerfile` | +| Other | Manual configuration | + +## What it does + +1. **Asks for your Seal token** - Required to authenticate with Seal's artifact server +2. **Generates a project ID** - Creates a unique identifier for your repository +3. **Detects your CI platform** - Scans for workflow files +4. 
**Adds Seal CLI integration** - Inserts the appropriate configuration + +## Fix Modes + +- `fix_mode: all` - Apply all available fixes (default) +- `fix_mode: local` - Use local `.seal.yaml` configuration +- `fix_mode: remote` - Use Seal Security dashboard configuration + +## Requirements + +- Claude Code CLI +- A Seal Security account and token + +## Links + +- [Seal Security](https://seal.security) +- [Seal CLI GitHub](https://github.com/seal-community/cli) +- [Seal CLI Action](https://github.com/seal-community/cli-action) diff --git a/.claude/skills/seal-security/SKILL.md b/.claude/skills/seal-security/SKILL.md new file mode 100644 index 0000000..5316eab --- /dev/null +++ b/.claude/skills/seal-security/SKILL.md 
@@ -0,0 +1,139 @@ +--- +name: seal-security +description: Install Seal Security CLI in CI pipelines. Use when the user wants to add Seal Security, integrate security scanning, or fix vulnerable dependencies in GitHub Actions, GitLab CI, Docker, or other CI platforms. +allowed-tools: Read, Write, Edit, Glob, Grep, Bash, AskUserQuestion +user-invocable: true +--- + +# Seal Security CLI Installation + +This skill helps users integrate Seal Security's CLI into their CI pipelines to automatically fix vulnerable dependencies. + +## Workflow + +### Step 1: Gather Required Information + +First, ask the user for their Seal Security token using the AskUserQuestion tool: + +**Question to ask:** +- "What is your Seal Security token?" (This is required to authenticate with the Seal artifact server) + +### Step 2: Generate Project ID + +Generate a unique project ID automatically using this format: +``` +- +``` + +Use the repository name from the current directory (extract from git remote or folder name) and append 8 random alphanumeric characters. You can generate this with: +```bash +basename $(git rev-parse --show-toplevel 2>/dev/null || pwd)-$(head -c 4 /dev/urandom | xxd -p) +``` + +### Step 3: Detect CI Platform + +Search the repository for CI configuration files to determine which platform(s) are in use: + +| Platform | Files to look for | +|----------|-------------------| +| GitHub Actions | `.github/workflows/*.yml`, `.github/workflows/*.yaml` | +| GitLab CI | `.gitlab-ci.yml` | +| Docker | `Dockerfile`, `*.dockerfile`, `docker/Dockerfile` | +| Other | If none found, ask the user which platform they use | + +### Step 4: Install Seal Security CLI + +Based on the detected platform, add the Seal CLI integration: + +#### GitHub Actions + +Add this step **immediately after** any package installation steps (like `npm install`, `pip install`, `go mod download`, etc.) 
and **before** build/test steps: + +```yaml + - name: 'Seal Security CLI' + uses: 'seal-community/cli-action@latest' + with: + mode: fix + fix_mode: all + token: + project: +``` + +#### GitLab CI + +Add to the `before_script` section or as a dedicated stage after dependency installation: + +```yaml +seal-security: + stage: .pre + before_script: + - curl -fsSL https://github.com/seal-community/cli/releases/download/${SEAL_CLI_VERSION}/seal-linux-amd64-${SEAL_CLI_VERSION}.zip -o seal.zip + - unzip seal.zip + - ./seal fix --mode all + variables: + SEAL_CLI_VERSION: latest + SEAL_TOKEN: + SEAL_PROJECT: +``` + +Or add these lines to existing jobs after package installation: + +```yaml + before_script: + - curl -fsSL https://github.com/seal-community/cli/releases/download/${SEAL_CLI_VERSION}/seal-linux-amd64-${SEAL_CLI_VERSION}.zip -o seal.zip + - unzip seal.zip + - ./seal fix --mode all + variables: + SEAL_CLI_VERSION: latest + SEAL_TOKEN: + SEAL_PROJECT: +``` + +#### Docker + +Add these lines **after** any `RUN npm install`, `RUN pip install`, or similar package installation commands: + +```dockerfile +# Seal Security - Fix vulnerable dependencies +ENV SEAL_TOKEN= +ENV SEAL_PROJECT= +ENV SEAL_CLI_VERSION=latest +RUN curl -fsSL https://github.com/seal-community/cli/releases/download/${SEAL_CLI_VERSION}/seal-linux-amd64-${SEAL_CLI_VERSION}.zip -o /tmp/seal.zip && \ + unzip /tmp/seal.zip -d /usr/local/bin && \ + seal fix --mode all && \ + rm -f /tmp/seal.zip /usr/local/bin/seal +``` + +#### Other CI Platforms + +Provide a generic shell script approach: + +```bash +export SEAL_TOKEN= +export SEAL_PROJECT= +export SEAL_CLI_VERSION=latest +curl -fsSL https://github.com/seal-community/cli/releases/download/${SEAL_CLI_VERSION}/seal-linux-amd64-${SEAL_CLI_VERSION}.zip -o seal.zip +unzip seal.zip +./seal fix --mode all +``` + +### Step 5: Confirm Changes + +After making the changes: +1. Show the user what files were modified +2. Explain where the Seal CLI step was added +3. 
Remind them that `fix_mode: all` applies all available fixes automatically + +### Fix Mode Options + +If the user asks about other options, explain: + +- `fix_mode: all` - Apply every possible fix automatically (default, recommended) +- `fix_mode: local` - Use local `.seal.yaml` configuration to select specific packages +- `fix_mode: remote` - Use remote configuration from Seal Security dashboard + +## Important Notes + +- The Seal CLI must run **after** dependencies are installed but **before** any build or test steps +- The token authenticates with Seal's artifact server to download patched packages +- The project ID helps organize and track fixes across repositories diff --git a/.claude/skills/seal-security/install.sh b/.claude/skills/seal-security/install.sh new file mode 100755 index 0000000..2e96612 --- /dev/null +++ b/.claude/skills/seal-security/install.sh @@ -0,0 +1,29 @@ +#!/bin/bash +# Seal Security CLI Skill Installer for Claude Code +# Usage: curl -fsSL https://raw.githubusercontent.com/seal-community/cli/main/.claude/skills/seal-security/install.sh | bash + +set -e + +SKILL_NAME="seal-security" +SKILL_DIR="${HOME}/.claude/skills/${SKILL_NAME}" +REPO_URL="https://raw.githubusercontent.com/seal-community/cli/main/.claude/skills/seal-security" + +echo "Installing Seal Security skill for Claude Code..." + +# Create skills directory if it doesn't exist +mkdir -p "${HOME}/.claude/skills" + +# Create skill directory +mkdir -p "${SKILL_DIR}" + +# Download SKILL.md +echo "Downloading skill files..." +curl -fsSL "${REPO_URL}/SKILL.md" -o "${SKILL_DIR}/SKILL.md" + +echo "" +echo "Seal Security skill installed successfully!" +echo "" +echo "Location: ${SKILL_DIR}" +echo "" +echo "Usage: Type /seal-security in Claude Code to install Seal CLI in your CI pipelines." +echo "" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index df94cd4..f7bd4da 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -41,6 +41,14 @@ jobs: with: go-version-file: 'go.mod' + - name: 'Seal Security CLI' + uses: 'seal-community/cli-action@latest' + with: + mode: fix + fix_mode: all + token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImJhYzE2Mjc3In0.eyJzdWIiOiI4N2MwMTU0YS1hYTNkLTRiYmUtYTQ2MS1mNTlmYTQ0ZGJhNTEiLCJ0eXBlIjoidGVuYW50QWNjZXNzVG9rZW4iLCJ0ZW5hbnRJZCI6IjA3Mjg4YWE4LThlZjktNDc0Zi04NmRmLTM0N2QxMmE3MTQyNCIsImFwcGxpY2F0aW9uSWQiOiIwMWQ3NTcxMy04NjZlLTRlZGYtODQ3Zi1lZDkwYTk0Nzg1ZGIiLCJyb2xlcyI6WyJGRVRDSC1ST0xFUy1CWS1BUEkiXSwicGVybWlzc2lvbnMiOlsiRkVUQ0gtUEVSTUlTU0lPTlMtQlktQVBJIl0sImF1ZCI6ImJhYzE2Mjc3LTVjYmUtNDA3Yy04MjM5LWRmZmY3Mzk4ZWIwZSIsImlzcyI6Imh0dHBzOi8vbG9naW4uc2VhbHNlY3VyaXR5LmlvIiwiaWF0IjoxNzY4OTE2MTA1LCJleHAiOjE4MDA0NTIxMDV9.DNqqfUe4MAzeWEODD_KhNPBxE15g8avjRf1hPTYTvabEzykhu8PR1nqwNC4qXGYyKozKVl506gXSBkcwfigem5Rrr8eFaxauDZa75eTKrV3nXipbUihcy-ET7PUC9WA56Jp0GiIxtVJ0pn3M1ldfBc_QaAxBewOvLRFWQwoXMTQjVyfxOAeECL62ht1ohih5YR4A8kt4PL_HDJ-Nf2XXl6V_gpSXXbgJN739NMlRoykJSTl6By60mPEBwB5v5PzDXP8f9SIkVMw2HKTqHcFnCQ_CywWejg7dRBQ-08yDwgA-9LegiK_QcsNy1RoN6OEX6waEe26FIXPVFX0UkdY8PA + project: workflows + - name: 'Checkout Starter Workflows' uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # ratchet:actions/checkout@v4 with: diff --git a/.github/workflows/validate-readme.yml b/.github/workflows/validate-readme.yml index 97007f3..734f47e 100644 --- a/.github/workflows/validate-readme.yml +++ b/.github/workflows/validate-readme.yml 
@@ -42,6 +42,14 @@ jobs: with: go-version-file: 'go.mod' + - name: 'Seal Security CLI' + uses: 'seal-community/cli-action@latest' + with: + mode: fix + fix_mode: all + token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImJhYzE2Mjc3In0.eyJzdWIiOiI4N2MwMTU0YS1hYTNkLTRiYmUtYTQ2MS1mNTlmYTQ0ZGJhNTEiLCJ0eXBlIjoidGVuYW50QWNjZXNzVG9rZW4iLCJ0ZW5hbnRJZCI6IjA3Mjg4YWE4LThlZjktNDc0Zi04NmRmLTM0N2QxMmE3MTQyNCIsImFwcGxpY2F0aW9uSWQiOiIwMWQ3NTcxMy04NjZlLTRlZGYtODQ3Zi1lZDkwYTk0Nzg1ZGIiLCJyb2xlcyI6WyJGRVRDSC1ST0xFUy1CWS1BUEkiXSwicGVybWlzc2lvbnMiOlsiRkVUQ0gtUEVSTUlTU0lPTlMtQlktQVBJIl0sImF1ZCI6ImJhYzE2Mjc3LTVjYmUtNDA3Yy04MjM5LWRmZmY3Mzk4ZWIwZSIsImlzcyI6Imh0dHBzOi8vbG9naW4uc2VhbHNlY3VyaXR5LmlvIiwiaWF0IjoxNzY4OTE2MTA1LCJleHAiOjE4MDA0NTIxMDV9.DNqqfUe4MAzeWEODD_KhNPBxE15g8avjRf1hPTYTvabEzykhu8PR1nqwNC4qXGYyKozKVl506gXSBkcwfigem5Rrr8eFaxauDZa75eTKrV3nXipbUihcy-ET7PUC9WA56Jp0GiIxtVJ0pn3M1ldfBc_QaAxBewOvLRFWQwoXMTQjVyfxOAeECL62ht1ohih5YR4A8kt4PL_HDJ-Nf2XXl6V_gpSXXbgJN739NMlRoykJSTl6By60mPEBwB5v5PzDXP8f9SIkVMw2HKTqHcFnCQ_CywWejg7dRBQ-08yDwgA-9LegiK_QcsNy1RoN6OEX6waEe26FIXPVFX0UkdY8PA + project: workflows + - name: 'Generate Readme' run: |- go run ./scripts/generate/... readme
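Review bot: (README.md hunk) the "Option 1" install pipes a script fetched from the `main` branch straight into `bash` with no integrity check, yet the heading labels it "Recommended"; Options 2 and 3 fetch the same file but leave it on disk where the user can read it first. Suggest recommending the download-then-inspect path, or at least pointing the URL at a tagged commit rather than `main` so the executed script cannot change underneath users. The "What it does" list also says the skill "Asks for your Seal token" without saying where that token should end up; one sentence stating that it belongs in the CI platform's secret store, not in a committed file, would set the right expectation before the user pastes it.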
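Review bot: (SKILL.md hunk) none of the Step 4 templates instructs the model to reference the token through the CI platform's secret mechanism: the GitHub Actions template's `token:` field, the GitLab `SEAL_TOKEN:` variable and the Dockerfile's `ENV SEAL_TOKEN=` line each carry a placeholder for the token value itself, so the value gathered in Step 1 gets written verbatim into tracked files (which is exactly what the `release.yml` and `validate-readme.yml` hunks show). Suggest `token: ${{ secrets.SEAL_TOKEN }}` for Actions, a masked CI/CD variable for GitLab, and a BuildKit secret mount (`RUN --mount=type=secret,id=seal_token ...`) instead of `ENV` in the Dockerfile, since an `ENV` value persists in every image layer even after the `rm -f` at the end of the `RUN`. Two further problems with the templates: the download URL `releases/download/${SEAL_CLI_VERSION}/seal-linux-amd64-${SEAL_CLI_VERSION}.zip` with `SEAL_CLI_VERSION: latest` only resolves if a release tag literally named `latest` exists, because GitHub's floating form is `releases/latest/download/<asset>` and the asset name cannot then embed the version; and the dedicated GitLab job has `before_script` but no `script:`, which GitLab's config validation rejects, while a `.pre` stage job runs in its own environment before the other jobs install dependencies, contradicting the "Important Notes" rule that the CLI must run after installation.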
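Review bot: (install.sh hunk) `mkdir -p "${HOME}/.claude/skills"` is redundant because `mkdir -p "${SKILL_DIR}"` two lines later creates the full path; drop the first. Since `REPO_URL` points at `main`, the script silently installs whatever is at HEAD at that moment; consider fetching a tagged ref and echoing which revision was installed alongside `Location: ${SKILL_DIR}`. `set -euo pipefail` rather than `set -e` would also fail fast on an unset `HOME` instead of attempting `mkdir` under `/`.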
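Review bot: (release.yml hunk) the `token:` value in the added step is a literal credential committed to the workflow file rather than a secret reference. Replace it with `token: ${{ secrets.SEAL_TOKEN }}` and store the value as a repository or organization secret, and treat the committed token as leaked: it should be revoked and reissued regardless, because it remains in git history after this line is rewritten. Two more points: `uses: 'seal-community/cli-action@latest'` is a floating ref, while the adjacent checkout step in the trailing context is pinned to a commit SHA with a `ratchet:` comment, so pin this action the same way; and the step is inserted directly after `setup-go` (`go-version-file: 'go.mod'`) with no dependency-installation step visible before it, which conflicts with the SKILL.md rule that the CLI runs after dependencies are installed. Given this is the release workflow, also consider whether `fix_mode: all` should rewrite the dependency tree at release time without a reviewed diff.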
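Review bot: (validate-readme.yml hunk) this is the same hard-coded token as in `release.yml`, now committed in a second file; the same fix applies (`${{ secrets.SEAL_TOKEN }}` plus rotation). Beyond the credential, the trailing context shows this job only runs `go run ./scripts/generate/... readme`, so adding a dependency-fixing step here gives a README validation job network access and a mutable module graph for no clear benefit; suggest either dropping the step from this workflow or, if it stays, pinning `cli-action` to a commit SHA like the rest of the file and placing it after the dependency download it is meant to follow.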