Merge pull request #7 from cosai-oasis/feature/add-rules

Add Project CodeGuard rules and skill files

Author: aacarter1

.claude-plugin/marketplace.json

@@ -0,0 +1,25 @@
+{
+  "name": "project-codeguard",
+  "metadata": {
+    "description": "Official Project CodeGuard plugins for secure AI-assisted coding"
+  },
+  "owner": {
+    "name": "Project CodeGuard",
+    "url": "https://project-codeguard.org",
+    "email": "contact@project-codeguard.org"
+  },
+  "plugins": [
+    {
+      "name": "codeguard-security",
+      "source": "./",
+      "description": "Comprehensive security rules for AI coding agents",
+      "version": "1.2.0",
+      "repository": "https://github.com/cosai-oasis/project-codeguard.git",
+      "tags": [
+        "security",
+        "code-review",
+        "vulnerability-prevention"
+      ]
+    }
+  ]
+}

.claude-plugin/plugin.json

@@ -0,0 +1,18 @@
+{
+  "name": "codeguard-security",
+  "description": "Security code review skill based on Project CodeGuard's comprehensive security rules. Helps AI coding agents write secure code and prevent common vulnerabilities.",
+  "version": "1.2.0",
+  "author": {
+    "name": "Project CodeGuard",
+    "url": "https://project-codeguard.org"
+  },
+  "homepage": "https://github.com/cosai-oasis/project-codeguard",
+  "repository": "https://github.com/cosai-oasis/project-codeguard.git",
+  "keywords": [
+    "security",
+    "secure-coding",
+    "vulnerability-prevention",
+    "code-review",
+    "appsec"
+  ]
+}

skills/software-security/SKILL.md

@@ -0,0 +1,88 @@
+---
+name: software-security
+description: A software security skill that integrates with Project CodeGuard to help AI coding agents write secure code and prevent common vulnerabilities. Use this skill when writing, reviewing, or modifying code to ensure secure-by-default practices are followed.
+codeguard-version: "1.2.0"
+framework: "Project CodeGuard"
+purpose: "Embed secure-by-default practices into AI coding workflows"
+---
+
+# Software Security Skill (Project CodeGuard)
+This skill provides comprehensive security guidance to help AI coding agents generate secure code and prevent common vulnerabilities. It is based on **Project CodeGuard**, an open-source, model-agnostic security framework that embeds secure-by-default practices into AI coding workflows.
+
+## When to Use This Skill
+This skill should be activated when:
+- Writing new code in any language
+- Reviewing or modifying existing code
+- Implementing security-sensitive features (authentication, cryptography, data handling, etc.)
+- Working with user input, databases, APIs, or external services
+- Configuring cloud infrastructure, CI/CD pipelines, or containers
+- Handling sensitive data, credentials, or cryptographic operations
+
+## How to Use This Skill
+When writing or reviewing code:
+1. Always-Apply Rules: Some rules MUST be checked on every code operation:
+- `codeguard-1-hardcoded-credentials.md` - Never hardcode secrets, passwords, API keys, or tokens
+- `codeguard-1-crypto-algorithms.md` - Use only modern, secure cryptographic algorithms
+- `codeguard-1-digital-certificates.md` - Validate and manage digital certificates securely
+2. Context-Specific Rules: Apply rules from /rules directory based on the language of the feature being implemented using the table given below:
+
+
+| Language | Rule Files to Apply |
+|----------|---------------------|
+| apex | codeguard-0-input-validation-injection.md |
+| c | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-client-side-web-security.md, codeguard-0-data-storage.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-iac-security.md, codeguard-0-input-validation-injection.md, codeguard-0-logging.md, codeguard-0-safe-c-functions.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
+| cpp | codeguard-0-safe-c-functions.md |
+| d | codeguard-0-iac-security.md |
+| docker | codeguard-0-devops-ci-cd-containers.md, codeguard-0-supply-chain-security.md |
+| go | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-input-validation-injection.md, codeguard-0-mcp-security.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
+| html | codeguard-0-client-side-web-security.md, codeguard-0-input-validation-injection.md, codeguard-0-session-management-and-cookies.md |
+| java | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-input-validation-injection.md, codeguard-0-mcp-security.md, codeguard-0-mobile-apps.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
+| javascript | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-client-side-web-security.md, codeguard-0-cloud-orchestration-kubernetes.md, codeguard-0-data-storage.md, codeguard-0-devops-ci-cd-containers.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-iac-security.md, codeguard-0-input-validation-injection.md, codeguard-0-logging.md, codeguard-0-mcp-security.md, codeguard-0-mobile-apps.md, codeguard-0-privacy-data-protection.md, codeguard-0-session-management-and-cookies.md, codeguard-0-supply-chain-security.md |
+| kotlin | codeguard-0-additional-cryptography.md, codeguard-0-authentication-mfa.md, codeguard-0-framework-and-languages.md, codeguard-0-mobile-apps.md |
+| matlab | codeguard-0-additional-cryptography.md, codeguard-0-authentication-mfa.md, codeguard-0-mobile-apps.md, codeguard-0-privacy-data-protection.md |
+| perl | codeguard-0-mobile-apps.md |
+| php | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-client-side-web-security.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-input-validation-injection.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
+| powershell | codeguard-0-devops-ci-cd-containers.md, codeguard-0-iac-security.md, codeguard-0-input-validation-injection.md |
+| python | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-input-validation-injection.md, codeguard-0-mcp-security.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
+| ruby | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-iac-security.md, codeguard-0-input-validation-injection.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
+| rust | codeguard-0-mcp-security.md |
+| shell | codeguard-0-devops-ci-cd-containers.md, codeguard-0-iac-security.md, codeguard-0-input-validation-injection.md |
+| sql | codeguard-0-data-storage.md, codeguard-0-input-validation-injection.md |
+| swift | codeguard-0-additional-cryptography.md, codeguard-0-authentication-mfa.md, codeguard-0-mobile-apps.md |
+| typescript | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-client-side-web-security.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-input-validation-injection.md, codeguard-0-mcp-security.md, codeguard-0-session-management-and-cookies.md |
+| vlang | codeguard-0-client-side-web-security.md |
+| xml | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-devops-ci-cd-containers.md, codeguard-0-framework-and-languages.md, codeguard-0-mobile-apps.md, codeguard-0-xml-and-serialization.md |
+| yaml | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authorization-access-control.md, codeguard-0-cloud-orchestration-kubernetes.md, codeguard-0-data-storage.md, codeguard-0-devops-ci-cd-containers.md, codeguard-0-framework-and-languages.md, codeguard-0-iac-security.md, codeguard-0-logging.md, codeguard-0-privacy-data-protection.md, codeguard-0-supply-chain-security.md |
+
+
+3. Proactive Security: Don't just avoid vulnerabilities-actively implement secure patterns:
+- Use parameterized queries for database access
+- Validate and sanitize all user input
+- Apply least-privilege principles
+- Use modern cryptographic algorithms and libraries
+- Implement defense-in-depth strategies
+
+## CodeGuard Security Rules
+The security rules are available in the `rules/` directory.
+
+### Usage Workflow
+When generating or reviewing code, follow this workflow:
+
+### 1. Initial Security Check
+Before writing any code:
+- Check: Will this handle credentials? → Apply codeguard-1-hardcoded-credentials
+- Check: What language am I using? → Identify applicable language-specific rules
+- Check: What security domains are involved? → Load relevant rule files
+
+### 2. Code Generation
+While writing code:
+- Apply secure-by-default patterns from relevant Project CodeGuard rules
+- Add security-relevant comments explaining choices
+
+### 3. Security Review
+After writing code:
+- Review against implementation checklists in each rule
+- Verify no hardcoded credentials or secrets
+- Validate that all the rules have been successfully followed when applicable.
+- Explain which security rules were applied
+- Highlight security features implemented

skills/software-security/rules/codeguard-0-additional-cryptography.md

@@ -0,0 +1,71 @@
+---
+description: Additional Cryptography guidance
+languages:
+- c
+- go
+- java
+- javascript
+- kotlin
+- matlab
+- php
+- python
+- ruby
+- swift
+- typescript
+- xml
+- yaml
+alwaysApply: false
+---
+
+rule_id: codeguard-0-additional-cryptography
+
+## Additional Cryptography & TLS
+
+Apply modern, vetted cryptography for data at rest and in transit. Manage keys safely, configure TLS correctly, deploy HSTS, and consider pinning only when appropriate.
+
+### Algorithms and Modes
+- Symmetric: AES‑GCM or ChaCha20‑Poly1305 preferred. Avoid ECB. CBC/CTR only with encrypt‑then‑MAC.
+- Asymmetric: RSA ≥2048 or modern ECC (Curve25519/Ed25519). Use OAEP for RSA encryption.
+- Hashing: SHA‑256+ for integrity; avoid MD5/SHA‑1.
+- RNG: Use CSPRNG appropriate to platform (e.g., SecureRandom, crypto.randomBytes, secrets module). Never use non‑crypto RNGs.
+
+### Key Management
+- Generate keys within validated modules (HSM/KMS) and never from passwords or predictable inputs.
+- Separate keys by purpose (encryption, signing, wrapping). Rotate on compromise, cryptoperiod, or policy.
+- Store keys in KMS/HSM or vault; never hardcode; avoid plain env vars. Use KEK to wrap DEKs; store separately.
+- Control access to trust stores; validate updates; audit all key access and operations.
+
+### Data at Rest
+- Encrypt sensitive data; minimize stored secrets; tokenize where possible.
+- Use authenticated encryption; manage nonces/IVs properly; keep salts unique per item.
+- Protect backups: encrypt, restrict access, test restores, manage retention.
+
+### TLS Configuration
+- Protocols: TLS 1.3 preferred; allow TLS 1.2 only for legacy compatibility; disable TLS 1.0/1.1 and SSL. Enable TLS_FALLBACK_SCSV.
+- Ciphers: prefer AEAD suites; disable NULL/EXPORT/anon. Keep libraries updated; disable compression.
+- Key exchange groups: prefer x25519/secp256r1; configure secure FFDHE groups if needed.
+- Certificates: 2048‑bit+ keys, SHA‑256, correct CN/SAN. Manage lifecycle and revocation (OCSP stapling).
+- Application: HTTPS site‑wide; redirect HTTP→HTTPS; prevent mixed content; set cookies `Secure`.
+
+### HSTS
+- Send Strict‑Transport‑Security only over HTTPS. Phase rollout:
+  - Test: short max‑age (e.g., 86400) with includeSubDomains
+  - Prod: ≥1 year max‑age; includeSubDomains when safe
+  - Optional preload once mature; understand permanence and subdomain impact
+
+### Pinning
+- Avoid browser HPKP. Consider pinning only for controlled clients (e.g., mobile) and when you own both ends.
+- Prefer SPKI pinning with backup pins; plan secure update channels; never allow user bypass.
+- Thoroughly test rotation and failure handling; understand operational risk.
+
+### Implementation Checklist
+- AEAD everywhere; vetted libraries only; no custom crypto.
+- Keys generated and stored in KMS/HSM; purpose‑scoped; rotation documented.
+- TLS 1.3/1.2 with strong ciphers; compression off; OCSP stapling on.
+- HSTS deployed per phased plan; mixed content eliminated.
+- Pinning used only where justified, with backups and update path.
+
+### Test Plan
+- Automated config scans (e.g., SSL Labs, testssl.sh) for protocol/cipher/HSTS.
+- Code review for crypto API misuse; tests for key rotation, backup/restore.
+- Pinning simulations for rotation/failures if deployed.

skills/software-security/rules/codeguard-0-api-web-services.md

@@ -0,0 +1,83 @@
+---
+description: API & Web services security (REST/GraphQL/SOAP), schema validation, authn/z, SSRF
+languages:
+- c
+- go
+- java
+- javascript
+- php
+- python
+- ruby
+- typescript
+- xml
+- yaml
+alwaysApply: false
+---
+
+rule_id: codeguard-0-api-web-services
+
+## API & Web Services Security
+
+Secure REST, GraphQL, and SOAP/WS services end‑to‑end: transport, authn/z, schema validation, SSRF controls, DoS limits, and microservice‑safe patterns.
+
+### Transport and TLS
+- HTTPS only; consider mTLS for high‑value/internal services. Validate certs (CN/SAN, revocation) and prevent mixed content.
+
+### Authentication and Tokens
+- Use standard flows (OAuth2/OIDC) for clients; avoid custom schemes. For services, use mTLS or signed service tokens.
+- JWTs: pin algorithms; validate iss/aud/exp/nbf; short lifetimes; rotation; denylist on logout/revoke. Prefer opaque tokens when revocation is required and central store is available.
+- API keys: scope narrowly; rate limit; monitor usage; do not use alone for sensitive operations.
+
+### Authorization
+- Enforce per‑endpoint, per‑resource checks server‑side; deny by default.
+- For microservices, authorize at gateway (coarse) and service (fine) layers; propagate signed internal identity, not external tokens.
+
+### Input and Content Handling
+- Validate inputs via contracts: OpenAPI/JSON Schema, GraphQL SDL, XSD. Reject unknown fields and oversize payloads; set limits.
+- Content types: enforce explicit Content‑Type/Accept; reject unsupported combinations. Harden XML parsers against XXE/expansion.
+
+### SQL/Injection Safety in Resolvers and Handlers
+- Use parameterized queries/ORM bind parameters; never concatenate user input into queries or commands.
+
+### GraphQL‑Specific Controls
+- Limit query depth and overall complexity; enforce pagination; timeouts on execution; disable introspection and IDEs in production.
+- Implement field/object‑level authorization to prevent IDOR/BOLA; validate batching and rate limit per object type.
+
+### SSRF Prevention for Outbound Calls
+- Do not accept raw URLs. Validate domains/IPs using libraries; restrict to HTTP/HTTPS only (block file://, gopher://, ftp://, etc.).
+- Case 1 (fixed partners): strict allow‑lists; disable redirects; network egress allow‑lists.
+- Case 2 (arbitrary): block private/link‑local/localhost ranges; resolve and verify all IPs are public; require signed tokens from the target where feasible.
+
+### SOAP/WS and XML Safety
+- Validate SOAP payloads with XSD; limit message sizes; enable XML signatures/encryption where required.
+- Configure parsers against XXE, entity expansion, and recursive payloads; scan attachments.
+
+### Rate Limiting and DoS
+- Apply per‑IP/user/client limits, circuit breakers, and timeouts. Use server‑side batching and caching to reduce load.
+
+### Management Endpoints
+- Do not expose over the Internet. Require strong auth (MFA), network restrictions, and separate ports/hosts.
+
+### Testing and Assessment
+- Maintain formal API definitions; drive contract tests and fuzzing from specs.
+- Assess endpoints for authn/z bypass, SSRF, injection, and information leakage; log token validation failures.
+
+### Microservices Practices
+- Policy‑as‑code with embedded decision points; sidecar or library PDPs.
+- Service identity via mTLS or signed tokens; never reuse external tokens internally.
+- Centralized structured logging with correlation IDs; sanitize sensitive data.
+
+### Implementation Checklist
+- HTTPS/mTLS configured; certs managed; no mixed content.
+- Contract validation at the edge and service; unknown fields rejected; size/time limits enforced.
+- Strong authn/z per endpoint; GraphQL limits applied; introspection disabled in prod.
+- SSRF protections at app and network layers; redirects disabled; allow‑lists where possible.
+- Rate limiting, circuit breakers, and resilient patterns in place.
+- Management endpoints isolated and strongly authenticated.
+- Logs structured and privacy‑safe with correlation IDs.
+
+### Test Plan
+- Contract tests for schema adherence; fuzzing with schema‑aware tools.
+- Pen tests for SSRF, IDOR/BOLA, and authz bypass; performance tests for DoS limits.
+- Test all HTTP methods per endpoint; discover parameters in URL paths, headers, and structured data beyond obvious query strings.
+- Automated checks for token validation and revocation behavior.