owasp-cloud-native-top-10

OWASP Cloud-Native Application Security Top 10 - prevention, detection, and remediation for containers, orchestration, and cloud-native apps. Use when securing insecure config, injection, auth, CI/CD and supply chain, secrets, network policies. Note - official list has 6 risks; project archived.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "owasp-cloud-native-top-10" with this command: npx skills add yariv1025/skills/yariv1025-skills-owasp-cloud-native-top-10

OWASP Cloud-Native Application Security Top 10

This skill encodes the OWASP Cloud-Native Application Security Top 10 for secure cloud-native design and review. References are loaded per risk. Based on OWASP Cloud-Native Application Security Top 10 2022. The official list defines 6 risks (CNAS-1 to CNAS-6); the project is archived.

When to Read Which Reference

Risk | Reference to read
CNAS-1 Insecure cloud, container or orchestration configuration | references/cnas-1-insecure-configuration.md
CNAS-2 Injection flaws | references/cnas-2-injection-flaws.md
CNAS-3 Improper authentication and authorization | references/cnas-3-auth.md
CNAS-4 CI/CD pipeline and software supply chain flaws | references/cnas-4-cicd-supply-chain.md
CNAS-5 Insecure secrets storage | references/cnas-5-secrets-storage.md
CNAS-6 Over-permissive or insecure network policies | references/cnas-6-network-policies.md

Quick Patterns

  • Harden cloud and container configuration (CNAS-1).
  • Validate input and avoid injection (CNAS-2).
  • Enforce authentication and least privilege (CNAS-3).
  • Secure CI/CD and the software supply chain (CNAS-4).
  • Protect secrets (CNAS-5).
  • Apply network segmentation (CNAS-6).

Quick Reference / Examples

Task | Approach
Harden containers | Non-root, minimal base images, read-only fs. See CNAS-1.
Prevent injection | Parameterized queries, validate cloud event data. See CNAS-2.
Secure auth | Use managed identity (IAM roles), short-lived tokens. See CNAS-3.
Protect CI/CD | Sign artifacts, verify dependencies, secure pipelines. See CNAS-4.
Manage secrets | Use cloud secrets manager, never in code/env. See CNAS-5.

Safe - minimal Dockerfile:

FROM gcr.io/distroless/python3-debian12
COPY --chown=nonroot:nonroot app.py /app/
USER nonroot
ENTRYPOINT ["python3", "/app/app.py"]

Unsafe - bloated image with root:

FROM ubuntu:latest
RUN apt-get update && apt-get install -y python3 curl vim  # Attack surface
COPY app.py /app/
# Running as root by default
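The CNAS-1 row in the Quick Reference lists non-root, minimal base images and a read-only filesystem. As an added example (not part of the skill or of OWASP's material), the following Python check parses a Dockerfile and reports the image-side findings: a base image with no digest and no version tag, package installs that bloat the image (with debugging tools called out), and a final stage that still runs as root. The two Dockerfiles from this page are embedded as the sample input; the rule names and the list of debug tools are this example's own choices. Note that the "safe" Dockerfile still gets one note, because its base image is not pinned by tag or digest, which ties into the CNAS-4 advice to verify dependencies.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # short rule id chosen for this example
    line_no: int    # 1-based line of the offending instruction
    detail: str


# Packages that usually mean a debugging or bloated image (constructed list for this example).
DEBUG_TOOLS = {"curl", "wget", "vim", "nano", "netcat", "nc", "telnet", "gdb", "strace"}
PKG_INSTALL = re.compile(r"\b(apt-get|apt|apk|yum|dnf|microdnf)\s+(install|add)\b")

# Sample input: the two Dockerfiles shown on this page.
SAFE_DOCKERFILE = """\
FROM gcr.io/distroless/python3-debian12
COPY --chown=nonroot:nonroot app.py /app/
USER nonroot
ENTRYPOINT ["python3", "/app/app.py"]
"""

UNSAFE_DOCKERFILE = """\
FROM ubuntu:latest
RUN apt-get update && apt-get install -y python3 curl vim  # Attack surface
COPY app.py /app/
# Running as root by default
"""


def parse_dockerfile(text):
    """Return (line_no, INSTRUCTION, args) tuples, skipping comments and joining backslash continuations."""
    instructions, buf, start = [], [], 0
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not buf:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        joined = " ".join(part.strip() for part in buf)
        buf = []
        head, _, args = joined.partition(" ")
        instructions.append((start, head.upper(), args.strip()))
    return instructions


def base_image_is_pinned(image):
    """A digest is immutable; an explicit non-latest tag is accepted; no tag or :latest is not."""
    if "@sha256:" in image:
        return True
    name = image.split("/")[-1]          # the tag lives in the last path component
    if ":" not in name:
        return False
    return name.rsplit(":", 1)[1] != "latest"


def check_dockerfile(text):
    findings, user, last_from = [], None, None
    for line_no, instr, args in parse_dockerfile(text):
        if instr == "FROM":
            tokens = [t for t in args.split() if not t.startswith("--")]
            image = tokens[0] if tokens else ""
            user, last_from = None, line_no   # every stage starts as root again
            if not base_image_is_pinned(image):
                findings.append(Finding("unpinned-base-image", line_no,
                                        f"{image!r} has no digest or version tag"))
        elif instr == "USER":
            user = args.split(":")[0].strip()
        elif instr == "RUN" and PKG_INSTALL.search(args):
            tools = sorted(t for t in DEBUG_TOOLS if re.search(rf"\b{re.escape(t)}\b", args))
            detail = "installs packages into the image"
            if tools:
                detail += "; debug tools: " + ", ".join(tools)
            findings.append(Finding("package-install", line_no, detail))
    if last_from is not None and (user is None or user in {"root", "0"}):
        findings.append(Finding("runs-as-root", last_from,
                                "no USER after the final FROM, or USER is root"))
    return findings


if __name__ == "__main__":
    for label, text in (("safe", SAFE_DOCKERFILE), ("unsafe", UNSAFE_DOCKERFILE)):
        print(f"== {label} ==")
        for f in check_dockerfile(text):
            print(f"  line {f.line_no}: {f.rule}: {f.detail}")
```

The read-only filesystem from the same row is a runtime setting (for example `readOnlyRootFilesystem: true` in a Kubernetes securityContext), so it is out of scope for a Dockerfile check and belongs in the orchestration configuration review under CNAS-1.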

Secrets via AWS Secrets Manager:

import boto3

# Credentials come from the ambient IAM role (see CNAS-3): no access keys in code or env.
client = boto3.client("secretsmanager")
secret = client.get_secret_value(SecretId="prod/db/password")
db_password = secret["SecretString"]
# Use the value directly; never log it or write it back into config files or environment variables.
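The CNAS-2 row in the Quick Reference ("Parameterized queries, validate cloud event data") has no example on the page. As an added example (not part of the skill), the following Python code shows a handler for a constructed object-storage style event: it whitelist-validates the event fields, then runs a parameterized lookup, shown beside the concatenated-SQL version it replaces. The event shape, the table, the bucket and key rules and the sample rows are all assumptions made for this example; SQLite is used only so the code runs offline.

```python
import re
import sqlite3

# Assumed validation rules for the two event fields this handler uses.
BUCKET_NAME = re.compile(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]")
OBJECT_KEY = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,1023}")


def validate_event(event):
    """Accept only the fields the handler needs, in the shape it expects; reject everything else."""
    if not isinstance(event, dict):
        raise ValueError("event must be a JSON object")
    bucket, key = event.get("bucket"), event.get("key")
    if not isinstance(bucket, str) or not BUCKET_NAME.fullmatch(bucket):
        raise ValueError("invalid bucket name")
    if not isinstance(key, str) or not OBJECT_KEY.fullmatch(key) or ".." in key.split("/"):
        raise ValueError("invalid object key")
    return bucket, key


def setup_db():
    """Constructed in-memory table of object ownership records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE objects (bucket TEXT, object_key TEXT, owner TEXT)")
    conn.executemany("INSERT INTO objects VALUES (?, ?, ?)", [
        ("team-a-uploads", "reports/q1.pdf", "alice"),
        ("team-b-uploads", "private/salaries.csv", "bob"),
    ])
    return conn


def lookup_owner_unsafe(conn, bucket, key):
    # CNAS-2 anti-pattern: event data is pasted into the SQL text and parsed as SQL.
    sql = f"SELECT owner FROM objects WHERE bucket = '{bucket}' AND object_key = '{key}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_owner_safe(conn, bucket, key):
    # Parameterized query: the values are bound by the driver and never parsed as SQL.
    sql = "SELECT owner FROM objects WHERE bucket = ? AND object_key = ?"
    return [row[0] for row in conn.execute(sql, (bucket, key))]


def handle_event(conn, event):
    """Validate first, then query with bound parameters: two independent layers of defence."""
    bucket, key = validate_event(event)
    return lookup_owner_safe(conn, bucket, key)


if __name__ == "__main__":
    conn = setup_db()
    good = {"bucket": "team-a-uploads", "key": "reports/q1.pdf"}
    hostile = {"bucket": "team-a-uploads", "key": "' OR '1'='1"}
    print("valid event:", handle_event(conn, good))
    print("unsafe lookup on hostile key:", lookup_owner_unsafe(conn, **hostile))
    print("safe lookup on hostile key:", lookup_owner_safe(conn, **hostile))
    try:
        handle_event(conn, hostile)
    except ValueError as exc:
        print("handler rejected hostile event:", exc)
```

With the hostile key the concatenated query returns every owner in the table, the bound query returns nothing, and the validator never lets the key reach the database at all; keeping both layers matters because the validator is specific to this event shape while parameter binding protects every query.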

Workflow

Load the reference for the risk you are addressing. See OWASP Cloud-Native Application Security Top 10 (archived).
