owasp-cloud-native-top-10

OWASP Cloud-Native Application Security Top 10

This skill encodes the OWASP Cloud-Native Application Security Top 10 for secure cloud-native design and review. A reference file is loaded per risk. It is based on the OWASP Cloud-Native Application Security Top 10 (2022). Despite the name, the official list defines only six risks (CNAS-1 to CNAS-6), and the project is archived.

When to Read Which Reference

| Risk | Description | Read |
|------|-------------|------|
| CNAS-1 | Insecure cloud, container or orchestration configuration | references/cnas-1-insecure-configuration.md |
| CNAS-2 | Injection flaws | references/cnas-2-injection-flaws.md |
| CNAS-3 | Improper authentication and authorization | references/cnas-3-auth.md |
| CNAS-4 | CI/CD pipeline and software supply chain flaws | references/cnas-4-cicd-supply-chain.md |
| CNAS-5 | Insecure secrets storage | references/cnas-5-secrets-storage.md |
| CNAS-6 | Over-permissive or insecure network policies | references/cnas-6-network-policies.md |

Quick Patterns

  • Harden cloud and container config; validate input and avoid injection; enforce auth and least privilege; secure CI/CD and supply chain; protect secrets; apply network segmentation.

Quick Reference / Examples

| Task | Approach |
|------|----------|
| Harden containers | Non-root user, minimal base images, read-only filesystem. See CNAS-1. |
| Prevent injection | Parameterized queries, validate cloud event data. See CNAS-2. |
| Secure auth | Use managed identity (IAM roles), short-lived tokens. See CNAS-3. |
| Protect CI/CD | Sign artifacts, verify dependencies, secure pipelines. See CNAS-4. |
| Manage secrets | Use a cloud secrets manager, never in code or environment variables. See CNAS-5. |

Safe - minimal Dockerfile:

FROM gcr.io/distroless/python3-debian12
COPY --chown=nonroot:nonroot app.py /app/
USER nonroot
ENTRYPOINT ["python3", "/app/app.py"]

Unsafe - bloated image with root:

FROM ubuntu:latest
RUN apt-get update && apt-get install -y python3 curl vim  # Attack surface
COPY app.py /app/
# Running as root by default
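To make the CNAS-1 container checks above mechanical, here is an added example (not part of the skill or of OWASP's material) of a small Dockerfile linter that flags an unpinned base image, package installs in the runtime image, and a final stage with no non-root USER. The two Dockerfiles are the ones shown above, embedded as constructed input; it handles single-line instructions only, not backslash continuations. Note that it also flags the "safe" image, because a FROM with no tag or digest still resolves to :latest.

```python
import re

# Constructed sample inputs: the two Dockerfiles shown on this page.
SAFE_DOCKERFILE = """\
FROM gcr.io/distroless/python3-debian12
COPY --chown=nonroot:nonroot app.py /app/
USER nonroot
ENTRYPOINT ["python3", "/app/app.py"]
"""
UNSAFE_DOCKERFILE = """\
FROM ubuntu:latest
RUN apt-get update && apt-get install -y python3 curl vim  # Attack surface
COPY app.py /app/
"""

ROOT_USERS = {None, "root", "0", "0:0", "root:root"}
PKG_INSTALL = re.compile(r"\b(apt-get|apt|apk|yum|dnf)\s+(install|add)\b")


def check_dockerfile(text: str) -> list[str]:
    """Return CNAS-1 findings for a Dockerfile: unpinned base image,
    package installs baked into the image, and a final stage running as root."""
    findings = []
    user = None  # last USER seen in the current (final) stage
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            user = None  # every stage starts as root again
            image = args.split()[0]  # ignore "AS <stage>"
            name = image.rsplit("/", 1)[-1]  # last path component holds the tag
            if "@sha256:" not in image:
                if ":" not in name:
                    findings.append(f"{image}: no tag or digest, resolves to :latest")
                elif name.endswith(":latest"):
                    findings.append(f"{image}: floating :latest tag, pin a version or digest")
        elif instr == "USER":
            user = args.strip()
        elif instr == "RUN" and PKG_INSTALL.search(args):
            findings.append(f"RUN installs packages into the image: {args}")
    if user in ROOT_USERS:
        findings.append("no non-root USER in final stage: container runs as root")
    return findings
```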

Secrets via AWS Secrets Manager:

import boto3

# Fetch the credential at runtime from Secrets Manager instead of baking it
# into source, the image, or environment variables; the identity running this
# code needs only secretsmanager:GetSecretValue on this one secret.
client = boto3.client("secretsmanager")
secret = client.get_secret_value(SecretId="prod/db/password")
db_password = secret["SecretString"]  # binary secrets are returned under "SecretBinary" instead

Workflow

Load the reference for the risk you are addressing. See OWASP Cloud-Native Application Security Top 10 (archived).

First seen: Feb 15, 2026