スキル policy-opa 監査履歴
📦

監査履歴

policy-opa - 6 監査

監査バージョン 6

最新 中リスク

Jun 28, 2026, 05:51 AM

Static analysis reported many high-severity patterns, but review found no prompt injection, malware behavior, or credential exfiltration. Most hits are false positives from Rego policy examples, compliance terms, public reference URLs, and defensive security vocabulary. The skill is medium risk because CI examples run shell commands and download OPA over the network, which users should review before copying into pipelines.

14
スキャンされたファイル
3,721
解析された行数
8
検出結果
codex
監査者
中リスクの問題 (2)
assets/ci-cd-pipeline.yaml:31assets/ci-cd-pipeline.yaml:166assets/ci-cd-pipeline.yaml:214
CI Examples Execute Shell Commands and External Tools
Verdict: TRUE_POSITIVE. The GitHub and GitLab CI examples use shell command substitution, Terraform, jq, curl, and OPA commands. This is legitimate for a policy-as-code skill, but copied pipelines can execute in privileged CI contexts and should be reviewed before use.
assets/ci-cd-pipeline.yaml:107assets/ci-cd-pipeline.yaml:220references/iac-policies.md:612
Terraform Plan Examples May Process Sensitive Deployment Data
Verdict: NEEDS_REVIEW. The examples generate Terraform plan JSON and evaluate it with OPA. Terraform plan data can include sensitive values depending on provider behavior, so CI logs and artifacts should avoid exposing raw plan contents.
低リスクの問題 (4)
assets/soc2-compliance.rego:1-5assets/terraform-security.rego:54-78references/compliance-frameworks.md:3-7
Rego Security Keywords Misclassified as Malicious Indicators
Verdict: FALSE_POSITIVE. Terms such as deny, control, encryption, privileged, and network appear in defensive OPA policies. They describe controls that block insecure Kubernetes, Terraform, SOC2, PCI-DSS, and GDPR configurations.
SKILL.md:36-46references/rego-patterns.md:18-25references/kubernetes-security.md:19-37
Markdown Code Fences Misclassified as Ruby Backtick Execution
Verdict: FALSE_POSITIVE. Static analysis flagged many fenced Rego and YAML examples as backtick execution. These are documentation blocks, not Ruby strings or executable code in the skill runtime.
assets/k8s-pod-security.rego:3-4assets/k8s-constraint-template.yaml:32-33assets/gdpr-compliance.rego:3
Future Keyword Imports Misclassified as Certificate or Key Files
Verdict: FALSE_POSITIVE. Static analysis treated Rego import statements containing future.keywords as certificate or key references. These imports enable Rego syntax features and do not read secrets or key material.
SKILL.md:19-21references/iac-policies.md:320-330references/kubernetes-security.md:547-550
Public URLs and Example Network Ranges Are Benign References
Verdict: FALSE_POSITIVE. Most hardcoded URLs are public documentation links, and 0.0.0.0/0 appears as an insecure network range that policies detect. These examples do not exfiltrate data.

リスク要因

⚙️ 外部コマンド (5)
assets/ci-cd-pipeline.yaml:31 assets/ci-cd-pipeline.yaml:166 SKILL.md:36-46 SKILL.md:152-156 references/iac-policies.md:605-612
🌐 ネットワークアクセス (5)
assets/ci-cd-pipeline.yaml:214 SKILL.md:19-21 SKILL.md:237 references/compliance-frameworks.md:503-507 references/kubernetes-security.md:547-550

検出されたパターン

Shell Command Substitution in CI LogicNetwork Binary Download Without Checksum Verification

監査バージョン 5

安全

Jan 16, 2026, 03:51 PM

Pure documentation and policy template skill containing only Rego policy definitions and reference materials. The static scanner flagged compliance terminology as security issues due to keyword-based detection without semantic understanding. All 382 findings are false positives: 'C2 keywords' are SOC2 control codes (CC6.1, CC7.2), 'weak cryptographic algorithm' flags TLS configurations (valid security controls), and 'certificate/key files' references are Kubernetes annotations, not actual sensitive files. No executable code, network calls, or command execution present.

15
スキャンされたファイル
3,983
解析された行数
2
検出結果
claude
監査者
セキュリティ問題は見つかりませんでした

リスク要因

⚙️ 外部コマンド (216)
assets/ci-cd-pipeline.yaml:31 assets/ci-cd-pipeline.yaml:166 references/compliance-frameworks.md:19-57 references/compliance-frameworks.md:57-63 references/compliance-frameworks.md:63-88 references/compliance-frameworks.md:88-94 references/compliance-frameworks.md:94-108 references/compliance-frameworks.md:108-114 references/compliance-frameworks.md:114-132 references/compliance-frameworks.md:132-140 references/compliance-frameworks.md:140-159 references/compliance-frameworks.md:159-165 references/compliance-frameworks.md:165-194 references/compliance-frameworks.md:194-200 references/compliance-frameworks.md:200-226 references/compliance-frameworks.md:226-232 references/compliance-frameworks.md:232-251 references/compliance-frameworks.md:251-259 references/compliance-frameworks.md:259-294 references/compliance-frameworks.md:294-300 references/compliance-frameworks.md:300-326 references/compliance-frameworks.md:326-334 references/compliance-frameworks.md:334-348 references/compliance-frameworks.md:348-354 references/compliance-frameworks.md:354-396 references/compliance-frameworks.md:396-404 references/compliance-frameworks.md:404-429 references/compliance-frameworks.md:429-435 references/compliance-frameworks.md:435-449 references/compliance-frameworks.md:449-455 references/compliance-frameworks.md:455-468 references/compliance-frameworks.md:468-474 references/compliance-frameworks.md:474-499 references/iac-policies.md:16-50 references/iac-policies.md:50-54 references/iac-policies.md:54-88 references/iac-policies.md:88-92 references/iac-policies.md:92-126 references/iac-policies.md:126-130 references/iac-policies.md:130-172 references/iac-policies.md:172-176 references/iac-policies.md:176-226 references/iac-policies.md:226-230 references/iac-policies.md:230-256 references/iac-policies.md:256-260 references/iac-policies.md:260-277 references/iac-policies.md:277-283 references/iac-policies.md:283-309 references/iac-policies.md:309-313 references/iac-policies.md:313-335 references/iac-policies.md:335-339 references/iac-policies.md:339-357 references/iac-policies.md:357-363 references/iac-policies.md:363-389 references/iac-policies.md:389-393 references/iac-policies.md:393-419 references/iac-policies.md:419-423 references/iac-policies.md:423-447 references/iac-policies.md:447-453 references/iac-policies.md:453-479 references/iac-policies.md:479-483 references/iac-policies.md:483-509 references/iac-policies.md:509-513 references/iac-policies.md:513-537 references/iac-policies.md:537-543 references/iac-policies.md:543-566 references/iac-policies.md:566-572 references/iac-policies.md:572-601 references/iac-policies.md:601-605 references/iac-policies.md:605-615 references/kubernetes-security.md:19-37 references/kubernetes-security.md:37-43 references/kubernetes-security.md:43-61 references/kubernetes-security.md:61-67 references/kubernetes-security.md:67-77 references/kubernetes-security.md:77-83 references/kubernetes-security.md:83-115 references/kubernetes-security.md:115-121 references/kubernetes-security.md:121-144 references/kubernetes-security.md:144-150 references/kubernetes-security.md:150-170 references/kubernetes-security.md:170-176 references/kubernetes-security.md:176-201 references/kubernetes-security.md:201-209 references/kubernetes-security.md:209-235 references/kubernetes-security.md:235-241 references/kubernetes-security.md:241-262 references/kubernetes-security.md:262-268 references/kubernetes-security.md:268-282 references/kubernetes-security.md:282-290 references/kubernetes-security.md:290-304 references/kubernetes-security.md:304-310 references/kubernetes-security.md:310-327 references/kubernetes-security.md:327-333 references/kubernetes-security.md:333-347 references/kubernetes-security.md:347-355 references/kubernetes-security.md:355-375 references/kubernetes-security.md:375-381 references/kubernetes-security.md:381-399 references/kubernetes-security.md:399-405 references/kubernetes-security.md:405-426 references/kubernetes-security.md:426-434 references/kubernetes-security.md:434-459 references/kubernetes-security.md:459-465 references/kubernetes-security.md:465-478 references/kubernetes-security.md:478-484 references/kubernetes-security.md:484-494 references/kubernetes-security.md:494-500 references/kubernetes-security.md:500-526 references/kubernetes-security.md:526-530 references/kubernetes-security.md:530-543 references/rego-patterns.md:18-25 references/rego-patterns.md:25-31 references/rego-patterns.md:31-43 references/rego-patterns.md:43-49 references/rego-patterns.md:49-57 references/rego-patterns.md:57-63 references/rego-patterns.md:63-73 references/rego-patterns.md:73-81 references/rego-patterns.md:81-89 references/rego-patterns.md:89-95 references/rego-patterns.md:95-103 references/rego-patterns.md:103-109 references/rego-patterns.md:109-127 references/rego-patterns.md:127-133 references/rego-patterns.md:133-141 references/rego-patterns.md:141-147 references/rego-patterns.md:147-157 references/rego-patterns.md:157-163 references/rego-patterns.md:163-181 references/rego-patterns.md:181-185 references/rego-patterns.md:185-203 references/rego-patterns.md:203-207 references/rego-patterns.md:207-233 references/rego-patterns.md:233-237 references/rego-patterns.md:237-259 references/rego-patterns.md:259-267 references/rego-patterns.md:267-293 references/rego-patterns.md:293-299 references/rego-patterns.md:299-316 references/rego-patterns.md:316-322 references/rego-patterns.md:322-345 references/rego-patterns.md:345-351 references/rego-patterns.md:351-375 references/rego-patterns.md:375-381 references/rego-patterns.md:381-403 references/rego-patterns.md:403-409 references/rego-patterns.md:409-452 references/rego-patterns.md:452-460 references/rego-patterns.md:460-482 references/rego-patterns.md:482-488 references/rego-patterns.md:488-499 SKILL.md:36-46 SKILL.md:46-50 SKILL.md:50-59 SKILL.md:59-74 SKILL.md:74-77 SKILL.md:77-96 SKILL.md:96-99 SKILL.md:99-118 SKILL.md:118-124 SKILL.md:124-162 SKILL.md:162-165 SKILL.md:165-167 SKILL.md:167-173 SKILL.md:173-182 SKILL.md:182-185 SKILL.md:185-191 SKILL.md:191-198 SKILL.md:198-217 SKILL.md:217-220 SKILL.md:220-229 SKILL.md:229-235 SKILL.md:235-247 SKILL.md:247-253 SKILL.md:253-259 SKILL.md:259-273 SKILL.md:273-275 SKILL.md:275-276 SKILL.md:276-277 SKILL.md:277-279 SKILL.md:279-281 SKILL.md:281-282 SKILL.md:282-283 SKILL.md:283-284 SKILL.md:284-286 SKILL.md:286-288 SKILL.md:288-289 SKILL.md:289-290 SKILL.md:290-291 SKILL.md:291-292 SKILL.md:292-293 SKILL.md:293-294 SKILL.md:294-295 SKILL.md:295-302 SKILL.md:302-310 SKILL.md:310-315 SKILL.md:315-324 SKILL.md:324-329 SKILL.md:329-338 SKILL.md:338-343 SKILL.md:343-351 SKILL.md:351-356 SKILL.md:356-376 SKILL.md:376-382 SKILL.md:382-392 SKILL.md:392-395 SKILL.md:395-400 SKILL.md:400-401 SKILL.md:401-402 SKILL.md:402-408 SKILL.md:408-411 SKILL.md:411-416 SKILL.md:416-419 SKILL.md:212 SKILL.md:198-217
🌐 ネットワークアクセス (37)
assets/ci-cd-pipeline.yaml:214 assets/terraform-security.rego:193 references/compliance-frameworks.md:503 references/compliance-frameworks.md:504 references/compliance-frameworks.md:505 references/compliance-frameworks.md:506 references/compliance-frameworks.md:507 references/iac-policies.md:619 references/iac-policies.md:620 references/iac-policies.md:621 references/iac-policies.md:622 references/iac-policies.md:623 references/iac-policies.md:215 references/iac-policies.md:320 references/iac-policies.md:330 references/iac-policies.md:520 references/iac-policies.md:531 references/kubernetes-security.md:547 references/kubernetes-security.md:548 references/kubernetes-security.md:549 references/kubernetes-security.md:550 references/rego-patterns.md:503 references/rego-patterns.md:504 references/rego-patterns.md:505 SKILL.md:19 SKILL.md:20 SKILL.md:21 SKILL.md:41 SKILL.md:237 SKILL.md:424 SKILL.md:425 SKILL.md:426 SKILL.md:427 SKILL.md:428 SKILL.md:429 SKILL.md:430 SKILL.md:431

監査バージョン 4

安全

Jan 16, 2026, 03:51 PM

Pure documentation and policy template skill containing only Rego policy definitions and reference materials. The static scanner flagged compliance terminology as security issues due to keyword-based detection without semantic understanding. All 382 findings are false positives: 'C2 keywords' are SOC2 control codes (CC6.1, CC7.2), 'weak cryptographic algorithm' flags TLS configurations (valid security controls), and 'certificate/key files' references are Kubernetes annotations, not actual sensitive files. No executable code, network calls, or command execution present.

15
スキャンされたファイル
3,983
解析された行数
2
検出結果
claude
監査者
セキュリティ問題は見つかりませんでした

リスク要因

⚙️ 外部コマンド (216)
assets/ci-cd-pipeline.yaml:31 assets/ci-cd-pipeline.yaml:166 references/compliance-frameworks.md:19-57 references/compliance-frameworks.md:57-63 references/compliance-frameworks.md:63-88 references/compliance-frameworks.md:88-94 references/compliance-frameworks.md:94-108 references/compliance-frameworks.md:108-114 references/compliance-frameworks.md:114-132 references/compliance-frameworks.md:132-140 references/compliance-frameworks.md:140-159 references/compliance-frameworks.md:159-165 references/compliance-frameworks.md:165-194 references/compliance-frameworks.md:194-200 references/compliance-frameworks.md:200-226 references/compliance-frameworks.md:226-232 references/compliance-frameworks.md:232-251 references/compliance-frameworks.md:251-259 references/compliance-frameworks.md:259-294 references/compliance-frameworks.md:294-300 references/compliance-frameworks.md:300-326 references/compliance-frameworks.md:326-334 references/compliance-frameworks.md:334-348 references/compliance-frameworks.md:348-354 references/compliance-frameworks.md:354-396 references/compliance-frameworks.md:396-404 references/compliance-frameworks.md:404-429 references/compliance-frameworks.md:429-435 references/compliance-frameworks.md:435-449 references/compliance-frameworks.md:449-455 references/compliance-frameworks.md:455-468 references/compliance-frameworks.md:468-474 references/compliance-frameworks.md:474-499 references/iac-policies.md:16-50 references/iac-policies.md:50-54 references/iac-policies.md:54-88 references/iac-policies.md:88-92 references/iac-policies.md:92-126 references/iac-policies.md:126-130 references/iac-policies.md:130-172 references/iac-policies.md:172-176 references/iac-policies.md:176-226 references/iac-policies.md:226-230 references/iac-policies.md:230-256 references/iac-policies.md:256-260 references/iac-policies.md:260-277 references/iac-policies.md:277-283 references/iac-policies.md:283-309 references/iac-policies.md:309-313 references/iac-policies.md:313-335 references/iac-policies.md:335-339 references/iac-policies.md:339-357 references/iac-policies.md:357-363 references/iac-policies.md:363-389 references/iac-policies.md:389-393 references/iac-policies.md:393-419 references/iac-policies.md:419-423 references/iac-policies.md:423-447 references/iac-policies.md:447-453 references/iac-policies.md:453-479 references/iac-policies.md:479-483 references/iac-policies.md:483-509 references/iac-policies.md:509-513 references/iac-policies.md:513-537 references/iac-policies.md:537-543 references/iac-policies.md:543-566 references/iac-policies.md:566-572 references/iac-policies.md:572-601 references/iac-policies.md:601-605 references/iac-policies.md:605-615 references/kubernetes-security.md:19-37 references/kubernetes-security.md:37-43 references/kubernetes-security.md:43-61 references/kubernetes-security.md:61-67 references/kubernetes-security.md:67-77 references/kubernetes-security.md:77-83 references/kubernetes-security.md:83-115 references/kubernetes-security.md:115-121 references/kubernetes-security.md:121-144 references/kubernetes-security.md:144-150 references/kubernetes-security.md:150-170 references/kubernetes-security.md:170-176 references/kubernetes-security.md:176-201 references/kubernetes-security.md:201-209 references/kubernetes-security.md:209-235 references/kubernetes-security.md:235-241 references/kubernetes-security.md:241-262 references/kubernetes-security.md:262-268 references/kubernetes-security.md:268-282 references/kubernetes-security.md:282-290 references/kubernetes-security.md:290-304 references/kubernetes-security.md:304-310 references/kubernetes-security.md:310-327 references/kubernetes-security.md:327-333 references/kubernetes-security.md:333-347 references/kubernetes-security.md:347-355 references/kubernetes-security.md:355-375 references/kubernetes-security.md:375-381 references/kubernetes-security.md:381-399 references/kubernetes-security.md:399-405 references/kubernetes-security.md:405-426 references/kubernetes-security.md:426-434 references/kubernetes-security.md:434-459 references/kubernetes-security.md:459-465 references/kubernetes-security.md:465-478 references/kubernetes-security.md:478-484 references/kubernetes-security.md:484-494 references/kubernetes-security.md:494-500 references/kubernetes-security.md:500-526 references/kubernetes-security.md:526-530 references/kubernetes-security.md:530-543 references/rego-patterns.md:18-25 references/rego-patterns.md:25-31 references/rego-patterns.md:31-43 references/rego-patterns.md:43-49 references/rego-patterns.md:49-57 references/rego-patterns.md:57-63 references/rego-patterns.md:63-73 references/rego-patterns.md:73-81 references/rego-patterns.md:81-89 references/rego-patterns.md:89-95 references/rego-patterns.md:95-103 references/rego-patterns.md:103-109 references/rego-patterns.md:109-127 references/rego-patterns.md:127-133 references/rego-patterns.md:133-141 references/rego-patterns.md:141-147 references/rego-patterns.md:147-157 references/rego-patterns.md:157-163 references/rego-patterns.md:163-181 references/rego-patterns.md:181-185 references/rego-patterns.md:185-203 references/rego-patterns.md:203-207 references/rego-patterns.md:207-233 references/rego-patterns.md:233-237 references/rego-patterns.md:237-259 references/rego-patterns.md:259-267 references/rego-patterns.md:267-293 references/rego-patterns.md:293-299 references/rego-patterns.md:299-316 references/rego-patterns.md:316-322 references/rego-patterns.md:322-345 references/rego-patterns.md:345-351 references/rego-patterns.md:351-375 references/rego-patterns.md:375-381 references/rego-patterns.md:381-403 references/rego-patterns.md:403-409 references/rego-patterns.md:409-452 references/rego-patterns.md:452-460 references/rego-patterns.md:460-482 references/rego-patterns.md:482-488 references/rego-patterns.md:488-499 SKILL.md:36-46 SKILL.md:46-50 SKILL.md:50-59 SKILL.md:59-74 SKILL.md:74-77 SKILL.md:77-96 SKILL.md:96-99 SKILL.md:99-118 SKILL.md:118-124 SKILL.md:124-162 SKILL.md:162-165 SKILL.md:165-167 SKILL.md:167-173 SKILL.md:173-182 SKILL.md:182-185 SKILL.md:185-191 SKILL.md:191-198 SKILL.md:198-217 SKILL.md:217-220 SKILL.md:220-229 SKILL.md:229-235 SKILL.md:235-247 SKILL.md:247-253 SKILL.md:253-259 SKILL.md:259-273 SKILL.md:273-275 SKILL.md:275-276 SKILL.md:276-277 SKILL.md:277-279 SKILL.md:279-281 SKILL.md:281-282 SKILL.md:282-283 SKILL.md:283-284 SKILL.md:284-286 SKILL.md:286-288 SKILL.md:288-289 SKILL.md:289-290 SKILL.md:290-291 SKILL.md:291-292 SKILL.md:292-293 SKILL.md:293-294 SKILL.md:294-295 SKILL.md:295-302 SKILL.md:302-310 SKILL.md:310-315 SKILL.md:315-324 SKILL.md:324-329 SKILL.md:329-338 SKILL.md:338-343 SKILL.md:343-351 SKILL.md:351-356 SKILL.md:356-376 SKILL.md:376-382 SKILL.md:382-392 SKILL.md:392-395 SKILL.md:395-400 SKILL.md:400-401 SKILL.md:401-402 SKILL.md:402-408 SKILL.md:408-411 SKILL.md:411-416 SKILL.md:416-419 SKILL.md:212 SKILL.md:198-217
🌐 ネットワークアクセス (37)
assets/ci-cd-pipeline.yaml:214 assets/terraform-security.rego:193 references/compliance-frameworks.md:503 references/compliance-frameworks.md:504 references/compliance-frameworks.md:505 references/compliance-frameworks.md:506 references/compliance-frameworks.md:507 references/iac-policies.md:619 references/iac-policies.md:620 references/iac-policies.md:621 references/iac-policies.md:622 references/iac-policies.md:623 references/iac-policies.md:215 references/iac-policies.md:320 references/iac-policies.md:330 references/iac-policies.md:520 references/iac-policies.md:531 references/kubernetes-security.md:547 references/kubernetes-security.md:548 references/kubernetes-security.md:549 references/kubernetes-security.md:550 references/rego-patterns.md:503 references/rego-patterns.md:504 references/rego-patterns.md:505 SKILL.md:19 SKILL.md:20 SKILL.md:21 SKILL.md:41 SKILL.md:237 SKILL.md:424 SKILL.md:425 SKILL.md:426 SKILL.md:427 SKILL.md:428 SKILL.md:429 SKILL.md:430 SKILL.md:431

監査バージョン 3

安全

Jan 10, 2026, 10:52 AM

Pure documentation and policy template skill with no executable code. Contains only Rego policy definitions, YAML configurations, and reference documentation for Open Policy Agent. No scripts, network calls, filesystem access, or command execution detected.

14
スキャンされたファイル
3,707
解析された行数
0
検出結果
claude
監査者
セキュリティ問題は見つかりませんでした

監査バージョン 2

安全

Jan 10, 2026, 10:52 AM

Pure documentation and policy template skill with no executable code. Contains only Rego policy definitions, YAML configurations, and reference documentation for Open Policy Agent. No scripts, network calls, filesystem access, or command execution detected.

14
スキャンされたファイル
3,707
解析された行数
0
検出結果
claude
監査者
セキュリティ問題は見つかりませんでした

監査バージョン 1

安全

Jan 10, 2026, 10:52 AM

Pure documentation and policy template skill with no executable code. Contains only Rego policy definitions, YAML configurations, and reference documentation for Open Policy Agent. No scripts, network calls, filesystem access, or command execution detected.

14
スキャンされたファイル
3,707
解析された行数
0
検出結果
claude
監査者
セキュリティ問題は見つかりませんでした
← スキルに戻る