claude-skills-cicd

Build a Python wheel, npm package, or Docker image AND optionally push it to a registry. This is a SIDE-EFFECTING WRITE OPERATION. Default behaviour reads `$PWD` (the repo the user is releasing) and runs in dry-run mode (build only, no push). Use this when the user asks to "release v1.2.3", "publish to PyPI", "twine upload", "npm publish", "ship a new version", "build and push the docker image to ghcr", "cut a github release", "tag and push", "deploy the SDK", or any explicit publish/release request on the current repo. The user may also pass a GitHub URL to release a different repo. For running tests or linters, use lint-and-test. For SAST or secret scans, use security-scan. For dependency CVE checks, use dependency-audit.

Scan the user's CURRENT repository (or a remote GitHub URL) for KNOWN VULNERABILITIES in third-party dependencies using OSV/GHSA advisory databases. Detects ecosystem from manifest files (pyproject.toml/requirements.txt, package.json/package-lock.json, Cargo.toml, go.mod) and runs the matching auditor (pip-audit, npm audit, cargo audit, govulncheck). Default behaviour reads `$PWD` (no clone). Use this when the user asks to "audit dependencies", "run pip-audit", "npm audit", "check for vulnerable packages", "are any of my deps CVE-flagged", "is lodash safe", "any CVEs in our packages", "scan our requirements.txt", "check our Cargo.lock for advisories", or "any GHSA hits in our manifest". For SAST or secret scans on YOUR OWN source code, use security-scan. For lint/test, use lint-and-test. For build/publish, use build-and-release. Read-only.

Run the lint-then-test pipeline (ruff + pytest for Python, npm lint + npm test for Node) on the user's CURRENT repository and return a structured pass/fail report. Default behaviour reads `$PWD` (the repo the user has checked out and is working on); no clone, no network. Use this when the user asks to "lint and test", "run CI checks", "run pytest", "type-check with mypy", "run prettier and the unit tests", "make sure ruff is clean and tests pass", "ESLint + jest", or any combined static-check-plus-test request on the working repo. To inspect a remote GitHub URL without cloning manually, the user can include the URL in their request and the skill will shallow-clone into a sandbox. For dependency CVE checks, use dependency-audit instead. For SAST or hard-coded-secret scans, use security-scan. For building or publishing artifacts, use build-and-release. Read-only.

Scan the user's CURRENT repository's OWN SOURCE CODE (not its dependencies) for SAST findings, hard-coded secrets/credentials, and (optionally) container-image CVEs in a built docker image. Default behaviour reads `$PWD` (no clone, no network). Use this when the user asks to "run semgrep", "run gitleaks", "run SAST", "find SQL injection in our handlers", "any hardcoded passwords in the codebase", "did we leak any API keys", "did we commit a .env", "scan our Dockerfile for misconfigs", or "scan the docker image for CVEs". These are queries about CODE WE WROTE, not LIBRARIES WE IMPORTED. The user may also pass a remote GitHub URL to scan a third-party repo. For known CVEs in third-party packages (lodash, requests, etc.), use dependency-audit instead. For lint/test, use lint-and-test. For build/publish, use build-and-release. Read-only.