Agent skill
implementation-roadmap
Phased rollout plan for SDLC hardening. Foundation to runtime enforcement in 90 days. Prioritized by risk and audit importance.
Install this agent skill to your Project
npx add-skill https://github.com/adaptive-enforcement-lab/claude-skills/tree/main/plugins/enforce/skills/implementation-roadmap
SKILL.md
Implementation Roadmap
When to Use This Skill
You can't harden everything at once. Prioritize controls by risk and audit value.
Phased Rollout
Follow the 12-week timeline to avoid disrupting existing workflows. Skip phases at your own risk.
Three-month plan from foundation to full enforcement.
Implementation
You can't harden everything at once. Prioritize controls by risk and audit value.
Phased Rollout
Follow the 12-week timeline to avoid disrupting existing workflows. Skip phases at your own risk.
Three-month plan from foundation to full enforcement.
Month 1: Foundation
Goal: Core enforcement in place. Evidence collection begins.
Week 1: Branch Protection
Tasks:
- Enable branch protection on
mainand production branches - Require 1+ approving reviews
- Enable
enforce_admins - Require linear history
Validation:
gh api repos/org/repo/branches/main/protection \
| jq '{reviews: .required_pull_request_reviews, admins: .enforce_admins}'
Documentation: Update CONTRIBUTING.md with review requirements.
Week 2: CI/CD Status Checks
Tasks:
- Create
required-checks.ymlworkflow (tests, lint) - Configure branch protection to require checks
- Test on non-critical repository first
Workflow:
See examples.md for detailed code examples.
Validation: Open PR, verify checks block merge until passing.
Week 3: GitHub App Setup
Tasks:
- Create GitHub App for automation (see Setup Guide)
- Configure permissions (releases, PRs, contents)
- Generate and store private key in secrets
- Replace first PAT usage in workflows
Validation:
- name: Test app token
uses: actions/create-github-app-token@v2
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}
Migration tracking: Document remaining PAT usages for month 2.
Week 4: Evidence Archive
Tasks:
- Set up GCS bucket with lifecycle policy (3 year retention)
- Create monthly evidence collection workflow
- Archive first month's data (branch protection config, merged PRs)
Workflow:
See examples.md for detailed code examples.
Validation: Verify files appear in GCS bucket.
Month 2: Hardening
Goal: Add secrets detection, commit signing, and SBOM generation.
Week 5: Secrets Detection
Tasks:
- Add TruffleHog to
.pre-commit-config.yaml - Deploy pre-commit config to all repositories
- Add secrets scan to CI workflow
- Document bypass procedure (
--no-verifytracking)
Pre-commit hook:
repos:
- repo: https://github.com/trufflesecurity/trufflehog
rev: v3.63.0
hooks:
- id: trufflehog
entry: trufflehog filesystem --fail --no-update
Validation: Attempt to commit AWS key, verify block.
See Pre-commit Security Gates for full implementation.
Week 6: Signed Commits
Tasks:
- Generate GPG keys for core team
- Add public keys to GitHub
- Configure Git to sign commits automatically
- Enable
required_signatureson protected branches
Configuration:
git config --global user.signingkey YOUR_GPG_KEY_ID
git config --global commit.gpgsign true
Validation:
git log --show-signature | grep "Good signature"
See Commit Signing for setup guide.
Week 7: SBOM Generation
Tasks:
- Add Syft/Trivy to build pipelines
- Generate SBOM for each container build
- Upload SBOMs to artifact storage
- Verify license compliance (no GPL in proprietary code)
Workflow:
See examples.md for detailed code examples.
Validation: Download artifact, verify SBOM contains expected dependencies.
See SBOM Generation for full implementation.
Week 8: Complete PAT Migration
Tasks:
- Audit all remaining PAT usages (
grep -r GITHUB_TOKEN .github/) - Create additional GitHub Apps for specific use cases
- Replace all PATs with app tokens
- Revoke old PATs
Validation: No PATs referenced in active workflows.
Month 3: Validation & Policy-as-Code
Goal: Simulate audit, fix gaps, add runtime enforcement.
Week 9: Vulnerability Scanning
Tasks:
- Add Trivy/Grype container scanning to CI
- Set severity threshold (HIGH/CRITICAL block merge)
- Configure vulnerability database auto-update
Workflow:
- name: Scan container
run: |
trivy image --severity HIGH,CRITICAL --exit-code 1 \
gcr.io/project/app:${{ github.sha }}
Validation: Introduce test vulnerability, verify build fails.
See Zero-Vulnerability Pipelines.
Week 10: Policy-as-Code (Kyverno)
Tasks:
- Deploy Kyverno to Kubernetes clusters
- Install Policy Reporter for observability
- Implement core policies (resource limits, image sources, labels)
- Configure audit mode first, then enforcement mode
Core policy:
See examples.md for detailed code examples.
Validation: Deploy pod without limits, verify rejection.
See Policy-as-Code with Kyverno for end-to-end implementation.
Week 11: Audit Simulation
Tasks:
- Pull evidence like an auditor would (API queries for March data)
- Generate summary report (PR reviews, check results, signed commits)
- Identify gaps in evidence or controls
- Document findings and remediation plan
Simulation script:
# Verify branch protection
gh api repos/org/repo/branches/main/protection
# Sample March PRs
gh api 'repos/org/repo/pulls?state=closed&base=main' \
--jq '.[] | select(.merged_at | startswith("2025-03"))'
# Check signature coverage
./scripts/signature-coverage.sh 2025-03-01 2025-04-01
Validation: Evidence collection succeeds for sampled period.
Week 12: Remediation & Runbook
Tasks:
- Fix gaps identified in simulation
- Create runbook for responding to audit requests
- Train team on SDLC controls (why they exist, how to use them)
- Document exception processes (emergency bypass, post-review)
Runbook sections:
- How to retrieve branch protection evidence
- How to query PR review history
- How to generate compliance reports
- Exception request template
- Bypass logging procedure
Validation: Team can retrieve evidence without assistance.
Next Steps
- Execution Guide - Progress tracking, audit readiness criteria, rollback planning, cost estimation, success metrics
Week 1: Protection enabled. Week 4: Evidence collected. Week 12: Audit simulation passed. Controls enforced. System hardened.
Month 1: Foundation
Goal: Core enforcement in place. Evidence collection begins.
Week 1: Branch Protection
Tasks:
- Enable branch protection on
mainand production branches - Require 1+ approving reviews
- Enable
enforce_admins - Require linear history
Validation:
gh api repos/org/repo/branches/main/protection \
| jq '{reviews: .required_pull_request_reviews, admins: .enforce_admins}'
Documentation: Update CONTRIBUTING.md with review requirements.
Week 2: CI/CD Status Checks
Tasks:
- Create
required-checks.ymlworkflow (tests, lint) - Configure branch protection to require checks
- Test on non-critical repository first
Workflow:
See examples.md for detailed code examples.
Validation: Open PR, verify checks block merge until passing.
Week 3: GitHub App Setup
Tasks:
- Create GitHub App for automation (see Setup Guide)
- Configure permissions (releases, PRs, contents)
- Generate and store private key in secrets
- Replace first PAT usage in workflows
Validation:
- name: Test app token
uses: actions/create-github-app-token@v2
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}
Migration tracking: Document remaining PAT usages for month 2.
Week 4: Evidence Archive
Tasks:
- Set up GCS bucket with lifecycle policy (3 year retention)
- Create monthly evidence collection workflow
- Archive first month's data (branch protection config, merged PRs)
Workflow:
See examples.md for detailed code examples.
Validation: Verify files appear in GCS bucket.
Month 2: Hardening
Goal: Add secrets detection, commit signing, and SBOM generation.
Week 5: Secrets Detection
Tasks:
- Add TruffleHog to
.pre-commit-config.yaml - Deploy pre-commit config to all repositories
- Add secrets scan to CI workflow
- Document bypass procedure (
--no-verifytracking)
Pre-commit hook:
repos:
- repo: https://github.com/trufflesecurity/trufflehog
rev: v3.63.0
hooks:
- id: trufflehog
entry: trufflehog filesystem --fail --no-update
Validation: Attempt to commit AWS key, verify block.
See Pre-commit Security Gates for full implementation.
Week 6: Signed Commits
Tasks:
- Generate GPG keys for core team
- Add public keys to GitHub
- Configure Git to sign commits automatically
- Enable
required_signatureson protected branches
Configuration:
git config --global user.signingkey YOUR_GPG_KEY_ID
git config --global commit.gpgsign true
Validation:
git log --show-signature | grep "Good signature"
See Commit Signing for setup guide.
Week 7: SBOM Generation
Tasks:
- Add Syft/Trivy to build pipelines
- Generate SBOM for each container build
- Upload SBOMs to artifact storage
- Verify license compliance (no GPL in proprietary code)
Workflow:
See examples.md for detailed code examples.
Validation: Download artifact, verify SBOM contains expected dependencies.
See SBOM Generation for full implementation.
Week 8: Complete PAT Migration
Tasks:
- Audit all remaining PAT usages (
grep -r GITHUB_TOKEN .github/) - Create additional GitHub Apps for specific use cases
- Replace all PATs with app tokens
- Revoke old PATs
Validation: No PATs referenced in active workflows.
Month 3: Validation & Policy-as-Code
Goal: Simulate audit, fix gaps, add runtime enforcement.
Week 9: Vulnerability Scanning
Tasks:
- Add Trivy/Grype container scanning to CI
- Set severity threshold (HIGH/CRITICAL block merge)
- Configure vulnerability database auto-update
Workflow:
- name: Scan container
run: |
trivy image --severity HIGH,CRITICAL --exit-code 1 \
gcr.io/project/app:${{ github.sha }}
Validation: Introduce test vulnerability, verify build fails.
See Zero-Vulnerability Pipelines.
Week 10: Policy-as-Code (Kyverno)
Tasks:
- Deploy Kyverno to Kubernetes clusters
- Install Policy Reporter for observability
- Implement core policies (resource limits, image sources, labels)
- Configure audit mode first, then enforcement mode
Core policy:
See examples.md for detailed code examples.
Validation: Deploy pod without limits, verify rejection.
See Policy-as-Code with Kyverno for end-to-end implementation.
Week 11: Audit Simulation
Tasks:
- Pull evidence like an auditor would (API queries for March data)
- Generate summary report (PR reviews, check results, signed commits)
- Identify gaps in evidence or controls
- Document findings and remediation plan
Simulation script:
# Verify branch protection
gh api repos/org/repo/branches/main/protection
# Sample March PRs
gh api 'repos/org/repo/pulls?state=closed&base=main' \
--jq '.[] | select(.merged_at | startswith("2025-03"))'
# Check signature coverage
./scripts/signature-coverage.sh 2025-03-01 2025-04-01
Validation: Evidence collection succeeds for sampled period.
Week 12: Remediation & Runbook
Tasks:
- Fix gaps identified in simulation
- Create runbook for responding to audit requests
- Train team on SDLC controls (why they exist, how to use them)
- Document exception processes (emergency bypass, post-review)
Runbook sections:
- How to retrieve branch protection evidence
- How to query PR review history
- How to generate compliance reports
- Exception request template
- Bypass logging procedure
Validation: Team can retrieve evidence without assistance.
Next Steps
- Execution Guide - Progress tracking, audit readiness criteria, rollback planning, cost estimation, success metrics
Week 1: Protection enabled. Week 4: Evidence collected. Week 12: Audit simulation passed. Controls enforced. System hardened.
Examples
See examples.md for code examples.
Full Reference
See reference.md for complete documentation.
References
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
github-token-permissions-overview
Understanding GITHUB_TOKEN scope, default permissions, and implementing least-privilege principle for GitHub Actions workflows.
secure
Find and fix security issues before they become incidents. Vulnerability scanning, SBOM generation, supply chain security, and secure authentication workflows.
complete-workflow-examples
Copy-paste hardened CI/CD workflows with SHA-pinned actions, minimal GITHUB_TOKEN permissions, OIDC authentication, and comprehensive security scanning for GitHub Actions.
ephemeral-runner-patterns
Disposable runner patterns for GitHub Actions. Container-based, VM-based, and ARC deployment strategies with complete state isolation between jobs.
action-pinning-overview
Why pinning GitHub Actions to SHA-256 commits matters for supply chain security. Attack vectors from unpinned actions and comparison of tag vs SHA pinning.
github-actions-security-patterns-hub
Complete security patterns for GitHub Actions covering action pinning, GITHUB_TOKEN permissions, third-party action risks, secret management, and runner security.
Didn't find tool you were looking for?