### Install Single All-in-One Command (Bash) Source: https://github.com/snyk/studio-recipes/blob/main/command_directives/synchronous_remediation/command/README.md Installs a Snyk Studio single all-in-one command by copying a markdown file to the project's rules directory. This approach offers simpler installation. ```bash cp single_all_in_one_command/snyk-fix.md /path/to/project/.cursor/rules/ ``` -------------------------------- ### Implement Dockerfile Security Best Practices Source: https://github.com/snyk/studio-recipes/blob/main/command_directives/synchronous_remediation/skills/container-security/SKILL.md This section provides code examples for several Dockerfile security best practices. It covers using specific base image tags, running containers as a non-root user, utilizing multi-stage builds for smaller images, and minimizing installed packages to reduce the attack surface. ```dockerfile # Bad - unpredictable FROM node:latest # Good - specific version FROM node:20.10.0-alpine3.19 ``` ```dockerfile # Add before CMD RUN addgroup -g 1001 appgroup && \ adduser -u 1001 -G appgroup -D appuser USER appuser ``` ```dockerfile # Build stage FROM node:20 AS builder WORKDIR /app COPY . . RUN npm ci && npm run build # Production stage - smaller, fewer vulns FROM node:20-alpine COPY --from=builder /app/dist /app CMD ["node", "/app/index.js"] ``` ```dockerfile # Bad RUN apt-get install -y curl wget vim nano # Good - only what's needed RUN apt-get install -y --no-install-recommends curl ``` -------------------------------- ### Install Snyk skills via command line Source: https://github.com/snyk/studio-recipes/blob/main/command_directives/synchronous_remediation/skills/README.md Commands to install a specific skill module into either a local project directory or a global configuration directory for the AI assistant. ```bash # Per-Project Installation cp -r skills/ /path/to/project/.claude/skills/ # Global Installation cp -r skills/ ~/.claude/skills/ ``` -------------------------------- ### Verify Lockfile Update (npm example) Source: https://github.com/snyk/studio-recipes/blob/main/command_directives/synchronous_remediation/command/composit_commands/snyk-sca-fix.md This bash command provides an example of how to verify if a lockfile has been updated after a dependency installation. It specifically shows how to check the entry for 'lodash' in a package-lock.json file. ```bash # Example for npm grep -A2 ""lodash"":" package-lock.json ``` -------------------------------- ### Install Git Pre-Commit Hooks (Bash) Source: https://context7.com/snyk/studio-recipes/llms.txt Installs Git pre-commit hooks to automatically scan for new security vulnerabilities before allowing a commit. It includes SAST/SCA protection and smart filtering for new vulnerabilities. The installation script places necessary files in the .git/hooks directory and .kiro directory. ```bash # Installation cd your-project bash path/to/studio-recipes/guardrail_directives/secure_at_inception/kiro_hooks/install.sh # Files installed: # .git/hooks/pre-commit # .git/hooks/lib/*.py # .kiro/hooks/kiro_background_scanner.py # .kiro/hooks/background-security-scan.kiro.hook # Usage - hooks run automatically git add . git commit -m "my changes" # If blocked, copy fix command to AI assistant: # /snyk-fix-batch javascript/PT@server.ts:45, sca:lodash # Configuration environment variables: SNYK_HOOK_DEBUG=1 # Enable verbose output SNYK_HOOK_QUICK=1 # Skip old version comparison (faster) SNYK_HOOK_NO_CACHE=1 # Disable cache (force fresh scans) # Cache management: python3 .git/hooks/lib/cache.py --stats # View statistics python3 .git/hooks/lib/cache.py --clear # Clear all entries python3 .git/hooks/lib/cache.py --cleanup # Remove expired only # Bypass in emergencies (use sparingly): git commit --no-verify -m "emergency fix" ``` -------------------------------- ### Install Composite Commands (Bash) Source: https://github.com/snyk/studio-recipes/blob/main/command_directives/synchronous_remediation/command/README.md Installs Snyk Studio composite commands by creating a rules directory and copying markdown files into it. This approach is recommended for modularity and granular control. ```bash mkdir -p .cursor/rules cp composit_commands/*.md /path/to/project/.cursor/rules/ ``` -------------------------------- ### Install and Authorize Snyk CLI Source: https://github.com/snyk/studio-recipes/blob/main/guardrail_directives/secure_at_inception/hooks_version/cursor/async_cli_version/README.md Installs the Snyk CLI globally using npm and then authenticates the CLI with your Snyk account. This is a prerequisite for using the Snyk security scanning features. ```bash npm install -g snyk && snyk auth ``` -------------------------------- ### Dockerfile Base Image Upgrade Example Source: https://github.com/snyk/studio-recipes/blob/main/command_directives/synchronous_remediation/skills/container-security/SKILL.md Demonstrates how to upgrade the base image in a Dockerfile to address vulnerabilities. It shows a 'before' and 'after' state, highlighting the change in the `FROM` instruction. ```dockerfile # Before FROM node:16-alpine # After FROM node:20-alpine ``` -------------------------------- ### Install Snyk CLI Source: https://github.com/snyk/studio-recipes/blob/main/guardrail_directives/secure_at_inception/kiro_hooks/README.md Installs the Snyk CLI globally using npm and authenticates the CLI with your Snyk account. This is a prerequisite for using Snyk Security Hooks. ```bash # Install Snyk CLI globally npm install -g snyk snyk auth ``` -------------------------------- ### Install Snyk Fix Rule Source: https://github.com/snyk/studio-recipes/blob/main/command_directives/synchronous_remediation/command/single_all_in_one_command/README.md Instructions for installing the snyk-fix command by creating the necessary directory and copying the rule file into the project's rules configuration. ```bash mkdir -p .cursor/rules cp snyk-fix.md /path/to/project/.cursor/rules/ ``` -------------------------------- ### Example SPDX SBOM Structure Source: https://context7.com/snyk/studio-recipes/llms.txt Demonstrates the structure of an SPDX (Software Package Data Exchange) SBOM, a standard for communicating software bill of materials information. It details package information, relationships, and licensing. ```json { "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "packages": [ { "name": "lodash", "versionInfo": "4.17.21", "externalRefs": [{ "referenceType": "purl", "referenceLocator": "pkg:npm/lodash@4.17.21" }] } ] } ``` -------------------------------- ### Example CycloneDX SBOM Structure Source: https://context7.com/snyk/studio-recipes/llms.txt Illustrates the structure of a CycloneDX SBOM, a machine-readable inventory of software components and their dependencies. This format is commonly used for vulnerability management and supply chain security. ```json { "bomFormat": "CycloneDX", "specVersion": "1.5", "components": [ { "type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21", "licenses": [{"license": {"id": "MIT"}}] } ] } ``` -------------------------------- ### Minimize Installed Packages in Dockerfile Source: https://github.com/snyk/studio-recipes/blob/main/command_directives/synchronous_remediation/skills/container-security/references/dockerfile-best-practices.md Install only necessary packages. Use `--no-install-recommends` with `apt-get` and clean up package manager caches (`rm -rf /var/lib/apt/lists/*`) to reduce image size and attack surface. ```dockerfile # Bad - installs recommended packages RUN apt-get update && apt-get install -y curl # Good - no recommends, clean up RUN apt-get update && \ apt-get install -y --no-install-recommends curl && \ rm -rf /var/lib/apt/lists/* ``` -------------------------------- ### Install and Configure Snyk Security Hooks for Claude Code Source: https://github.com/snyk/studio-recipes/blob/main/guardrail_directives/secure_at_inception/hooks_version/claude/async_cli_version/README.md This snippet demonstrates the initial setup for integrating Snyk security scanning into Claude Code. It involves copying Python scripts to the Claude hooks directory and configuring the `.claude/settings.json` file to trigger these hooks on code edits and completion. ```bash mkdir -p .claude/hooks/lib cp path/to/async_cli_version/snyk_secure_at_inception.py .claude/hooks/ cp path/to/async_cli_version/lib/*.py .claude/hooks/lib/ chmod +x .claude/hooks/snyk_secure_at_inception.py ``` ```json { "hooks": { "PostToolUse": [ { "matcher": "Edit|Write", "hooks": [ { "type": "command", "command": "python3 \"$CLAUDE_PROJECT_DIR\"/.claude/hooks/snyk_secure_at_inception.py" } ] } ], "Stop": [ { "hooks": [ { "type": "command", "command": "python3 \"$CLAUDE_PROJECT_DIR\"/.claude/hooks/snyk_secure_at_inception.py" } ] } ] } } ``` -------------------------------- ### Improve Dockerfile Security with Snyk Source: https://context7.com/snyk/studio-recipes/llms.txt Provides examples of secure Dockerfile configurations, including using specific base image versions, running as a non-root user, and employing multi-stage builds to reduce the attack surface. ```dockerfile # Example Dockerfile security improvements: # Bad - unpredictable base FROM node:latest # Good - specific version with security benefits FROM node:20.10.0-alpine3.19 # Add non-root user RUN addgroup -g 1001 appgroup && \ adduser -u 1001 -G appgroup -D appuser USER appuser # Multi-stage build for smaller attack surface FROM node:20 AS builder WORKDIR /app COPY . . RUN npm ci && npm run build FROM node:20-alpine COPY --from=builder /app/dist /app CMD ["node", "/app/index.js"] ``` -------------------------------- ### Implement secure version pinning in Docker Source: https://github.com/snyk/studio-recipes/blob/main/command_directives/synchronous_remediation/skills/container-security/references/base-image-recommendations.md Examples of best practices for pinning Docker base images using specific versions or content digests to ensure build reproducibility, contrasted with insecure practices like using floating tags. ```dockerfile # Good Practices # Pin major.minor.patch FROM node:20.10.0-alpine3.19 # Pin digest for reproducibility FROM node:20.10.0-alpine3.19@sha256:abc123... # Bad Practices # Never use latest FROM node:latest # Avoid floating tags FROM node:20 FROM node:lts ``` -------------------------------- ### Generate SBOM using Snyk CLI Source: https://context7.com/snyk/studio-recipes/llms.txt Generates a Software Bill of Materials (SBOM) using the Snyk CLI. Supports CycloneDX and SPDX formats, outputting to a JSON file. Ensure Snyk CLI is installed and authenticated. ```bash snyk sbom --format=cyclonedx1.5+json > sbom.json snyk sbom --format=spdx2.3+json > sbom.json ``` -------------------------------- ### Install Hook Script and Configure Cursor Hooks Source: https://github.com/snyk/studio-recipes/blob/main/guardrail_directives/package_enforcement/cursor/hooks/README.md This snippet demonstrates the installation process for the package enforcement hook script in Cursor IDE. It involves copying the script to the project's hooks directory, making it executable, and configuring the `hooks.json` file to trigger the script on specific events. ```bash mkdir -p /path/to/project/.cursor/hooks cp enforce_security_scan_on_new_packages.py /path/to/project/.cursor/hooks/ chmod +x /path/to/project/.cursor/hooks/enforce_security_scan_on_new_packages.py ``` ```json { "version": 1, "hooks": { "afterFileEdit": [ {"command": "python3 hooks/enforce_security_scan_on_new_packages.py"} ], "beforeShellExecution": [ {"command": "python3 hooks/enforce_security_scan_on_new_packages.py"} ], "beforeMCPExecution": [ {"command": "python3 hooks/enforce_security_scan_on_new_packages.py"} ], "stop": [ {"command": "python3 hooks/enforce_security_scan_on_new_packages.py"} ] } } ``` -------------------------------- ### Configure Package Enforcement Hook (Cursor) Source: https://context7.com/snyk/studio-recipes/llms.txt Sets up Cursor hooks to block dependency installation until security scans pass. This 'scan-before-install' gate uses multiple hook events to intercept and control package management commands. ```json // .cursor/hooks/hooks.json { "version": 1, "hooks": { "afterFileEdit": [ {"command": "python3 hooks/enforce_security_scan_on_new_packages.py"} ], "beforeShellExecution": [ {"command": "python3 hooks/enforce_security_scan_on_new_packages.py"} ], "beforeMCPExecution": [ {"command": "python3 hooks/enforce_security_scan_on_new_packages.py"} ], "stop": [ {"command": "python3 hooks/enforce_security_scan_on_new_packages.py"} ] } } ``` -------------------------------- ### Example package.json Dependency Update Source: https://github.com/snyk/studio-recipes/blob/main/command_directives/synchronous_remediation/command/composit_commands/snyk-sca-fix.md This JSON snippet demonstrates a minimal upgrade for a dependency in a package.json file. It shows the 'before' state with an older version and the 'after' state with the lowest version that fixes the vulnerability. ```json // Before "lodash": "^4.17.15" // After - minimal fix "lodash": "^4.17.21" ``` -------------------------------- ### Install Snyk Security Hooks in Project Source: https://github.com/snyk/studio-recipes/blob/main/guardrail_directives/secure_at_inception/kiro_hooks/README.md Installs the Snyk security hooks within your project directory. This involves running an installer script that sets up git pre-commit hooks and Kiro background scanning. ```bash # 2. Run the installer from your project cd your-project bash ../studio-recipes/guardrail_directives/secure_at_inception/kiro_hooks/install.sh ``` ```bash # From your project directory cd my-project # Run the installer (adjust path to where you cloned studio-recipes) bash ../studio-recipes/guardrail_directives/secure_at_inception/kiro_hooks/install.sh # Or with full path bash ~/repos/studio-recipes/guardrail_directives/secure_at_inception/kiro_hooks/install.sh ``` -------------------------------- ### Dockerfile: Go Multi-Stage Build Source: https://github.com/snyk/studio-recipes/blob/main/command_directives/synchronous_remediation/skills/container-security/references/base-image-recommendations.md A multi-stage Dockerfile for Go applications. It uses a Go builder image to compile a static binary, then copies the binary into a minimal distroless image for production, ensuring a small and secure final image. ```dockerfile # Build stage FROM golang:1.22-alpine AS builder WORKDIR /app COPY go.* ./ RUN go mod download COPY . . RUN CGO_ENABLED=0 go build -o /app/server # Production stage FROM gcr.io/distroless/static COPY --from=builder /app/server /server USER nonroot ENTRYPOINT ["/server"] ``` -------------------------------- ### Dockerfile: Debugging Distroless Images Source: https://github.com/snyk/studio-recipes/blob/main/command_directives/synchronous_remediation/skills/container-security/references/base-image-recommendations.md Demonstrates how to use distroless images for production and debugging. The debug variant includes a busybox shell for troubleshooting, while the production variant is minimal. ```dockerfile # Production FROM gcr.io/distroless/static # Debug (has busybox shell) FROM gcr.io/distroless/static:debug ``` -------------------------------- ### Example Code Scan Results Source: https://github.com/snyk/studio-recipes/blob/main/command_directives/synchronous_remediation/command/composit_commands/snyk-code-fix.md An example of output from a code scan, illustrating how multiple instances of the same vulnerability type can appear in different lines within the same file. ```text High Path Traversal src/api/files.ts:45 javascript/PT High Path Traversal src/api/files.ts:112 javascript/PT High XSS src/api/files.ts:78 javascript/XSS ``` -------------------------------- ### Snyk Fix Command Example Source: https://github.com/snyk/studio-recipes/blob/main/guardrail_directives/secure_at_inception/kiro_hooks/README.md An example of a Snyk fix command that can be used to resolve security vulnerabilities identified by the hooks. This command can be passed to an AI assistant for automated fixes. ```bash # 4. If blocked, copy the fix command into your AI assistant /snyk-fix-batch javascript/PT@server.ts:45, sca:lodash ``` -------------------------------- ### Install Snyk Fix Skill Source: https://github.com/snyk/studio-recipes/blob/main/command_directives/synchronous_remediation/skills/snyk-fix/README.md Commands to install the Snyk Fix skill either at the project level or globally in the user's home directory. These commands create the necessary directory structure and copy the skill definition file. ```bash # Project-level installation mkdir -p .claude/skills/snyk-fix cp SKILL.md .claude/skills/snyk-fix/ # Global installation mkdir -p ~/.claude/skills/snyk-fix cp SKILL.md ~/.claude/skills/snyk-fix/ ``` -------------------------------- ### Use COPY Instead of ADD in Dockerfile Source: https://github.com/snyk/studio-recipes/blob/main/command_directives/synchronous_remediation/skills/container-security/references/dockerfile-best-practices.md Prefer the `COPY` instruction over `ADD` for copying local files into the image. `ADD` has additional features like URL fetching and auto-extraction of archives, which can introduce security risks. ```dockerfile # Bad - ADD has extra features that can be exploited ADD https://example.com/file.tar.gz /app/ ADD app.tar.gz /app/ # Good - COPY is explicit COPY app/ /app/ ``` -------------------------------- ### Set Resource Limits at Runtime Source: https://github.com/snyk/studio-recipes/blob/main/command_directives/synchronous_remediation/skills/container-security/references/dockerfile-best-practices.md Configure resource limits (memory and CPU) for containers at runtime using `docker run` options or Docker Compose `deploy.resources` to prevent resource exhaustion and denial-of-service attacks. ```dockerfile # Use at runtime # docker run --memory=512m --cpus=1 myapp # Or in compose # deploy: # resources: # limits: # memory: 512M # cpus: '1' ``` -------------------------------- ### Remediate Unauthorized Security Group Rules Source: https://github.com/snyk/studio-recipes/blob/main/command_directives/synchronous_remediation/skills/drift-detector/references/drift-remediation.md Example of updating Terraform configuration to restrict ingress rules after detecting unauthorized access. ```hcl ingress { from_port = 22 to_port = 22 protocol = "tcp" cidr_blocks = ["10.0.0.0/8"] # VPN only } ``` -------------------------------- ### Remove Unnecessary Tools in Dockerfile Source: https://github.com/snyk/studio-recipes/blob/main/command_directives/synchronous_remediation/skills/container-security/references/dockerfile-best-practices.md Remove package managers (like `apt`) and other unnecessary tools from the final image after installing dependencies to minimize the attack surface. ```dockerfile # Remove package managers in production RUN apt-get update && \ apt-get install -y --no-install-recommends app-deps && \ apt-get remove -y apt && \ rm -rf /var/lib/apt/lists/* ``` -------------------------------- ### Run Basic Container Scan Source: https://github.com/snyk/studio-recipes/blob/main/command_directives/synchronous_remediation/skills/container-security/SKILL.md Executes a basic security scan on a specified container image using the `snyk_container_scan` tool. This is the entry point for analyzing container image vulnerabilities. ```bash Run snyk_container_scan with: - image: ``` -------------------------------- ### Use Security Options at Runtime Source: https://github.com/snyk/studio-recipes/blob/main/command_directives/synchronous_remediation/skills/container-security/references/dockerfile-best-practices.md Apply various security options at runtime to enhance container security, such as AppArmor profiles, Seccomp filters, SELinux labels, or read-only root filesystems. ```dockerfile # Example using security options (syntax may vary based on Docker version and OS) # docker run --security-opt apparmor=unconfined myapp # docker run --security-opt seccomp=profile.json myapp ``` -------------------------------- ### Basic IaC Scan with Snyk Source: https://github.com/snyk/studio-recipes/blob/main/command_directives/synchronous_remediation/skills/iac-security/SKILL.md Initiates a security scan for Infrastructure as Code files within a specified directory or for a single file. This is the fundamental command to start the IaC security assessment process. ```bash snyk_iac_scan --path= ``` -------------------------------- ### SCA Fix Summary Report Source: https://github.com/snyk/studio-recipes/blob/main/command_directives/synchronous_remediation/command/composit_commands/snyk-sca-fix.md This markdown snippet represents the beginning of the summary report generated after the Snyk SCA Fix process. It indicates the start of a section detailing the remediation actions taken. ```markdown ## SCA Fix Summary ``` -------------------------------- ### Run Advanced Container Scan with Options Source: https://github.com/snyk/studio-recipes/blob/main/command_directives/synchronous_remediation/skills/container-security/SKILL.md Performs a comprehensive container security scan with advanced options, including specifying a Dockerfile for better remediation advice, enabling application dependency scanning, and setting a severity threshold for filtering results. ```bash Run snyk_container_scan with: - image: - file: # Better remediation advice - app_vulns: true # Scan app dependencies - severity_threshold: "high" # Filter results ``` -------------------------------- ### Dockerfile: Node.js Multi-Stage Build Source: https://github.com/snyk/studio-recipes/blob/main/command_directives/synchronous_remediation/skills/container-security/references/base-image-recommendations.md A multi-stage Dockerfile for Node.js applications. It uses a builder stage with Node.js to compile assets and a minimal production stage to run the application, optimizing for size and security. ```dockerfile # Build stage FROM node:20-alpine AS builder WORKDIR /app COPY package*.json ./ RUN npm ci COPY . . RUN npm run build # Production stage FROM node:20-alpine WORKDIR /app ENV NODE_ENV=production COPY --from=builder /app/dist ./ dist COPY --from=builder /app/node_modules ./node_modules USER node CMD ["node", "dist/index.js"] ``` -------------------------------- ### Secure Terraform Configurations with Snyk Source: https://context7.com/snyk/studio-recipes/llms.txt Demonstrates how to secure Terraform configurations by preventing public access to S3 buckets and restricting access to security groups. Provides examples of insecure and secure resource definitions. ```hcl # Example Terraform fixes: # Insecure - S3 bucket public access resource "aws_s3_bucket" "data" { bucket = "my-bucket" } # Secure - Block public access resource "aws_s3_bucket" "data" { bucket = "my-bucket" } resource "aws_s3_bucket_public_access_block" "data" { bucket = aws_s3_bucket.data.id block_public_acls = true block_public_policy = true ignore_public_acls = true restrict_public_buckets = true } # Insecure - Security group open to world resource "aws_security_group" "web" { ingress { from_port = 22 to_port = 22 protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] } } # Secure - Restricted to internal network resource "aws_security_group" "web" { ingress { from_port = 22 to_port = 22 protocol = "tcp" cidr_blocks = ["10.0.0.0/8"] } } ``` -------------------------------- ### Execute Snyk Security Scans Source: https://github.com/snyk/studio-recipes/blob/main/command_directives/synchronous_remediation/skills/secure-at-inception/SKILL.md Pseudo-code examples for invoking Snyk MCP tools for different scan types. These commands utilize the Snyk API to analyze code, dependencies, and infrastructure configurations. ```text # SAST Scan Run snyk_code_scan with: - path: directory containing changed code files (or project root) - severity_threshold: "medium" # SCA Scan Run snyk_sca_scan with: - path: project root or directory containing manifest - all_projects: true - severity_threshold: "medium" # IaC Scan Run snyk_iac_scan with: - path: directory containing IaC files - severity_threshold: "medium" ``` -------------------------------- ### Build secure multi-stage Python Docker image Source: https://github.com/snyk/studio-recipes/blob/main/command_directives/synchronous_remediation/skills/container-security/references/base-image-recommendations.md This snippet demonstrates a multi-stage Docker build for a Python application. It separates the build environment from the production runtime to minimize the final image size and improve security. ```dockerfile # Build stage FROM python:3.12-slim AS builder WORKDIR /app RUN pip install --user pipenv COPY Pipfile* ./ RUN pipenv install --deploy --system # Production stage FROM python:3.12-slim WORKDIR /app COPY --from=builder /root/.local /root/.local COPY . . USER nobody CMD ["python", "app.py"] ``` -------------------------------- ### Create Rules Directory (Bash) Source: https://github.com/snyk/studio-recipes/blob/main/guardrail_directives/secure_at_inception/rule_version/README.md This command creates a directory structure for storing AI agent rule files. It ensures the necessary path exists to house custom security rules. ```bash mkdir -p /path/to/project/.cursor/rules ``` -------------------------------- ### Commit Changes with Snyk Security Hooks Source: https://github.com/snyk/studio-recipes/blob/main/guardrail_directives/secure_at_inception/kiro_hooks/README.md Demonstrates the process of adding and committing changes in a Git repository after the Snyk Security Hooks have been installed. The hooks will automatically scan files on save and on commit. ```bash # 3. Code as normal - hooks run automatically # - Kiro: Scans on file save (background) # - Git: Scans on commit (uses cached results) git add . git commit -m "my changes" ``` -------------------------------- ### Validate SPDX SBOM using pyspdxtools Source: https://github.com/snyk/studio-recipes/blob/main/command_directives/synchronous_remediation/skills/sbom-analyzer/references/sbom-formats.md Validates an SPDX SBOM file using the `pyspdxtools` Python package. This method requires Python and the `pyspdxtools` library to be installed. It provides a command-line interface for validation. ```bash pyspdxtools -i sbom.json --validate ``` -------------------------------- ### Secure Kubernetes Pods with Snyk Source: https://context7.com/snyk/studio-recipes/llms.txt Illustrates how to apply security best practices to Kubernetes Pod configurations, specifically focusing on setting a non-root user, disabling privilege escalation, and making the root filesystem read-only. ```yaml # Example Kubernetes fix - Pod security context apiVersion: v1 kind: Pod spec: securityContext: runAsNonRoot: true runAsUser: 1000 containers: - name: app image: myapp securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: drop: - ALL ``` -------------------------------- ### Copy Rule File for SAST + SCA (Bash) Source: https://github.com/snyk/studio-recipes/blob/main/guardrail_directives/secure_at_inception/rule_version/README.md This command copies the 'snyk_sai_all_engines_rule.mdc' file into the AI agent's rules directory. This rule enables comprehensive security scanning, including both Static Application Security Testing (SAST) and Software Composition Analysis (SCA). ```bash cp snyk_sai_all_engines_rule.mdc /path/to/project/.cursor/rules/ ```