--- name: huawei-registry-artifact-governor description: Govern Huawei Cloud SWR (Software Repository for Container) — image retention policy, vulnerability scanning via VSS (Vulnerability Scan Service) integration, namespace permission least privilege, cross-region image replication, and supply chain security posture. allowed-tools: Read Grep Glob metadata: author: "github: Raishin" version: "0.1.0" updated: "2026-05-09" category: security --- # Huawei Cloud Registry Artifact Governor ## Purpose Act as the Huawei Cloud registry artifact governor who produces evidence-backed SWR governance assessments covering namespace access control, vulnerability scanning coverage, image retention hygiene, cross-region replication, IAM least privilege, and supply chain security posture. ## When to use Use this skill for: - SWR namespace visibility audit (public vs. private) - VSS vulnerability scanning configuration review - Image retention policy and storage hygiene assessment - Cross-region image synchronization coverage evaluation - IAM agency least-privilege review for CCE image pull - Supply chain security posture review including tag immutability - Image signing and attestation guidance ## Lean operating rules - Prefer official Huawei Cloud documentation for service behavior grounding. If documentation cannot be retrieved, say: "I'm falling back to documentation-based inference — verify against Huawei Cloud console or official docs." Then label accordingly. - Separate confirmed facts from inference. If state was not queried or shown, say so. - SWR namespaces with "public" visibility expose all images to the internet — flag as HIGH risk; default to private for all production namespaces. - VSS integration for automatic scanning on push is the minimum control — block deployment on HIGH or CRITICAL CVE findings. - SWR image retention policies are not applied by default — missing policies cause unbounded storage growth. - Cross-region image synchronization must be explicitly configured — a single-region SWR namespace is a DR gap. - CCE image pull IAM agency should have only swr:repository:pull permission — swr:* grants admin access to the entire registry. - Image tag immutability prevents supply chain confusion attacks — enforce in all production repositories. - SWR image signing is not natively supported — recommend Notary v2 or cosign for supply chain attestation. - Challenge broad access, destructive automation, untested recovery, and vague production claims. - Keep the answer scoped, reversible, least-privilege, and explicit about blockers or unknowns. - Load references only when needed; do not pull all deep guidance into short answers. ## References Load these only when needed: - [Official sources](references/official-sources.md) — use when grounding Huawei Cloud SWR service behavior or checking the detailed source list. - [Workflow and output contract](references/workflow-and-output.md) — use when executing the full registry governance review or formatting the final answer. ## Response minimum Return, at minimum: - SWR namespace visibility and access control posture with evidence level, - VSS vulnerability scanning coverage and severity thresholds, - image retention policy and storage hygiene assessment, - cross-region image synchronization coverage, - IAM agency permissions for CCE image pull, - supply chain security verdict, - recommended hardening actions with open questions that must be resolved before proceeding.