One-pass CAPEC ingestion → generate per-domain attack pattern taxonomies for PromptKit security audits #231

@Alan-Jowett

Problem / Motivation

PromptKit security audits currently scope which weaknesses to look for (via CWE taxonomies from #228), but do not scope how attackers exploit those weaknesses. CAPEC (Common Attack Pattern Enumeration and Classification) is the complementary MITRE database that classifies attack patterns — the adversary-side view of CWE weaknesses.

Adding CAPEC-derived taxonomies would let security audit prompts guide the LLM with domain-specific attack patterns, improving threat modeling and exploit path analysis.

CAPEC entries cross-reference CWE IDs, so the two taxonomy sets can be composed: "look for these weaknesses (CWE) using these attack patterns (CAPEC)."

Goal

Implement a pipeline (modeled on the CWE ingestion skill from #228/#229) that:

  1. Ingests the official CAPEC corpus (versioned XML) from MITRE: https://capec.mitre.org/data/downloads.html
  2. In a single run, generates per-domain CAPEC taxonomies (reusing the same 13-domain registry from #228).
  3. Cross-references CWE IDs in each CAPEC entry to enable CWE↔CAPEC composition at audit time.

Deliverables

  • /ingest-capec-taxonomies prompt file (.github/prompts/) and matching CLI skill (.github/skills/)
  • Reusable Python script at scripts/ingest-capec.py
  • Per-domain taxonomy files: taxonomies/capec-<domain>.md
  • Normalized data: data/capec/<version>/
  • Updated manifest.yaml

Design Notes

  • Same architecture as CWE ingestion: 6-phase pipeline (Acquisition → Normalization → Domain Mapping → Taxonomy Generation → Integration → Verification)
  • Same domain registry: Reuse the 13 domains from #228. Consider extracting the registry to a shared data/domain-registry.json so both skills reference the same list.
  • CAPEC XML schema differs from CWE — separate parsing logic required. Key fields: attack pattern ID, name, abstraction, prerequisites, related weaknesses (CWE IDs), execution flow, consequences.
  • Domain mapping: Use CAPEC Related_Weakness CWE cross-references as the primary signal (map CAPEC entries to domains via their associated CWEs). Fall back to CAPEC-specific Prerequisites and Skills_Required fields.
  • Separate skill from CWE ingestion — different input format, different semantics (attack patterns vs weakness classes), different parsing.

External References

Non-Goals

  • Do not merge with the CWE ingestion skill — keep as separate, composable skills.
  • Do not claim exploitability of specific code from attack patterns.
  • Do not fork or maintain a separate CAPEC; track upstream MITRE versions.

Relationship to Other Issues
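
The domain-mapping step from the Design Notes, as an added example that is not part of the original issue or PromptKit's own code: it parses attack patterns, maps each to domains through its Related_Weakness CWE IDs, and lists the entries that would need the Prerequisites/Skills_Required fallback. The registry contents, domain names, function names, sample XML, and the choice to skip deprecated entries are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Hypothetical slice of the shared domain registry (CWE ID -> domain names).
CWE_DOMAINS = {89: ["web"], 79: ["web"], 120: ["memory-safety"], 287: ["identity"]}

# Constructed sample in the shape of the CAPEC v3 catalog; not the real corpus.
SAMPLE = b"""<?xml version="1.0"?>
<Attack_Pattern_Catalog xmlns="http://capec.mitre.org/capec-3" Version="0.0-sample">
 <Attack_Patterns>
  <Attack_Pattern ID="9001" Name="Sample injection" Abstraction="Standard" Status="Draft">
   <Related_Weaknesses><Related_Weakness CWE_ID="89"/><Related_Weakness CWE_ID="287"/></Related_Weaknesses>
  </Attack_Pattern>
  <Attack_Pattern ID="9002" Name="Sample without CWE links" Abstraction="Meta" Status="Draft">
   <Prerequisites><Prerequisite>Target exposes a network service.</Prerequisite></Prerequisites>
  </Attack_Pattern>
  <Attack_Pattern ID="9003" Name="Retired sample" Abstraction="Detailed" Status="Deprecated"/>
 </Attack_Patterns>
</Attack_Pattern_Catalog>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix ElementTree adds

def parse_patterns(xml_bytes):
    # The catalog carries no DTD, so refuse any input that declares one or defines entities.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("unexpected DTD or entity declaration in CAPEC input")
    patterns = []
    for el in ET.fromstring(xml_bytes).iter():
        # Assumption: deprecated entries are left out of generated taxonomies.
        if local(el.tag) != "Attack_Pattern" or el.get("Status") == "Deprecated":
            continue
        cwes = sorted({int(w.get("CWE_ID")) for w in el.iter()
                       if local(w.tag) == "Related_Weakness" and w.get("CWE_ID")})
        prereqs = [" ".join(p.itertext()).strip() for p in el.iter() if local(p.tag) == "Prerequisite"]
        patterns.append({"id": f"CAPEC-{el.get('ID')}", "name": el.get("Name"),
                         "abstraction": el.get("Abstraction"), "cwes": cwes, "prerequisites": prereqs})
    return patterns

def map_domains(patterns, cwe_domains):
    # Primary signal: CWE cross-references. Entries with no mapped CWE go to the fallback list.
    by_domain, needs_fallback = defaultdict(list), []
    for p in patterns:
        domains = sorted({d for c in p["cwes"] for d in cwe_domains.get(c, [])})
        if not domains:
            needs_fallback.append(p["id"])
        for d in domains:
            by_domain[d].append(p["id"])
    return dict(by_domain), needs_fallback
```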
