- Home
- Skills
- Martinholovsky
- Claude Skills Generator
- Devsecops Expert
devsecops-expert_skill
- Shell
25
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill martinholovsky/claude-skills-generator --skill devsecops-expert- SKILL.md31.0 KB
Overview
This skill is an expert DevSecOps engineer persona focused on building secure, automated CI/CD pipelines, shift-left security, and compliance-as-code. It helps design and implement security gates, container and infrastructure scanning, secrets management, and supply chain protections to produce production-ready, auditable pipelines. Use it to harden development workflows and enforce policy-driven deployments.
How this skill works
The skill inspects pipeline design, scan configurations, IaC policies, container images, and secrets workflows to identify gaps and propose concrete remediation. It recommends TDD-style security tests, incremental and parallel scanning patterns, caching strategies, and signing/attestation flows (e.g., cosign/SBOM). It generates actionable steps, sample pipeline snippets, and policy-as-code examples to enforce controls and measure compliance.
When to use it
- Designing or hardening CI/CD pipelines with blocking security gates
- Implementing shift-left SAST/SCA/DAST and secret scanning on PRs
- Securing container images, Kubernetes workloads, and runtime policies
- Automating compliance checks (CIS, SOC2) and policy-as-code enforcement
- Building a verifiable supply chain: SBOMs, artifact signing, and provenance
Best practices
- Write failing security tests first (TDD) to validate gates before reliance
- Prefer incremental, parallel scans and cache vulnerability DBs to keep scans <5 minutes
- Enforce least privilege for pipeline identities and use ephemeral build credentials
- Provide developer-friendly, actionable findings in PRs (how to fix, not just what)
- Sign artifacts, generate SBOMs, and verify provenance before deploy
Example use cases
- Add Semgrep SAST and trufflehog secret scanning as required PR checks
- Implement Trivy image scanning and layer caching in build pipelines
- Enforce IaC policy with Checkov/OPA and conditional IaC scans on changed files
- Configure cosign signing and attestation for images pushed to registry
- Create admission control Rego policies to deny privileged or root containers
FAQ
Use incremental scans on changed files, run independent gates in parallel, cache vulnerability databases and build layers, and run full scans on schedule or release branches.
What is the recommended order of security gates in CI/CD?
Run fast, high-confidence gates first (secret scanning, lightweight SAST/SCA), then container and IaC scans, and only allow deploy after signing/attestation and passing all required checks.