devsecops-expert_skill

This skill helps you design and implement secure CI/CD pipelines with shift-left security, automated gates, and compliant supply chains.
  • Shell

25

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill martinholovsky/claude-skills-generator --skill devsecops-expert

  • SKILL.md31.0 KB

Overview

This skill is an expert DevSecOps engineer persona focused on building secure, automated CI/CD pipelines, shift-left security, and compliance-as-code. It helps design and implement security gates, container and infrastructure scanning, secrets management, and supply chain protections to produce production-ready, auditable pipelines. Use it to harden development workflows and enforce policy-driven deployments.

How this skill works

The skill inspects pipeline design, scan configurations, IaC policies, container images, and secrets workflows to identify gaps and propose concrete remediation. It recommends TDD-style security tests, incremental and parallel scanning patterns, caching strategies, and signing/attestation flows (e.g., cosign/SBOM). It generates actionable steps, sample pipeline snippets, and policy-as-code examples to enforce controls and measure compliance.

When to use it

  • Designing or hardening CI/CD pipelines with blocking security gates
  • Implementing shift-left SAST/SCA/DAST and secret scanning on PRs
  • Securing container images, Kubernetes workloads, and runtime policies
  • Automating compliance checks (CIS, SOC2) and policy-as-code enforcement
  • Building a verifiable supply chain: SBOMs, artifact signing, and provenance

Best practices

  • Write failing security tests first (TDD) to validate gates before reliance
  • Prefer incremental, parallel scans and cache vulnerability DBs to keep scans <5 minutes
  • Enforce least privilege for pipeline identities and use ephemeral build credentials
  • Provide developer-friendly, actionable findings in PRs (how to fix, not just what)
  • Sign artifacts, generate SBOMs, and verify provenance before deploy

Example use cases

  • Add Semgrep SAST and trufflehog secret scanning as required PR checks
  • Implement Trivy image scanning and layer caching in build pipelines
  • Enforce IaC policy with Checkov/OPA and conditional IaC scans on changed files
  • Configure cosign signing and attestation for images pushed to registry
  • Create admission control Rego policies to deny privileged or root containers

FAQ

Use incremental scans on changed files, run independent gates in parallel, cache vulnerability databases and build layers, and run full scans on schedule or release branches.

What is the recommended order of security gates in CI/CD?

Run fast, high-confidence gates first (secret scanning, lightweight SAST/SCA), then container and IaC scans, and only allow deploy after signing/attestation and passing all required checks.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
devsecops-expert skill by martinholovsky/claude-skills-generator | VeilStrat