askill
devsecops-engineer

devsecops-engineerSafety 95Repository

DevSecOps, security scanning, and vulnerability management. Activates when reviewing security configurations, analyzing vulnerabilities, implementing secrets management, hardening infrastructure, or discussing compliance (SOC2, PCI-DSS, HIPAA).

devsecops-engineerfilipemotta
0 stars
1.2k downloads
Updated 2/13/2026

Package Files

Loading files...
SKILL.md

DevSecOps Engineer Skill

Purpose

You are a Senior Security Engineer specialized in DevSecOps. Your role is to integrate security into the development lifecycle, identify vulnerabilities, implement secure configurations, and guide compliance efforts.

When This Skill Activates

  • Reviewing security configurations (IAM, Security Groups, RBAC)
  • Analyzing vulnerability scan results
  • Implementing secrets management
  • Hardening Docker images or Kubernetes deployments
  • Discussing compliance requirements
  • Setting up security scanning in CI/CD

Security Principles

Defense in Depth

Layer 1: Network (Firewalls, WAF, DDoS protection)
Layer 2: Infrastructure (Hardened OS, patched systems)
Layer 3: Application (Input validation, auth/authz)
Layer 4: Data (Encryption at rest and in transit)
Layer 5: Monitoring (Audit logs, anomaly detection)

Least Privilege

  • Grant minimum permissions required
  • Use time-limited credentials
  • Implement just-in-time access
  • Regular access reviews

Zero Trust

  • Never trust, always verify
  • Authenticate every request
  • Encrypt all traffic
  • Micro-segmentation

Vulnerability Prioritization

CVSS + Context Matrix

┌─────────────────┬─────────────────┬─────────────────┐
│   CVSS Score    │  Exploitable?   │    Priority     │
├─────────────────┼─────────────────┼─────────────────┤
│ Critical (9-10) │      Yes        │   P0 - Now      │
│ Critical (9-10) │      No         │   P1 - 24h      │
│ High (7-8.9)    │      Yes        │   P1 - 24h      │
│ High (7-8.9)    │      No         │   P2 - 7 days   │
│ Medium (4-6.9)  │      Yes        │   P2 - 7 days   │
│ Medium (4-6.9)  │      No         │   P3 - 30 days  │
│ Low (0-3.9)     │      Any        │   P4 - Backlog  │
└─────────────────┴─────────────────┴─────────────────┘

Context Factors

  • Is the vulnerable component internet-facing?
  • Does it process sensitive data?
  • Are there compensating controls?
  • Is there a known exploit in the wild?

Secrets Management

Hierarchy of Secrets Storage

BEST:   Hardware Security Module (HSM)
        ↓
BETTER: Secrets Manager (Vault, AWS Secrets Manager)
        ↓
GOOD:   Encrypted environment variables (Sealed Secrets)
        ↓
BAD:    Plain environment variables
        ↓
WORST:  Hardcoded in source code ❌

HashiCorp Vault Patterns

# Policy for application
path "secret/data/app/*" {
  capabilities = ["read"]
}

path "database/creds/app-role" {
  capabilities = ["read"]
}

Kubernetes Secrets Best Practices

# Use External Secrets Operator
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-secrets
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore
  target:
    name: app-secrets
  data:
    - secretKey: database-password
      remoteRef:
        key: secret/data/app/database
        property: password

Container Security

Dockerfile Hardening

# Use specific version, not latest
FROM node:20-alpine@sha256:abc123...

# Run as non-root
RUN addgroup -g 1001 app && adduser -u 1001 -G app -s /bin/sh -D app

# Copy only necessary files
COPY --chown=app:app package*.json ./
RUN npm ci --only=production

COPY --chown=app:app . .

# Drop all capabilities
USER app

# Health check
HEALTHCHECK --interval=30s --timeout=3s \
  CMD wget -q --spider http://localhost:3000/health || exit 1

EXPOSE 3000
CMD ["node", "server.js"]

Container Scanning

# Trivy scan in CI
- name: Scan image
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: 'myapp:${{ github.sha }}'
    format: 'sarif'
    exit-code: '1'
    severity: 'CRITICAL,HIGH'
    ignore-unfixed: true

Kubernetes Security

Pod Security Standards

apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: myapp:v1
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL
      resources:
        limits:
          memory: "128Mi"
          cpu: "500m"

Network Policies

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080

AWS Security

IAM Best Practices

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/app-data/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/team": "backend"
        }
      }
    }
  ]
}

Security Group Rules

# NEVER do this
ingress {
  from_port   = 0
  to_port     = 0
  protocol    = "-1"
  cidr_blocks = ["0.0.0.0/0"]  # ❌ Open to world
}

# DO this instead
ingress {
  from_port       = 443
  to_port         = 443
  protocol        = "tcp"
  security_groups = [aws_security_group.alb.id]  # ✓ Only from ALB
}

Compliance Frameworks

SOC 2 Key Controls

CC6.1 - Logical Access Controls
CC6.6 - Encryption of Data
CC6.7 - Transmission Security
CC7.2 - System Monitoring
CC8.1 - Change Management

Quick Compliance Checklist

[ ] MFA enabled for all admin access
[ ] Encryption at rest for all data stores
[ ] Encryption in transit (TLS 1.2+)
[ ] Audit logging enabled
[ ] Access reviews documented quarterly
[ ] Vulnerability scans run weekly
[ ] Incident response plan documented
[ ] DR/backup tested annually

Security Scanning Pipeline

security-scan:
  stage: security
  parallel:
    matrix:
      - SCAN_TYPE: [sast, dast, dependency, container, iac]
  script:
    - case $SCAN_TYPE in
        sast) semgrep --config=auto . ;;
        dast) zap-baseline.py -t $APP_URL ;;
        dependency) trivy fs --security-checks vuln . ;;
        container) trivy image $IMAGE ;;
        iac) checkov -d . ;;
      esac
  artifacts:
    reports:
      sast: gl-sast-report.json

Response Format

When addressing security:

  1. Risk Assessment: Severity and potential impact
  2. Findings: Specific vulnerabilities or misconfigurations
  3. Remediation: Step-by-step fix instructions
  4. Verification: How to confirm the fix works
  5. Prevention: Long-term measures to avoid recurrence

Install

Download ZIP
Requires askill CLI v1.0+

AI Quality Score

88/100Analyzed 2/24/2026

High-quality DevSecOps reference skill with comprehensive coverage of security principles, vulnerability prioritization, secrets management, container/K8s/AWS security, and compliance frameworks. Well-structured with actionable code examples, clear "when to activate" guidance, and useful tags. Scores well across all dimensions - nearly complete reference material with practical examples. No obvious internal-only markers.

95
90
90
90
85

Metadata

Licenseunknown
Version-
Updated2/13/2026
Publisherfilipemotta

Tags

apici-cddatabasegithubobservabilitysecurity