DevSecOps methodology guidance covering shift-left security, SAST/DAST/IAST integration, security gates in CI/CD pipelines, vulnerability management workflows, and security champions programs.
Repository: melodic-software/claude-code-plugins
security
January 21, 2026
Install with:
npx add-skill https://github.com/melodic-software/claude-code-plugins/blob/main/plugins/security/skills/devsecops-practices/SKILL.md -a claude-code --skill devsecops-practices
Installation path: .claude/skills/devsecops-practices/

# DevSecOps Practices
Comprehensive guidance for integrating security throughout the software development lifecycle using DevSecOps principles.
## When to Use This Skill
- Implementing shift-left security practices
- Setting up SAST tools (Semgrep, CodeQL, SonarQube)
- Configuring DAST scanning (OWASP ZAP, Burp Suite)
- Integrating security gates in CI/CD pipelines
- Building vulnerability management workflows
- Establishing security champions programs
- Creating secure SDLC processes
## Quick Reference
### DevSecOps Maturity Levels
| Level | Characteristics | Key Practices |
|-------|-----------------|---------------|
| **Level 1: Initial** | Manual security reviews, ad-hoc testing | Basic vulnerability scanning, security training |
| **Level 2: Managed** | Automated scanning in CI/CD, defined processes | SAST integration, security gates |
| **Level 3: Defined** | Security embedded in all phases, metrics tracked | DAST/IAST, threat modeling, SLAs |
| **Level 4: Measured** | Continuous monitoring, risk-based decisions | Full automation, security dashboards |
| **Level 5: Optimizing** | Predictive security, continuous improvement | AI-assisted, chaos engineering |
### Security Testing Types
| Type | When | What It Finds | Tools |
|------|------|---------------|-------|
| **SAST** | Build time | Code vulnerabilities, patterns | Semgrep, CodeQL, SonarQube |
| **SCA** | Build time | Dependency vulnerabilities | Snyk, Dependabot, npm audit |
| **DAST** | Runtime | Running application vulns | OWASP ZAP, Burp Suite |
| **IAST** | Runtime | Combined SAST+DAST | Contrast, Seeker |
| **Secrets** | Commit time | Hardcoded credentials | Gitleaks, truffleHog |
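The table above lists what each scanner finds, but a security gate is the policy step that turns scanner output into a pass/fail decision for the pipeline stage. The following is an added example (not code from this skill or from any scanner project) of such a gate: it parses a report whose field names mirror Semgrep's JSON output (`results[].check_id`, `.path`, `.start.line`, `.extra.severity`), fails the stage on findings at or above a severity threshold, and honours reviewer-accepted findings only until their expiry date, which is the vulnerability-management side of the gate. The findings, the acceptance list and the `fail_at` threshold are constructed for the example.

```python
"""CI security gate: evaluate scanner findings against a policy.

Added example, not part of the skill or of any scanner's own code. The
report shape mirrors Semgrep's JSON fields (results[].check_id, .path,
.start.line, .extra.severity); every finding below is constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed scanner report (Semgrep-like JSON). Not real scan results.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"check_id": "python.lang.security.audit.exec-detected",
         "path": "app/tasks.py", "start": {"line": 42},
         "extra": {"severity": "ERROR", "message": "exec() call"}},
        {"check_id": "python.lang.security.audit.subprocess-shell-true",
         "path": "app/legacy/export.py", "start": {"line": 17},
         "extra": {"severity": "ERROR", "message": "shell=True"}},
        {"check_id": "python.lang.best-practice.open-never-closed",
         "path": "app/io.py", "start": {"line": 8},
         "extra": {"severity": "WARNING", "message": "file not closed"}},
    ]
})

# Risk acceptances (constructed): (check_id, path) -> ISO expiry date.
# Accepted debt is revisited when the acceptance expires.
ACCEPTED = {
    ("python.lang.security.audit.subprocess-shell-true",
     "app/legacy/export.py"): "2026-06-30",
}

SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}


@dataclass(frozen=True)
class Finding:
    check_id: str
    path: str
    line: int
    severity: str


def parse_report(report_json: str) -> list[Finding]:
    """Parse scanner JSON into Finding records.

    Severities the policy does not know are treated as ERROR so the gate
    fails closed rather than silently ignoring a finding.
    """
    data = json.loads(report_json)
    findings = []
    for r in data.get("results", []):
        sev = str(r.get("extra", {}).get("severity", "ERROR")).upper()
        if sev not in SEVERITY_RANK:
            sev = "ERROR"
        findings.append(Finding(r["check_id"], r["path"],
                                int(r["start"]["line"]), sev))
    return findings


def evaluate_gate(findings, *, fail_at="ERROR", accepted=ACCEPTED, today=None):
    """Return (passed, blocking, expired).

    blocking: findings at/above fail_at with no current acceptance
    expired:  findings whose acceptance has lapsed and so block again
    today is an ISO date string; defaults to the current date.
    """
    now = date.fromisoformat(today) if today else date.today()
    threshold = SEVERITY_RANK[fail_at]
    blocking, expired = [], []
    for f in findings:
        if SEVERITY_RANK[f.severity] < threshold:
            continue
        expiry = accepted.get((f.check_id, f.path))
        if expiry is None:
            blocking.append(f)
        elif now > date.fromisoformat(expiry):
            expired.append(f)
    return (not blocking and not expired), blocking, expired


def main() -> int:
    """Print the decision and return the exit code a CI stage would use."""
    passed, blocking, expired = evaluate_gate(parse_report(SAMPLE_REPORT))
    for f in blocking:
        print(f"BLOCK {f.severity} {f.check_id} {f.path}:{f.line}")
    for f in expired:
        print(f"EXPIRED ACCEPTANCE {f.check_id} {f.path}:{f.line}")
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

In a pipeline the report would come from the scanner (for Semgrep, its `--json` output) instead of the embedded sample, and the non-zero exit code is what fails the stage. The expiry on each acceptance is the important design choice: without it, "accepted" findings become permanent exceptions and the gate slowly stops measuring anything.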
### Security Gates by Pipeline Stage
```text
┌──────────┐    ┌──────────┐    ┌──────────┐    ┌──────────┐    ┌──────────┐
│  Commit  │───►│  Build   │───►│   Test   │───►│  Deploy  │───►│Production│
└────┬─────┘    └────┬─────┘    └────┬─────┘    └────┬─────┘    └────┬─────┘
     │               │               │