# devsecops-practices (verified)

DevSecOps methodology guidance covering shift-left security, SAST/DAST/IAST integration, security gates in CI/CD pipelines, vulnerability management workflows, and security champions programs.

- Repository: melodic-software/claude-code-plugins (verified org, 13 stars)
- Plugin: security
- Path: plugins/security/skills/devsecops-practices/SKILL.md
- Last Verified: January 21, 2026

Install with the add-skill CLI (installs to `.claude/skills/devsecops-practices/` for Claude Code):

```bash
npx add-skill https://github.com/melodic-software/claude-code-plugins/blob/main/plugins/security/skills/devsecops-practices/SKILL.md -a claude-code --skill devsecops-practices
```

## Instructions

# DevSecOps Practices

Comprehensive guidance for integrating security throughout the software development lifecycle using DevSecOps principles.

## When to Use This Skill

- Implementing shift-left security practices
- Setting up SAST tools (Semgrep, CodeQL, SonarQube)
- Configuring DAST scanning (OWASP ZAP, Burp Suite)
- Integrating security gates in CI/CD pipelines
- Building vulnerability management workflows
- Establishing security champions programs
- Creating secure SDLC processes

## Quick Reference

### DevSecOps Maturity Levels

| Level | Characteristics | Key Practices |
|-------|-----------------|---------------|
| **Level 1: Initial** | Manual security reviews, ad-hoc testing | Basic vulnerability scanning, security training |
| **Level 2: Managed** | Automated scanning in CI/CD, defined processes | SAST integration, security gates |
| **Level 3: Defined** | Security embedded in all phases, metrics tracked | DAST/IAST, threat modeling, SLAs |
| **Level 4: Measured** | Continuous monitoring, risk-based decisions | Full automation, security dashboards |
| **Level 5: Optimizing** | Predictive security, continuous improvement | AI-assisted, chaos engineering |

### Security Testing Types

| Type | When | What It Finds | Tools |
|------|------|---------------|-------|
| **SAST** | Build time (also IDE / pre-commit) | Insecure code patterns in source, without executing it (injection sinks, unsafe APIs, taint flows) | Semgrep, CodeQL, SonarQube |
| **SCA** | Build time | Known CVEs and license issues in third-party dependencies | Snyk, Dependabot, npm audit |
| **DAST** | Runtime (test/staging) | Vulnerabilities reachable from outside a running application, no source needed | OWASP ZAP, Burp Suite |
| **IAST** | Runtime | Vulnerabilities observed by an in-process agent while functional or DAST tests exercise the app, with code-level context | Contrast, Seeker |
| **Secrets** | Commit time (pre-commit / pre-push) and history scans | Hardcoded credentials, tokens and keys in code and git history | Gitleaks, truffleHog |

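Build-time SAST and SCA output is only a gate if something turns the findings into a pass/fail decision and applies the vulnerability-management policy (severity threshold, accepted risks with an expiry). The following Python script is an added example and not part of the skill or the plugin repository: it consumes Semgrep's `--json` output (the `results[].extra.severity` / `results[].extra.message` shape Semgrep emits), fails the build on any ERROR-severity finding unless an unexpired baseline entry waives it, and reports WARNING findings without blocking. The baseline file format, the `run_gate` function and the sample report are assumptions constructed for this example; the rule IDs in the sample are illustrative.

```python
"""Build-stage security gate over Semgrep JSON output (added example)."""
import json
import sys
from dataclasses import dataclass
from datetime import date

# Policy: these Semgrep severities block the pipeline; everything else is advisory.
BLOCKING_SEVERITIES = {"ERROR"}


@dataclass(frozen=True)
class Finding:
    check_id: str
    path: str
    line: int
    severity: str
    message: str

    @property
    def fingerprint(self) -> str:
        # Identity used to match baseline entries. Line numbers are left out so
        # that unrelated edits to the file do not invalidate an accepted risk.
        return f"{self.check_id}:{self.path}"


def parse_semgrep(report_json: str) -> list[Finding]:
    """Convert Semgrep --json output into Finding objects."""
    data = json.loads(report_json)
    return [
        Finding(
            check_id=r["check_id"],
            path=r["path"],
            line=r["start"]["line"],
            severity=r["extra"]["severity"].upper(),
            message=r["extra"]["message"],
        )
        for r in data.get("results", [])
    ]


def active_baseline(baseline: list[dict], today: date) -> set[str]:
    """Fingerprints of accepted risks whose expiry date has not passed.

    Baseline entry format (assumed for this example):
    {"fingerprint": "<check_id>:<path>", "expires": "YYYY-MM-DD", "reason": "..."}
    An expired entry is ignored, so the finding becomes blocking again and
    forces a re-review rather than a silent permanent exception.
    """
    return {e["fingerprint"] for e in baseline if date.fromisoformat(e["expires"]) >= today}


def evaluate_gate(findings: list[Finding], baseline: list[dict], today: date):
    """Return (passed, blocking, waived, warnings)."""
    accepted = active_baseline(baseline, today)
    blocking, waived, warnings = [], [], []
    for f in findings:
        if f.severity in BLOCKING_SEVERITIES:
            (waived if f.fingerprint in accepted else blocking).append(f)
        else:
            warnings.append(f)
    return len(blocking) == 0, blocking, waived, warnings


def run_gate(report_json: str, baseline: list[dict], today_iso: str) -> dict:
    """Gate decision as a plain dict; today_iso is the evaluation date (YYYY-MM-DD)."""
    passed, blocking, waived, warnings = evaluate_gate(
        parse_semgrep(report_json), baseline, date.fromisoformat(today_iso))
    as_ids = lambda fs: [f.fingerprint for f in fs]  # noqa: E731
    return {"passed": passed, "blocking": as_ids(blocking),
            "waived": as_ids(waived), "warnings": as_ids(warnings)}


# Constructed sample Semgrep report and baseline (not real scan output).
SAMPLE_REPORT = json.dumps({"results": [
    {"check_id": "python.lang.security.audit.subprocess-shell-true",
     "path": "app/deploy.py", "start": {"line": 42},
     "extra": {"severity": "ERROR", "message": "subprocess call with shell=True"}},
    {"check_id": "example.sql-string-concat",
     "path": "app/reports.py", "start": {"line": 17},
     "extra": {"severity": "ERROR", "message": "SQL query built from user input"}},
    {"check_id": "example.weak-hash-md5",
     "path": "app/cache.py", "start": {"line": 9},
     "extra": {"severity": "WARNING", "message": "MD5 used for cache key"}},
]})
SAMPLE_BASELINE = [
    {"fingerprint": "python.lang.security.audit.subprocess-shell-true:app/deploy.py",
     "expires": "2026-03-31", "reason": "argument is a constant; fix tracked"},
    {"fingerprint": "example.sql-string-concat:app/reports.py",
     "expires": "2025-01-01", "reason": "expired waiver: must be re-reviewed"},
]

if __name__ == "__main__":
    result = run_gate(SAMPLE_REPORT, SAMPLE_BASELINE, date.today().isoformat())
    for key in ("blocking", "waived", "warnings"):
        for fp in result[key]:
            print(f"{key.upper():9} {fp}")
    sys.exit(0 if result["passed"] else 1)  # non-zero exit fails the CI job
```

In a real pipeline the report would come from `semgrep --json -o report.json`, the baseline would live in the repository under code review, and the non-zero exit code is what makes the Build stage a gate rather than a report.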
### Security Gates by Pipeline Stage

```text
┌──────────┐    ┌──────────┐    ┌──────────┐    ┌──────────┐    ┌──────────┐
│  Commit  │───►│  Build   │───►│  Test    │───►│  Deploy  │───►│Production│
└────┬─────┘    └────┬─────┘    └────┬─────┘    └────┬─────┘    └────┬─────┘
     │               │               │
```