Skill

devsecops-architecture

CI/CD security hardening, SLSA supply chain levels, secrets management, SAST/DAST integration, and shift-left security practices. Trigger: "devsecops", "CI/CD security", "SLSA", "supply chain", "SAST", "DAST", "shift-left security".

From sovereign-architect

Install

Run in your terminal

npx claudepluginhub javimontano/mao-sovereign-architect

Tool Access

This skill is limited to using the following tools:

ReadGlobGrepBashAgent

Supporting Assets

View in Repository

evals/evals.json

examples/sample-output.md

prompts/use-case-prompts.md

references/body-of-knowledge.md

Skill Content

DevSecOps Architecture

Design and implement security throughout the software delivery lifecycle: CI/CD pipeline security, SLSA supply chain compliance, secrets management, SAST/DAST integration, and shift-left security practices.

Guiding Principle

"Security that is not automated is security that will be skipped — embed it in every pipeline stage so that secure delivery is the path of least resistance."

Procedure

Step 1 — Pipeline Security Assessment

Audit CI/CD pipeline configuration for security gaps
Check build environment isolation: ephemeral runners, network policies
Verify artifact integrity: signing, checksums, provenance attestation
Assess secret exposure risk: environment variables, build logs, artifact contents
Evaluate pipeline-as-code security: branch protection, approval gates, audit trails

Step 2 — Supply Chain Security (SLSA)

Assess current SLSA level (0-4) for each build pipeline
Implement source integrity: signed commits, branch protection, code review requirements
Implement build integrity: hermetic builds, reproducible outputs, build provenance
Generate and verify SBOM (Software Bill of Materials) for all artifacts
Implement dependency scanning with vulnerability alerting and auto-patching

Step 3 — Security Testing Integration

Integrate SAST (Static Application Security Testing) into build pipeline
Integrate DAST (Dynamic Application Security Testing) into staging deployment
Implement SCA (Software Composition Analysis) for dependency vulnerability scanning
Configure container image scanning for base image and layer vulnerabilities
Establish security gate thresholds: block on critical/high, warn on medium

Step 4 — Secrets Management & Runtime Security

Design secrets management: vault integration, dynamic credentials, rotation
Implement least-privilege access for CI/CD service accounts
Design runtime security monitoring: container runtime protection, anomaly detection
Implement security event logging and alerting for production workloads
Establish incident response procedures for security findings in pipelines

Quality Criteria

Zero hardcoded secrets in codebase (verified by automated scanning)
SLSA Level 2+ achieved for all production build pipelines
SAST/DAST runs on every PR with findings triaged within 48 hours
SBOM generated and stored for every released artifact

Anti-Patterns

Security scanning that runs but whose results nobody reviews
Secrets in environment variables visible in build logs
Building on shared, long-lived CI runners with accumulated state
Dependency updates blocked indefinitely due to security scanning false positives

Similar Skills

agent-harness-construction

Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.

everything-claude-code

138.0k

agent-payment-x402

Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.

everything-claude-code

138.0k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

everything-claude-code

138.0k

Stats

Stars0

Forks0

Last CommitMar 28, 2026

Actions

View Source View Plugin View on GitHub View README

Procedure

Step 1 — Pipeline Security Assessment

Audit CI/CD pipeline configuration for security gaps

Check build environment isolation: ephemeral runners, network policies

Verify artifact integrity: signing, checksums, provenance attestation

Assess secret exposure risk: environment variables, build logs, artifact contents

Evaluate pipeline-as-code security: branch protection, approval gates, audit trails

Step 2 — Supply Chain Security (SLSA)

Assess current SLSA level (0-4) for each build pipeline

Implement source integrity: signed commits, branch protection, code review requirements

Implement build integrity: hermetic builds, reproducible outputs, build provenance

Generate and verify SBOM (Software Bill of Materials) for all artifacts

Implement dependency scanning with vulnerability alerting and auto-patching

Step 3 — Security Testing Integration

Integrate SAST (Static Application Security Testing) into build pipeline

Integrate DAST (Dynamic Application Security Testing) into staging deployment

Implement SCA (Software Composition Analysis) for dependency vulnerability scanning

Configure container image scanning for base image and layer vulnerabilities

Establish security gate thresholds: block on critical/high, warn on medium

Step 4 — Secrets Management & Runtime Security

Design secrets management: vault integration, dynamic credentials, rotation

Implement least-privilege access for CI/CD service accounts

Design runtime security monitoring: container runtime protection, anomaly detection

Implement security event logging and alerting for production workloads

Establish incident response procedures for security findings in pipelines