implementing-devsecops-security-scanning

Featured

Integrates Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA) into CI/CD pipelines using open-source tools. Covers Semgrep for SAST, Trivy for SCA and container scanning, OWASP ZAP for DAST, and Gitleaks for secrets detection. Activates for requests involving DevSecOps pipeline setup, automated security scanning in CI/CD, SAST/DAST/SCA integration, or shift-left security implementation.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

| Criterion | Weight | Score |
|---|---|---|
| Stars | 20% | 100 |
| Recency | 20% | 100 |
| Frontmatter | 20% | 70 |
| Documentation | 15% | 100 |
| Issue Health | 10% | 50 |
| License | 10% | 100 |
| Description | 5% | 100 |

Skill Content

# Implementing DevSecOps Security Scanning

## When to Use

- Setting up automated security scanning in a new or existing CI/CD pipeline
- Shifting security left by catching vulnerabilities before code reaches production
- Meeting compliance requirements (SOC 2, PCI-DSS, ISO 27001) that mandate automated security testing
- Integrating SAST, DAST, and SCA together to achieve comprehensive application security coverage
- Establishing security gates that block deployments containing critical or high-severity vulnerabilities

**Do not use** as a replacement for manual penetration testing. Automated scanning catches common vulnerability patterns but cannot replace human-driven security assessments for business logic flaws and complex attack chains.

## Prerequisites

- CI/CD platform: GitHub Actions, GitLab CI, Jenkins, or Azure DevOps
- Container runtime (Docker) for running scanning tools
- A staging environment URL for DAST scanning (DAST cannot test static code)
- Repository access with permissions to modify CI/CD workflow files
- Tool-specific requirements:
  - Semgrep: free for open-source rulesets (`p/security-audit`, `p/owasp-top-ten`)
  - Trivy: free, no account required
  - OWASP ZAP: free, Docker image available
  - Gitleaks: free, no account required

## Workflow

### Step 1: Add Secrets Detection with Gitleaks

Secrets detection runs first because leaked credentials are the highest-priority finding. Add to `.github/workflows/security.yml`: ```yaml name: DevSecOps Sec...

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

DevOps & Infrastructure Featured

building-devsecops-pipeline-with-gitlab-ci

Design and implement a comprehensive DevSecOps pipeline in GitLab CI/CD integrating SAST, DAST, container scanning, dependency scanning, and secret detection.

12,642 Updated today
mukul975
AI & Automation Featured

implementing-secret-scanning-with-gitleaks

This skill covers implementing Gitleaks for detecting and preventing hardcoded secrets in git repositories. It addresses configuring pre-commit hooks, CI/CD pipeline integration, custom rule authoring for organization-specific secrets, baseline management for existing repositories, and remediation workflows for exposed credentials.

12,642 Updated today
mukul975
DevOps & Infrastructure Featured

implementing-secrets-scanning-in-ci-cd

Integrate gitleaks and trufflehog into CI/CD pipelines to detect leaked secrets before deployment

12,642 Updated today
mukul975
AI & Automation Featured

integrating-sast-into-github-actions-pipeline

This skill covers integrating Static Application Security Testing (SAST) tools—CodeQL and Semgrep—into GitHub Actions CI/CD pipelines. It addresses configuring automated code scanning on pull requests and pushes, tuning rules to reduce false positives, uploading SARIF results to GitHub Advanced Security, and establishing quality gates that block merges when high-severity vulnerabilities are detected.

12,642 Updated today
mukul975
Code & Development Solid

secrets-gitleaks

Hardcoded secret detection and prevention in git repositories and codebases using Gitleaks. Identifies passwords, API keys, tokens, and credentials through regex-based pattern matching and entropy analysis. Use when: (1) Scanning repositories for exposed secrets and credentials, (2) Implementing pre-commit hooks to prevent secret leakage, (3) Integrating secret detection into CI/CD pipelines, (4) Auditing codebases for compliance violations (PCI-DSS, SOC2, GDPR), (5) Establishing baseline secret detection and tracking new exposures, (6) Remediating historical secret exposures in git history.

335 Updated today
aiskillstore