senior-secops
Senior SecOps engineer skill for application security, vulnerability management, compliance verification, and secure development practices. Runs SAST/DAST scans, generates CVE remediation plans, checks dependency vulnerabilities, creates security policies, enforces secure coding patterns, and automates compliance checks against SOC2, PCI-DSS, HIPAA, and GDPR. Use when conducting a security review or audit, responding to a CVE or security incident, hardening infrastructure, implementing authentication or secrets management, running penetration test prep, checking OWASP Top 10 exposure, or enforcing security controls in CI/CD pipelines.
90
88%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Quality
Discovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that thoroughly covers specific capabilities, includes a comprehensive 'Use when...' clause with diverse trigger scenarios, and uses natural keywords that security practitioners would actually use. The description is well-structured, uses third person voice correctly, and carves out a distinct niche that would be easily distinguishable from other skills.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: runs SAST/DAST scans, generates CVE remediation plans, checks dependency vulnerabilities, creates security policies, enforces secure coding patterns, and automates compliance checks against named frameworks (SOC2, PCI-DSS, HIPAA, GDPR). | 3 / 3 |
Completeness | Clearly answers both 'what' (runs SAST/DAST scans, generates CVE remediation plans, checks dependencies, creates policies, automates compliance checks) and 'when' with an explicit 'Use when...' clause listing seven distinct trigger scenarios. | 3 / 3 |
Trigger Term Quality | Excellent coverage of natural terms users would say: security review, audit, CVE, security incident, hardening, authentication, secrets management, penetration test, OWASP Top 10, CI/CD pipelines, SAST, DAST, dependency vulnerabilities, compliance, SOC2, PCI-DSS, HIPAA, GDPR. | 3 / 3 |
Distinctiveness Conflict Risk | Occupies a clear security/SecOps niche with highly specific triggers like CVE remediation, SAST/DAST, OWASP Top 10, and named compliance frameworks. Unlikely to conflict with general coding or DevOps skills due to the security-specific terminology. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
77%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured, highly actionable security operations skill with strong workflow clarity including explicit validation gates and exit code checks. Its main weakness is length — several sections (Best Practices, Secret Scanning Tools, Supply Chain Security) could be moved to reference files to improve conciseness and progressive disclosure. The core scanner workflows and CI/CD integration are excellent and immediately usable.
Suggestions
Move the Best Practices, Secret Scanning Tools, and Supply Chain Security sections to separate reference files, keeping only a one-line summary and link in the main SKILL.md.
Remove basic secure coding examples (SQL injection, XSS, bcrypt) that Claude already knows, or condense them to a single-line pattern reference rather than full code blocks.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is reasonably efficient but includes some content Claude already knows (e.g., basic SQL injection prevention, XSS prevention patterns, bcrypt usage). The compliance framework summaries and OWASP table add value, but the Best Practices section largely restates common secure coding knowledge. The document is long (~350 lines) and could be tightened by moving Best Practices and some reference tables to separate files. | 2 / 3 |
Actionability | Provides fully executable CLI commands with specific flags, complete CI/CD YAML configurations, copy-paste ready code examples across Python and JavaScript, and concrete tool configurations (pre-commit hooks, GitHub Actions). Exit codes are clearly documented for programmatic use. | 3 / 3 |
Workflow Clarity | Workflows are clearly sequenced with explicit STOP gates tied to exit codes (e.g., 'STOP if exit code 2 — resolve critical findings before continuing'). The CVE Triage workflow includes time-bound SLAs, escalation criteria, and a verify-then-deploy feedback loop. The Incident Response workflow has phased timelines. Missing validation is addressed by exit code checks throughout. | 3 / 3 |
Progressive Disclosure | References to external files exist (references/security_standards.md, compliance_requirements.md, vulnerability_management_guide.md) and cross-references to other skills are noted. However, a significant amount of content that could live in reference files is inline — the Best Practices section, OWASP quick-check table, Secret Scanning Tools comparison, and Supply Chain Security section make the main file quite long. The Table of Contents helps navigation but the document would benefit from more aggressive splitting. | 2 / 3 |
Total | 10 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
skill_md_line_count | SKILL.md is long (506 lines); consider splitting into references/ and linking | Warning |
Total | 10 / 11 Passed | |
- Repository
- alirezarezvani/claude-skills
- Commit
f567c61
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.