Senior SecOps engineer skill for application security, vulnerability management, compliance verification, and secure development practices. Runs SAST/DAST scans, generates CVE remediation plans, checks dependency vulnerabilities, creates security policies, enforces secure coding patterns, and automates compliance checks against SOC2, PCI-DSS, HIPAA, and GDPR. Use when conducting a security review or audit, responding to a CVE or security incident, hardening infrastructure, implementing authentication or secrets management, running penetration test prep, checking OWASP Top 10 exposure, or enforcing security controls in CI/CD pipelines.
Scorecard: 93 · 92%
- Impact: Pending (no eval scenarios have been run)
- Quality (does it follow best practices?): Passed, no known issues

Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, well-crafted skill description that excels across all dimensions. It provides specific concrete actions, rich natural trigger terms spanning security terminology users would actually use, explicit 'Use when' guidance with multiple scenarios, and a clearly distinct security-focused niche. The description uses proper third-person voice throughout.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: runs SAST/DAST scans, generates CVE remediation plans, checks dependency vulnerabilities, creates security policies, enforces secure coding patterns, and automates compliance checks against named frameworks (SOC2, PCI-DSS, HIPAA, GDPR). | 3 / 3 |
| Completeness | Clearly answers both 'what' (SAST/DAST scans, CVE remediation plans, dependency checks, security policies, compliance automation) and 'when' with an explicit 'Use when...' clause listing seven distinct trigger scenarios. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: security review, audit, CVE, security incident, hardening, authentication, secrets management, penetration test, OWASP Top 10, CI/CD pipelines, SAST, DAST, SOC2, PCI-DSS, HIPAA, GDPR, dependency vulnerabilities, secure coding. | 3 / 3 |
| Distinctiveness / Conflict Risk | Occupies a clear security/SecOps niche with highly specific triggers like CVE remediation, OWASP Top 10, SAST/DAST, and named compliance frameworks. Unlikely to conflict with general development or DevOps skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 85%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured, comprehensive SecOps skill with strong actionability and workflow clarity. The tool reference section with exit codes and the gate-based audit workflow are particularly effective. The main weakness is moderate verbosity in the Best Practices section, which covers secure coding patterns Claude already knows well, though the content serves as a useful quick-reference checklist.
Suggestions
Trim the Best Practices section significantly — Claude already knows SQL injection prevention, XSS prevention, and bcrypt usage. Keep only the project-specific patterns or move to a reference file.
Consider moving the Security Headers and Authentication code examples to references/security_standards.md to reduce the main skill's token footprint while preserving the information.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is reasonably efficient but includes some content Claude already knows (e.g., basic SQL injection prevention, XSS prevention patterns, bcrypt usage). The compliance framework summaries and OWASP table are useful reference material, but the Best Practices section largely teaches basic secure coding patterns that Claude is already well-versed in. The overall length (~350 lines) is substantial but mostly justified by the breadth of the skill. | 2 / 3 |
| Actionability | The skill provides concrete, executable commands for all three scanner tools with specific flags, exit codes, and output formats. The CI/CD workflow includes a complete GitHub Actions YAML. Code examples for secure coding patterns are copy-paste ready across Python and JavaScript. The CVE triage workflow has specific time windows and CVSS thresholds. | 3 / 3 |
| Workflow Clarity | Workflows are clearly sequenced with explicit validation checkpoints using exit codes (STOP if exit code 2). The Security Audit workflow has a clear gate-based progression. The CVE Triage workflow includes time-boxed phases with escalation criteria. The Incident Response workflow has phased steps with clear timelines. Feedback loops are present (run scanner → fix → re-run to verify). | 3 / 3 |
| Progressive Disclosure | The skill has a clear table of contents, well-organized sections, and appropriately references external files (references/security_standards.md, references/compliance_requirements.md, references/vulnerability_management_guide.md) for deep-dive content. Cross-references to related skills (security-pen-testing, dependency-auditor) are clearly signaled. The reference documentation table at the end provides clean navigation. | 3 / 3 |
| Total | | 11 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation for skill structure: 10 / 11 Passed
| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (506 lines); consider splitting into references/ and linking | Warning |
| Total | | 10 / 11 Passed |
967fe01