devsecops-expert

Expert DevSecOps engineer specializing in secure CI/CD pipelines, shift-left security, security automation, and compliance as code. Use when implementing security gates, container security, infrastructure scanning, secrets management, or building secure supply chains.

Quality

72%

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Risky

Do not use without reviewing

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/devsecops-expert/SKILL.md

Quality

Content

55%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill provides highly actionable, executable DevSecOps guidance with excellent workflow clarity and concrete examples. However, it severely violates token efficiency by being excessively verbose (700+ lines), explaining concepts Claude already knows, and failing to use progressive disclosure to split content into manageable reference files.

Suggestions

Reduce content by 60-70% by removing explanations of basic concepts (what SAST is, what containers are, security principles Claude already knows) and keeping only the actionable patterns and code examples

Split into multiple files: SKILL.md (overview + quick start), PATTERNS.md (implementation patterns), POLICIES.md (OPA/Kyverno examples), CHECKLISTS.md (pre-implementation checklists)

Remove the 'Core Responsibilities' section entirely - it describes what DevSecOps does rather than providing actionable guidance

Consolidate redundant examples - the same concepts (non-root containers, secret management) appear multiple times in different sections

Dimension	Reasoning	Score
Conciseness	Extremely verbose at 700+ lines with significant redundancy. Explains concepts Claude already knows (what SAST/DAST are, basic security principles, what containers are). The overview section lists expertise areas that don't add actionable value, and many patterns are repeated across sections.	1 / 3
Actionability	Excellent executable examples throughout - complete GitHub Actions workflows, Dockerfiles, Kubernetes manifests, OPA policies, and test scripts are all copy-paste ready. Concrete commands and configurations with specific tool versions.	3 / 3
Workflow Clarity	Clear TDD workflow with explicit steps (write failing test → implement minimum gates → refactor → verify). Security gate patterns include validation checkpoints, and the pre-implementation checklist provides explicit verification steps for each phase.	3 / 3
Progressive Disclosure	Monolithic wall of text with no references to external files. All content is inline despite being 700+ lines. No clear navigation structure - content that should be in separate reference files (patterns, policies, checklists) is all embedded in one document.	1 / 3
	Total	8 / 12 Passed

Description

89%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong description with excellent trigger term coverage and a clear 'Use when' clause that explicitly lists activation scenarios. The main weakness is the role-based framing ('Expert DevSecOps engineer specializing in...') rather than action-oriented language describing what the skill does. The description would be slightly stronger with verb-based capabilities instead of expertise claims.

Suggestions

Reframe from role-based ('Expert DevSecOps engineer specializing in...') to action-based language (e.g., 'Implements secure CI/CD pipelines, automates security gates, scans containers and infrastructure...')

Dimension	Reasoning	Score
Specificity	Names the domain (DevSecOps, CI/CD) and lists several action areas (security gates, container security, infrastructure scanning, secrets management, secure supply chains), but uses role-based framing ('Expert DevSecOps engineer') rather than concrete actions like 'implement', 'configure', or 'scan'.	2 / 3
Completeness	Clearly answers both what (DevSecOps specializing in secure CI/CD, shift-left security, security automation, compliance as code) and when (explicit 'Use when' clause listing five specific trigger scenarios).	3 / 3
Trigger Term Quality	Includes strong natural keywords users would say: 'CI/CD pipelines', 'shift-left security', 'security gates', 'container security', 'infrastructure scanning', 'secrets management', 'secure supply chains', 'compliance as code' - these are terms practitioners commonly use.	3 / 3
Distinctiveness Conflict Risk	Highly distinctive niche combining DevSecOps, CI/CD security, and compliance automation - unlikely to conflict with general security or general DevOps skills due to specific focus on pipeline security and shift-left practices.	3 / 3
	Total	11 / 12 Passed

Validation

75%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 12 / 16 Passed

Validation for skill structure

Criteria	Description	Result
skill_md_line_count	SKILL.md is long (1225 lines); consider splitting into references/ and linking	Warning
metadata_version	'metadata' field is not a dictionary	Warning
license_field	'license' field is missing	Warning
frontmatter_unknown_keys	Unknown frontmatter key(s) found; consider removing or moving to metadata	Warning

	Total	12 / 16 Passed

Repository: martinholovsky/claude-skills-generator
Commit: 1086ef2

Reviewed: 4 months ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.