Expert DevSecOps engineer specializing in secure CI/CD pipelines, shift-left security, security automation, and compliance as code. Use when implementing security gates, container security, infrastructure scanning, secrets management, or building secure supply chains.
73
Quality: 72% (Does it follow best practices?)
Impact: Pending (No eval scenarios have been run)
Risky: Do not use without reviewing
Optimize this skill with Tessl: npx tessl skill review --optimize ./skills/devsecops-expert/SKILL.md
Quality
Discovery
89%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong description with excellent trigger term coverage and a clear 'Use when' clause that explicitly lists activation scenarios. The main weakness is the role-based framing ('Expert DevSecOps engineer specializing in...') rather than action-oriented language describing what the skill does. The description would be slightly stronger with verb-based capabilities instead of expertise claims.
Suggestions
Reframe from role-based ('Expert DevSecOps engineer specializing in...') to action-based language (e.g., 'Implements secure CI/CD pipelines, automates security gates, scans containers and infrastructure...')
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (DevSecOps, CI/CD) and lists several action areas (security gates, container security, infrastructure scanning, secrets management, secure supply chains), but uses role-based framing ('Expert DevSecOps engineer') rather than concrete actions like 'implement', 'configure', or 'scan'. | 2 / 3 |
| Completeness | Clearly answers both what (DevSecOps specializing in secure CI/CD, shift-left security, security automation, compliance as code) and when (explicit 'Use when' clause listing five specific trigger scenarios). | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'CI/CD pipelines', 'shift-left security', 'security gates', 'container security', 'infrastructure scanning', 'secrets management', 'secure supply chains', 'compliance as code'; these are terms practitioners commonly use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive niche combining DevSecOps, CI/CD security, and compliance automation; unlikely to conflict with general security or general DevOps skills due to its specific focus on pipeline security and shift-left practices. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation
55%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides highly actionable, executable DevSecOps guidance with excellent workflow clarity and concrete examples. However, it severely violates token efficiency by being excessively verbose (700+ lines), explaining concepts Claude already knows, and failing to use progressive disclosure to split content into manageable reference files.
Suggestions
Reduce content by 60-70% by removing explanations of basic concepts (what SAST is, what containers are, security principles Claude already knows) and keeping only the actionable patterns and code examples
Split into multiple files: SKILL.md (overview + quick start), PATTERNS.md (implementation patterns), POLICIES.md (OPA/Kyverno examples), CHECKLISTS.md (pre-implementation checklists)
Remove the 'Core Responsibilities' section entirely - it describes what DevSecOps does rather than providing actionable guidance
Consolidate redundant examples - the same concepts (non-root containers, secret management) appear multiple times in different sections
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose at 700+ lines with significant redundancy. Explains concepts Claude already knows (what SAST/DAST are, basic security principles, what containers are). The overview section lists expertise areas that don't add actionable value, and many patterns are repeated across sections. | 1 / 3 |
| Actionability | Excellent executable examples throughout: complete GitHub Actions workflows, Dockerfiles, Kubernetes manifests, OPA policies, and test scripts are all copy-paste ready. Concrete commands and configurations with specific tool versions. | 3 / 3 |
| Workflow Clarity | Clear TDD workflow with explicit steps (write failing test → implement minimum gates → refactor → verify). Security gate patterns include validation checkpoints, and the pre-implementation checklist provides explicit verification steps for each phase. | 3 / 3 |
| Progressive Disclosure | Monolithic wall of text with no references to external files. All content is inline despite being 700+ lines. No clear navigation structure: content that should be in separate reference files (patterns, policies, checklists) is all embedded in one document. | 1 / 3 |
| Total | | 8 / 12 Passed |
Validation
75%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 12 / 16 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (1225 lines); consider splitting into references/ and linking | Warning |
| metadata_version | 'metadata' field is not a dictionary | Warning |
| license_field | 'license' field is missing | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 12 / 16 Passed |
1086ef2