Design and implement a comprehensive DevSecOps pipeline in GitLab CI/CD integrating SAST, DAST, container scanning, dependency scanning, and secret detection.
72
66% (Does it follow best practices?)
Impact: Pending (no eval scenarios have been run)
Advisory: Suggest reviewing before use
Quality
Discovery
82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description excels at specificity and distinctiveness by naming concrete security scanning tools and anchoring them to GitLab CI/CD. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill over others. Adding trigger guidance would elevate this from a good to an excellent description.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about setting up security scanning in GitLab, configuring CI/CD security pipelines, or integrating SAST/DAST into their GitLab workflow.'
Consider adding common variations and synonyms users might say, such as 'security pipeline', '.gitlab-ci.yml security stages', 'shift-left security', or 'GitLab security templates'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: SAST, DAST, container scanning, dependency scanning, and secret detection, all within the context of designing and implementing a DevSecOps pipeline in GitLab CI/CD. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' (design and implement a DevSecOps pipeline with specific security scanning tools), but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this dimension at 2 per the rubric. | 2 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'DevSecOps', 'pipeline', 'GitLab CI/CD', 'SAST', 'DAST', 'container scanning', 'dependency scanning', 'secret detection'. These are terms practitioners naturally use when requesting this type of work. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive due to the specific combination of GitLab CI/CD, DevSecOps, and the enumerated security scanning types. Unlikely to conflict with generic CI/CD or general security skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation
50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides a strong, executable GitLab CI/CD pipeline configuration that is directly usable, which is its primary strength. However, it is significantly padded with explanatory content about what each security scanner does (knowledge Claude already possesses), generic 'When to Use' boilerplate, and UI feature descriptions. The workflow lacks explicit validation/triage steps for handling detected vulnerabilities, which is critical for a security pipeline.
Suggestions
Remove the 'Core Security Scanning Stages' section entirely—Claude already knows what SAST, DAST, container scanning, dependency scanning, and secret detection are. Keep only the configuration specifics.
Add explicit validation and triage steps: what to do when scanners find critical vulnerabilities (e.g., how to review the vulnerability report, when to block vs. allow merges, how to dismiss false positives via API or UI).
Remove or drastically shorten the 'When to Use' section and 'Security Dashboard and Vulnerability Management' section, which describe concepts rather than provide actionable instructions.
Consider splitting the custom ruleset configuration, security policies setup, and monitoring metrics into separate referenced files to keep SKILL.md as a lean overview.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Significant verbosity throughout. The 'Core Security Scanning Stages' section explains what SAST, DAST, container scanning, dependency scanning, and secret detection are, concepts Claude already knows. The 'When to Use' section is generic filler. The 'Security Dashboard and Vulnerability Management' section describes GitLab UI features rather than providing actionable configuration. The metrics table and overview paragraph add bulk without instructional value. | 1 / 3 |
| Actionability | The complete pipeline YAML configuration is executable and copy-paste ready. The custom SAST ruleset TOML is concrete. The security approval policy steps, while UI-based, are specific enough to follow. The pipeline variables and override patterns are directly usable. | 3 / 3 |
| Workflow Clarity | The pipeline stages are clearly sequenced (build → test → security → deploy-staging → dast → deploy-production) with proper `needs` dependencies and manual gates. However, there are no validation checkpoints or feedback loops for when security scans fail: no guidance on what to do when vulnerabilities are detected mid-pipeline, how to review/triage findings before proceeding, or how to handle scanner failures. For a security pipeline involving potentially destructive deployment decisions, this is a significant gap. | 2 / 3 |
| Progressive Disclosure | The content is structured with clear headers and sections, and external references are provided at the end. However, the document is monolithic: the explanatory sections on each scanner type, the dashboard/vulnerability management details, and the metrics table could be split into separate reference files. The inline content is heavy for a SKILL.md overview. | 2 / 3 |
| Total | | 8 / 12 Passed |
Validation
90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
888bbe4