
building-devsecops-pipeline-with-gitlab-ci

Design and implement a comprehensive DevSecOps pipeline in GitLab CI/CD integrating SAST, DAST, container scanning, dependency scanning, and secret detection.

57

Quality: 66% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security (by Snyk): Advisory. Suggest reviewing before use.


Quality

Discovery: 82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This description excels at specificity and distinctiveness by naming concrete security scanning tools and anchoring them to GitLab CI/CD. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill over others. Adding trigger guidance would elevate this from a good to an excellent description.

Suggestions

- Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about setting up security scanning in GitLab, configuring CI/CD security pipelines, or integrating SAST/DAST into their GitLab workflow.'
- Consider adding common user phrasing variations such as 'security pipeline', 'GitLab security', '.gitlab-ci.yml security stages', or 'shift-left security' to broaden trigger term coverage.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | Lists multiple specific concrete actions: SAST, DAST, container scanning, dependency scanning, and secret detection, all within the context of designing and implementing a DevSecOps pipeline in GitLab CI/CD. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' (design and implement a DevSecOps pipeline with specific security scanning tools), but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this dimension at 2 per the rubric. | 2 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'DevSecOps', 'pipeline', 'GitLab CI/CD', 'SAST', 'DAST', 'container scanning', 'dependency scanning', 'secret detection'. These are terms practitioners naturally use when requesting this type of work. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive due to the specific combination of GitLab CI/CD, DevSecOps, and the enumerated security scanning types. Unlikely to conflict with generic CI/CD or general security skills. | 3 / 3 |
| Total | | 11 / 12 |

Passed

Implementation: 50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides a strong, executable GitLab CI/CD pipeline configuration that covers all major security scanning types, which is its primary strength. However, it is significantly padded with explanatory content about what each scanner does (knowledge Claude already has), generic 'When to Use' boilerplate, and descriptive sections about dashboards and metrics that don't add actionable value. The workflow would benefit from explicit validation checkpoints and error recovery guidance when security scans detect vulnerabilities.

Suggestions

- Remove the entire 'Core Security Scanning Stages' section that explains what SAST, DAST, container scanning, dependency scanning, and secret detection are; Claude already knows these concepts.
- Replace the generic 'When to Use' section with specific trigger conditions like 'when .gitlab-ci.yml exists and user requests security pipeline integration'.
- Add explicit validation/feedback loops: what to do when scanners report critical findings (e.g., check vulnerability report → triage → fix → re-run pipeline), and show how `allow_failure: false` integrates into the YAML.
- Move the monitoring metrics table and Security Dashboard descriptions to a separate reference file or remove them, keeping SKILL.md focused on pipeline implementation steps.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | Significant verbosity throughout. The 'Core Security Scanning Stages' section explains what SAST, DAST, container scanning, dependency scanning, and secret detection are, concepts Claude already knows well. The 'When to Use' section is generic boilerplate. The overview explains what 'shift left' means. The monitoring metrics table and security dashboard descriptions add bulk without actionable value for pipeline implementation. | 1 / 3 |
| Actionability | The complete .gitlab-ci.yml pipeline configuration is fully executable and copy-paste ready, covering all stages from build through production deployment. The custom SAST ruleset TOML configuration and security approval policy steps provide concrete, specific guidance. Variable names, image tags, and template includes are all real and usable. | 3 / 3 |
| Workflow Clarity | The pipeline stages are clearly sequenced (build → test → security → deploy-staging → dast → deploy-production) with proper `needs` dependencies and manual gates for production. However, there are no explicit validation checkpoints or feedback loops: no guidance on what to do when scanners find critical vulnerabilities mid-pipeline, no error recovery steps, and the 'Fail conditions' mention of `allow_failure: false` is a bullet point rather than an integrated workflow step. | 2 / 3 |
| Progressive Disclosure | The content has reasonable section structure but is monolithic: all content is inline in a single file with no bundle files to offload detailed content like the custom ruleset configuration, metrics tables, or dashboard usage. External references are only to GitLab docs. The explanatory sections (Core Security Scanning Stages) could be removed or moved to a reference file, keeping SKILL.md focused on implementation. | 2 / 3 |
| Total | | 8 / 12 |

Passed

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
| --- | --- | --- |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 |

Passed

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
