
building-devsecops-pipeline-with-gitlab-ci

Design and implement a comprehensive DevSecOps pipeline in GitLab CI/CD integrating SAST, DAST, container scanning, dependency scanning, and secret detection.

Score: 62

Quality: Does it follow best practices?

Impact: No eval scenarios have been run

Security (by Snyk): Advisory. Suggest reviewing before use.


Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is highly actionable with a complete, executable pipeline configuration and concrete configuration artifacts. It loses points for restating well-known scanner definitions, lacking explicit validation feedback loops, and failing to surface the provided reference/script/asset bundle files from the entry point.

Suggestions

Link the existing bundle files from the body, e.g. add a '## References' section pointing to references/api-reference.md, references/standards.md, references/workflows.md, scripts/agent.py, and assets/template.md, rather than leaving them orphaned.

Move inline material that should be separate (the full .gitlab-ci.yml and metrics tables) into the reference files and summarize them in SKILL.md to reduce token load.

Add an explicit validation/feedback step for the deploy and security-gating workflows (e.g. verify scan results, block on critical findings, fix and re-scan before proceeding).

Dimension (Score): Reasoning

Conciseness (2 / 3): Mostly efficient with a complete pipeline and concrete examples, but the per-scanner prose ('SAST analyzes source code for vulnerabilities before compilation') restates concepts Claude already knows and could be tightened.

Actionability (3 / 3): Provides a complete, copy-paste-ready .gitlab-ci.yml with real template includes and job overrides, a concrete sast-ruleset.toml, and numbered policy steps, matching the 'fully executable, copy-paste ready' anchor.

Workflow Clarity (2 / 3): Pipeline stages are clearly sequenced, but there are no explicit validation checkpoints or validate->fix->retry feedback loops for batch/destructive operations like deploys and security gating, which caps workflow clarity at 2.

Progressive Disclosure (2 / 3): The body is well-sectioned, but the provided bundle files (references/, scripts/, assets/) are never linked or signaled from SKILL.md, and content like the full pipeline YAML and metrics could live in them, matching the 'content that should be separate is inline; references not clearly signaled' anchor.

Total: 9 / 12 (Passed)

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific and distinctive, clearly naming the domain and five concrete scanner integrations. Its main weakness is the absence of an explicit 'Use when...' trigger clause, leaving the 'when to use' guidance implied rather than stated.

Suggestions

Add an explicit 'Use when...' trigger clause, e.g. 'Use when setting up GitLab CI/CD security scanning, or when the user mentions SAST, DAST, container/dependency scanning, or secret detection in GitLab.'

Include a few additional natural phrasings users might say ('CI security', 'security scanning pipeline', 'shift-left security') to broaden trigger coverage.

Dimension (Score): Reasoning

Specificity (3 / 3): Names the domain and lists five concrete constituent actions ('integrating SAST, DAST, container scanning, dependency scanning, and secret detection'), matching the 'lists multiple specific concrete actions' anchor.

Completeness (2 / 3): It clearly answers 'what' but provides no 'Use when...' clause or equivalent explicit trigger guidance, which caps completeness at 2 per the judging guidelines.

Trigger Term Quality (3 / 3): Uses natural terms a user would say when requesting this skill ('DevSecOps pipeline', 'GitLab CI/CD', 'SAST, DAST, container scanning, dependency scanning, secret detection'), giving good coverage rather than only a few keywords.

Distinctiveness / Conflict Risk (3 / 3): The GitLab CI/CD multi-scanner DevSecOps niche is specific and unlikely to trigger for the wrong skill, matching the 'clear niche with distinct triggers' anchor.

Total: 11 / 12 (Passed)

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 15 / 16 passed

Validation for skill structure

Criteria (Result): Description

frontmatter_unknown_keys (Warning): Unknown frontmatter key(s) found; consider removing or moving to metadata

Total: 15 / 16 (Passed)

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed
