Design and implement a comprehensive DevSecOps pipeline in GitLab CI/CD integrating SAST, DAST, container scanning, dependency scanning, and secret detection.
Score: 72
66% — Does it follow best practices?
Impact: Pending (no eval scenarios have been run)
Advisory: Suggest reviewing before use
Optimize this skill with Tessl: `npx tessl skill review --optimize ./skills/building-devsecops-pipeline-with-gitlab-ci/SKILL.md`
Quality
Discovery (82%)
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description excels at specificity and distinctiveness by naming concrete security scanning tools and anchoring them to GitLab CI/CD. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill over others. Adding trigger guidance would elevate this from a good to an excellent description.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about setting up security scanning in GitLab, configuring CI/CD security pipelines, or integrating SAST/DAST into their GitLab workflow.'
Consider adding common variations and synonyms users might say, such as 'security pipeline', '.gitlab-ci.yml security stages', 'shift-left security', or 'GitLab security templates'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: SAST, DAST, container scanning, dependency scanning, and secret detection, all within the context of designing and implementing a DevSecOps pipeline in GitLab CI/CD. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' (design and implement a DevSecOps pipeline with specific security scanning tools), but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this dimension at 2 per the rubric. | 2 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'DevSecOps', 'pipeline', 'GitLab CI/CD', 'SAST', 'DAST', 'container scanning', 'dependency scanning', 'secret detection'. These are terms practitioners naturally use when requesting this type of work. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive due to the specific combination of GitLab CI/CD, DevSecOps, and the enumerated security scanning types. Unlikely to conflict with generic CI/CD or general security skills. | 3 / 3 |
| Total | 11 / 12 Passed | |
Implementation (50%)
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides a strong, executable GitLab CI/CD pipeline configuration that is directly usable, which is its primary strength. However, it is significantly bloated with explanations of security scanning concepts Claude already understands, generic 'When to Use' boilerplate, and UI feature descriptions that don't add actionable value. The workflow would benefit from explicit validation checkpoints and error recovery guidance for when scanners detect critical findings.
Suggestions
Remove the 'Core Security Scanning Stages' section entirely—Claude already knows what SAST, DAST, container scanning, dependency scanning, and secret detection are. Move any non-obvious GitLab-specific configuration notes inline as comments in the YAML.
Add explicit validation/feedback loops: what happens when a scanner finds a critical vulnerability? Include guidance like 'If container_scanning reports HIGH+ CVEs, the pipeline blocks; fix the base image and re-run' with concrete steps.
Remove or drastically shorten the 'When to Use' boilerplate and 'Security Dashboard' UI description sections—these don't help Claude execute the skill.
Consider splitting the custom SAST ruleset, security approval policies, and monitoring metrics into separate referenced files to keep the main skill focused on the pipeline configuration.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Significant verbosity throughout. The 'Core Security Scanning Stages' section explains what SAST, DAST, container scanning, dependency scanning, and secret detection are—concepts Claude already knows well. The 'When to Use' section is generic boilerplate. The 'Security Dashboard and Vulnerability Management' section describes GitLab UI features rather than providing actionable configuration. The metrics table and overview paragraphs add token cost without adding unique instructional value. | 1 / 3 |
| Actionability | The complete pipeline YAML configuration is fully executable and copy-paste ready. The custom SAST ruleset TOML is concrete. The security approval policy steps, while UI-based, are specific enough to follow. The pipeline variables and override patterns are directly usable. | 3 / 3 |
| Workflow Clarity | The pipeline stages are clearly sequenced (build → test → security → deploy-staging → dast → deploy-production) with proper `needs` dependencies and manual gates. However, there are no explicit validation checkpoints or feedback loops—no guidance on what to do when scanners find critical vulnerabilities mid-pipeline, no 'if errors: fix and re-validate' pattern, and no verification that security gates actually blocked a deployment before proceeding. | 2 / 3 |
| Progressive Disclosure | The content is structured with clear headers and sections, and external references are provided at the end. However, the document is monolithic—the detailed YAML pipeline, SAST ruleset configuration, vulnerability management explanation, and metrics table are all inline when some could be split into referenced files. The explanatory sections on each scanner type add bulk that could be omitted or linked out. | 2 / 3 |
| Total | 8 / 12 Passed | |
Validation (90%)
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |
c15f73d