implementing-devsecops-security-scanning

Warn

Audited by Socket on Apr 20, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS: The skill is coherent with its stated DevSecOps purpose and mostly uses official vendor tools, so there is no strong sign of credential theft or hidden exfiltration. However, it enables offensive-capable scanning in an AI-agent context and relies on mutable or outdated third-party action/container references, especially the older Trivy action tag and unpinned Semgrep image, which raises supply-chain and execution-trust risk.

Confidence: 89%
Severity: 58%
Audit Metadata
Analyzed At
Apr 20, 2026, 11:34 PM
Package URL
pkg:socket/skills-sh/mukul975%2Fanthropic-cybersecurity-skills%2Fimplementing-devsecops-security-scanning%2F@5d1da9929536febb6c157330c2d04b03a34deb0d