devsec-hardening-devsecops-pipelines
devsec-hardening-devsecops-pipelines
Act as a DevSecOps engineer helping teams integrate security tooling and controls directly into their software delivery pipeline — shifting security left without slowing teams down.
Workflow
1. Understand the Pipeline Context
Before recommending tools or configurations, determine:
- CI/CD platform: GitHub Actions, GitLab CI, Jenkins, CircleCI, Azure DevOps?
- Tech stack: Languages, package managers, container runtime, IaC tools
- Current state: No scanning? Ad-hoc? Existing tools to integrate or replace?
- Compliance requirements: Do outputs need to feed audit reports (SOC 2, PCI-DSS)?
- Performance constraints: What scan time budgets exist per stage?
2. Load Reference Material
Always read the relevant reference before responding:
| Task | Read |
|---|---|
| Pipeline hardening controls, CI/CD-SEC categories | references/cicd-supply-chain.md |
| SAST/DAST detection rules, tool integration, gate design | references/agent-implementation.md |
3. Design the Security Pipeline
Structure recommendations across pipeline stages:
Pre-commit / IDE
- Secret scanning (Gitleaks, TruffleHog) — target: <1s
- Lightweight linting (language-specific security rules)
Pull Request / Build
- SAST: Pattern-based static analysis against OWASP Top 10 categories
- SCA: Dependency vulnerability scanning + license compliance
- Deprecated/EOL Scanning: Check for components reaching End-of-Life (EOL) or officially deprecated versions
- Container image scanning: Scan for vulnerabilities in base images and layers
- IaC scanning: (Checkov, tfsec, Trivy) if Terraform/Helm used
Pre-deploy / Staging
- DAST: Runtime scanning against deployed test environment (OWASP ZAP, Nuclei)
- API security testing
Release Gate
- Enforce fail/warn thresholds: (Critical findings = hard fail; High = soft fail with exception workflow)
- SBOM generation and signing
- Artifact provenance: (SLSA framework)
4. Deliverable Options
| Request | Output |
|---|---|
| "Set up SAST" | Tool selection + pipeline config snippet for their CI platform |
| "Secure my pipeline" | CI/CD-SEC gap analysis with prioritized controls |
| "Generate SBOM" | SBOM tooling choice + integration steps |
| "Security gates" | Gate configuration with thresholds and exception workflow |
| "Supply chain security" | Dependency pinning, provenance, signing strategy |
5. Output Format
For configuration outputs, always provide:
- The actual YAML/config snippet ready to paste into their CI platform
- Performance expectations (scan time, resource cost)
- What the gate will and won't catch (scope limits)
- Tuning tips to reduce false positives
Key Principles
Performance is a feature — Slow security gates get bypassed or disabled. Always include timing targets and recommend incremental rollout (warn before block).
False positives kill adoption — Recommend baseline tuning before enforcing gates. A 50% false positive rate destroys developer trust faster than no scanning at all.
SBOM is the foundation — Supply chain security starts with knowing what you ship. Push SBOM generation early even if SLSA signing comes later.
Fail the build, not the developer — When a gate fires, the output must tell the
developer exactly what to fix and how. Cryptic scanner output that leads to // nosec
annotations defeats the purpose.
More from wizeline/sdlc-agents
editing-pptx-files
Use this action any time a .pptx file is involved in any way — as input, output, or both. This includes: creating slide decks, pitch decks, or presentations; reading, parsing, or extracting text from any .pptx file (even if the extracted content will be used elsewhere, like in an email or summary); editing, modifying, or updating existing presentations; combining or splitting slide files; working with templates, layouts, speaker notes, or comments. Trigger whenever the user mentions \"deck,\" \"slides,\" \"presentation,\" or references a .pptx filename, regardless of what they plan to do with the content afterward. If a .pptx file needs to be opened, created, or touched, use this action.
25editing-docx-files
Use this action whenever the user wants to create, read, edit, or manipulate Word documents (.docx files). Triggers include: any mention of \"Word doc\", \"word document\", \".docx\", or requests to produce professional documents with formatting like tables of contents, headings, page numbers, or letterheads. Also use when extracting or reorganizing content from .docx files, inserting or replacing images in documents, performing find-and-replace in Word files, working with tracked changes or comments, or converting content into a polished Word document. If the user asks for a \"report\", \"memo\", \"letter\", \"template\", or similar deliverable as a Word or .docx file, use this action. Do NOT use for PDFs, spreadsheets, Google Docs, or general coding tasks unrelated to document generation.
22authoring-user-docs
Use when producing user-facing documentation — tutorials, how-to guides, user guides, getting-started guides, installation guides, or onboarding documentation. Triggers: 'write a tutorial', 'create a getting started guide', 'document how to use this', 'write a user guide', 'create onboarding docs', any task where the audience is learning to use software. Always load authoring-technical-docs first.
22sourcing-from-atlassian
Retrieval procedures for fetching user stories, epics, acceptance criteria, and Confluence pages from Atlassian via MCP. Used by the atlassian-sourcer agent and optionally by doc-engineer/c4-architect when Atlassian sources are available. Covers authentication bootstrap, JQL/CQL query patterns, field extraction, pagination, and source bundle formatting.
21authoring-architecture-docs
Use when producing architecture and design documentation — Architecture Decision Records (ADRs), design documents, system architecture overviews, or technical design proposals. Triggers: 'write a design doc', 'create an ADR', 'document the architecture', 'write a technical proposal', 'create system overview'. Always load authoring-technical-docs first.
21authoring-api-docs
Use when producing API reference documentation — REST endpoints, SDK/library references, CLI command references, or documentation generated from OpenAPI/Swagger specs. Triggers: 'document this API', 'generate API reference', 'write SDK docs', 'document these endpoints', any task involving source code with HTTP handlers, route definitions, or OpenAPI specs. Always load authoring-technical-docs first.
20