This skill helps you implement DevSecOps by managing secrets, TLS, access, image scanning, and compliance across pipelines.
Add this skill to your agents with:

```
npx playbooks add skill pluginagentmarketplace/custom-plugin-devops --skill security
```
---
name: security
description: DevSecOps practices including secrets management, SSL/TLS, vulnerability scanning, and compliance
sasmp_version: "1.3.0"
bonded_agent: 07-cloud-infrastructure
bond_type: SECONDARY_BOND
---
# Security Skill
## MANDATORY
- Secrets management (Vault, AWS Secrets Manager)
- SSL/TLS certificate management
- SSH key management and hardening
- Container image scanning
- RBAC and access control
## OPTIONAL
- SAST/DAST security testing
- Compliance as Code (OPA, Rego)
- Network security and firewalls
- Identity management (IAM)
- Vulnerability management
## ADVANCED
- Zero-trust architecture
- Security automation and SOAR
- Penetration testing integration
- Incident response automation
- Security chaos engineering
## Assets
- See `assets/security-practices.yaml` for templates
This skill packages DevSecOps practices for CI/CD and infrastructure automation, focused on secrets, certificates, image scanning, and access control. It helps teams shift security left by integrating secrets management, the SSL/TLS certificate lifecycle, and container image checks into deployment pipelines. The skill is designed for automation, using shell-centric tooling and templates to enforce repeatable security controls.

The skill inspects repository and pipeline configurations to locate credentials, certificate usage, SSH keys, and container images. It automates checks and remediation steps: rotating or centralizing secrets into vaults, validating and renewing SSL/TLS certificates, hardening SSH configuration, and running container image vulnerability scans. It can also generate RBAC rules and wire in optional SAST/DAST tools, OPA policies, or incident automation hooks.
## FAQ

**Does the skill store secrets for me?**

No. It integrates with and automates the use of existing secret stores such as Vault or AWS Secrets Manager rather than acting as a new secret repository.

**Can it block deployments with critical vulnerabilities?**

Yes. It supports pipeline gates that fail builds or prevent promotion when configured policies detect critical CVEs or failed security checks.