edercnj/x-security-pipeline
java/src/main/resources/targets/claude/skills/core/security/x-security-pipeline/SKILL.md
Generate CI/CD pipeline configurations with conditional security stages based on SecurityConfig flags. Support GitHub Actions, GitLab CI, and Azure DevOps with minimal and full stage modes, configurable severity thresholds, and SARIF artifact upload.
development
Updated Apr 26, 2026
$ install --global
skillsauthnpx skillsauth add edercnj/claude-environment x-security-pipelineInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 27, 2026, 1:21 PM274.4s1 file scanned
SKILL.md
- name:
- x-security-pipeline
- description:
- Generate CI/CD pipeline configurations with conditional security stages based on SecurityConfig flags. Support GitHub Actions, GitLab CI, and Azure DevOps with minimal and full stage modes, configurable severity thresholds, and SARIF artifact upload.
- user-invocable:
- true
- allowed-tools:
- Read, Write, Edit, Glob, Grep, Bash, Agent
- argument-hint:
- [--ci github|gitlab|azure] [--stages all|minimal] [--trigger push|pr|schedule] [--fail-on-findings true|false] [--severity-threshold CRITICAL|HIGH|MEDIUM]
Global Output Policy
- Language: English ONLY.
- Tone: Technical, Direct, and Concise.
- Efficiency: Remove all conversational fillers and greetings to save tokens.
Triggers
/x-security-pipeline — GitHub Actions, all stages, pr trigger (default)
/x-security-pipeline --ci github — GitHub Actions security pipeline
/x-security-pipeline --ci gitlab — GitLab CI security pipeline
/x-security-pipeline --ci azure — Azure DevOps security pipeline
/x-security-pipeline --stages minimal — SAST + secret scan + dependency audit only
/x-security-pipeline --stages all — full pipeline with all 9 conditional stages
/x-security-pipeline --trigger schedule — scheduled trigger
Parameters
| Parameter | Type | Default | Description |
|-----------|------|---------|-------------|
| --ci | Enum | github | CI platform: github (GitHub Actions), gitlab (GitLab CI), azure (Azure DevOps) |
| --stages | Enum | all | Stage mode: all (9 conditional stages) or minimal (3 stages: SAST, secret scan, dependency audit) |
| --trigger | Enum | pr | Pipeline trigger: push, pr, schedule |
| --fail-on-findings | Boolean | true | Exit non-zero when findings at or above severity threshold detected |
| --severity-threshold | Enum | HIGH | Minimum severity to fail: CRITICAL, HIGH, MEDIUM |
Output Contract
| Platform | Output File |
|----------|-------------|
| github | .github/workflows/security.yml |
| gitlab | .gitlab-ci.yml (security stages appended) |
| azure | azure-pipelines-security.yml |
All platforms support SARIF artifact upload for GitHub Advanced Security integration. Each enabled stage is a CI job wrapping the corresponding atomic scanning skill reference (RULE-011 — Composability). 9 stages available; conditions and skill references:
| Stage | Skill | Condition |
|-------|-------|-----------|
| Secret Scan | x-security-secrets | security.scanning.secrets = true |
| SAST | x-security-sast | security.scanning.sast = true |
| Dependency Audit | x-dependency-audit | Always |
| SonarQube | x-security-sonar | security.scanning.sonar = true |
| Container Scan | x-security-container | infrastructure.container != none |
| DAST Passive | x-security-dast | security.scanning.dast = true |
| OWASP Scan | x-owasp-scan | security.frameworks contains "owasp" |
| Hardening Eval | x-hardening-eval | security.scanning.hardening = true |
| Quality Gate | x-security-sonar | security.scanning.sonar = true |
Error Envelope
| Scenario | Action |
|----------|--------|
| Unknown CI platform | Default to github; warn user |
| No SecurityConfig flags set | Generate Dependency Audit only (always enabled) |
| All conditions disabled | Generate pipeline with only Dependency Audit |
| Container scan without Dockerfile | Exclude container scan; add to disabledStages |
| Invalid --severity-threshold | Default to HIGH; warn user |
| Invalid --stages mode | Default to all; warn user |
| Validation tool missing | Warn and skip validation (non-blocking) |
Full Protocol
Complete per-platform YAML templates (GitHub Actions, GitLab CI, Azure DevOps), stage-by-stage configuration details (SecurityConfig key→stage mapping, SARIF upload for each platform, caching strategies), severity threshold semantics, tool mapping (Semgrep for SAST, Trivy for container scan, Syft/Grype for dependency audit, detect-secrets for secret scan), composability notes (RULE-011), and integration notes in
references/full-protocol.md.
Related Skills
edercnj/x-generate-docs
tools
VerifiedTrustedCommunity
Documentation automation v2: stack-aware generation from documentation.targets.
SKILL.mdUpdated May 17, 2026
edercnj/x-generate-ci
development
VerifiedTrustedCommunity
Generates or updates CI/CD pipelines per project stack with actionlint validation.
SKILL.mdUpdated May 17, 2026
edercnj/x-generate-adr
tools
VerifiedTrustedCommunity
Generates ADRs from architecture-plan mini-ADRs with sequential numbering and index update.
SKILL.mdUpdated May 17, 2026
edercnj/x-format-code
development
VerifiedTrustedCommunity
Formats source code; first step of the pre-commit chain (format -> lint -> compile).
SKILL.mdUpdated May 17, 2026