ワンクリックで
sdlc-devsecops
DevSecOps: supply chain security, SBOMs, policy-as-code, zero-trust, security automation.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
DevSecOps: supply chain security, SBOMs, policy-as-code, zero-trust, security automation.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
AI/LLM engineering: LLMOps, prompt engineering, model integration, AI safety, production AI systems.
Data engineering: pipelines, data quality, data mesh, data lakehouse, ETL/ELT, streaming architecture.
DevSecOps: supply chain security, SBOMs, policy-as-code, zero-trust, security automation.
Green software engineering: sustainability, carbon-aware computing, energy-efficient architecture, eco-friendly development.
AI/LLM engineering: LLMOps, prompt engineering, model integration, AI safety, production AI systems.
Data engineering: pipelines, data quality, data mesh, data lakehouse, ETL/ELT, streaming architecture.
| name | sdlc-devsecops |
| description | DevSecOps: supply chain security, SBOMs, policy-as-code, zero-trust, security automation. |
| version | 6.3.0 |
| author | Dinoudon |
| license | MIT |
| platforms | ["linux","macos","windows"] |
| metadata | {"hermes":{"tags":["devsecops","supply-chain","sbom","policy-as-code","zero-trust","security-automation"]}} |
Integrate security into the software development lifecycle. Covers supply chain security, SBOMs, policy-as-code, zero-trust, and security automation.
DevSecOps integrates security practices into the DevOps workflow. It shifts security left (earlier in the lifecycle) and makes it continuous (automated at every stage).
Shift left:
- Security earlier in lifecycle
- Catch issues before production
- Reduce cost of fixes
- Developer responsibility
Supply chain security:
- Protect dependencies
- Verify integrity
- Monitor for vulnerabilities
- SBOMs for transparency
Policy-as-code:
- Security rules as code
- Automated enforcement
Supply chain attacks:
- Dependency confusion
- Typosquatting
- Malicious packages
- Compromised build tools
- Stolen credentials
Notable incidents:
- SolarWinds (2020)
- Log4Shell (2021)
- ua-parser-js (2021)
- colors.js (2022)
- xz-utils (2024)
Attack vectors:
What is SBOM:
- Inventory of software components
- Dependencies and versions
- Licenses and vulnerabilities
- Machine-readable format
Why SBOM:
- Transparency
- Vulnerability tracking
- License compliance
- Incident response
- Regulatory requirements
SBOM formats:
SPDX:
OPA (Open Policy Agent):
- General-purpose policy engine
- Rego language
- Kubernetes, API, data policies
- CNCF graduated project
Example policy:
package authz
default allow = false
allow {
input.method == "GET"
input.path == ["api", "users"]
input.user.role == "admin"
Core principles:
1. Never trust, always verify
2. Least privilege access
3. Assume breach
4. Verify explicitly
5. Minimize blast radius
Implementation pillars:
Identity:
- Strong authentication
- Multi-factor authentication
- Continuous verification
- Identity-based access
Device:
SAST (Static Application Security Testing):
- Analyze source code
- Find vulnerabilities early
- IDE integration
Tools:
- SonarQube (multi-language)
- Semgrep (pattern matching)
- CodeQL (GitHub)
- Bandit (Python)
- ESLint Security (JavaScript)
DAST (Dynamic Application Security Testing):
- Test running application
- Find runtime vulnerabilities
Discovery:
- Automated scanning
- Bug bounty programs
- Penetration testing
- Security advisories
Assessment:
- CVSS scoring
- Context analysis
- Exploitability assessment
- Business impact
Prioritization:
- Severity (Critical, High, Medium, Low)
- Exploitability
Types of secrets:
- API keys
- Database credentials
- TLS certificates
- Encryption keys
- OAuth tokens
Storage options:
HashiCorp Vault:
- Dynamic secrets
- Secret rotation
- Audit logging
- High availability
AWS Secrets Manager:
SOC 2:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
GDPR:
- Data protection
- Privacy by design
- Right to erasure
- Data portability
HIPAA:
- Healthcare data
Preparation:
- Incident response team
- Communication channels
- Runbooks and playbooks
- Tools and access
Detection:
- Monitoring and alerting
- Log analysis
- Threat intelligence
- User reports
Containment:
- Isolate affected systems
- Preserve evidence
Vulnerability metrics:
- Mean time to detect (MTTD)
- Mean time to remediate (MTTR)
- Vulnerability density
- Open vulnerability count
Compliance metrics:
- Compliance score
- Audit findings
- Policy violations
- Control effectiveness
Security posture:
- Security coverage
- Security debt