[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"skill-4d50b362-5131-44d8-af31-3b182e5a3a5c":3,"$f0mOfc3HbSS3BgrDc9R3MUPNggH5hcepVsR4cWiNmggw":43},{"id":4,"title":5,"description":6,"categoryId":7,"moduleId":8,"tags":9,"prompt":10,"icon":11,"source":12,"sourceUrl":13,"authorId":14,"authorName":15,"isPublic":16,"stars":17,"runs":18,"createdAt":19,"updatedAt":19,"module":20,"category":27,"packages":34},"4d50b362-5131-44d8-af31-3b182e5a3a5c","senior-secops","高级SecOps工程师技能：应用安全、漏洞管理、合规验证和安全的开发实践。运行SAST\u002FDAST扫描，生成CVE修复计划，检查依赖性漏洞，创建安全策略，强制执行安全编码模式，并自动化针对SOC2、PCI-DSS、HIPAA和GDPR的合规性检查。在执行安全审查或审计、响应CVE或安全事件、加固基础设施、实施身份验证时使用。","cat_coding_review","mod_coding","alirezarezvani,coding","---\nname: \"senior-secops\"\ndescription: Senior SecOps engineer skill for application security, vulnerability management, compliance verification, and secure development practices. Runs SAST\u002FDAST scans, generates CVE remediation plans, checks dependency vulnerabilities, creates security policies, enforces secure coding patterns, and automates compliance checks against SOC2, PCI-DSS, HIPAA, and GDPR. Use when conducting a security review or audit, responding to a CVE or security incident, hardening infrastructure, implementing authentication or secrets management, running penetration test prep, checking OWASP Top 10 exposure, or enforcing security controls in CI\u002FCD pipelines.\n---\n\n# Senior SecOps Engineer\n\nComplete toolkit for Security Operations including vulnerability management, compliance verification, secure coding practices, and security automation.\n\n---\n\n## Table of Contents\n\n- [Core Capabilities](#core-capabilities)\n- [Workflows](#workflows)\n- [Tool Reference](#tool-reference)\n- [Security Standards](#security-standards)\n- [Compliance Frameworks](#compliance-frameworks)\n- [Best Practices](#best-practices)\n\n---\n\n## Core Capabilities\n\n### 1. Security Scanner\n\nScan source code for security vulnerabilities including hardcoded secrets, SQL injection, XSS, command injection, and path traversal.\n\n```bash\n# Scan project for security issues\npython scripts\u002Fsecurity_scanner.py \u002Fpath\u002Fto\u002Fproject\n\n# Filter by severity\npython scripts\u002Fsecurity_scanner.py \u002Fpath\u002Fto\u002Fproject --severity high\n\n# JSON output for CI\u002FCD\npython scripts\u002Fsecurity_scanner.py \u002Fpath\u002Fto\u002Fproject --json --output report.json\n```\n\n**Detects:**\n- Hardcoded secrets (API keys, passwords, AWS credentials, GitHub tokens, private keys)\n- SQL injection patterns (string concatenation, f-strings, template literals)\n- XSS vulnerabilities (innerHTML assignment, unsafe DOM manipulation, React unsafe patterns)\n- Command injection (shell=True, exec, eval with user input)\n- Path traversal (file operations with user input)\n\n### 2. Vulnerability Assessor\n\nScan dependencies for known CVEs across npm, Python, and Go ecosystems.\n\n```bash\n# Assess project dependencies\npython scripts\u002Fvulnerability_assessor.py \u002Fpath\u002Fto\u002Fproject\n\n# Critical\u002Fhigh only\npython scripts\u002Fvulnerability_assessor.py \u002Fpath\u002Fto\u002Fproject --severity high\n\n# Export vulnerability report\npython scripts\u002Fvulnerability_assessor.py \u002Fpath\u002Fto\u002Fproject --json --output vulns.json\n```\n\n**Scans:**\n- `package.json` and `package-lock.json` (npm)\n- `requirements.txt` and `pyproject.toml` (Python)\n- `go.mod` (Go)\n\n**Output:**\n- CVE IDs with CVSS scores\n- Affected package versions\n- Fixed versions for remediation\n- Overall risk score (0-100)\n\n### 3. Compliance Checker\n\nVerify security compliance against SOC 2, PCI-DSS, HIPAA, and GDPR frameworks.\n\n```bash\n# Check all frameworks\npython scripts\u002Fcompliance_checker.py \u002Fpath\u002Fto\u002Fproject\n\n# Specific framework\npython scripts\u002Fcompliance_checker.py \u002Fpath\u002Fto\u002Fproject --framework soc2\npython scripts\u002Fcompliance_checker.py \u002Fpath\u002Fto\u002Fproject --framework pci-dss\npython scripts\u002Fcompliance_checker.py \u002Fpath\u002Fto\u002Fproject --framework hipaa\npython scripts\u002Fcompliance_checker.py \u002Fpath\u002Fto\u002Fproject --framework gdpr\n\n# Export compliance report\npython scripts\u002Fcompliance_checker.py \u002Fpath\u002Fto\u002Fproject --json --output compliance.json\n```\n\n**Verifies:**\n- Access control implementation\n- Encryption at rest and in transit\n- Audit logging\n- Authentication strength (MFA, password hashing)\n- Security documentation\n- CI\u002FCD security controls\n\n---\n\n## Workflows\n\n### Workflow 1: Security Audit\n\nComplete security assessment of a codebase.\n\n```bash\n# Step 1: Scan for code vulnerabilities\npython scripts\u002Fsecurity_scanner.py . --severity medium\n# STOP if exit code 2 — resolve critical findings before continuing\n```\n\n```bash\n# Step 2: Check dependency vulnerabilities\npython scripts\u002Fvulnerability_assessor.py . --severity high\n# STOP if exit code 2 — patch critical CVEs before continuing\n```\n\n```bash\n# Step 3: Verify compliance controls\npython scripts\u002Fcompliance_checker.py . --framework all\n# STOP if exit code 2 — address critical gaps before proceeding\n```\n\n```bash\n# Step 4: Generate combined reports\npython scripts\u002Fsecurity_scanner.py . --json --output security.json\npython scripts\u002Fvulnerability_assessor.py . --json --output vulns.json\npython scripts\u002Fcompliance_checker.py . --json --output compliance.json\n```\n\n### Workflow 2: CI\u002FCD Security Gate\n\nIntegrate security checks into deployment pipeline.\n\n```yaml\n# .github\u002Fworkflows\u002Fsecurity.yml\nname: \"security-scan\"\n\non:\n  pull_request:\n    branches: [main, develop]\n\njobs:\n  security-scan:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions\u002Fcheckout@v4\n\n      - name: \"set-up-python\"\n        uses: actions\u002Fsetup-python@v5\n        with:\n          python-version: '3.11'\n\n      - name: \"security-scanner\"\n        run: python scripts\u002Fsecurity_scanner.py . --severity high\n\n      - name: \"vulnerability-assessment\"\n        run: python scripts\u002Fvulnerability_assessor.py . --severity critical\n\n      - name: \"compliance-check\"\n        run: python scripts\u002Fcompliance_checker.py . --framework soc2\n```\n\nEach step fails the pipeline on its respective exit code — no deployment proceeds past a critical finding.\n\n### Workflow 3: CVE Triage\n\nRespond to a new CVE affecting your application.\n\n```\n1. ASSESS (0-2 hours)\n   - Identify affected systems using vulnerability_assessor.py\n   - Check if CVE is being actively exploited\n   - Determine CVSS environmental score for your context\n   - STOP if CVSS 9.0+ on internet-facing system — escalate immediately\n\n2. PRIORITIZE\n   - Critical (CVSS 9.0+, internet-facing): 24 hours\n   - High (CVSS 7.0-8.9): 7 days\n   - Medium (CVSS 4.0-6.9): 30 days\n   - Low (CVSS \u003C 4.0): 90 days\n\n3. REMEDIATE\n   - Update affected dependency to fixed version\n   - Run security_scanner.py to verify fix (must return exit code 0)\n   - STOP if scanner still flags the CVE — do not deploy\n   - Test for regressions\n   - Deploy with enhanced monitoring\n\n4. VERIFY\n   - Re-run vulnerability_assessor.py\n   - Confirm CVE no longer reported\n   - Document remediation actions\n```\n\n### Workflow 4: Incident Response\n\nSecurity incident handling procedure.\n\n```\nPHASE 1: DETECT & IDENTIFY (0-15 min)\n- Alert received and acknowledged\n- Initial severity assessment (SEV-1 to SEV-4)\n- Incident commander assigned\n- Communication channel established\n\nPHASE 2: CONTAIN (15-60 min)\n- Affected systems identified\n- Network isolation if needed\n- Credentials rotated if compromised\n- Preserve evidence (logs, memory dumps)\n\nPHASE 3: ERADICATE (1-4 hours)\n- Root cause identified\n- Malware\u002Fbackdoors removed\n- Vulnerabilities patched (run security_scanner.py; must return exit code 0)\n- Systems hardened\n\nPHASE 4: RECOVER (4-24 hours)\n- Systems restored from clean backup\n- Services brought back online\n- Enhanced monitoring enabled\n- User access restored\n\nPHASE 5: POST-INCIDENT (24-72 hours)\n- Incident timeline documented\n- Root cause analysis complete\n- Lessons learned documented\n- Preventive measures implemented\n- Stakeholder report delivered\n```\n\n---\n\n## Tool Reference\n\n### security_scanner.py\n\n| Option | Description |\n|--------|-------------|\n| `target` | Directory or file to scan |\n| `--severity, -s` | Minimum severity: critical, high, medium, low |\n| `--verbose, -v` | Show files as they're scanned |\n| `--json` | Output results as JSON |\n| `--output, -o` | Write results to file |\n\n**Exit Codes:** `0` = no critical\u002Fhigh findings · `1` = high severity findings · `2` = critical severity findings\n\n### vulnerability_assessor.py\n\n| Option | Description |\n|--------|-------------|\n| `target` | Directory containing dependency files |\n| `--severity, -s` | Minimum severity: critical, high, medium, low |\n| `--verbose, -v` | Show files as they're scanned |\n| `--json` | Output results as JSON |\n| `--output, -o` | Write results to file |\n\n**Exit Codes:** `0` = no critical\u002Fhigh vulnerabilities · `1` = high severity vulnerabilities · `2` = critical severity vulnerabilities\n\n### compliance_checker.py\n\n| Option | Description |\n|--------|-------------|\n| `target` | Directory to check |\n| `--framework, -f` | Framework: soc2, pci-dss, hipaa, gdpr, all |\n| `--verbose, -v` | Show checks as they run |\n| `--json` | Output results as JSON |\n| `--output, -o` | Write results to file |\n\n**Exit Codes:** `0` = compliant (90%+ score) · `1` = non-compliant (50-69% score) · `2` = critical gaps (\u003C50% score)\n\n---\n\n## Security Standards\n\nSee `references\u002Fsecurity_standards.md` for OWASP Top 10 full guidance, secure coding standards, authentication requirements, and API security controls.\n\n### Secure Coding Checklist\n\n```markdown\n## Input Validation\n- [ ] Validate all input on server side\n- [ ] Use allowlists over denylists\n- [ ] Sanitize for specific context (HTML, SQL, shell)\n\n## Output Encoding\n- [ ] HTML encode for browser output\n- [ ] URL encode for URLs\n- [ ] JavaScript encode for script contexts\n\n## Authentication\n- [ ] Use bcrypt\u002Fargon2 for passwords\n- [ ] Implement MFA for sensitive operations\n- [ ] Enforce strong password policy\n\n## Session Management\n- [ ] Generate secure random session IDs\n- [ ] Set HttpOnly, Secure, SameSite flags\n- [ ] Implement session timeout (15 min idle)\n\n## Error Handling\n- [ ] Log errors with context (no secrets)\n- [ ] Return generic messages to users\n- [ ] Never expose stack traces in production\n\n## Secrets Management\n- [ ] Use environment variables or secrets manager\n- [ ] Never commit secrets to version control\n- [ ] Rotate credentials regularly\n```\n\n---\n\n## Compliance Frameworks\n\nSee `references\u002Fcompliance_requirements.md` for full control mappings. Run `compliance_checker.py` to verify the controls below:\n\n### SOC 2 Type II\n- **CC6** Logical Access: authentication, authorization, MFA\n- **CC7** System Operations: monitoring, logging, incident response\n- **CC8** Change Management: CI\u002FCD, code review, deployment controls\n\n### PCI-DSS v4.0\n- **Req 3\u002F4**: Encryption at rest and in transit (TLS 1.2+)\n- **Req 6**: Secure development (input validation, secure coding)\n- **Req 8**: Strong authentication (MFA, password policy)\n- **Req 10\u002F11**: Audit logging, SAST\u002FDAST\u002Fpenetration testing\n\n### HIPAA Security Rule\n- Unique user IDs and audit trails for PHI access (164.312(a)(1), 164.312(b))\n- MFA for person\u002Fentity authentication (164.312(d))\n- Transmission encryption via TLS (164.312(e)(1))\n\n### GDPR\n- **Art 25\u002F32**: Privacy by design, encryption, pseudonymization\n- **Art 33**: Breach notification within 72 hours\n- **Art 17\u002F20**: Right to erasure and data portability\n\n---\n\n## Best Practices\n\n### Secrets Management\n\n```python\n# BAD: Hardcoded secret\nAPI_KEY = \"sk-1234567890abcdef\"\n\n# GOOD: Environment variable\nimport os\nAPI_KEY = os.environ.get(\"API_KEY\")\n\n# BETTER: Secrets manager\nfrom your_vault_client import get_secret\nAPI_KEY = get_secret(\"api\u002Fkey\")\n```\n\n### SQL Injection Prevention\n\n```python\n# BAD: String concatenation\nquery = f\"SELECT * FROM users WHERE id = {user_id}\"\n\n# GOOD: Parameterized query\ncursor.execute(\"SELECT * FROM users WHERE id = %s\", (user_id,))\n```\n\n### XSS Prevention\n\n```javascript\n\u002F\u002F BAD: Direct innerHTML assignment is vulnerable\n\u002F\u002F GOOD: Use textContent (auto-escaped)\nelement.textContent = userInput;\n\n\u002F\u002F GOOD: Use sanitization library for HTML\nimport DOMPurify from 'dompurify';\nconst safeHTML = DOMPurify.sanitize(userInput);\n```\n\n### Authentication\n\n```javascript\n\u002F\u002F Password hashing\nconst bcrypt = require('bcrypt');\nconst SALT_ROUNDS = 12;\n\n\u002F\u002F Hash password\nconst hash = await bcrypt.hash(password, SALT_ROUNDS);\n\n\u002F\u002F Verify password\nconst match = await bcrypt.compare(password, hash);\n```\n\n### Security Headers\n\n```javascript\n\u002F\u002F Express.js security headers\nconst helmet = require('helmet');\napp.use(helmet());\n\n\u002F\u002F Or manually set headers:\napp.use((req, res, next) => {\n  res.setHeader('X-Content-Type-Options', 'nosniff');\n  res.setHeader('X-Frame-Options', 'DENY');\n  res.setHeader('X-XSS-Protection', '1; mode=block');\n  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');\n  res.setHeader('Content-Security-Policy', \"default-src 'self'\");\n  next();\n});\n```\n\n---\n\n## OWASP Top 10 Quick-Check\n\nRapid 15-minute assessment — run through each category and note pass\u002Ffail. For deep-dive testing, hand off to the **security-pen-testing** skill.\n\n| # | Category | One-Line Check |\n|---|----------|----------------|\n| A01 | Broken Access Control | Verify role checks on every endpoint; test horizontal privilege escalation |\n| A02 | Cryptographic Failures | Confirm TLS 1.2+ everywhere; no secrets in logs or source |\n| A03 | Injection | Run parameterized query audit; check ORM raw-query usage |\n| A04 | Insecure Design | Review threat model exists for critical flows |\n| A05 | Security Misconfiguration | Check default credentials removed; error pages generic |\n| A06 | Vulnerable Components | Run `vulnerability_assessor.py`; zero critical\u002Fhigh CVEs |\n| A07 | Auth Failures | Verify MFA on admin; brute-force protection active |\n| A08 | Software & Data Integrity | Confirm CI\u002FCD pipeline signs artifacts; no unsigned deps |\n| A09 | Logging & Monitoring | Validate audit logs capture auth events; alerts configured |\n| A10 | SSRF | Test internal URL filters; block metadata endpoints (169.254.169.254) |\n\n> **Deep dive needed?** Hand off to `security-pen-testing` for full OWASP Testing Guide coverage.\n\n---\n\n## Secret Scanning Tools\n\nChoose the right scanner for each stage of your workflow:\n\n| Tool | Best For | Language | Pre-commit | CI\u002FCD | Custom Rules |\n|------|----------|----------|:----------:|:-----:|:------------:|\n| **gitleaks** | CI pipelines, full-repo scans | Go | Yes | Yes | TOML regexes |\n| **detect-secrets** | Pre-commit hooks, incremental | Python | Yes | Partial | Plugin-based |\n| **truffleHog** | Deep history scans, entropy | Go | No | Yes | Regex + entropy |\n\n**Recommended setup:** Use `detect-secrets` as a pre-commit hook (catches secrets before they enter history) and `gitleaks` in CI (catches anything that slips through).\n\n```bash\n# detect-secrets pre-commit hook (.pre-commit-config.yaml)\n- repo: https:\u002F\u002Fgithub.com\u002FYelp\u002Fdetect-secrets\n  rev: v1.4.0\n  hooks:\n    - id: detect-secrets\n      args: ['--baseline', '.secrets.baseline']\n\n# gitleaks in GitHub Actions\n- name: gitleaks\n  uses: gitleaks\u002Fgitleaks-action@v2\n  env:\n    GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}\n```\n\n---\n\n## Supply Chain Security\n\nProtect against dependency and artifact tampering with SBOM generation, artifact signing, and SLSA compliance.\n\n**SBOM Generation:**\n- **syft** — generates SBOMs from container images or source dirs (SPDX, CycloneDX formats)\n- **cyclonedx-cli** — CycloneDX-native tooling; merge multiple SBOMs for mono-repos\n\n```bash\n# Generate SBOM from container image\nsyft packages ghcr.io\u002Forg\u002Fapp:latest -o cyclonedx-json > sbom.json\n```\n\n**Artifact Signing (Sigstore\u002Fcosign):**\n```bash\n# Sign a container image (keyless via OIDC)\ncosign sign ghcr.io\u002Forg\u002Fapp:latest\n# Verify signature\ncosign verify ghcr.io\u002Forg\u002Fapp:latest --certificate-identity=ci@org.com --certificate-oidc-issuer=https:\u002F\u002Ftoken.actions.githubusercontent.com\n```\n\n**SLSA Levels Overview:**\n| Level | Requirement | What It Proves |\n|-------|-------------|----------------|\n| 1 | Build process documented | Provenance exists |\n| 2 | Hosted build service, signed provenance | Tamper-resistant provenance |\n| 3 | Hardened build platform, non-falsifiable provenance | Tamper-proof build |\n| 4 | Two-party review, hermetic builds | Maximum supply-chain assurance |\n\n> **Cross-references:** `security-pen-testing` (vulnerability exploitation testing), `dependency-auditor` (license and CVE audit for dependencies).\n\n---\n\n## Reference Documentation\n\n| Document | Description |\n|----------|-------------|\n| `references\u002Fsecurity_standards.md` | OWASP Top 10, secure coding, authentication, API security |\n| `references\u002Fvulnerability_management_guide.md` | CVE triage, CVSS scoring, remediation workflows |\n| `references\u002Fcompliance_requirements.md` | SOC 2, PCI-DSS, HIPAA, GDPR full control mappings |\n","","imported","https:\u002F\u002Fgithub.com\u002Falirezarezvani\u002Fclaude-skills","user_system_seed","SkillOPIC",true,200,544,"2026-05-16 13:58:06",{"id":8,"name":21,"slug":22,"icon":23,"description":24,"sort":25,"createdAt":26},"编程开发","coding","mdi-code-braces","代码生成、调试、审查，提升开发效率",2,"2026-05-16 12:53:40",{"id":7,"name":28,"slug":29,"icon":30,"description":31,"moduleId":8,"sort":32,"skillCount":33,"createdAt":26},"代码审查","review","mdi-magnify-scan","代码质量分析、安全审查",4,145,[35],{"id":36,"skillId":4,"version":37,"fileName":38,"fileSize":39,"filePath":40,"fileHash":41,"manifest":42,"createdAt":19},"e09bf222-bb73-41b0-9b9a-8834eb120bf4","1.0.0","senior-secops.zip",43343,"uploads\u002Fskills\u002F4d50b362-5131-44d8-af31-3b182e5a3a5c\u002Fsenior-secops.zip","da40c0432658e24807d9d809a34c0597df706326eabfe27218a9d734079ec458","[{\"path\":\"SKILL.md\",\"isDirectory\":false,\"size\":16062},{\"path\":\"references\u002Fcompliance_requirements.md\",\"isDirectory\":false,\"size\":23807},{\"path\":\"references\u002Fsecurity_standards.md\",\"isDirectory\":false,\"size\":19246},{\"path\":\"references\u002Fvulnerability_management_guide.md\",\"isDirectory\":false,\"size\":14297},{\"path\":\"scripts\u002Fcompliance_checker.py\",\"isDirectory\":false,\"size\":38622},{\"path\":\"scripts\u002Fsecurity_scanner.py\",\"isDirectory\":false,\"size\":16570},{\"path\":\"scripts\u002Fvulnerability_assessor.py\",\"isDirectory\":false,\"size\":20415}]",{"code":17,"message":44,"data":45},"success",{"items":46,"stats":47,"page":50},[],{"averageRating":48,"totalRatings":48,"ratingCounts":49},0,[48,48,48,48,48],{"limit":51,"offset":48,"hasMore":52,"nextOffset":51,"ratedOnly":16},15,false]