Senior Secops
by @alirezarezvani
Senior SecOps engineer skill for application security, vulnerability management, compliance verification, and secure development practices. Runs SAST/DAST sc...
clawhub install senior-secopsπ About This Skill
name: "senior-secops" description: Senior SecOps engineer skill for application security, vulnerability management, compliance verification, and secure development practices. Runs SAST/DAST scans, generates CVE remediation plans, checks dependency vulnerabilities, creates security policies, enforces secure coding patterns, and automates compliance checks against SOC2, PCI-DSS, HIPAA, and GDPR. Use when conducting a security review or audit, responding to a CVE or security incident, hardening infrastructure, implementing authentication or secrets management, running penetration test prep, checking OWASP Top 10 exposure, or enforcing security controls in CI/CD pipelines.
Senior SecOps Engineer
Complete toolkit for Security Operations including vulnerability management, compliance verification, secure coding practices, and security automation.
Table of Contents
Core Capabilities
1. Security Scanner
Scan source code for security vulnerabilities including hardcoded secrets, SQL injection, XSS, command injection, and path traversal.
# Scan project for security issues
python scripts/security_scanner.py /path/to/projectFilter by severity
python scripts/security_scanner.py /path/to/project --severity highJSON output for CI/CD
python scripts/security_scanner.py /path/to/project --json --output report.json
Detects:
2. Vulnerability Assessor
Scan dependencies for known CVEs across npm, Python, and Go ecosystems.
# Assess project dependencies
python scripts/vulnerability_assessor.py /path/to/projectCritical/high only
python scripts/vulnerability_assessor.py /path/to/project --severity highExport vulnerability report
python scripts/vulnerability_assessor.py /path/to/project --json --output vulns.json
Scans:
package.json and package-lock.json (npm)requirements.txt and pyproject.toml (Python)go.mod (Go)Output:
3. Compliance Checker
Verify security compliance against SOC 2, PCI-DSS, HIPAA, and GDPR frameworks.
# Check all frameworks
python scripts/compliance_checker.py /path/to/projectSpecific framework
python scripts/compliance_checker.py /path/to/project --framework soc2
python scripts/compliance_checker.py /path/to/project --framework pci-dss
python scripts/compliance_checker.py /path/to/project --framework hipaa
python scripts/compliance_checker.py /path/to/project --framework gdprExport compliance report
python scripts/compliance_checker.py /path/to/project --json --output compliance.json
Verifies:
Workflows
Workflow 1: Security Audit
Complete security assessment of a codebase.
# Step 1: Scan for code vulnerabilities
python scripts/security_scanner.py . --severity medium
STOP if exit code 2 β resolve critical findings before continuing
# Step 2: Check dependency vulnerabilities
python scripts/vulnerability_assessor.py . --severity high
STOP if exit code 2 β patch critical CVEs before continuing
# Step 3: Verify compliance controls
python scripts/compliance_checker.py . --framework all
STOP if exit code 2 β address critical gaps before proceeding
# Step 4: Generate combined reports
python scripts/security_scanner.py . --json --output security.json
python scripts/vulnerability_assessor.py . --json --output vulns.json
python scripts/compliance_checker.py . --json --output compliance.json
Workflow 2: CI/CD Security Gate
Integrate security checks into deployment pipeline.
# .github/workflows/security.yml
name: "security-scan"on:
pull_request:
branches: [main, develop]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: "set-up-python"
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: "security-scanner"
run: python scripts/security_scanner.py . --severity high
- name: "vulnerability-assessment"
run: python scripts/vulnerability_assessor.py . --severity critical
- name: "compliance-check"
run: python scripts/compliance_checker.py . --framework soc2
Each step fails the pipeline on its respective exit code β no deployment proceeds past a critical finding.
Workflow 3: CVE Triage
Respond to a new CVE affecting your application.
1. ASSESS (0-2 hours)
- Identify affected systems using vulnerability_assessor.py
- Check if CVE is being actively exploited
- Determine CVSS environmental score for your context
- STOP if CVSS 9.0+ on internet-facing system β escalate immediately2. PRIORITIZE
- Critical (CVSS 9.0+, internet-facing): 24 hours
- High (CVSS 7.0-8.9): 7 days
- Medium (CVSS 4.0-6.9): 30 days
- Low (CVSS < 4.0): 90 days
3. REMEDIATE
- Update affected dependency to fixed version
- Run security_scanner.py to verify fix (must return exit code 0)
- STOP if scanner still flags the CVE β do not deploy
- Test for regressions
- Deploy with enhanced monitoring
4. VERIFY
- Re-run vulnerability_assessor.py
- Confirm CVE no longer reported
- Document remediation actions
Workflow 4: Incident Response
Security incident handling procedure.
PHASE 1: DETECT & IDENTIFY (0-15 min)
Alert received and acknowledged
Initial severity assessment (SEV-1 to SEV-4)
Incident commander assigned
Communication channel established PHASE 2: CONTAIN (15-60 min)
Affected systems identified
Network isolation if needed
Credentials rotated if compromised
Preserve evidence (logs, memory dumps) PHASE 3: ERADICATE (1-4 hours)
Root cause identified
Malware/backdoors removed
Vulnerabilities patched (run security_scanner.py; must return exit code 0)
Systems hardened PHASE 4: RECOVER (4-24 hours)
Systems restored from clean backup
Services brought back online
Enhanced monitoring enabled
User access restored PHASE 5: POST-INCIDENT (24-72 hours)
Incident timeline documented
Root cause analysis complete
Lessons learned documented
Preventive measures implemented
Stakeholder report delivered
Tool Reference
security_scanner.py
| Option | Description |
|--------|-------------|
| target | Directory or file to scan |
| --severity, -s | Minimum severity: critical, high, medium, low |
| --verbose, -v | Show files as they're scanned |
| --json | Output results as JSON |
| --output, -o | Write results to file |
Exit Codes: 0 = no critical/high findings Β· 1 = high severity findings Β· 2 = critical severity findings
vulnerability_assessor.py
| Option | Description |
|--------|-------------|
| target | Directory containing dependency files |
| --severity, -s | Minimum severity: critical, high, medium, low |
| --verbose, -v | Show files as they're scanned |
| --json | Output results as JSON |
| --output, -o | Write results to file |
Exit Codes: 0 = no critical/high vulnerabilities Β· 1 = high severity vulnerabilities Β· 2 = critical severity vulnerabilities
compliance_checker.py
| Option | Description |
|--------|-------------|
| target | Directory to check |
| --framework, -f | Framework: soc2, pci-dss, hipaa, gdpr, all |
| --verbose, -v | Show checks as they run |
| --json | Output results as JSON |
| --output, -o | Write results to file |
Exit Codes: 0 = compliant (90%+ score) Β· 1 = non-compliant (50-69% score) Β· 2 = critical gaps (<50% score)
Security Standards
See references/security_standards.md for OWASP Top 10 full guidance, secure coding standards, authentication requirements, and API security controls.
Secure Coding Checklist
## Input Validation
[ ] Validate all input on server side
[ ] Use allowlists over denylists
[ ] Sanitize for specific context (HTML, SQL, shell) Output Encoding
[ ] HTML encode for browser output
[ ] URL encode for URLs
[ ] JavaScript encode for script contexts Authentication
[ ] Use bcrypt/argon2 for passwords
[ ] Implement MFA for sensitive operations
[ ] Enforce strong password policy Session Management
[ ] Generate secure random session IDs
[ ] Set HttpOnly, Secure, SameSite flags
[ ] Implement session timeout (15 min idle) Error Handling
[ ] Log errors with context (no secrets)
[ ] Return generic messages to users
[ ] Never expose stack traces in production Secrets Management
[ ] Use environment variables or secrets manager
[ ] Never commit secrets to version control
[ ] Rotate credentials regularly
Compliance Frameworks
See references/compliance_requirements.md for full control mappings. Run compliance_checker.py to verify the controls below:
SOC 2 Type II
PCI-DSS v4.0
HIPAA Security Rule
GDPR
Best Practices
Secrets Management
# BAD: Hardcoded secret
API_KEY = "sk-1234567890abcdef"GOOD: Environment variable
import os
API_KEY = os.environ.get("API_KEY")BETTER: Secrets manager
from your_vault_client import get_secret
API_KEY = get_secret("api/key")
SQL Injection Prevention
# BAD: String concatenation
query = f"SELECT * FROM users WHERE id = {user_id}"GOOD: Parameterized query
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
XSS Prevention
// BAD: Direct innerHTML assignment is vulnerable
// GOOD: Use textContent (auto-escaped)
element.textContent = userInput;// GOOD: Use sanitization library for HTML
import DOMPurify from 'dompurify';
const safeHTML = DOMPurify.sanitize(userInput);
Authentication
// Password hashing
const bcrypt = require('bcrypt');
const SALT_ROUNDS = 12;// Hash password
const hash = await bcrypt.hash(password, SALT_ROUNDS);
// Verify password
const match = await bcrypt.compare(password, hash);
Security Headers
// Express.js security headers
const helmet = require('helmet');
app.use(helmet());// Or manually set headers:
app.use((req, res, next) => {
res.setHeader('X-Content-Type-Options', 'nosniff');
res.setHeader('X-Frame-Options', 'DENY');
res.setHeader('X-XSS-Protection', '1; mode=block');
res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
res.setHeader('Content-Security-Policy', "default-src 'self'");
next();
});
Reference Documentation
| Document | Description |
|----------|-------------|
| references/security_standards.md | OWASP Top 10, secure coding, authentication, API security |
| references/vulnerability_management_guide.md | CVE triage, CVSS scoring, remediation workflows |
| references/compliance_requirements.md | SOC 2, PCI-DSS, HIPAA, GDPR full control mappings |
π Tips & Best Practices
Secrets Management
# BAD: Hardcoded secret
API_KEY = "sk-1234567890abcdef"GOOD: Environment variable
import os
API_KEY = os.environ.get("API_KEY")BETTER: Secrets manager
from your_vault_client import get_secret
API_KEY = get_secret("api/key")
SQL Injection Prevention
# BAD: String concatenation
query = f"SELECT * FROM users WHERE id = {user_id}"GOOD: Parameterized query
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
XSS Prevention
// BAD: Direct innerHTML assignment is vulnerable
// GOOD: Use textContent (auto-escaped)
element.textContent = userInput;// GOOD: Use sanitization library for HTML
import DOMPurify from 'dompurify';
const safeHTML = DOMPurify.sanitize(userInput);
Authentication
// Password hashing
const bcrypt = require('bcrypt');
const SALT_ROUNDS = 12;// Hash password
const hash = await bcrypt.hash(password, SALT_ROUNDS);
// Verify password
const match = await bcrypt.compare(password, hash);
Security Headers
// Express.js security headers
const helmet = require('helmet');
app.use(helmet());// Or manually set headers:
app.use((req, res, next) => {
res.setHeader('X-Content-Type-Options', 'nosniff');
res.setHeader('X-Frame-Options', 'DENY');
res.setHeader('X-XSS-Protection', '1; mode=block');
res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
res.setHeader('Content-Security-Policy', "default-src 'self'");
next();
});