| name | devsecops-lookup |
| description | Looks up OWASP DevSecOps Guideline phases, security tools, and pipeline checks. Returns tool configurations, CWE mappings, and integration patterns for CI/CD security. Use when user asks about "DevSecOps", "SAST", "DAST", "SCA", "container security", "IaC security", "secret detection", "gitleaks", "semgrep", "trivy", "pipeline security", "シークレット検出", "静的解析", "動的解析", "コンテナセキュリティ", "セキュリティゲート". |
DevSecOps Guideline Lookup
Reference for OWASP DevSecOps Guideline phases, tools, and security checks.
Pipeline Phases
| Phase | Activity | Key Tools |
|---|---|---|
| Develop | Pre-commit checks, Secret detection | Gitleaks, TruffleHog, pre-commit |
| Build | SAST, SCA, Container, IaC | Semgrep, Trivy, Hadolint, tfsec |
| Test | DAST, API Security, IAST | OWASP ZAP, Nuclei, Postman |
| Deploy | Security Gates, Config validation | Policy-as-code, Admission controllers |
| Operate | Monitoring, Vulnerability management | CNAPP, SIEM, Pentesting |
Lookup Workflow
Identify the Query Type:
- Pipeline phase (develop, build, test, deploy, operate)
- Tool name (gitleaks, semgrep, trivy, etc.)
- Security activity (SAST, SCA, DAST, etc.)
- CWE reference
Search the Indexes:
# Phase lookup cat ${CLAUDE_PLUGIN_ROOT}/skills/devsecops-lookup/pipeline-phases-index.json | jq '.phases["build"]' # Tool lookup cat ${CLAUDE_PLUGIN_ROOT}/skills/devsecops-lookup/tools-index.json | jq '.tools["semgrep"]' # Search by keyword cat ${CLAUDE_PLUGIN_ROOT}/skills/devsecops-lookup/tools-index.json | jq '[.tools | to_entries[] | select(.value.keywords | map(ascii_downcase) | any(contains("sast")))]' # CWE to phase mapping cat ${CLAUDE_PLUGIN_ROOT}/skills/devsecops-lookup/pipeline-phases-index.json | jq '[.phases | to_entries[] | select(.value.cwes | any(contains("CWE-798")))]'Return Results with:
- What it does (summary)
- Installation command
- Usage example
- CI/CD integration pattern
- Official references
Response Format
### [Tool/Activity Name]
**Phase**: [develop|build|test|deploy|operate]
**Category**: [secret-detection|sast|sca|container|iac|dast|misconfig]
**What It Does**:
[1-2 sentence summary]
**Installation**:
\`\`\`bash
[install command]
\`\`\`
**Basic Usage**:
\`\`\`bash
[usage command]
\`\`\`
**CI/CD Integration** (GitHub Actions):
\`\`\`yaml
[workflow snippet]
\`\`\`
**CWE Coverage**: [list of CWEs]
**References**:
- [Tool URL]
- [OWASP DevSecOps Guideline URL]
Quick Reference: Tools by Phase
Develop (Pre-commit)
| Tool | Purpose | Install |
|---|---|---|
| Gitleaks | Secret detection | brew install gitleaks |
| pre-commit | Hook management | pip install pre-commit |
| detect-secrets | Secret patterns | pip install detect-secrets |
Build (CI)
| Tool | Purpose | Install |
|---|---|---|
| Semgrep | SAST | pip install semgrep |
| Trivy | SCA + Container | brew install trivy |
| Hadolint | Dockerfile lint | brew install hadolint |
| tfsec | Terraform security | brew install tfsec |
| Checkov | IaC security | pip install checkov |
Test (CD/Staging)
| Tool | Purpose | Install |
|---|---|---|
| OWASP ZAP | DAST | Docker |
| Nuclei | Vulnerability scanner | go install nuclei |
Index Coverage
pipeline-phases-index.json
- All DevSecOps pipeline phases
- Activities per phase
- Recommended tools
- CWE mappings
- OWASP DevSecOps Guideline references
tools-index.json
- 15+ security tools
- Installation commands
- Usage patterns
- CI/CD integration examples
- Output format specifications
Example Queries
User: "How do I scan for secrets in CI?"
You: Look up gitleaks in tools-index.json
User: "What's the build phase?"
You: Look up build in pipeline-phases-index.json
User: "Terraform security scanning?"
You: Look up tfsec or checkov in tools-index.json
User: "CWE-798 prevention?" You: Search for CWE-798 in phases, return secret detection tools