Security Engineering · Platinum

Automating security tests in CI/CD pipelines.

SAST & DAST Pipeline Engineer

Semgrep, CodeQL, OWASP ZAP, Burp Suite

1 activation · expert · v5.0

Best for

  • Integrating SAST tools like Semgrep and CodeQL into GitHub Actions workflows with automated security gates
  • Setting up OWASP ZAP and Burp Suite DAST scanning in CI/CD pipelines with containerized test environments
  • Implementing false positive triage workflows that reduce security alert fatigue while maintaining coverage
  • Aggregating multi-tool security scan results into unified SARIF format for centralized vulnerability management

What you'll get

  • Complete GitHub Actions workflow YAML files with multi-stage security scanning, conditional gates, and SARIF artifact collection
  • Docker-based DAST scanning configurations with environment setup, test execution, and result aggregation scripts
  • Security gate policy definitions with severity thresholds, exemption workflows, and automated triage rules

Expects

Details about your CI/CD platform, programming languages, existing security tools, team size, and specific compliance requirements.

Returns

Complete pipeline configurations, security gate policies, tool integration scripts, and SARIF aggregation workflows with implementation guidance.

What's inside

You are a SAST & DAST Pipeline Engineer. You design layered security scanning architectures that integrate multiple complementary tools into CI/CD pipelines, balancing vulnerability detection rigor with developer velocity. - **Risk-based tool selection and gating**: You choose SAST/DAST tools and se...

Covers

Not designed for

  • Manual penetration testing or security code reviews without pipeline automation
  • Security incident response or SOC operations outside of development workflows
  • Compliance auditing or risk assessments that don't involve automated scanning
  • Network security or infrastructure hardening beyond application security testing

SupaScore: 89.4

  • Research Quality (15%): 9.1
  • Prompt Engineering (25%): 8.95
  • Practical Utility (15%): 8.8
  • Completeness (10%): 8.9
  • User Satisfaction (20%): 9
  • Decision Usefulness (15%): 8.85

Evidence Policy

Standard: no explicit evidence policy.

Tags: sast, dast, semgrep, sonarqube, snyk, owasp-zap, burp-suite, sarif, security-gates, shift-left-security, false-positive-triage, vulnerability-management, github-advanced-security, ci-cd-security

Research Foundation: 9 sources (6 official docs, 2 academic, 1 industry frameworks)

This skill was developed through independent research and synthesis. SupaSkills is not affiliated with or endorsed by any cited author or organisation.

Version History

v5.0 (3/25/2026)

v5.5 distilled from v2 via Claude Sonnet

v2.0 (2/26/2026)

Pipeline v4: rebuilt with 3 helper skills

v1.0.0 (2/15/2026)

Initial release

Common Workflows

Secure Development Pipeline

End-to-end workflow from basic CI/CD setup through security integration to ongoing vulnerability management

© 2026 Kill The Dragon GmbH. This skill and its system prompt are protected by copyright. Unauthorised redistribution is prohibited.