Plan: DevSecOps Agent & Daily Security Routines

Summary

Hire a DevSecOps Engineer agent (reports to CTO) with two Paperclip skills executed as a daily routine via Paperclip’s routines API. The routine runs both skills in sequence after platform scheduled tasks complete.

1. Agent: DevSecOps Engineer

Field         Value
Name          DevSecOps Engineer
Role          engineer
Reports to    CTO
Icon          shield
Adapter       claude_local (sonnet)
Capabilities  Daily security operations: vulnerability triage for managed secure images, internal security posture monitoring across all CascadeGuard repos, GitHub security advisory management, CVE correlation.

2. Skill A: Open Source Secure Images Check-In

Purpose: Daily review of cascadeguard-open-secure-images and managed image repos.

Scope (repos in /workspace/repos):

  • cascadeguard-open-secure-images (primary)
  • Any future managed image repos

What it does:

  • Pull latest Grype/Trivy scan results from CI artifacts or re-run scans
  • Review open Dependabot alerts and PRs
  • Check GHCR for image signing status (Cosign) and SBOM freshness
  • Cross-reference against NVD/OSV vulnerability databases for newly published CVEs affecting base images
  • Flag images with critical/high vulnerabilities unpatched >48 hours

Output:

  • Per-CVE GitHub issues on the affected repo (one issue per CVE+package, images tracked via labels)
  • GitHub security advisories for privately-reported vulnerabilities
  • Summary comment on a recurring Paperclip tracking issue (digest only — no Paperclip issues for individual findings)

Location: /workspace/.ai/skills/devsecops-open-source-checkin/SKILL.md
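
An added example (not part of the original plan or of CascadeGuard's skill code) of Skill A's flagging and output rules: it groups parsed Grype JSON matches into one issue per CVE+package, collects the affected images for labels, and marks critical/high findings older than 48 hours. The function name `plan_issues`, the `first_seen` state map kept between runs, and all sample data are assumptions.

```python
from datetime import datetime, timedelta, timezone

SLA = timedelta(hours=48)        # the plan's ">48 hours" threshold
FLAGGED = {"critical", "high"}   # severities the plan flags

def plan_issues(scans, first_seen, now):
    """Group Grype matches into one issue per (CVE, package).

    scans:      {image_ref: parsed `grype -o json` document}
    first_seen: {(cve, package): datetime}, assumed state kept between runs
    Returns {(cve, package): {"severity", "images", "age_hours", "overdue"}}.
    """
    issues = {}
    for image, doc in scans.items():
        for match in doc.get("matches", []):
            vuln, art = match["vulnerability"], match["artifact"]
            severity = vuln.get("severity", "Unknown").lower()
            if severity not in FLAGGED:
                continue
            key = (vuln["id"], art["name"])
            # A finding with no recorded first-seen time starts its clock now.
            age = now - first_seen.get(key, now)
            issue = issues.setdefault(key, {
                "severity": severity, "images": set(),
                "age_hours": age.total_seconds() / 3600,
                "overdue": age > SLA,   # strictly more than 48 hours
            })
            issue["images"].add(image)  # becomes an image label on the issue
    return issues

# Constructed sample data (not real scan output); CVE ids are placeholders.
def _match(cve, sev, pkg, ver):
    return {"vulnerability": {"id": cve, "severity": sev},
            "artifact": {"name": pkg, "version": ver}}

NOW = datetime(2025, 1, 10, 6, 0, tzinfo=timezone.utc)
SCANS = {
    "ghcr.io/example/nginx:1": {"matches": [
        _match("CVE-0000-0001", "Critical", "openssl", "3.0.1"),
        _match("CVE-0000-0002", "Medium", "zlib", "1.2.11")]},
    "ghcr.io/example/python:3": {"matches": [
        _match("CVE-0000-0001", "Critical", "openssl", "3.0.1"),
        _match("CVE-0000-0003", "High", "expat", "2.4.0")]},
}
FIRST_SEEN = {("CVE-0000-0001", "openssl"): NOW - timedelta(hours=72),
              ("CVE-0000-0003", "expat"): NOW - timedelta(hours=12)}

if __name__ == "__main__":
    for (cve, pkg), i in sorted(plan_issues(SCANS, FIRST_SEEN, NOW).items()):
        print(cve, pkg, i["severity"], "OVERDUE" if i["overdue"] else "within SLA", sorted(i["images"]))
```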

3. Skill B: Internal Security Posture Audit

Purpose: Proactive security review of all CascadeGuard repos and internal infrastructure.

Scope — All CascadeGuard repos (in /workspace/repos):

  • cascadeguard (org-level repo)
  • cascadeguard-app (private, main product)
  • cascadeguard-docs
  • cascadeguard-exemplar
  • cascadeguard-open-secure-images

Also covers:

  • Platform repos: k8s-lab, ai-dev
  • Components: GitHub org settings, Cloudflare DNS/WAF, container registries
  • Vulnerability databases: NVD, GitHub Advisory Database, OSV

What it does:

  • Check GitHub security tab for each repo: secret scanning alerts, Dependabot alerts, code scanning alerts
  • Review branch protection compliance (using github-repo-setup skill as baseline)
  • Check for leaked credentials or misconfigured secrets
  • Audit CI/CD pipeline security (SHA pinning, permissions, OIDC token usage)
  • Cross-reference dependencies against vulnerability databases
  • Verify private vulnerability reporting is enabled on all public repos

Output:

  • Findings logged as GitHub issues or security advisories on the affected repo (NOT as Paperclip tickets)
  • Critical findings escalated to CTO immediately via Pushover
  • Only create Paperclip issues when a finding requires agent work (code change, config update) AND board approves it via triage digest

Location: /workspace/.ai/skills/devsecops-internal-posture/SKILL.md

4. Implementation: Paperclip Routine

The daily task is implemented as a Paperclip routine (not heartbeat interval scheduling).

Routine Configuration

POST /api/companies/{companyId}/routines
{
  "title": "Daily Security Check-In",
  "description": "Execute open-source image check-in and internal posture audit",
  "assigneeAgentId": "{devsecops-agent-id}",
  "projectId": "{secure-images-mvp-project-id}",
  "priority": "high",
  "concurrencyPolicy": "skip_if_active",
  "catchUpPolicy": "skip_missed"
}

Schedule Trigger

POST /api/routines/{routineId}/triggers
{
  "kind": "schedule",
  "cronExpression": "0 6 * * *",
  "timezone": "UTC"
}

Sequencing: Platform scheduled tasks (02:00 UTC) complete first, then the DevSecOps routine fires at 06:00 UTC to review fresh scan results.

Routine Execution Flow

Each routine run creates an issue assigned to the DevSecOps agent. The agent:

  1. Executes Skill A (Open Source Check-In) — reviews image scan results, flags vulnerabilities
  2. Executes Skill B (Internal Posture Audit) — checks all CG repos + infrastructure
  3. Posts a consolidated summary comment
  4. Creates follow-up issues for any findings (in Platform Stability project)
  5. Marks the routine issue as done

5. Implementation Steps

  1. Create skill files in /workspace/.ai/skills/
  2. Register skills in Paperclip company skill library
  3. Hire DevSecOps Engineer via paperclip-create-agent
  4. Assign skills to the new agent
  5. Create the Paperclip routine with daily schedule trigger
  6. Test with a manual routine run (POST /api/routines/{routineId}/run)

6. Open Questions

  • Should the DevSecOps agent have write access to repos (auto-create PRs for vuln fixes), or read + issue creation only?
  • Cloudflare audit: do we have API access configured, or manual review only?
  • Should weekly deep scans be a separate routine or a flag on the daily one?