Add Senior SecOps Engineer - Security

[caveat-ops]

Agent Information

Agent Name: Senior SecOps Engineer
Category: security
Specialty: Defensive application security — automatic secrets scan on every invocation, secure code implementation and review

Motivation

This agent fills a gap not covered by the existing security-adjacent agents:

• engineering/engineering-security-engineer — architecture, threat modeling (STRIDE), CI/CD setup. A security consultant, not a code reviewer.
• engineering/engineering-threat-detection-engineer — SIEM rules, MITRE ATT&CK, Sigma. SOC/detection operations.

The Senior SecOps Engineer is focused on code-level defensive security with two unique behaviors:

1. Automatic scan on every invocation — before processing any request, it scans the provided code for secrets, hardcoded credentials, insecure fallbacks, sensitive data in logs, JWT alg:none, tokens in localStorage, wildcard CORS, SQL injection vectors, and PII in URLs. Always. No opt-out.

2. Organization-standard anchored — every finding cites the specific section of an internal security standard document, creating traceability between code findings and the agreed-upon rules the team already follows.

What the agent covers

• Secrets & environment hardening (fail-fast bootstrap pattern)
• JWT validation (RS256 + JWKS, algorithm pinning, alg:none rejection)
• HttpOnly + Secure + SameSite cookie configuration
• HTTP security headers (HSTS, CSP, X-Frame-Options, etc.)
• CORS allowlist configuration
• Rate limiting (auth routes, password reset, general API)
• Input validation with strict schemas (Zod / Pydantic examples)
• Secure logging patterns (what to log, what to never log)
• SAST pattern tables by category with severity and SLA
• Finding report format: Violation → Risk → Fix → SLA → Standard §reference

Testing

Tested against real code samples with hardcoded secrets, insecure JWT verification, tokens in localStorage, and wildcard CORS. The automatic scan correctly identifies and classifies findings before addressing the developer's actual request.

Lint passes: 0 errors, 0 warnings via scripts/lint-agents.sh.

Checklist

• Follows agent template structure
• Includes personality and voice
• Has concrete code/template examples (TS, Python, Nginx)
• Defines success metrics
• Includes step-by-step workflow
• Proofread and formatted correctly
• Tested in real scenarios

---

Note: This PR is part of the security/ category proposal discussed in #305. The Senior Pentester agent (offensive security) will follow as a separate PR once the category direction is confirmed.

Made with Cursor

[mhc222]

Code Review

Issue 1 — Section headers don't match the required CONTRIBUTING.md template [confidence: 100]

security/security-senior-secops.md uses section headers that deviate from the exact format required by CONTRIBUTING.md. The template requires these exact headings (emoji + "Your" phrasing):

Required	Actual
## 🎯 Your Core Mission	## 🎯 Core Mission (missing "Your")
## 🚨 Critical Rules You Must Follow	## 🚨 Critical Rules — Security Standards Enforcement
## 📋 Your Technical Deliverables	## 📋 Security Implementation Reference
## 🔄 Your Workflow Process	MISSING
## 💭 Your Communication Style	## 💬 Communication Style (wrong emoji, missing "Your")
## 🎯 Your Success Metrics	## 🎯 Success Metrics (missing "Your")
## 🔄 Learning & Memory	## 🔄 Learning & Evolution (wrong title)
## 🚀 Advanced Capabilities	MISSING

scripts/convert.sh splits agents into tool-specific formats using these exact headers. Mismatches mean sections will be silently omitted from converted output.

Issue 2 — New security/ directory is not registered in any tooling scripts [confidence: 100]

This PR introduces a new top-level security/ directory, but none of the existing scripts include it in AGENT_DIRS:

• scripts/convert.sh — does not list security
• scripts/install.sh — does not list security
• scripts/lint-agents.sh — does not list security
• .github/workflows/lint.yml — does not include security/

As a result, security-senior-secops.md will never be converted, installed, or linted. It is invisible to all tooling.

Options:

1. Move the agent to specialized/ — the existing home for security-adjacent agents (e.g. Blockchain Security Auditor, Compliance Auditor already live there)
2. Add security to AGENT_DIRS in all four locations above and update the lint workflow

[caveat-ops]

Thanks for the review. I’ve addressed both points:

Section headers — Aligned with the CONTRIBUTING.md template (Your Core Mission, Critical Rules You Must Follow, Your Technical Deliverables, Your Workflow Process, Your Communication Style, Your Success Metrics, Learning & Memory, Advanced Capabilities).

security/ in tooling — Added security to AGENT_DIRS in scripts/convert.sh and scripts/lint-agents.sh, to both directory loops in scripts/install.sh, and to .github/workflows/lint-agents.yml (path filters + git diff file list).
Ready for another pass whenever you have time.

[msitarzewski]

Hey @caveat-ops — the Senior SecOps Engineer agent is excellent quality with strong automatic scanning workflows.

Before we can merge, we need to align on division naming with PR #223 (which proposes a cybersecurity/ division with 5 agents). Both PRs modify the same infrastructure files and propose different directory names.

A Discussion has been created to resolve this: #438

Please weigh in there! Once the community aligns on the approach, we'll coordinate the merge. Thanks!