Skip to main content

Security & Quality Lifecycle

For every $1 you spend on developing a digital solution, plan to spend at least another $1 to ensure full adoption and scaling.

AI agents build governed. Humans ship trusted. 80% autonomy, 100% accountability.

Golden Path: From Shift-Left to Sustained Quality

Phase 1: Scan (2 min)

Who: devops-security-engineer scans. security-compliance-engineer reviews findings.

What: Static analysis, container scanning, secret detection. Shift-left.

Why: 10x cheaper to fix in dev than prod. Zero critical/high vulnerabilities before merge.

What-if skip: Vulnerabilities ship to production, post-deployment remediation costs 10x more.

How

/security:sast

Output

  • SAST scan results (code + container + secrets)
  • Vulnerability report ranked by severity
  • Remediation recommendations

Quality Gate: Zero CRITICAL/HIGH. All findings acknowledged.

Phase 2: Test (variable)

Who: qa-engineer validates test quality. HITL reviews coverage.

What: 3-tier testing with real APIs. Battle tests, not mock theater.

Why: DRYRUN_OVER_READONLY prevented — real API validation with READONLY profiles. 6,298 real tests.

What-if skip: TESTING_THEATER — inflated pass rates, production surprises despite green CI.

How

/cloudops:theater-check   # Quick theater health check
/cloudops:theater-audit   # Full audit with theater score

Output

  • Theater score (0-100): mock density, orphan count, coverage omit entries
  • Test execution results with real API validation
  • Coverage report against pyproject.toml fail_under

Quality Gate: Theater score under 20 (low theater). Coverage meets fail_under.

Phase 3: Comply (1 hour)

Who: security-compliance-engineer gates. HITL reviews evidence package.

What: SOC2, APRA CPS 234, ISO 27001 evidence generation. Security posture check.

Why: Regulatory risk caught at design time. Audit evidence auto-generated, not manually assembled.

What-if skip: Compliance surprises at quarterly audit, manual evidence taking weeks.

How

/aws:security-posture     # Security Hub findings ranked by severity
/security:cert-inventory  # Multi-cloud certificate expiry triage

Output

  • Security Hub findings: CRITICAL/HIGH/MEDIUM/LOW with SOC2 mapping
  • Certificate inventory with 30/60/90 day risk triage
  • Compliance evidence package for auditors

Quality Gate: All CRITICAL findings have remediation plan. Cert expiry monitored.

Phase 4: Harden (per release)

Who: devops-security-engineer hardens. Hooks enforce deterministically.

What: Supply chain SBOM, Docker registry enforcement, signed container images.

Why: SLSA Level 2+ provenance. Chainguard Wolfi base images are sigstore-signed.

What-if skip: Unsigned images, dependency confusion, supply chain compromise.

How

/devcontainer:validate-registry   # Docker registry compliance scan

Output

  • Registry compliance score (nnthanh101/* only)
  • SBOM generated (CycloneDX format)
  • Trivy scan clean (zero CRITICAL/HIGH)

Quality Gate: Registry 100% compliant. SBOM attestation attached.

Phase 5: Sustain (per sprint)

Who: meta-engineering-expert extracts patterns. HITL decides improvements.

What: Anti-pattern catalog grows. Testing theater audits. Quality ratchet.

Why: Each anti-pattern cost real sessions. The catalog (64 patterns) prevents repeat failures.

What-if skip: Same mistakes repeated, testing theater creeps back, quality degrades.

How

/speckit.retrospective   # Sprint retrospective with action items
/metrics:sprint-review   # Sprint review with DORA actuals

Output

  • Updated anti-pattern catalog entries
  • Quality metrics trend (coverage, theater score, governance score)
  • Improvement actions with owners and deadlines

Quality Gate: Anti-patterns documented. Coverage ratchet maintained.

LEAN/5S Applied to Security & Quality

PrincipleApplicationEvidence
Sort64 anti-patterns catalogued, not ad-hoc.claude/rules/anti-patterns-catalog.md
Set in Order3-tier testing: snapshot / LocalStack / AWS livetesting/battle-conftest skill
Shine104K lines of mock theater deletedconftest 1,157 → 99 lines
StandardizeHook-enforced gates (exit 2 = blocked)detect-testing-theater.sh
SustainCoverage ratchet: fail_under measured, not estimatedpyproject.toml SSOT

By Persona

Security Engineer

Path: /security:sast/devcontainer:validate-registry/aws:security-posture

Time to Value: First SAST scan in under 2 minutes.

QA Lead

Path: /cloudops:theater-check/cloudops:theater-audit/metrics:sprint-review

Time to Value: Testing theater score in under 5 minutes.

Compliance Officer

Path: /aws:security-posture/security:cert-inventorybash scripts/governance-score.sh

Time to Value: Audit evidence package in 1 hour.

Common Mistakes (Anti-Patterns)

MistakeWhy It FailsFix
TESTING_THEATERMocks without assertions inflate pass ratesdetect-testing-theater.sh hook
DRYRUN_OVER_READONLY--dry-run when READONLY profiles existReal execution with READONLY
ADJUSTED_METRIC_EXCLUSIONExpanding coverage omit to inflate ratesdetect-testing-theater.sh blocks
MATURITY_SCORE_WITHOUT_TESTScoring based on file counts, not test resultsCite test execution evidence
PHANTOM_MODULE_IMPORTImport passes --help but crashes at runtimeAST-based test_cli_imports.py
COVERAGE_GATE_MISMATCHCI gate differs from pyproject.tomlSingle SSOT in pyproject.toml

Quick Reference: Command Cheat Sheet

# Scan (shift-left)
/security:sast

# Test (real, not theater)
/cloudops:theater-check
/cloudops:theater-audit

# Comply (evidence generation)
/aws:security-posture
/security:cert-inventory

# Harden (supply chain)
/devcontainer:validate-registry

# Sustain (continuous improvement)
/speckit.retrospective
/metrics:sprint-review

Last Updated: March 2026 | Status: Active | Maintenance: security-compliance-engineer