From threatmodel-skills
Scans container images, dependencies (Go, Python, Node.js, Java), filesystems, and IaC (Terraform, Kubernetes, Dockerfile) for CVEs, misconfigurations using Trivy. Generates SBOMs, SARIF for CI/CD.
npx claudepluginhub agentsecops/secopsagentkit --plugin offsec-skillsThis skill uses the workspace's default tool permissions.
Trivy is a comprehensive security scanner for containers, filesystems, and git repositories. It detects
Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.
Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.
Designs, implements, and audits WCAG 2.2 AA accessible UIs for Web (ARIA/HTML5), iOS (SwiftUI traits), and Android (Compose semantics). Audits code for compliance gaps.
Trivy is a comprehensive security scanner for containers, filesystems, and git repositories. It detects vulnerabilities (CVEs) in OS packages and application dependencies, IaC misconfigurations, exposed secrets, and software licenses. This skill provides workflows for vulnerability scanning, SBOM generation, CI/CD integration, and remediation prioritization aligned with CVSS and OWASP standards.
Scan a container image for vulnerabilities:
# Install Trivy
brew install trivy # macOS
# or: apt-get install trivy # Debian/Ubuntu
# or: docker pull aquasec/trivy:latest
# Scan container image
trivy image nginx:latest
# Scan local filesystem for dependencies
trivy fs .
# Scan IaC files for misconfigurations
trivy config .
# Generate SBOM
trivy image --format cyclonedx --output sbom.json nginx:latest
Progress:
[ ] 1. Identify target container image (repository:tag)
[ ] 2. Run comprehensive Trivy scan with trivy image <image-name>
[ ] 3. Analyze vulnerability findings by severity (CRITICAL, HIGH, MEDIUM, LOW)
[ ] 4. Map CVE findings to CWE categories and OWASP references
[ ] 5. Check for available patches and updated base images
[ ] 6. Generate prioritized remediation report with upgrade recommendations
Work through each step systematically. Check off completed items.
Scan project dependencies for known vulnerabilities:
# Scan filesystem for all dependencies
trivy fs --severity CRITICAL,HIGH .
# Scan specific package manifest
trivy fs --scanners vuln package-lock.json
# Generate JSON report for analysis
trivy fs --format json --output trivy-report.json .
# Generate SARIF for GitHub/GitLab integration
trivy fs --format sarif --output trivy.sarif .
For each vulnerability:
references/remediation_guide.md for language-specific guidanceDetect misconfigurations in IaC files:
# Scan Terraform configurations
trivy config ./terraform --severity CRITICAL,HIGH
# Scan Kubernetes manifests
trivy config ./k8s --severity CRITICAL,HIGH
# Scan Dockerfile best practices
trivy config --file-patterns dockerfile:Dockerfile .
# Generate report with remediation guidance
trivy config --format json --output iac-findings.json .
Review findings by category:
name: Trivy Security Scan
on: [push, pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload results to GitHub Security
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
trivy-scan:
stage: test
image: aquasec/trivy:latest
script:
- trivy fs --exit-code 1 --severity CRITICAL,HIGH --format json --output trivy-report.json .
artifacts:
reports:
dependency_scanning: trivy-report.json
when: always
allow_failure: false
Use bundled templates from assets/ci_integration/ for additional platforms.
Generate Software Bill of Materials for supply chain transparency:
# Generate CycloneDX SBOM
trivy image --format cyclonedx --output sbom-cyclonedx.json nginx:latest
# Generate SPDX SBOM
trivy image --format spdx-json --output sbom-spdx.json nginx:latest
# SBOM for filesystem/project
trivy fs --format cyclonedx --output project-sbom.json .
SBOM use cases:
--scanners secret to detect exposed credentials in imagesLog the following for compliance and incident response:
scripts/)trivy_scan.py - Comprehensive scanning with JSON/SARIF output and severity filteringsbom_generator.py - SBOM generation with CycloneDX and SPDX format supportvulnerability_report.py - Parse Trivy output and generate remediation reports with CVSS scoresbaseline_manager.py - Baseline creation for tracking new vulnerabilities onlyreferences/)scanner_types.md - Detailed guide for vulnerability, misconfiguration, secret, and license scanningremediation_guide.md - Language and ecosystem-specific remediation strategiescvss_prioritization.md - CVSS score interpretation and vulnerability prioritization frameworkiac_checks.md - Complete list of IaC security checks with CIS benchmark mappingsassets/)trivy.yaml - Custom Trivy configuration with security policies and ignore rulesci_integration/github-actions.yml - Complete GitHub Actions workflow with security gatesci_integration/gitlab-ci.yml - Complete GitLab CI pipeline with dependency scanningci_integration/jenkins.groovy - Jenkins pipeline with Trivy integrationpolicy_template.rego - OPA policy template for custom vulnerability policiesComprehensive security assessment combining multiple scan types:
# 1. Scan container image for vulnerabilities
trivy image --severity CRITICAL,HIGH myapp:latest
# 2. Scan IaC for misconfigurations
trivy config ./infrastructure --severity CRITICAL,HIGH
# 3. Scan filesystem for dependency vulnerabilities
trivy fs --severity CRITICAL,HIGH ./app
# 4. Scan for exposed secrets
trivy fs --scanners secret ./app
# 5. Generate comprehensive SBOM
trivy image --format cyclonedx --output sbom.json myapp:latest
Implement baseline scanning to track only new vulnerabilities:
# Initial scan - create baseline
trivy image --format json --output baseline.json nginx:latest
# Subsequent scans - detect new vulnerabilities
trivy image --format json --output current.json nginx:latest
./scripts/baseline_manager.py --baseline baseline.json --current current.json
Detect license compliance risks:
# Scan for license information
trivy image --scanners license --format json --output licenses.json myapp:latest
# Filter by license type
trivy image --scanners license --severity HIGH,CRITICAL myapp:latest
Review findings:
Apply custom security policies with OPA:
# Create Rego policy in assets/policy_template.rego
# Deny images with CRITICAL vulnerabilities or outdated packages
# Run scan with policy enforcement
trivy image --format json --output scan.json myapp:latest
trivy image --ignore-policy assets/policy_template.rego myapp:latest
aquasecurity/trivy-action with SARIF upload to Security tabSymptoms: Many vulnerabilities reported that don't apply to your use case
Solution:
.trivyignore file to suppress specific CVEs with justificationtrivy image --ignore-unfixed myapp:latest--severity CRITICAL,HIGHreferences/false_positives.md for common patternsSymptoms: Scans taking excessive time or high memory usage
Solution:
trivy image --cache-dir /path/to/cache myapp:latest--scanners vuln (exclude config, secret)--offline-scan--timeout 30m--removed-pkgs to exclude removed packagesSymptoms: Expected CVEs not detected in application dependencies
Solution:
references/scanner_types.md for language-specific requirementsSymptoms: Unable to scan private container images
Solution:
# Use Docker credential helper
docker login registry.example.com
trivy image registry.example.com/private/image:tag
# Or use environment variables
export TRIVY_USERNAME=user
export TRIVY_PASSWORD=pass
trivy image registry.example.com/private/image:tag
# Or use credential file
trivy image --username user --password pass registry.example.com/private/image:tag
Create trivy.yaml configuration file:
# trivy.yaml
vulnerability:
type: os,library
severity: CRITICAL,HIGH,MEDIUM
ignorefile: .trivyignore
ignore-unfixed: false
skip-files:
- "test/**"
- "**/node_modules/**"
cache:
dir: /tmp/trivy-cache
db:
repository: ghcr.io/aquasecurity/trivy-db:latest
output:
format: json
severity-sort: true
Use with: trivy image --config trivy.yaml myapp:latest
Create .trivyignore to suppress specific CVEs:
# .trivyignore
# False positive - patched in vendor fork
CVE-0000-12345
# Risk accepted by security team - JIRA-1234
CVE-0000-67890
# No fix available, compensating controls in place
CVE-0000-11111
For air-gapped environments:
# On internet-connected machine:
trivy image --download-db-only --cache-dir /path/to/db
# Transfer cache to air-gapped environment
# On air-gapped machine:
trivy image --skip-db-update --cache-dir /path/to/db --offline-scan myapp:latest