Skill

implementing-aqua-security-for-container-scanning

Deploys Aqua Security's Trivy scanner to detect vulnerabilities, misconfigurations, secrets, SBOM, and licenses in container images, filesystems, repos, Kubernetes, and IaC via CI/CD.

Docker

Kubernetes

npx claudepluginhub killvxk/cybersecurity-skills-zh

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Aqua Security 提供 Trivy，这是全球最流行的开源通用安全扫描器，旨在发现容器、Kubernetes、代码仓库和云环境中的漏洞、配置错误、敏感信息、SBOM 数据和许可证问题。Trivy 涵盖操作系统软件包（Alpine、Debian、Ubuntu、RHEL 等）和特定语言的依赖项（npm、pip、Maven、Go modules、Cargo 等），漏洞数据库来源于 NVD、供应商公告和 GitHub Security Advisories。企业版 Aqua Platform 在 Trivy 基础上扩展了集中式策略管理、运行时保护和合规性报告功能。

Supporting Assets

LICENSEassets/template.mdreferences/api-reference.mdreferences/standards.mdreferences/workflows.mdscripts/agent.pyscripts/process.py

SKILL.md

Similar Skills

implementing-aqua-security-for-container-scanning

Deploys Aqua Security's Trivy scanner to detect vulnerabilities, misconfigurations, secrets, and license issues in container images across CI/CD pipelines and registries.

asi

implementing-aqua-security-for-container-scanning

5.9k

Deploys Trivy scanner to detect vulnerabilities, misconfigurations, secrets, SBOM, and licenses in container images, repos, and Kubernetes via CI/CD pipelines.

7 files

cybersecurity-skills

performing-container-security-scanning-with-trivy

Scans container images, filesystems, and Kubernetes manifests with Trivy for vulnerabilities, misconfigurations, secrets, and licenses. Generates SBOMs and integrates into CI/CD pipelines like GitHub Actions.

3 files

cybersecurity-skills-zh

Stats

Stars10

Forks1

Last CommitMar 17, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

为容器扫描实施 Aqua Security

概述

前置条件

已安装 Docker 用于本地镜像扫描
CI/CD 平台（GitHub Actions、GitLab CI、Jenkins 等）
容器镜像仓库访问权限（Docker Hub、ECR、GCR、ACR、Harbor）
Trivy CLI（trivy）或用于 Kubernetes 的 Trivy Operator
Aqua Platform 许可证用于企业功能（可选）

核心扫描能力

镜像漏洞扫描

Trivy 逐层扫描容器镜像，识别操作系统软件包和应用程序依赖项中的 CVE。支持扫描本地镜像、远程镜像仓库镜像和 tar 归档文件。

# 扫描远程镜像
trivy image python:3.11-slim

# 按严重性过滤扫描
trivy image --severity HIGH,CRITICAL nginx:latest

# 扫描并在发现严重 CVE 时使 CI 失败
trivy image --exit-code 1 --severity CRITICAL myapp:latest

# 以 CycloneDX 格式生成 SBOM
trivy image --format cyclonedx --output sbom.json myapp:latest

文件系统和仓库扫描

# 扫描项目目录中依赖项的漏洞
trivy fs --scanners vuln,secret,misconfig .

# 扫描特定锁定文件
trivy fs --scanners vuln package-lock.json

# 扫描 git 仓库
trivy repo https://github.com/org/project

使用 Trivy Operator 扫描 Kubernetes

Trivy Operator 在 Kubernetes 集群内运行，持续扫描工作负载：

# 通过 Helm 安装 Trivy Operator
helm repo add aqua https://aquasecurity.github.io/helm-charts/
helm repo update
helm install trivy-operator aqua/trivy-operator \
  --namespace trivy-system \
  --create-namespace \
  --set trivy.severity="HIGH,CRITICAL" \
  --set operator.scanJobTimeout="5m"

Operator 为每个工作负载创建 VulnerabilityReport 和 ConfigAuditReport 自定义资源。

IaC 配置错误扫描

# 扫描 Terraform 文件
trivy config --severity HIGH,CRITICAL ./terraform/

# 扫描 Dockerfile 的配置错误
trivy config Dockerfile

# 扫描 Kubernetes 清单
trivy config ./k8s-manifests/

CI/CD 集成

GitHub Actions

name: Container Security Scan
on:
  push:
    branches: [main]
  pull_request:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build Docker image
        run: docker build -t myapp:${{ github.sha }} .

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'myapp:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'

GitLab CI

container_scanning:
  stage: security
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  variables:
    FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
  script:
    - trivy image --exit-code 0 --format template --template "@/contrib/gitlab.tpl"
      --output gl-container-scanning-report.json $FULL_IMAGE_NAME
    - trivy image --exit-code 1 --severity CRITICAL $FULL_IMAGE_NAME
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json

Jenkins Pipeline

pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                sh 'docker build -t myapp:${BUILD_NUMBER} .'
            }
        }
        stage('Security Scan') {
            steps {
                sh '''
                    trivy image --exit-code 1 \
                      --severity HIGH,CRITICAL \
                      --format json \
                      --output trivy-report.json \
                      myapp:${BUILD_NUMBER}
                '''
            }
            post {
                always {
                    archiveArtifacts artifacts: 'trivy-report.json'
                }
            }
        }
    }
}

策略配置

使用 OPA/Rego 的 Trivy 策略

创建 .trivy/policy.rego 用于自定义策略执行：

package trivy

deny[msg] {
    input.Results[_].Vulnerabilities[_].Severity == "CRITICAL"
    msg := "Critical vulnerabilities found in image"
}

deny[msg] {
    input.Results[_].Vulnerabilities[vuln]
    vuln.FixedVersion != ""
    vuln.Severity == "HIGH"
    msg := sprintf("Fixable HIGH vulnerability: %s", [vuln.VulnerabilityID])
}

忽略文件配置

创建 .trivyignore 用于已接受的风险：

# Accepted risk: vulnerability in test dependency only
CVE-2023-12345

# Accepted until expiry date
CVE-2024-67890 exp:2025-06-01

SBOM 生成和管理

# 生成 CycloneDX SBOM
trivy image --format cyclonedx --output sbom-cyclonedx.json myapp:latest

# 生成 SPDX SBOM
trivy image --format spdx-json --output sbom-spdx.json myapp:latest

# 扫描现有 SBOM 中的新漏洞
trivy sbom sbom-cyclonedx.json

监控与报告

指标	描述	目标
每日扫描镜像数	通过扫描管道的镜像总数	所有生产镜像
严重 CVE 数量	所有镜像中未修复的严重漏洞	生产环境为 0
平均修复时间	从 CVE 发布到镜像修补的平均天数	< 7 天
SBOM 覆盖率	已生成 SBOM 的生产镜像百分比	100%
扫描时长	每次镜像扫描的平均时间	< 2 分钟

implementing-aqua-security-for-container-scanning

Tool Access

Preview

Supporting Assets

SKILL.md

Similar Skills

Help us improve

Help us improve

implementing-aqua-security-for-container-scanning

Tool Access

Preview

Supporting Assets

SKILL.md

为容器扫描实施 Aqua Security

概述

前置条件

核心扫描能力

镜像漏洞扫描

文件系统和仓库扫描

使用 Trivy Operator 扫描 Kubernetes

IaC 配置错误扫描

CI/CD 集成

GitHub Actions

GitLab CI

Jenkins Pipeline

策略配置

使用 OPA/Rego 的 Trivy 策略

忽略文件配置

SBOM 生成和管理

监控与报告

参考资料

Similar Skills

Help us improve

为容器扫描实施 Aqua Security

概述

前置条件

核心扫描能力

镜像漏洞扫描

文件系统和仓库扫描

使用 Trivy Operator 扫描 Kubernetes

IaC 配置错误扫描

CI/CD 集成

GitHub Actions

GitLab CI

Jenkins Pipeline

策略配置

使用 OPA/Rego 的 Trivy 策略

忽略文件配置

SBOM 生成和管理

监控与报告

参考资料