Skill

vulnerability-scanning

Automates vulnerability scanning for dependencies, code, and containers using Trivy, Snyk, npm audit, Bandit. For CI/CD security gates, pre-deployment audits, CVE detection, outdated packages, license compliance, SBOM generation.

Docker

Node

Install

npx claudepluginhub secondsky/claude-skills --plugin vulnerability-scanning

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Automate security vulnerability detection across code, dependencies, and containers.

SKILL.md

Similar Skills

using-git-worktrees

Creates isolated Git worktrees for feature branches with prioritized directory selection, gitignore safety checks, auto project setup for Node/Python/Rust/Go, and baseline verification.

superpowers

168.3k

subagent-driven-development

3 files

Executes implementation plans in current session by dispatching fresh subagents per independent task, with two-stage reviews: spec compliance then code quality.

superpowers

168.3k

dispatching-parallel-agents

Dispatches parallel agents to independently tackle 2+ tasks like separate test failures or subsystems without shared state or dependencies.

superpowers

168.3k

Stats

Parent Repo Stars99

Parent Repo Forks12

Last CommitApr 2, 2026

Actions

View Source View Plugin View on GitHub View README

Vulnerability Scanning

Automate security vulnerability detection across code, dependencies, and containers.

Dependency Scanning

# npm audit
npm audit --audit-level=high

# Snyk
snyk test --severity-threshold=high

# Safety (Python)
safety check --full-report

Container Scanning (Trivy)

# Scan container image
trivy image myapp:latest --severity HIGH,CRITICAL

# Scan filesystem
trivy fs --scanners vuln,secret .

GitHub Actions Integration

name: Security Scan

on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'

      - name: Run Snyk
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

      - name: npm audit
        run: npm audit --audit-level=high

Code Analysis (Bandit for Python)

bandit -r src/ -ll -ii

Node.js Scanner

const { execSync } = require('child_process');

function runSecurityScan() {
  const results = {
    npm: JSON.parse(execSync('npm audit --json').toString()),
    trivy: JSON.parse(execSync('trivy fs --format json .').toString())
  };

  const critical = results.npm.metadata?.vulnerabilities?.critical || 0;
  if (critical > 0) {
    console.error(`Found ${critical} critical vulnerabilities`);
    process.exit(1);
  }
}

Best Practices

Integrate scanning in CI/CD pipeline
Fail builds on high/critical findings
Scan dependencies and containers
Track vulnerabilities over time
Document accepted false positives

Tools

Trivy (containers, filesystem)
Snyk (dependencies, code)
npm audit / yarn audit
Bandit (Python)
OWASP Dependency-Check