a5c-ai/container-security-scanner
library/specializations/security-compliance/skills/container-security-scanner/SKILL.md
Container image and Kubernetes security scanning for CVEs, misconfigurations, and compliance
$ install --global
skillsauthnpx skillsauth add a5c-ai/babysitter container-security-scannerInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 2, 2026, 2:00 PM56.5s2 files scanned
SKILL.md
- name:
- container-security-scanner
- description:
- Container image and Kubernetes security scanning for CVEs, misconfigurations, and compliance
Container Security Scanner Skill
Purpose
Automated container image and Kubernetes security scanning to identify vulnerabilities, misconfigurations, secrets, and compliance issues in containerized environments.
Capabilities
Image Vulnerability Scanning
- Scan container images for known CVEs using Trivy, Grype, or Anchore
- Detect vulnerabilities in OS packages and application dependencies
- Generate SBOM (Software Bill of Materials) in CycloneDX or SPDX format
- Track vulnerability severity (Critical, High, Medium, Low)
Dockerfile Security Analysis
- Check Dockerfile best practices and security issues
- Identify privileged container configurations
- Detect hardcoded secrets in Dockerfiles
- Verify base image security and freshness
Kubernetes Security Scanning
- Run Kubernetes CIS benchmark checks using kube-bench
- Analyze pod security policies and standards
- Check RBAC configurations for over-permissive access
- Detect insecure network policies
Secrets Detection
- Scan images for embedded secrets and credentials
- Identify API keys, tokens, and passwords in layers
- Check environment variable configurations
Image Signature Verification
- Verify container image signatures using cosign
- Validate image provenance and attestations
- Check image registry security configurations
Compliance Reporting
- Generate compliance reports (CIS, NIST, PCI-DSS)
- Map findings to compliance controls
- Track remediation status and timelines
Integrations
- Trivy: Comprehensive vulnerability scanner for containers
- Grype: Container image vulnerability scanner
- Syft: SBOM generation tool
- kube-bench: Kubernetes CIS benchmark checker
- Falco: Runtime security monitoring
- Anchore: Enterprise container security platform
- cosign: Container image signing and verification
Target Processes
- Container Security Scanning Process
- DevSecOps Pipeline Integration
- IaC Security Scanning
- Kubernetes Security Hardening
- Container Image Build Pipeline
Input Schema
{
"type": "object",
"properties": {
"imageName": {
"type": "string",
"description": "Container image name with tag"
},
"registry": {
"type": "string",
"description": "Container registry URL"
},
"dockerfilePath": {
"type": "string",
"description": "Path to Dockerfile for static analysis"
},
"kubeManifestPath": {
"type": "string",
"description": "Path to Kubernetes manifests"
},
"scanType": {
"type": "array",
"items": {
"type": "string",
"enum": ["vulnerability", "config", "secrets", "compliance", "sbom"]
}
},
"severityThreshold": {
"type": "string",
"enum": ["CRITICAL", "HIGH", "MEDIUM", "LOW"]
}
},
"required": ["imageName"]
}
Output Schema
{
"type": "object",
"properties": {
"scanId": {
"type": "string"
},
"imageName": {
"type": "string"
},
"scanTimestamp": {
"type": "string",
"format": "date-time"
},
"vulnerabilities": {
"type": "object",
"properties": {
"critical": { "type": "integer" },
"high": { "type": "integer" },
"medium": { "type": "integer" },
"low": { "type": "integer" },
"findings": {
"type": "array",
"items": {
"type": "object",
"properties": {
"cveId": { "type": "string" },
"severity": { "type": "string" },
"package": { "type": "string" },
"fixedVersion": { "type": "string" },
"description": { "type": "string" }
}
}
}
}
},
"misconfigurations": {
"type": "array"
},
"secrets": {
"type": "array"
},
"complianceStatus": {
"type": "object"
},
"recommendations": {
"type": "array",
"items": { "type": "string" }
}
}
}
Usage Example
skill: {
name: 'container-security-scanner',
context: {
imageName: 'myapp:v1.2.3',
registry: 'registry.example.com',
scanType: ['vulnerability', 'config', 'secrets'],
severityThreshold: 'HIGH'
}
}
Related Skills
a5c-ai/model-card-generator
development
VerifiedTrustedCommunity
Model documentation skill for generating model cards following Google's model card framework.
680SKILL.mdUpdated Apr 28, 2026
a5c-ai/mlflow-experiment-tracker
development
VerifiedTrustedCommunity
MLflow integration skill for experiment tracking, model registry, and artifact management. Enables LLMs to log experiments, compare runs, manage model lifecycle, and retrieve artifacts through the MLflow API.
680SKILL.mdUpdated Apr 28, 2026
a5c-ai/lime-explainer
data-ai
VerifiedTrustedCommunity
LIME-based local explanation skill for individual predictions across tabular, text, and image data.
680SKILL.mdUpdated Apr 28, 2026
a5c-ai/kubeflow-pipeline-executor
devops
VerifiedTrustedCommunity
Kubeflow Pipelines skill for ML workflow orchestration, component management, and Kubernetes-native ML.
680SKILL.mdUpdated Apr 28, 2026