aiskillstore/sca-trivy
skills/agentsecops/sca-trivy/SKILL.md
Software Composition Analysis (SCA) and container vulnerability scanning using Aqua Trivy for identifying CVE vulnerabilities in dependencies, container images, IaC misconfigurations, and license compliance risks. Use when: (1) Scanning container images and filesystems for vulnerabilities and misconfigurations, (2) Analyzing dependencies for known CVEs across multiple languages (Go, Python, Node.js, Java, etc.), (3) Detecting IaC security issues in Terraform, Kubernetes, Dockerfile, (4) Integrating vulnerability scanning into CI/CD pipelines with SARIF output, (5) Generating Software Bill of Materials (SBOM) in CycloneDX or SPDX format, (6) Prioritizing remediation by CVSS score and exploitability.
$ install --global
skillsauthnpx skillsauth add aiskillstore/marketplace sca-trivyInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 28, 2026, 5:14 PM36.4s2 files scanned
SKILL.md
- name:
- sca-trivy
- description:
- >
- and license compliance risks. Use when:
- (1) Scanning container images and filesystems for
- version:
- 0.1.0
- maintainer:
- SirAppSec
- category:
- devsecops
- tags:
- [sca, trivy, container-security, vulnerability-scanning, sbom, iac-security, dependency-scanning, cvss]
- frameworks:
- [OWASP, CWE, NIST, PCI-DSS, SOC2]
- tools:
- [trivy, docker]
- - https:
- //www.cisa.gov/sbom
Software Composition Analysis with Trivy
Overview
Trivy is a comprehensive security scanner for containers, filesystems, and git repositories. It detects vulnerabilities (CVEs) in OS packages and application dependencies, IaC misconfigurations, exposed secrets, and software licenses. This skill provides workflows for vulnerability scanning, SBOM generation, CI/CD integration, and remediation prioritization aligned with CVSS and OWASP standards.
Quick Start
Scan a container image for vulnerabilities:
# Install Trivy
brew install trivy # macOS
# or: apt-get install trivy # Debian/Ubuntu
# or: docker pull aquasec/trivy:latest
# Scan container image
trivy image nginx:latest
# Scan local filesystem for dependencies
trivy fs .
# Scan IaC files for misconfigurations
trivy config .
# Generate SBOM
trivy image --format cyclonedx --output sbom.json nginx:latest
Core Workflows
Workflow 1: Container Image Security Assessment
Progress:
[ ] 1. Identify target container image (repository:tag)
[ ] 2. Run comprehensive Trivy scan with trivy image <image-name>
[ ] 3. Analyze vulnerability findings by severity (CRITICAL, HIGH, MEDIUM, LOW)
[ ] 4. Map CVE findings to CWE categories and OWASP references
[ ] 5. Check for available patches and updated base images
[ ] 6. Generate prioritized remediation report with upgrade recommendations
Work through each step systematically. Check off completed items.
Workflow 2: Dependency Vulnerability Scanning
Scan project dependencies for known vulnerabilities:
# Scan filesystem for all dependencies
trivy fs --severity CRITICAL,HIGH .
# Scan specific package manifest
trivy fs --scanners vuln package-lock.json
# Generate JSON report for analysis
trivy fs --format json --output trivy-report.json .
# Generate SARIF for GitHub/GitLab integration
trivy fs --format sarif --output trivy.sarif .
For each vulnerability:
- Review CVE details and CVSS score
- Check if fixed version is available
- Consult
references/remediation_guide.mdfor language-specific guidance - Update dependency to patched version
- Re-scan to validate fix
Workflow 3: Infrastructure as Code Security
Detect misconfigurations in IaC files:
# Scan Terraform configurations
trivy config ./terraform --severity CRITICAL,HIGH
# Scan Kubernetes manifests
trivy config ./k8s --severity CRITICAL,HIGH
# Scan Dockerfile best practices
trivy config --file-patterns dockerfile:Dockerfile .
# Generate report with remediation guidance
trivy config --format json --output iac-findings.json .
Review findings by category:
- Security: Authentication, authorization, encryption
- Compliance: CIS benchmarks, security standards
- Best Practices: Resource limits, immutability, least privilege
Workflow 4: CI/CD Pipeline Integration
GitHub Actions
name: Trivy Security Scan
on: [push, pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload results to GitHub Security
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
GitLab CI
trivy-scan:
stage: test
image: aquasec/trivy:latest
script:
- trivy fs --exit-code 1 --severity CRITICAL,HIGH --format json --output trivy-report.json .
artifacts:
reports:
dependency_scanning: trivy-report.json
when: always
allow_failure: false
Use bundled templates from assets/ci_integration/ for additional platforms.
Workflow 5: SBOM Generation
Generate Software Bill of Materials for supply chain transparency:
# Generate CycloneDX SBOM
trivy image --format cyclonedx --output sbom-cyclonedx.json nginx:latest
# Generate SPDX SBOM
trivy image --format spdx-json --output sbom-spdx.json nginx:latest
# SBOM for filesystem/project
trivy fs --format cyclonedx --output project-sbom.json .
SBOM use cases:
- Vulnerability tracking: Monitor dependencies for new CVEs
- License compliance: Identify license obligations and risks
- Supply chain security: Verify component provenance
- Regulatory compliance: Meet CISA SBOM requirements
Security Considerations
Sensitive Data Handling
- Registry credentials: Use environment variables or credential helpers, never hardcode
- Scan reports: Contain vulnerability details and package versions - treat as sensitive
- SBOM files: May reveal internal architecture - control access appropriately
- Secret scanning: Enable with
--scanners secretto detect exposed credentials in images
Access Control
- Container registry access: Requires pull permissions for image scanning
- Filesystem access: Read permissions for dependency manifests and IaC files
- CI/CD integration: Secure API tokens and registry credentials in secrets management
- Report storage: Restrict access to vulnerability reports and SBOM artifacts
Audit Logging
Log the following for compliance and incident response:
- Scan execution timestamps and scope (image, filesystem, repository)
- Vulnerability counts by severity level
- Policy violations and blocking decisions
- SBOM generation and distribution events
- Remediation actions and version updates
Compliance Requirements
- PCI-DSS 6.2: Ensure system components protected from known vulnerabilities
- SOC2 CC7.1: Detect and act upon changes that could affect security
- NIST 800-53 SI-2: Flaw remediation and vulnerability scanning
- CIS Benchmarks: Container and Kubernetes security hardening
- OWASP Top 10 A06: Vulnerable and Outdated Components
- CWE-1104: Use of Unmaintained Third-Party Components
Bundled Resources
Scripts (scripts/)
trivy_scan.py- Comprehensive scanning with JSON/SARIF output and severity filteringsbom_generator.py- SBOM generation with CycloneDX and SPDX format supportvulnerability_report.py- Parse Trivy output and generate remediation reports with CVSS scoresbaseline_manager.py- Baseline creation for tracking new vulnerabilities only
References (references/)
scanner_types.md- Detailed guide for vulnerability, misconfiguration, secret, and license scanningremediation_guide.md- Language and ecosystem-specific remediation strategiescvss_prioritization.md- CVSS score interpretation and vulnerability prioritization frameworkiac_checks.md- Complete list of IaC security checks with CIS benchmark mappings
Assets (assets/)
trivy.yaml- Custom Trivy configuration with security policies and ignore rulesci_integration/github-actions.yml- Complete GitHub Actions workflow with security gatesci_integration/gitlab-ci.yml- Complete GitLab CI pipeline with dependency scanningci_integration/jenkins.groovy- Jenkins pipeline with Trivy integrationpolicy_template.rego- OPA policy template for custom vulnerability policies
Common Patterns
Pattern 1: Multi-Stage Security Scanning
Comprehensive security assessment combining multiple scan types:
# 1. Scan container image for vulnerabilities
trivy image --severity CRITICAL,HIGH myapp:latest
# 2. Scan IaC for misconfigurations
trivy config ./infrastructure --severity CRITICAL,HIGH
# 3. Scan filesystem for dependency vulnerabilities
trivy fs --severity CRITICAL,HIGH ./app
# 4. Scan for exposed secrets
trivy fs --scanners secret ./app
# 5. Generate comprehensive SBOM
trivy image --format cyclonedx --output sbom.json myapp:latest
Pattern 2: Baseline Vulnerability Tracking
Implement baseline scanning to track only new vulnerabilities:
# Initial scan - create baseline
trivy image --format json --output baseline.json nginx:latest
# Subsequent scans - detect new vulnerabilities
trivy image --format json --output current.json nginx:latest
./scripts/baseline_manager.py --baseline baseline.json --current current.json
Pattern 3: License Compliance Scanning
Detect license compliance risks:
# Scan for license information
trivy image --scanners license --format json --output licenses.json myapp:latest
# Filter by license type
trivy image --scanners license --severity HIGH,CRITICAL myapp:latest
Review findings:
- High Risk: GPL, AGPL (strong copyleft)
- Medium Risk: LGPL, MPL (weak copyleft)
- Low Risk: Apache, MIT, BSD (permissive)
Pattern 4: Custom Policy Enforcement
Apply custom security policies with OPA:
# Create Rego policy in assets/policy_template.rego
# Deny images with CRITICAL vulnerabilities or outdated packages
# Run scan with policy enforcement
trivy image --format json --output scan.json myapp:latest
trivy image --ignore-policy assets/policy_template.rego myapp:latest
Integration Points
CI/CD Integration
- GitHub Actions: Native
aquasecurity/trivy-actionwith SARIF upload to Security tab - GitLab CI: Dependency scanning report format for Security Dashboard
- Jenkins: Docker-based scanning with JUnit XML report generation
- CircleCI: Docker executor with artifact storage
- Azure Pipelines: Task-based integration with results publishing
Container Platforms
- Docker: Image scanning before push to registry
- Kubernetes: Admission controllers with trivy-operator for runtime scanning
- Harbor: Built-in Trivy integration for registry scanning
- AWS ECR: Scan images on push with enhanced scanning
- Google Artifact Registry: Vulnerability scanning integration
Security Tools Ecosystem
- SIEM Integration: Export JSON findings to Splunk, ELK, or Datadog
- Vulnerability Management: Import SARIF/JSON into Snyk, Qualys, or Rapid7
- SBOM Tools: CycloneDX and SPDX compatibility with dependency-track and GUAC
- Policy Enforcement: OPA/Rego integration for custom policy as code
Troubleshooting
Issue: High False Positive Rate
Symptoms: Many vulnerabilities reported that don't apply to your use case
Solution:
- Use
.trivyignorefile to suppress specific CVEs with justification - Filter by exploitability:
trivy image --ignore-unfixed myapp:latest - Apply severity filtering:
--severity CRITICAL,HIGH - Review vendor-specific security advisories for false positive validation
- See
references/false_positives.mdfor common patterns
Issue: Performance Issues on Large Images
Symptoms: Scans taking excessive time or high memory usage
Solution:
- Use cached DB:
trivy image --cache-dir /path/to/cache myapp:latest - Skip unnecessary scanners:
--scanners vuln(exclude config, secret) - Use offline mode after initial DB download:
--offline-scan - Increase timeout:
--timeout 30m - Scan specific layers:
--removed-pkgsto exclude removed packages
Issue: Missing Vulnerabilities for Specific Languages
Symptoms: Expected CVEs not detected in application dependencies
Solution:
- Verify language support: Check supported languages and file patterns
- Ensure dependency manifests are present (package.json, go.mod, requirements.txt)
- Include lock files for accurate version detection
- For compiled binaries, scan source code separately
- Consult
references/scanner_types.mdfor language-specific requirements
Issue: Registry Authentication Failures
Symptoms: Unable to scan private container images
Solution:
# Use Docker credential helper
docker login registry.example.com
trivy image registry.example.com/private/image:tag
# Or use environment variables
export TRIVY_USERNAME=user
export TRIVY_PASSWORD=pass
trivy image registry.example.com/private/image:tag
# Or use credential file
trivy image --username user --password pass registry.example.com/private/image:tag
Advanced Configuration
Custom Trivy Configuration
Create trivy.yaml configuration file:
# trivy.yaml
vulnerability:
type: os,library
severity: CRITICAL,HIGH,MEDIUM
ignorefile: .trivyignore
ignore-unfixed: false
skip-files:
- "test/**"
- "**/node_modules/**"
cache:
dir: /tmp/trivy-cache
db:
repository: ghcr.io/aquasecurity/trivy-db:latest
output:
format: json
severity-sort: true
Use with: trivy image --config trivy.yaml myapp:latest
Trivy Ignore File
Create .trivyignore to suppress specific CVEs:
# .trivyignore
# False positive - patched in vendor fork
CVE-0000-12345
# Risk accepted by security team - JIRA-1234
CVE-0000-67890
# No fix available, compensating controls in place
CVE-0000-11111
Offline Air-Gapped Scanning
For air-gapped environments:
# On internet-connected machine:
trivy image --download-db-only --cache-dir /path/to/db
# Transfer cache to air-gapped environment
# On air-gapped machine:
trivy image --skip-db-update --cache-dir /path/to/db --offline-scan myapp:latest
References
- Trivy Official Documentation
- OWASP Dependency Check
- NVD - National Vulnerability Database
- CISA SBOM Guidelines
- CWE-1104: Use of Unmaintained Third-Party Components
- OWASP Top 10 - Vulnerable and Outdated Components
Related Skills
aiskillstore/hig-components-content
development
VerifiedTrustedCommunity
Apple Human Interface Guidelines for content display components. Use this skill when the user asks about charts component, collection view, image view, web view, color well, image well, activity view, lockup, data visualization, content display, displaying images, rendering web content, color pickers, or presenting collections of items in Apple apps. Also use when the user says how should I display charts, what's the best way to show images, should I use a web view, how do I build a grid of items, what component shows media, or how do I present a share sheet. Cross-references: hig-foundations for color/typography/accessibility, hig-patterns for data visualization patterns, hig-components-layout for structural containers, hig-platforms for platform-specific component behavior.
244SKILL.mdUpdated Apr 10, 2026
aiskillstore/helpdesk-automation
tools
VerifiedTrustedCommunity
Automate HelpDesk tasks via Rube MCP (Composio): list tickets, manage views, use canned responses, and configure custom fields. Always search tools first for current schemas.
244SKILL.mdUpdated Apr 10, 2026
aiskillstore/haskell-pro
testing
VerifiedTrustedCommunity
Expert Haskell engineer specializing in advanced type systems, pure functional design, and high-reliability software. Use PROACTIVELY for type-level programming, concurrency, and architecture guidance.
244SKILL.mdUpdated Apr 10, 2026
aiskillstore/graphql
tools
VerifiedTrustedCommunity
GraphQL gives clients exactly the data they need - no more, no less. One endpoint, typed schema, introspection. But the flexibility that makes it powerful also makes it dangerous. Without proper controls, clients can craft queries that bring down your server. This skill covers schema design, resolvers, DataLoader for N+1 prevention, federation for microservices, and client integration with Apollo/urql. Key insight: GraphQL is a contract. The schema is the API documentation. Design it carefully.
244SKILL.mdUpdated Apr 10, 2026