authegg/ci-security-pipeline
skills/ci-security-pipeline/SKILL.md
Generate and enforce security scanning stages in CI/CD pipelines. Use when creating or editing GitHub Actions workflows, GitLab CI, CircleCI, Jenkins, or any CI pipeline that builds Docker images or deploys containers. Covers Dockerfile linting with Hadolint, CVE scanning with Trivy, secret detection, SBOM generation, image signing, and deployment gates. Activates on keywords like "CI pipeline", "GitHub Actions", "security scanning", "Trivy", "Hadolint", "SBOM", or "deploy gate".
$ install --global
skillsauthnpx skillsauth add authegg/agent-skills ci-security-pipelineInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 3, 2026, 11:51 AM13.5s3 files scanned
SKILL.md
- name:
- ci-security-pipeline
- description:
- Generate and enforce security scanning stages in CI/CD pipelines. Use when creating or editing GitHub Actions workflows, GitLab CI, CircleCI, Jenkins, or any CI pipeline that builds Docker images or deploys containers. Covers Dockerfile linting with Hadolint, CVE scanning with Trivy, secret detection, SBOM generation, image signing, and deployment gates. Activates on keywords like "CI pipeline", "GitHub Actions", "security scanning", "Trivy", "Hadolint", "SBOM", or "deploy gate".
- allowed-tools:
- Read, Grep, Glob, Bash, Edit, Write
CI Security Pipeline
Generate CI/CD pipeline configurations with built-in security scanning stages. Supports GitHub Actions, GitLab CI, and generic pipeline patterns.
When to Use
- Creating new CI/CD pipelines for Docker-based projects
- Adding security scanning to existing pipelines
- Setting up deployment gates that block insecure images
- Generating SBOM and image signing workflows
- When the user mentions "CI security", "pipeline scanning", "deploy gate", or any CI system name
Required Pipeline Stages
Every container CI pipeline MUST include these stages in order:
Stage 1: Dockerfile Lint
Catch misconfigurations before building. Use Hadolint.
# GitHub Actions
- name: Lint Dockerfile
uses: hadolint/[email protected]
with:
dockerfile: Dockerfile
failure-threshold: warning
# Generic
hadolint Dockerfile
hadolint --failure-threshold warning Dockerfile
Stage 2: Build Image
Use BuildKit. Never cache from untrusted sources.
- name: Build
run: |
DOCKER_BUILDKIT=1 docker build \
--no-cache \
--tag $IMAGE:$SHA \
.
Stage 3: Vulnerability Scan
Scan the built image for CVEs. Fail on CRITICAL and HIGH.
# GitHub Actions — Trivy
- name: Scan for vulnerabilities
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.IMAGE }}
exit-code: '1'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
# Generic
trivy image --severity HIGH,CRITICAL --exit-code 1 $IMAGE
Stage 4: Config and Secret Scan
Check for misconfigurations and leaked secrets in the repo.
- name: Config scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'config'
scan-ref: '.'
exit-code: '1'
severity: 'CRITICAL,HIGH'
- name: Secret scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
scanners: 'secret'
exit-code: '1'
Stage 5: SBOM Generation
Generate and archive a Software Bill of Materials.
- name: Generate SBOM
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.IMAGE }}
format: 'cyclonedx'
output: 'sbom.json'
- name: Archive SBOM
uses: actions/upload-artifact@v4
with:
name: sbom
path: sbom.json
retention-days: 90
Stage 6: Security Gate
All checks must pass before deployment is allowed.
security-gate:
needs: [lint, scan, sbom]
runs-on: ubuntu-latest
steps:
- run: echo "All security checks passed. Image approved."
Complete GitHub Actions Template
See references/github-actions-template.md for the full ready-to-use workflow file.
Complete GitLab CI Template
See references/gitlab-ci-template.md for the .gitlab-ci.yml version.
Environment Variables
Always set in production CI:
DOCKER_CONTENT_TRUST=1 # Only pull signed images
DOCKER_BUILDKIT=1 # Enable BuildKit features
TRIVY_SEVERITY=CRITICAL,HIGH # Scan threshold
Tool Installation
If not using pre-built actions:
# Trivy
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
# Hadolint
wget -O /usr/local/bin/hadolint https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64
chmod +x /usr/local/bin/hadolint
# Syft (SBOM)
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
# Cosign (Image Signing)
go install github.com/sigstore/cosign/v2/cmd/cosign@latest
Related Skills
authegg/secrets-management
development
VerifiedTrustedCommunity
Enforce secrets management best practices for containers and cloud-native applications. Use when configuring environment variables, Docker secrets, Kubernetes secrets, Vault integration, AWS SSM/Secrets Manager, or any credential handling in Dockerfiles, compose files, Kubernetes manifests, or CI pipelines. Activates on keywords like "secrets", "credentials", "API key", "password", "environment variables", ".env file", "Vault", "sealed secrets", or "secret manager".
3SKILL.mdUpdated Apr 3, 2026
authegg/kubernetes-pod-security
testing
VerifiedTrustedCommunity
Enforce Kubernetes pod and workload security best practices. Use when creating or editing Kubernetes manifests, Helm charts, or Kustomize overlays involving pods, deployments, statefulsets, daemonsets, jobs, or cronjobs. Covers Pod Security Standards (Restricted), SecurityContext hardening, RBAC least privilege, network policies, resource quotas, and admission control. Activates on keywords like "pod security", "K8s manifest", "deployment.yaml", "Helm chart", "securityContext", or "RBAC".
3SKILL.mdUpdated Apr 3, 2026
authegg/docker-security-hardening
development
VerifiedTrustedCommunity
Enforce Docker container security best practices during development. Use when creating or editing Dockerfiles, docker-compose files, Kubernetes manifests, or CI/CD pipelines involving containers. Covers non-root users, slim base images, multi-stage builds, CVE scanning with Trivy, secrets management, capability dropping, network isolation, SBOM generation, and production readiness gates. Activates on keywords like "Dockerfile", "docker-compose", "container security", "image hardening", "Docker deploy", or "production readiness".
3SKILL.mdUpdated Apr 3, 2026
openclaw/openclaw-secret-scanning-maintainer
development
VerifiedTrustedCommunity
Maintainer-only workflow for handling GitHub Secret Scanning alerts on OpenClaw. Use when Codex needs to triage, redact, clean up, and resolve secret leakage found in issue comments, issue bodies, PR comments, or other GitHub content.
357,764SKILL.mdUpdated Apr 15, 2026