cuioss/ext-triage-oci
marketplace/bundles/pm-dev-oci/skills/ext-triage-oci/SKILL.md
Triage extension for OCI container findings during plan-finalize phase
$ install --global
skillsauthnpx skillsauth add cuioss/plan-marshall ext-triage-ociInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 10, 2026, 3:23 AM24.5s4 files scanned
SKILL.md
- name:
- ext-triage-oci
- description:
- Triage extension for OCI container findings during plan-finalize phase
- user-invocable:
- false
- implements:
- plan-marshall:extension-api/standards/ext-point-triage
OCI Container Triage Extension
Provides decision-making knowledge for triaging OCI container and Dockerfile findings during the finalize phase.
Purpose
This skill is a triage extension loaded by the plan-finalize workflow skill when processing OCI container-related findings. It provides domain-specific knowledge for deciding whether to fix, suppress, or accept findings.
Key Principle: This skill provides knowledge, not workflow control. The finalize skill owns the process.
When This Skill is Loaded
Loaded via resolve-workflow-skill-extension --domain oci-containers --type triage during finalize phase when:
- Hadolint reports Dockerfile violations
- Trivy or other scanners report image vulnerabilities
- Docker build failures occur
- Container runtime security issues are flagged
- PR review comments reference Dockerfile or container configuration
- PR review comment disposition is required (FIX, REPLY-AND-RESOLVE, or ESCALATE on bot review threads)
Standards
| Document | Purpose | |----------|---------| | suppression.md | Dockerfile and scanner suppression syntax (hadolint ignore, trivyignore) | | severity.md | OCI-specific severity guidelines and decision criteria | | pr-comment-disposition.md | PR review comment disposition (FIX / REPLY-AND-RESOLVE / ESCALATE) for OCI containers |
Extension Registration
Registered via the plan-marshall-plugin/extension.py in this bundle. The provides_triage() method returns pm-dev-oci:ext-triage-oci, which the plan-marshall workflow discovers at runtime for the oci-containers domain.
Quick Reference
Suppression Methods
| Finding Type | Syntax |
|--------------|--------|
| Hadolint rule | # hadolint ignore=DL3008 (inline) |
| Hadolint global | .hadolint.yaml with ignored list |
| Trivy CVE | .trivyignore file with CVE IDs |
| Trivy inline | # trivy:ignore:CVE-2024-XXXX |
| Docker Scout | .docker/scout-policy.yaml exceptions |
Decision Guidelines
| Severity | Default Action | |----------|----------------| | CRITICAL (CVE) | Fix (mandatory, update base image or dependency) | | HIGH (CVE) | Fix (mandatory for production images) | | DL3xxx error | Fix (Hadolint best practice violation) | | DL3xxx warning | Fix or suppress with justification | | DL3xxx info | Accept or fix opportunistically |
Acceptable to Accept
- Base image CVEs with no available patch (document and track)
- Hadolint style warnings in legacy Dockerfiles with migration plan
- Scanner false positives for vendored or patched dependencies
- Test-only images not deployed to production
Related Documents
pm-dev-oci:oci-standards- OCI container standardspm-dev-oci:oci-security- Container security best practices
Related Skills
cuioss/manage-change-ledger
development
VerifiedTrustedCommunity
The single append-only change-ledger — one worktree_sha-stamped substrate for kind=build and kind=change entries — plus the first-class worktree-sha freshness API
5SKILL.mdUpdated Jun 13, 2026
cuioss/ref-ascii-diagrams
development
VerifiedTrustedCommunity
Authoring standards for ASCII box diagrams in skill and doc source — box-drawing conventions, right-border alignment, and a deterministic check/fix validator over fenced/literal code blocks in .md and .adoc files
5SKILL.mdUpdated Jun 10, 2026
cuioss/recipe-verify-ascii-diagrams
testing
VerifiedTrustedCommunity
Recipe for verifying and fixing alignment of ASCII box diagrams across .md skill source and .adoc documentation, one deliverable per offending file
5SKILL.mdUpdated Jun 10, 2026
cuioss/manage-terminal-title
development
VerifiedTrustedCommunity
Pure platform-agnostic terminal-title composition consumed by platform-runtime via PYTHONPATH
5SKILL.mdUpdated Jun 10, 2026