edercnj/x-security-container
java/src/main/resources/targets/claude/skills/conditional/security/x-security-container/SKILL.md
Scans Docker images for CVEs and Dockerfile best practices violations. Uses Trivy, Grype, or Snyk Container. Produces SARIF output with scoring.
testing
Updated Apr 21, 2026
$ install --global
skillsauthnpx skillsauth add edercnj/claude-environment x-security-containerInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 21, 2026, 8:46 AM53.8s2 files scanned
SKILL.md
- name:
- x-security-container
- description:
- Scans Docker images for CVEs and Dockerfile best practices violations. Uses Trivy, Grype, or Snyk Container. Produces SARIF output with scoring.
- user-invocable:
- true
- allowed-tools:
- Read, Write, Bash, Grep, Glob
- argument-hint:
- [--image name:tag] [--dockerfile path] [--severity-threshold CRITICAL|HIGH|MEDIUM|LOW] [--ignore-unfixed]
Global Output Policy
- Language: English ONLY.
- Tone: Technical, Direct, and Concise.
- Efficiency: Remove all conversational fillers and greetings to save tokens.
Skill: Container Security Scanner
Purpose
Scan Docker container images for known CVEs and analyze Dockerfiles for security best practices violations. Generate a combined SARIF 2.1.0 report with severity scoring and grade assignment.
Activation Condition
Include this skill when container security scanning is required for the project.
Triggers
/x-security-container --image myapp:1.0-- scan image for vulnerabilities/x-security-container --dockerfile ./Dockerfile-- lint Dockerfile for best practices/x-security-container --image myapp:1.0 --dockerfile ./Dockerfile-- combined scan/x-security-container --image myapp:1.0 --ignore-unfixed-- exclude CVEs without available fix
Parameters
| Parameter | Type | Required | Default | Description |
|-----------|------|----------|---------|-------------|
| --image | String | One of image/dockerfile required | (none) | Docker image name:tag to scan |
| --dockerfile | String | One of image/dockerfile required | ./Dockerfile | Path to Dockerfile to analyze |
| --severity-threshold | Enum | No | LOW | Minimum severity: CRITICAL, HIGH, MEDIUM, LOW |
| --ignore-unfixed | Boolean | No | false | Exclude CVEs without an available fix |
Workflow
Step 1 — Validate Parameters
- At least one of
--imageor--dockerfileMUST be provided - If
--imageis provided, validate name:tag format - If
--dockerfileis provided, validate file exists at path
Step 2 — Detect Scanning Tools
Check tool availability in order of preference:
| Priority | Tool | Image Scan | Dockerfile Lint | Detection Command |
|----------|------|------------|-----------------|-------------------|
| 1 | Trivy | Yes | Yes (config mode) | trivy --version |
| 2 | Grype | Yes | No | grype version |
| 3 | Snyk Container | Yes | No | snyk --version |
| 4 | hadolint | No | Yes | hadolint --version |
If no tools are available, produce a single INFO finding with installation instructions.
Step 3 — Image Vulnerability Scanning
Scan the Docker image for known CVEs in OS packages and application dependencies.
Trivy (Preferred)
trivy image --format json --severity CRITICAL,HIGH,MEDIUM,LOW {image}
Grype (Fallback)
grype {image} -o json
Snyk Container (Alternative)
snyk container test {image} --json
Step 4 — Dockerfile Linting
Analyze Dockerfile against 7 mandatory security checks:
| Check ID | Check Name | Severity | Fix Recommendation |
|----------|------------|----------|--------------------|
| DOCKER-001 | root-user | HIGH | Add USER <non-root-user> directive |
| DOCKER-002 | secrets-in-layers | CRITICAL | Use multi-stage build + .dockerignore |
| DOCKER-003 | latest-tag | MEDIUM | Specify exact image tag |
| DOCKER-004 | no-multi-stage | LOW | Use multi-stage build pattern |
| DOCKER-005 | unnecessary-packages | LOW | Add --no-install-recommends flag |
| DOCKER-006 | excessive-permissions | MEDIUM | Use restrictive permissions (755/644) |
| DOCKER-007 | missing-healthcheck | MEDIUM | Add HEALTHCHECK instruction |
Step 5 — Combine and Filter Findings
- Merge all findings from image scan and Dockerfile lint into a single collection
- Severity threshold: Exclude findings below the threshold
- Ignore unfixed: When
--ignore-unfixedis true, exclude CVE findings wherefixedVersionis empty
Step 6 — Generate SARIF Output
Produce SARIF 2.1.0 JSON combining all findings. Write to results/security/container-scan-YYYY-MM-DD.sarif.json.
Step 7 — Calculate Score and Grade
Start at 100, deduct per finding:
| Severity | Deduction | |----------|-----------| | CRITICAL | -25 | | HIGH | -15 | | MEDIUM | -5 | | LOW | -2 |
| Score Range | Grade | |-------------|-------| | 90-100 | A | | 80-89 | B | | 70-79 | C | | 60-69 | D | | 0-59 | F |
Step 8 — Generate Markdown Report
Write report to results/security/container-scan-YYYY-MM-DD.md.
Error Handling
| Scenario | Action |
|----------|--------|
| No scanning tools installed | Return INFO finding with installation instructions, score 100 |
| Image not found locally | Suggest docker pull {image} first |
| Dockerfile not found | Report error with provided path |
| Scanner command fails | Report error, continue with other scanners |
| Neither --image nor --dockerfile provided | Error: at least one parameter required |
| Network error during scan | Suggest offline mode or retry |
CI Integration
GitHub Actions
- name: Container Security Scan
run: |
trivy image --format sarif --output trivy-results.sarif $IMAGE
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: trivy-results.sarif
GitLab CI
container_scan:
stage: security
script:
- trivy image --format json --output gl-container-scanning-report.json $IMAGE
artifacts:
reports:
container_scanning: gl-container-scanning-report.json
Fail Conditions
| Condition | Action | |-----------|--------| | Any CRITICAL CVE found | Fail pipeline (exit 1) | | Dockerfile score < 70 | Fail pipeline (exit 1) | | HIGH CVE count > threshold | Configurable warning/fail |
Related Skills
edercnj/x-generate-docs
tools
VerifiedTrustedCommunity
Documentation automation v2: stack-aware generation from documentation.targets.
SKILL.mdUpdated May 17, 2026
edercnj/x-generate-ci
development
VerifiedTrustedCommunity
Generates or updates CI/CD pipelines per project stack with actionlint validation.
SKILL.mdUpdated May 17, 2026
edercnj/x-generate-adr
tools
VerifiedTrustedCommunity
Generates ADRs from architecture-plan mini-ADRs with sequential numbering and index update.
SKILL.mdUpdated May 17, 2026
edercnj/x-format-code
development
VerifiedTrustedCommunity
Formats source code; first step of the pre-commit chain (format -> lint -> compile).
SKILL.mdUpdated May 17, 2026