How do I handle false positives or accepted risks?

You can use a .trivyignore.yaml file or VEX (Vulnerability Exploitability eXchange) statements to document and skip specific findings that are mitigated or not applicable.

Can Trivy scan my application source code directly?

Yes, while specialized for containers, Trivy can scan filesystems, git repositories, and language-specific dependencies for known CVEs and misconfigurations.

Does this skill provide configurations for GitHub Actions?

Yes, it includes detailed workflow templates for GitHub Actions, including SARIF report uploads to the GitHub Security tab for centralized visibility.

Can I use Trivy in air-gapped or offline environments?

Yes, the skill includes instructions for database caching and manual database updates to allow scanning in environments without direct internet access.

Trivy Container Security Scan

Name: Trivy Container Security Scan
Author: mukul975

bymukul975

•

4,120

•

安全与测试

Integrates Aqua Security's Trivy scanner into CI/CD pipelines to automate container vulnerability detection and enforce security quality gates.

This skill provides specialized guidance for implementing automated security scanning using Trivy within CI/CD workflows. It enables developers to detect OS package vulnerabilities, application dependency CVEs, and infrastructure-as-code misconfigurations in Dockerfiles and Kubernetes manifests. By establishing severity-based quality gates, it ensures that only secure container images reach production environments while providing detailed reporting, SBOM generation, and sophisticated false-positive management using VEX statements and ignore files.

主要功能

01Software Bill of Materials (SBOM) generation in CycloneDX and SPDX formats

024,120 GitHub stars

03Seamless integration patterns for GitHub Actions and GitLab CI/CD pipelines

04Automated container image vulnerability scanning for OS and application packages

05Configurable quality gates with exception handling and database caching for offline scanning

06Dockerfile and IaC misconfiguration detection with severity-based alerts

使用场景

01Preventing deployment of container images with critical or high vulnerabilities in production

02Identifying insecure Dockerfile practices and hardcoded secrets before the build stage

03Ensuring compliance with security standards through automated reporting and audit trails

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills scanning-containers-with-trivy-in-cicd

For use in Claude.ai and ChatGPT

主要功能

01Software Bill of Materials (SBOM) generation in CycloneDX and SPDX formats

024,120 GitHub stars

03Seamless integration patterns for GitHub Actions and GitLab CI/CD pipelines

04Automated container image vulnerability scanning for OS and application packages

05Configurable quality gates with exception handling and database caching for offline scanning

06Dockerfile and IaC misconfiguration detection with severity-based alerts

使用场景

01Preventing deployment of container images with critical or high vulnerabilities in production

02Identifying insecure Dockerfile practices and hardcoded secrets before the build stage

03Ensuring compliance with security standards through automated reporting and audit trails

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills scanning-containers-with-trivy-in-cicd

For use in Claude.ai and ChatGPT