How does Trivy integrate with CI/CD pipelines?

The skill includes pre-configured templates for GitHub Actions and GitLab CI, allowing you to automatically fail builds if critical vulnerabilities are detected.

Does this skill support scanning private container registries?

Yes, it includes guidance for authenticating with and scanning images from private registries including Docker Hub, Amazon ECR, Google GCR, and Azure CR.

How do I handle false positives in scan results?

The skill demonstrates how to use a .trivyignore file to document and skip specific CVEs that are either false positives or accepted risks.

Can I use this skill to generate an SBOM?

Yes, the skill provides specific commands and formats to generate Software Bill of Materials (SBOM) in industry-standard formats like CycloneDX and SPDX.

What types of issues can Trivy detect?

Trivy identifies vulnerabilities (CVEs), misconfigurations in Dockerfiles and Kubernetes manifests, hardcoded secrets, and license compliance issues.

Trivy Container Security Scanner

Name: Trivy Container Security Scanner
Author: micsapp

bymicsapp

0•

安全与测试

Scans Docker images for vulnerabilities, misconfigurations, and secrets using the Aqua Security Trivy engine.

This skill equips Claude with the expertise to perform comprehensive security audits on container images and Kubernetes manifests using Trivy. It provides structured guidance for detecting vulnerabilities in OS packages and language dependencies, identifying hardcoded secrets, and validating infrastructure-as-code configurations. Whether integrated into CI/CD pipelines or used for ad-hoc security assessments, this skill helps developers and security engineers maintain a robust security posture throughout the container lifecycle by providing actionable remediation steps and policy enforcement workflows.

主要功能

01Multi-layer vulnerability scanning for OS and language-specific packages

02CI/CD integration workflows for GitHub Actions and GitLab CI

03Generation of Software Bill of Materials (SBOM) in CycloneDX and SPDX formats

040 GitHub stars

05Automated detection of hardcoded secrets, API keys, and sensitive tokens

06Static analysis of Dockerfiles and Kubernetes manifests for misconfigurations

使用场景

01Automating security gates in CI/CD pipelines to prevent vulnerable production deployments

02Conducting deep-dive security audits of existing containerized environments

03Ensuring software supply chain compliance through license scanning and SBOM generation

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills scanning-docker-images-with-trivy

For use in Claude.ai and ChatGPT

主要功能

01Multi-layer vulnerability scanning for OS and language-specific packages

02CI/CD integration workflows for GitHub Actions and GitLab CI

03Generation of Software Bill of Materials (SBOM) in CycloneDX and SPDX formats

040 GitHub stars

05Automated detection of hardcoded secrets, API keys, and sensitive tokens

06Static analysis of Dockerfiles and Kubernetes manifests for misconfigurations

使用场景

01Automating security gates in CI/CD pipelines to prevent vulnerable production deployments

02Conducting deep-dive security audits of existing containerized environments

03Ensuring software supply chain compliance through license scanning and SBOM generation

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills scanning-docker-images-with-trivy

For use in Claude.ai and ChatGPT