Which SBOM format should I use?

This skill recommends CycloneDX for DevSecOps and vulnerability tracking due to its lightweight nature, while suggesting SPDX for legal, ISO-standard, or government compliance needs.

Does it work with specific CI/CD platforms?

The logic is platform-agnostic, but it provides specific implementation patterns and YAML examples for GitHub Actions, GitLab CI, and other popular automation tools.

What scanning tools does this skill support?

This skill provides guidance for industry-standard tools including Trivy, Grype, Semgrep, Gitleaks, Snyk, and OWASP ZAP across multiple security layers.

How does it help prioritize security fixes?

It implements a modern risk-based prioritization framework that combines CVSS scores with EPSS (exploitation probability) and CISA's KEV catalog to determine actual risk.

Can this skill help with SBOM compliance?

Yes, it includes detailed patterns for generating CycloneDX and SPDX format SBOMs to meet regulatory requirements like Executive Order 14028.

Vulnerability Management & DevSecOps

Name: Vulnerability Management & DevSecOps
Author: ancoleman

byancoleman

•

158

安全与测试

Implements multi-layer security scanning, SBOM generation, and risk-based vulnerability prioritization within CI/CD pipelines.

关于

This skill empowers Claude to design and implement comprehensive vulnerability management workflows across the entire software development lifecycle. It provides expert guidance on multi-layer scanning strategies—including SAST, DAST, SCA, and container security—while offering actionable frameworks for generating SBOMs and prioritizing remediation based on real-world risk metrics like CVSS, EPSS, and KEV. It is an essential tool for developers and DevOps engineers looking to automate security gates, ensure regulatory compliance, and establish robust DevSecOps practices in AI-assisted development environments.

主要功能

Multi-layer security scanning integration (SAST, DAST, SCA, Secrets)
Container image scanning and remediation workflows with Trivy and Grype
158 GitHub stars
SBOM generation and management using CycloneDX and SPDX standards
Automated CI/CD security gate implementation and policy-as-code
Risk-based prioritization framework using CVSS, EPSS, and KEV metrics

使用场景

Generating and auditing Software Bills of Materials (SBOMs) for regulatory compliance
Establishing an SLA-driven vulnerability remediation strategy for engineering teams
Automating security scanning and compliance gates in GitHub Actions or GitLab CI

关于

主要功能

Multi-layer security scanning integration (SAST, DAST, SCA, Secrets)
Container image scanning and remediation workflows with Trivy and Grype
158 GitHub stars
SBOM generation and management using CycloneDX and SPDX standards
Automated CI/CD security gate implementation and policy-as-code
Risk-based prioritization framework using CVSS, EPSS, and KEV metrics

使用场景

Generating and auditing Software Bills of Materials (SBOMs) for regulatory compliance
Establishing an SLA-driven vulnerability remediation strategy for engineering teams
Automating security scanning and compliance gates in GitHub Actions or GitLab CI