Execute use when you need to work with security and compliance.
This skill provides security scanning and vulnerability detection with comprehensive guidance and automation.
Trigger with phrases like "scan for vulnerabilities", "implement security controls",
or "audit security".
Scan container images and Dockerfiles for vulnerabilities, misconfigurations, and compliance violations using Trivy, Grype, Snyk Container, and Hadolint. Analyze base images, OS packages, application dependencies, and runtime configurations to produce actionable security reports with remediation guidance.
Prerequisites
Container scanning tool installed: trivy, grype, snyk, or docker scout
Dockerfile linter: hadolint for Dockerfile best practice validation
Docker daemon running for local image scanning
Access to the container images to scan (local, registry, or tar archive)
jq for parsing JSON scan results
Instructions
Identify target images for scanning: production images, base images, and CI-built images
Lint Dockerfiles with hadolint Dockerfile to catch misconfigurations before build (privileged instructions, pinned versions, shell best practices)
Scan built images for OS-level vulnerabilities: trivy image <image:tag> or grype <image:tag>
Scan for application dependency vulnerabilities: check language-specific packages (npm, pip, Maven, Go modules) embedded in the image
Check for secrets accidentally baked into image layers: trivy image --scanners secret <image:tag>
Evaluate image against CIS Docker Benchmark: verify non-root user, read-only filesystem capability, health checks defined
Generate a security report with severity classification (Critical, High, Medium, Low) and CVE identifiers
Produce remediation steps: upgrade base image, pin package versions, replace vulnerable dependencies
Integrate scanning into CI/CD pipeline: fail builds on Critical/High vulnerabilities, generate SARIF output for GitHub Security tab
Output
Vulnerability scan report in JSON, table, or SARIF format
Hadolint report with Dockerfile improvement recommendations
Remediation Dockerfile patches (updated base image, pinned package versions)
CI/CD pipeline step configuration for automated image scanning