ABOUTME: Security vulnerability scanning skill using Trivy
ABOUTME: Enforces CRITICAL/HIGH blocking before commits
Trivy Security Scanning Skill
Quick Reference
| Scan Type | Command | When |
|-----------|---------|------|
| Dependencies | trivy fs . | package.json changes |
| Container | trivy image <name> | Dockerfile changes |
| IaC | trivy config . | Terraform changes |
When to Scan
| Trigger | Action |
|---------|--------|
| package.json changed | Scan filesystem |
| package-lock.json changed | Scan filesystem |
| Dockerfile modified | Scan config + image |
| *.tf files changed | Scan IaC config |
| Before commit with deps | MANDATORY scan |
Scan Commands
Filesystem Scan (Dependencies)
# Most common - scan Node.js dependencies
trivy fs \
--severity CRITICAL,HIGH \
--exit-code 1 \
--ignore-unfixed \
--format table \
.
Container Image Scan
# Build image first
docker build -t local-scan:latest .
# Scan the image
trivy image \
--severity CRITICAL,HIGH \
--exit-code 1 \
--ignore-unfixed \
local-scan:latest
IaC Configuration Scan
# Scan Terraform files
trivy config \
--severity CRITICAL,HIGH \
--exit-code 1 \
infra/terraform/
Severity Policy
| Severity | Action | Commit Allowed | |----------|--------|----------------| | CRITICAL | BLOCK - Fix immediately | NO | | HIGH | BLOCK - Fix or upgrade | NO | | MEDIUM | WARN - Plan remediation | YES | | LOW | INFO - Document | YES |
Remediation Strategies
Strategy 1: Upgrade Package
# Check which version fixes the CVE
npm audit
# Upgrade specific package
npm install package@latest
# Or use npm audit fix
npm audit fix
Strategy 2: Find Fixed Version
# Show fixed versions in JSON
trivy fs --severity CRITICAL,HIGH --format json . | \
jq '.Results[].Vulnerabilities[] | {pkg: .PkgName, installed: .InstalledVersion, fixed: .FixedVersion}'
Strategy 3: Override Transitive Dependency
// package.json
{
"overrides": {
"vulnerable-package": "^X.Y.Z"
}
}
Strategy 4: Exclude False Positive
Create .trivyignore:
# CVE-2023-XXXXX: Not exploitable - we don't use affected feature
CVE-2023-XXXXX
WARNING: Every exclusion MUST have documented justification.
Ecommerce-Specific Patterns
Backend Scan
cd apps/backend
trivy fs --severity CRITICAL,HIGH --exit-code 1 .
Frontend Scan
cd apps/frontend
trivy fs --severity CRITICAL,HIGH --exit-code 1 .
Docker Compose Scan
# Build all images
docker-compose -f docker-compose.full.yml build
# Scan each
trivy image ecommerce-demo-backend:latest
trivy image ecommerce-demo-frontend:latest
Terraform Scan
trivy config --severity CRITICAL,HIGH infra/terraform/
CI Integration
The project has Trivy in CI (.github/workflows/backend-ci.yml):
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: 'apps/backend'
format: 'json'
output: 'security/reports/trivy-backend-${{ github.sha }}.json'
Reports saved to security/reports/ for Claude CVE analysis.
CVE Analysis Workflow
When Trivy finds vulnerabilities:
-
Get the report
trivy fs --format json --output report.json . -
Ask Claude to analyze
Analyze report.json for contextual CVE prioritization. For each CVE: - Search codebase for usage of affected library - Evaluate if attack vector is exposed - Provide remediation priority -
Follow remediation plan
Checklist
Before committing with dependency changes:
- [ ] Trivy installed (
brew install trivy) - [ ] Ran
trivy fs --severity CRITICAL,HIGH --exit-code 1 . - [ ] No CRITICAL vulnerabilities
- [ ] No HIGH vulnerabilities (or documented exception)
- [ ] Any
.trivyignoreentries justified - [ ] Container images scanned (if Dockerfile changed)
- [ ] IaC scanned (if Terraform changed)
Troubleshooting
| Issue | Solution |
|-------|----------|
| trivy: command not found | brew install trivy |
| Slow scan | Use --skip-update after first run |
| False positive | Add to .trivyignore with justification |
| Transitive dependency | Use overrides in package.json |
| Old DB | Run trivy --download-db-only |