Agent Skills: Vulnerability Scanning

Automated security scanning for dependencies, code, containers with Trivy, Snyk, npm audit. Use for CI/CD security gates, pre-deployment audits, compliance requirements, or encountering CVE detection, outdated packages, license compliance, SBOM generation errors.

UncategorizedID: secondsky/claude-skills/vulnerability-scanning

Install this agent skill to your local

pnpm dlx add-skill https://github.com/secondsky/claude-skills/tree/HEAD/plugins/vulnerability-scanning/skills/vulnerability-scanning

Skill Files

Browse the full folder contents for vulnerability-scanning.

Download Skill

Loading file tree…

plugins/vulnerability-scanning/skills/vulnerability-scanning/SKILL.md

Skill Metadata

Name
vulnerability-scanning
Description
Automated security scanning for dependencies, code, containers with Trivy, Snyk, npm audit. Use for CI/CD security gates, pre-deployment audits, compliance requirements, or encountering CVE detection, outdated packages, license compliance, SBOM generation errors.

Vulnerability Scanning

Automate security vulnerability detection across code, dependencies, and containers.

Dependency Scanning

# npm audit
npm audit --audit-level=high

# Snyk
snyk test --severity-threshold=high

# Safety (Python)
safety check --full-report

Container Scanning (Trivy)

# Scan container image
trivy image myapp:latest --severity HIGH,CRITICAL

# Scan filesystem
trivy fs --scanners vuln,secret .

GitHub Actions Integration

name: Security Scan

on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'

      - name: Run Snyk
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

      - name: npm audit
        run: npm audit --audit-level=high

Code Analysis (Bandit for Python)

bandit -r src/ -ll -ii

Node.js Scanner

const { execSync } = require('child_process');

function runScan(command) {
  try {
    return JSON.parse(execSync(command, { stdio: ['pipe', 'pipe', 'ignore'] }).toString());
  } catch (err) {
    // A tool may be missing, exit non-zero, or print non-JSON output (e.g.
    // trivy progress text when not on a TTY). Treat that as "no parseable
    // result" rather than crashing the scanner.
    console.warn(`Scan command failed or returned non-JSON: ${command}`);
    return null;
  }
}

function runSecurityScan() {
  const results = {
    npm: runScan('npm audit --json'),
    trivy: runScan('trivy fs --quiet --format json .')
  };

  if (!results.npm || !results.npm.metadata) {
    console.warn('npm audit produced no metadata; skipping npm checks');
  } else {
    const critical = results.npm.metadata?.vulnerabilities?.critical || 0;
    if (critical > 0) {
      console.error(`Found ${critical} critical vulnerabilities`);
      process.exit(1);
    }
  }
}

Best Practices

  • Integrate scanning in CI/CD pipeline
  • Fail builds on high/critical findings
  • Scan dependencies and containers
  • Track vulnerabilities over time
  • Document accepted false positives

Tools

  • Trivy (containers, filesystem)
  • Snyk (dependencies, code)
  • npm audit / yarn audit
  • Bandit (Python)
  • OWASP Dependency-Check