Vulnerability Scanning
Automate security vulnerability detection across code, dependencies, and containers.
Dependency Scanning
# npm audit
npm audit --audit-level=high
# Snyk
snyk test --severity-threshold=high
# Safety (Python)
safety check --full-report
Container Scanning (Trivy)
# Scan container image
trivy image myapp:latest --severity HIGH,CRITICAL
# Scan filesystem
trivy fs --scanners vuln,secret .
GitHub Actions Integration
name: Security Scan
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
severity: 'CRITICAL,HIGH'
exit-code: '1'
- name: Run Snyk
uses: snyk/actions/node@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --severity-threshold=high
- name: npm audit
run: npm audit --audit-level=high
Code Analysis (Bandit for Python)
bandit -r src/ -ll -ii
Node.js Scanner
const { execSync } = require('child_process');
function runScan(command) {
try {
return JSON.parse(execSync(command, { stdio: ['pipe', 'pipe', 'ignore'] }).toString());
} catch (err) {
// A tool may be missing, exit non-zero, or print non-JSON output (e.g.
// trivy progress text when not on a TTY). Treat that as "no parseable
// result" rather than crashing the scanner.
console.warn(`Scan command failed or returned non-JSON: ${command}`);
return null;
}
}
function runSecurityScan() {
const results = {
npm: runScan('npm audit --json'),
trivy: runScan('trivy fs --quiet --format json .')
};
if (!results.npm || !results.npm.metadata) {
console.warn('npm audit produced no metadata; skipping npm checks');
} else {
const critical = results.npm.metadata?.vulnerabilities?.critical || 0;
if (critical > 0) {
console.error(`Found ${critical} critical vulnerabilities`);
process.exit(1);
}
}
}
Best Practices
- Integrate scanning in CI/CD pipeline
- Fail builds on high/critical findings
- Scan dependencies and containers
- Track vulnerabilities over time
- Document accepted false positives
Tools
- Trivy (containers, filesystem)
- Snyk (dependencies, code)
- npm audit / yarn audit
- Bandit (Python)
- OWASP Dependency-Check