home / skills / a5c-ai / babysitter / container-security-scanner

container-security-scanner skill

safe

/plugins/babysitter/skills/babysit/process/specializations/security-compliance/skills/container-security-scanner

This skill analyzes container images and Kubernetes configs to identify vulnerabilities, misconfigurations, and compliance gaps, improving security posture and

npx playbooks add skill a5c-ai/babysitter --skill container-security-scanner

Review the files below or copy the command above to add this skill to your agents.

Files (2)

SKILL.md

4.4 KB

---
name: container-security-scanner
description: Container image and Kubernetes security scanning for CVEs, misconfigurations, and compliance
allowed-tools:
  - Bash
  - Read
  - Write
  - Glob
  - Grep
  - WebFetch
---

# Container Security Scanner Skill

## Purpose

Automated container image and Kubernetes security scanning to identify vulnerabilities, misconfigurations, secrets, and compliance issues in containerized environments.

## Capabilities

### Image Vulnerability Scanning
- Scan container images for known CVEs using Trivy, Grype, or Anchore
- Detect vulnerabilities in OS packages and application dependencies
- Generate SBOM (Software Bill of Materials) in CycloneDX or SPDX format
- Track vulnerability severity (Critical, High, Medium, Low)

### Dockerfile Security Analysis
- Check Dockerfile best practices and security issues
- Identify privileged container configurations
- Detect hardcoded secrets in Dockerfiles
- Verify base image security and freshness

### Kubernetes Security Scanning
- Run Kubernetes CIS benchmark checks using kube-bench
- Analyze pod security policies and standards
- Check RBAC configurations for over-permissive access
- Detect insecure network policies

### Secrets Detection
- Scan images for embedded secrets and credentials
- Identify API keys, tokens, and passwords in layers
- Check environment variable configurations

### Image Signature Verification
- Verify container image signatures using cosign
- Validate image provenance and attestations
- Check image registry security configurations

### Compliance Reporting
- Generate compliance reports (CIS, NIST, PCI-DSS)
- Map findings to compliance controls
- Track remediation status and timelines

## Integrations

- **Trivy**: Comprehensive vulnerability scanner for containers
- **Grype**: Container image vulnerability scanner
- **Syft**: SBOM generation tool
- **kube-bench**: Kubernetes CIS benchmark checker
- **Falco**: Runtime security monitoring
- **Anchore**: Enterprise container security platform
- **cosign**: Container image signing and verification

## Target Processes

- Container Security Scanning Process
- DevSecOps Pipeline Integration
- IaC Security Scanning
- Kubernetes Security Hardening
- Container Image Build Pipeline

## Input Schema

```json
{
  "type": "object",
  "properties": {
    "imageName": {
      "type": "string",
      "description": "Container image name with tag"
    },
    "registry": {
      "type": "string",
      "description": "Container registry URL"
    },
    "dockerfilePath": {
      "type": "string",
      "description": "Path to Dockerfile for static analysis"
    },
    "kubeManifestPath": {
      "type": "string",
      "description": "Path to Kubernetes manifests"
    },
    "scanType": {
      "type": "array",
      "items": {
        "type": "string",
        "enum": ["vulnerability", "config", "secrets", "compliance", "sbom"]
      }
    },
    "severityThreshold": {
      "type": "string",
      "enum": ["CRITICAL", "HIGH", "MEDIUM", "LOW"]
    }
  },
  "required": ["imageName"]
}
```

## Output Schema

```json
{
  "type": "object",
  "properties": {
    "scanId": {
      "type": "string"
    },
    "imageName": {
      "type": "string"
    },
    "scanTimestamp": {
      "type": "string",
      "format": "date-time"
    },
    "vulnerabilities": {
      "type": "object",
      "properties": {
        "critical": { "type": "integer" },
        "high": { "type": "integer" },
        "medium": { "type": "integer" },
        "low": { "type": "integer" },
        "findings": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "cveId": { "type": "string" },
              "severity": { "type": "string" },
              "package": { "type": "string" },
              "fixedVersion": { "type": "string" },
              "description": { "type": "string" }
            }
          }
        }
      }
    },
    "misconfigurations": {
      "type": "array"
    },
    "secrets": {
      "type": "array"
    },
    "complianceStatus": {
      "type": "object"
    },
    "recommendations": {
      "type": "array",
      "items": { "type": "string" }
    }
  }
}
```

## Usage Example

```javascript
skill: {
  name: 'container-security-scanner',
  context: {
    imageName: 'myapp:v1.2.3',
    registry: 'registry.example.com',
    scanType: ['vulnerability', 'config', 'secrets'],
    severityThreshold: 'HIGH'
  }
}
```

Overview

This skill performs automated container image and Kubernetes security scanning to find CVEs, misconfigurations, embedded secrets, and compliance gaps. It produces SBOMs, vulnerability summaries by severity, and actionable remediation guidance for DevSecOps pipelines. The skill integrates common tools to verify image provenance and enforce security gates during builds and deployments.

How this skill works

The skill inspects a container image, Dockerfile, and optional Kubernetes manifests to run vulnerability scans, configuration checks, secrets detection, and compliance tests. It orchestrates scanners like Trivy/Grype for CVEs, Syft for SBOMs, kube-bench for CIS checks, and cosign for signature verification, aggregating results into a single structured report. Outputs include counts by severity, detailed findings (CVE IDs, packages, fixed versions), misconfiguration lists, secret detections, compliance mappings, and prioritized recommendations.

When to use it

Scan images before publishing to a registry or CI/CD artifact store
Validate Dockerfiles and build pipelines for insecure practices
Perform pre-deployment checks on Kubernetes manifests and cluster configurations
Generate SBOMs and compliance evidence for audits
Enforce security gates in automated release pipelines

Best practices

Run scans as part of CI jobs on every image build and on a scheduled cadence for registries
Set a severity threshold (e.g., HIGH or CRITICAL) to block promotions until remediated
Combine static image scans with runtime monitoring for full coverage
Keep scanner databases and base images up to date to reduce false positives
Map findings to owners and track remediation with ticketing or SCM hooks

Example use cases

CI pipeline step: scan new image tag and fail pipeline on critical/high CVEs
Pre-release audit: produce SBOM and compliance report for NIST/CIS/PCI-DSS evidence
Kubernetes hardening: run kube-bench and RBAC checks across manifests before apply
Secrets hygiene: scan image layers and Dockerfiles for embedded keys and environment secrets
Image provenance validation: verify cosign signatures and registry attestations before deployment

FAQ

Which inputs are required to run a scan?

At minimum provide imageName (including tag). Adding registry, dockerfilePath, kubeManifestPath, and scanType customizes scope.

Can I adjust which findings block a deployment?

Yes. Use severityThreshold to define the minimum severity (CRITICAL/HIGH/MEDIUM/LOW) that should fail promotion; combine with policy logic in the pipeline.