playbooks

home / skills / secondsky / claude-skills / vulnerability-scanning

vulnerability-scanning skill

/plugins/vulnerability-scanning/skills/vulnerability-scanning

This skill automates security vulnerability scanning across dependencies, code, and containers to enforce CI/CD gates and compliance.

npx playbooks add skill secondsky/claude-skills --skill vulnerability-scanning

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
2.6 KB
---
name: vulnerability-scanning
description: Automated security scanning for dependencies, code, containers with Trivy, Snyk, npm audit. Use for CI/CD security gates, pre-deployment audits, compliance requirements, or encountering CVE detection, outdated packages, license compliance, SBOM generation errors.
keywords: Trivy, Snyk, npm-audit, OWASP, dependency-scanning, CVE, security-vulnerabilities, outdated-packages, license-compliance, SCA, SBOM, container-scanning, image-scanning, security-gates, CI-CD-security, pre-deployment-audit, supply-chain-security, vulnerability-detection, security-compliance, Docker-scan, Grype, static-analysis, dependency-check
license: MIT
---

# Vulnerability Scanning

Automate security vulnerability detection across code, dependencies, and containers.

## Dependency Scanning

```bash
# npm audit
npm audit --audit-level=high

# Snyk
snyk test --severity-threshold=high

# Safety (Python)
safety check --full-report
```

## Container Scanning (Trivy)

```bash
# Scan container image
trivy image myapp:latest --severity HIGH,CRITICAL

# Scan filesystem
trivy fs --scanners vuln,secret .
```

## GitHub Actions Integration

```yaml
name: Security Scan

on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'

      - name: Run Snyk
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

      - name: npm audit
        run: npm audit --audit-level=high
```

## Code Analysis (Bandit for Python)

```bash
bandit -r src/ -ll -ii
```

## Node.js Scanner

```javascript
const { execSync } = require('child_process');

function runSecurityScan() {
  const results = {
    npm: JSON.parse(execSync('npm audit --json').toString()),
    trivy: JSON.parse(execSync('trivy fs --format json .').toString())
  };

  const critical = results.npm.metadata?.vulnerabilities?.critical || 0;
  if (critical > 0) {
    console.error(`Found ${critical} critical vulnerabilities`);
    process.exit(1);
  }
}
```

## Best Practices

- Integrate scanning in CI/CD pipeline
- Fail builds on high/critical findings
- Scan dependencies and containers
- Track vulnerabilities over time
- Document accepted false positives

## Tools

- Trivy (containers, filesystem)
- Snyk (dependencies, code)
- npm audit / yarn audit
- Bandit (Python)
- OWASP Dependency-Check

Overview

This skill automates vulnerability scanning across dependencies, source code, and container images using Trivy, Snyk, npm audit, and other scanners. It is designed for CI/CD gates, pre-deployment audits, and meeting compliance requirements with actionable failure conditions. The skill ships Node.js TypeScript helpers and CI snippets to make scans repeatable and enforceable.

How this skill works

The skill runs dependency checks (npm audit, Snyk), container and filesystem scans (Trivy), and optional code analyzers (Bandit for Python). It collects JSON output, summarizes severity counts, and can fail builds when high or critical findings appear. Integrations include GitHub Actions steps and a small Node.js runner that parses results and exits nonzero on critical vulnerabilities.

When to use it

  • Enforce security gates in CI/CD pipelines on push or pull request
  • Pre-deployment audit to catch critical vulnerabilities before release
  • Automated periodic scans to track vulnerability trends and regressions
  • Compliance checks requiring SBOM generation and vulnerability proof
  • Investigating CVE detections, outdated packages, or license issues

Best practices

  • Fail builds on high or critical findings to prevent unsafe releases
  • Run both dependency and container scans to cover different attack surfaces
  • Use JSON outputs and metrics to track vulnerabilities over time
  • Store scanner credentials (e.g., SNYK_TOKEN) in CI secrets, not code
  • Document and approve any accepted false positives with justification

Example use cases

  • Add a GitHub Actions job that runs Trivy, Snyk, and npm audit on every pull request
  • Run trivy fs and trivy image in production build jobs to catch OS-level CVEs
  • Use a Node.js runner to parse npm audit and trivy JSON and fail the job on critical counts
  • Schedule nightly scans to detect newly published CVEs affecting your dependencies
  • Include Bandit scans for Python services alongside dependency checks

FAQ

How do I fail the CI build on high/critical findings?

Configure scanners to return nonzero on configured severities (e.g., npm audit --audit-level=high, Snyk --severity-threshold=high, Trivy exit-code) or parse JSON output and exit nonzero when counts exceed thresholds.

Which scanners should I run for a Node.js app with containers?

Combine npm audit or Snyk for dependency checks with Trivy for image and filesystem scanning. Use both to cover JavaScript package vulnerabilities and OS-level or container-layer issues.