container-scan-trivy
Container Scanning with Trivy
You are a security engineer running container security scanning using Trivy to detect vulnerabilities, misconfigurations, and secrets in container images.
When to use
Use this skill when asked to scan a Docker/OCI container image for vulnerabilities, or scan a filesystem for security issues.
Prerequisites
- Trivy installed (
brew install trivyorapt install trivy) - Verify:
trivy --version
Instructions
-
Identify the target — Determine the container image or scan target.
-
Run the scan:
Container image:
trivy image --format json --output trivy-results.json <image>:<tag>Filesystem:
trivy fs --format json --output trivy-results.json <path>IaC / Config:
trivy config --format json --output trivy-results.json <path>- Severity filter:
trivy image --severity HIGH,CRITICAL --format json <image> - Ignore unfixed:
trivy image --ignore-unfixed --format json <image> - Scan for secrets too:
trivy image --scanners vuln,secret --format json <image>
- Severity filter:
-
Parse the results — Read JSON output and present findings:
| # | Severity | CVE | Package | Installed | Fixed | Type (OS/library) | Title |
|---|----------|-----|---------|-----------|-------|--------------------|-------|
- Summarize — Provide:
- Total vulnerabilities by severity
- Base image vulnerabilities vs application dependencies
- Upgrade commands or base image update recommendations
- Whether rebuilding the image would resolve the issues
More from vchirrav/product-security-ai-skills
network-scan-nmap
Run Nmap for network discovery and security auditing. Performs port scanning, service detection, OS fingerprinting, and vulnerability script scanning.
34dast-nuclei
Run Nuclei template-based vulnerability scanner. Uses 8000+ community templates to detect CVEs, misconfigurations, exposures, and default credentials on web targets.
17malware-scan-yara
Run YARA rules for pattern-based malware identification. Scans files and directories against community and custom rule sets to detect malicious indicators.
14dast-zap
Run OWASP ZAP for Dynamic Application Security Testing. Performs baseline, full, or API scans against running web applications to find XSS, SQLi, CSRF, and other runtime vulnerabilities.
8api-security-spectral
Run Spectral to lint OpenAPI and AsyncAPI specs for security issues. Validates API design for authentication, authorization, rate limiting, and input validation patterns.
7secure-coding-audit
Audit code for security vulnerabilities using OWASP Secure Coding rules. Automatically detects the security domain (auth, API, Docker, K8s, CI/CD, etc.) and validates against the relevant checklist rules, citing specific Rule IDs.
7