MCP.directory

sca-trivy

by rohunj
0
0
Source

Software Composition Analysis (SCA) and container vulnerability scanning using Aqua Trivy for identifying CVE vulnerabilities in dependencies, container images, IaC misconfigurations, and license compliance risks. Use when: (1) Scanning container images and filesystems for vulnerabilities and misconfigurations, (2) Analyzing dependencies for known CVEs across multiple languages (Go, Python, Node.js, Java, etc.), (3) Detecting IaC security issues in Terraform, Kubernetes, Dockerfile, (4) Integrating vulnerability scanning into CI/CD pipelines with SARIF output, (5) Generating Software Bill of Materials (SBOM) in CycloneDX or SPDX format, (6) Prioritizing remediation by CVSS score and exploitability.

Install

mkdir -p .claude/skills/sca-trivy && curl -L -o skill.zip "https://mcp.directory/api/skills/download/5822" && unzip -o skill.zip -d .claude/skills/sca-trivy && rm skill.zip

Installs to .claude/skills/sca-trivy

About this skill

Software Composition Analysis with Trivy

Overview

Trivy is a comprehensive security scanner for containers, filesystems, and git repositories. It detects vulnerabilities (CVEs) in OS packages and application dependencies, IaC misconfigurations, exposed secrets, and software licenses. This skill provides workflows for vulnerability scanning, SBOM generation, CI/CD integration, and remediation prioritization aligned with CVSS and OWASP standards.

Quick Start

Scan a container image for vulnerabilities:

# Install Trivy
brew install trivy  # macOS
# or: apt-get install trivy  # Debian/Ubuntu
# or: docker pull aquasec/trivy:latest

# Scan container image
trivy image nginx:latest

# Scan local filesystem for dependencies
trivy fs .

# Scan IaC files for misconfigurations
trivy config .

# Generate SBOM
trivy image --format cyclonedx --output sbom.json nginx:latest

Core Workflows

Workflow 1: Container Image Security Assessment

Progress: [ ] 1. Identify target container image (repository:tag) [ ] 2. Run comprehensive Trivy scan with trivy image <image-name> [ ] 3. Analyze vulnerability findings by severity (CRITICAL, HIGH, MEDIUM, LOW) [ ] 4. Map CVE findings to CWE categories and OWASP references [ ] 5. Check for available patches and updated base images [ ] 6. Generate prioritized remediation report with upgrade recommendations

Work through each step systematically. Check off completed items.

Workflow 2: Dependency Vulnerability Scanning

Scan project dependencies for known vulnerabilities:

# Scan filesystem for all dependencies
trivy fs --severity CRITICAL,HIGH .

# Scan specific package manifest
trivy fs --scanners vuln package-lock.json

# Generate JSON report for analysis
trivy fs --format json --output trivy-report.json .

# Generate SARIF for GitHub/GitLab integration
trivy fs --format sarif --output trivy.sarif .

For each vulnerability:

  1. Review CVE details and CVSS score
  2. Check if fixed version is available
  3. Consult references/remediation_guide.md for language-specific guidance
  4. Update dependency to patched version
  5. Re-scan to validate fix

Workflow 3: Infrastructure as Code Security

Detect misconfigurations in IaC files:

# Scan Terraform configurations
trivy config ./terraform --severity CRITICAL,HIGH

# Scan Kubernetes manifests
trivy config ./k8s --severity CRITICAL,HIGH

# Scan Dockerfile best practices
trivy config --file-patterns dockerfile:Dockerfile .

# Generate report with remediation guidance
trivy config --format json --output iac-findings.json .

Review findings by category:

  • Security: Authentication, authorization, encryption
  • Compliance: CIS benchmarks, security standards
  • Best Practices: Resource limits, immutability, least privilege

Workflow 4: CI/CD Pipeline Integration

GitHub Actions

name: Trivy Security Scan
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'

      - name: Upload results to GitHub Security
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'

GitLab CI

trivy-scan:
  stage: test
  image: aquasec/trivy:latest
  script:
    - trivy fs --exit-code 1 --severity CRITICAL,HIGH --format json --output trivy-report.json .
  artifacts:
    reports:
      dependency_scanning: trivy-report.json
    when: always
  allow_failure: false

Use bundled templates from assets/ci_integration/ for additional platforms.

Workflow 5: SBOM Generation

Generate Software Bill of Materials for supply chain transparency:

# Generate CycloneDX SBOM
trivy image --format cyclonedx --output sbom-cyclonedx.json nginx:latest

# Generate SPDX SBOM
trivy image --format spdx-json --output sbom-spdx.json nginx:latest

# SBOM for filesystem/project
trivy fs --format cyclonedx --output project-sbom.json .

SBOM use cases:

  • Vulnerability tracking: Monitor dependencies for new CVEs
  • License compliance: Identify license obligations and risks
  • Supply chain security: Verify component provenance
  • Regulatory compliance: Meet CISA SBOM requirements

Security Considerations

Sensitive Data Handling

  • Registry credentials: Use environment variables or credential helpers, never hardcode
  • Scan reports: Contain vulnerability details and package versions - treat as sensitive
  • SBOM files: May reveal internal architecture - control access appropriately
  • Secret scanning: Enable with --scanners secret to detect exposed credentials in images

Access Control

  • Container registry access: Requires pull permissions for image scanning
  • Filesystem access: Read permissions for dependency manifests and IaC files
  • CI/CD integration: Secure API tokens and registry credentials in secrets management
  • Report storage: Restrict access to vulnerability reports and SBOM artifacts

Audit Logging

Log the following for compliance and incident response:

  • Scan execution timestamps and scope (image, filesystem, repository)
  • Vulnerability counts by severity level
  • Policy violations and blocking decisions
  • SBOM generation and distribution events
  • Remediation actions and version updates

Compliance Requirements

  • PCI-DSS 6.2: Ensure system components protected from known vulnerabilities
  • SOC2 CC7.1: Detect and act upon changes that could affect security
  • NIST 800-53 SI-2: Flaw remediation and vulnerability scanning
  • CIS Benchmarks: Container and Kubernetes security hardening
  • OWASP Top 10 A06: Vulnerable and Outdated Components
  • CWE-1104: Use of Unmaintained Third-Party Components

Bundled Resources

Scripts (scripts/)

  • trivy_scan.py - Comprehensive scanning with JSON/SARIF output and severity filtering
  • sbom_generator.py - SBOM generation with CycloneDX and SPDX format support
  • vulnerability_report.py - Parse Trivy output and generate remediation reports with CVSS scores
  • baseline_manager.py - Baseline creation for tracking new vulnerabilities only

References (references/)

  • scanner_types.md - Detailed guide for vulnerability, misconfiguration, secret, and license scanning
  • remediation_guide.md - Language and ecosystem-specific remediation strategies
  • cvss_prioritization.md - CVSS score interpretation and vulnerability prioritization framework
  • iac_checks.md - Complete list of IaC security checks with CIS benchmark mappings

Assets (assets/)

  • trivy.yaml - Custom Trivy configuration with security policies and ignore rules
  • ci_integration/github-actions.yml - Complete GitHub Actions workflow with security gates
  • ci_integration/gitlab-ci.yml - Complete GitLab CI pipeline with dependency scanning
  • ci_integration/jenkins.groovy - Jenkins pipeline with Trivy integration
  • policy_template.rego - OPA policy template for custom vulnerability policies

Common Patterns

Pattern 1: Multi-Stage Security Scanning

Comprehensive security assessment combining multiple scan types:

# 1. Scan container image for vulnerabilities
trivy image --severity CRITICAL,HIGH myapp:latest

# 2. Scan IaC for misconfigurations
trivy config ./infrastructure --severity CRITICAL,HIGH

# 3. Scan filesystem for dependency vulnerabilities
trivy fs --severity CRITICAL,HIGH ./app

# 4. Scan for exposed secrets
trivy fs --scanners secret ./app

# 5. Generate comprehensive SBOM
trivy image --format cyclonedx --output sbom.json myapp:latest

Pattern 2: Baseline Vulnerability Tracking

Implement baseline scanning to track only new vulnerabilities:

# Initial scan - create baseline
trivy image --format json --output baseline.json nginx:latest

# Subsequent scans - detect new vulnerabilities
trivy image --format json --output current.json nginx:latest
./scripts/baseline_manager.py --baseline baseline.json --current current.json

Pattern 3: License Compliance Scanning

Detect license compliance risks:

# Scan for license information
trivy image --scanners license --format json --output licenses.json myapp:latest

# Filter by license type
trivy image --scanners license --severity HIGH,CRITICAL myapp:latest

Review findings:

  • High Risk: GPL, AGPL (strong copyleft)
  • Medium Risk: LGPL, MPL (weak copyleft)
  • Low Risk: Apache, MIT, BSD (permissive)

Pattern 4: Custom Policy Enforcement

Apply custom security policies with OPA:

# Create Rego policy in assets/policy_template.rego
# Deny images with CRITICAL vulnerabilities or outdated packages

# Run scan with policy enforcement
trivy image --format json --output scan.json myapp:latest
trivy image --ignore-policy assets/policy_template.rego myapp:latest

Integration Points

CI/CD Integration

  • GitHub Actions: Native aquasecurity/trivy-action with SARIF upload to Security tab
  • GitLab CI: Dependency scanning report format for Security Dashboard
  • Jenkins: Docker-based scanning with JUnit XML report generation
  • CircleCI: Docker executor with artifact storage
  • Azure Pipelines: Task-based integration with results publishing

Container Platforms

  • Docker: Image scanning before push to registry
  • Kubernetes: Admission controllers with trivy-operator for runtime scanning
  • Harbor: Built-in Trivy integration for registry scanning
  • AWS ECR: Scan images on push with enhanced scanning
  • Google Artifact Registry: Vulnerability scanning integration

Security Tools Ecosystem

  • SIEM Integration: Export JSON findings to Splunk, ELK, or Datadog
  • Vulnerability Management: Import SARIF/JSON into Snyk, Qualys, or Rapid7
  • **S

Content truncated.

More by rohunj

View all skills by rohunj

pytm

rohunj

Python-based threat modeling using pytm library for programmatic STRIDE analysis, data flow diagram generation, and automated security threat identification. Use when: (1) Creating threat models programmatically using Python code, (2) Generating data flow diagrams (DFDs) with automatic STRIDE threat identification, (3) Integrating threat modeling into CI/CD pipelines and shift-left security practices, (4) Analyzing system architecture for security threats across trust boundaries, (5) Producing threat reports with STRIDE categories and mitigation recommendations, (6) Maintaining threat models as code for version control and automation.

00

test-and-break

rohunj

Autonomous testing skill that opens a deployed app, goes through user flows, tries to break things, and writes detailed bug reports. Use after deploying to staging. Triggers on: test the app, find bugs, QA the deployment, break the app, test staging.

10

You might also like

flutter-development

aj-geddes

Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.

641968

drawio-diagrams-enhanced

jgtolentino

Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.

590705

godot

bfollington

This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.

339397

ui-ux-pro-max

nextlevelbuilder

"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."

318395

nano-banana-pro

garg-aayush

Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.

450339

fastapi-templates

wshobson

Create production-ready FastAPI projects with async patterns, dependency injection, and comprehensive error handling. Use when building new FastAPI applications or setting up backend API projects.

304231

Related MCP Servers

Browse all servers
HexStrike AIHexStrike AI

Advanced MCP server enabling AI agents to autonomously run 150+ security and penetration testing tools. Covers reconnais

7,2980 tools
Ableton LiveAbleton Live

Control Ableton Live for advanced music production—track creation, MIDI editing, playback, and sound design. Perfect for

2,29316 tools
IDA ProIDA Pro

IDA Pro software enables programmatic access to IDA disassembler databases for automated reverse engineering and binary

52519 tools
Octagon Deep ResearchOctagon Deep Research

Octagon Deep Research offers competitive analysis software and competitor website analysis tools for advanced SEO and ma

840 tools
OptunaOptuna

Optimize hyper parameters effortlessly with Optuna, the best AutoML software for automated analysis, visualization, and

660 tools
Kollektiv Document ManagementKollektiv Document Management

Kollektiv Document Management offers secure document management system software with AI-powered search, analysis, and OA

610 tools

Stay ahead of the MCP ecosystem

Get weekly updates on new skills and servers.