trivy-offline-vulnerability-scanning
Use Trivy vulnerability scanner in offline mode to discover security vulnerabilities in dependency files. This skill covers setting up offline scanning, executing Trivy against package lock files, and generating JSON vulnerability reports without requiring internet access.
Install
```bash
mkdir -p .claude/skills/trivy-offline-vulnerability-scanning && curl -L -o skill.zip "https://mcp.directory/api/skills/download/3247" && unzip -o skill.zip -d .claude/skills/trivy-offline-vulnerability-scanning && rm skill.zip
```
Installs to .claude/skills/trivy-offline-vulnerability-scanning
About this skill
Trivy Offline Vulnerability Scanning
This skill provides guidance on using Trivy, an open-source security scanner, to discover vulnerabilities in software dependencies using offline mode.
Overview
Trivy is a comprehensive vulnerability scanner that can analyze various targets including container images, filesystems, and dependency lock files. Offline scanning is crucial for:
- Air-gapped environments without internet access
- Reproducible security audits with fixed vulnerability databases
- Faster CI/CD pipelines avoiding network latency
- Compliance requirements for controlled environments
Why Offline Mode?
Challenges with Online Scanning
- Network dependency introduces failure points
- Database updates can cause inconsistent results across runs
- Slower execution due to download times
- Security policies may restrict external connections
Benefits of Offline Scanning
- Reproducibility: Same database = same results
- Speed: No network overhead
- Reliability: No external dependencies
- Compliance: Works in restricted environments
Trivy Database Structure
Trivy's vulnerability database consists of two files that always travel together:
- trivy.db: a bbolt (BoltDB) key-value store holding the advisories, keyed by ecosystem and package. It is not SQLite, so it cannot be inspected with sqlite3; Trivy is the only intended reader.
- metadata.json: the database schema version plus the UpdatedAt, NextUpdate and DownloadedAt timestamps. NextUpdate is the point after which Trivy considers the snapshot stale.
Database location: <cache-dir>/db/trivy.db, with metadata.json beside it in <cache-dir>/db/. Scanning Java archives additionally needs the separate Java index under <cache-dir>/java-db/; lock-file scanning of the kind shown here does not use it.
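To make the two files above concrete, here is an added example (not part of the original skill) that validates a cache directory before a scan: it checks that db/trivy.db exists, parses db/metadata.json, and compares NextUpdate with the clock so a stale snapshot is reported instead of being scanned with silently. The field names are Trivy's; the sample metadata values and the throw-away cache created by build_sample_cache are constructed for the example only.

```python
import json
import os
import re
import tempfile
from datetime import datetime, timezone

# Constructed sample in the shape of Trivy's db/metadata.json. These values
# are made up for the example and do not describe a real database snapshot.
SAMPLE_METADATA = {
    "Version": 2,
    "NextUpdate": "2024-01-02T06:00:00Z",
    "UpdatedAt": "2024-01-02T00:00:00Z",
    "DownloadedAt": "2024-01-02T01:00:00Z",
}

# RFC 3339 as Trivy writes it: optional fractional seconds (often nanoseconds)
# and either 'Z' or a numeric offset.
_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})$")


def _parse_ts(value):
    """Parse a Trivy timestamp into an aware datetime, trimming nanoseconds
    to the microseconds datetime.fromisoformat accepts."""
    m = _TS.match(value)
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    base, frac, tz = m.groups()
    micro = (frac or "0")[:6].ljust(6, "0")
    tz = "+00:00" if tz == "Z" else tz
    return datetime.fromisoformat(f"{base}.{micro}{tz}")


def check_trivy_cache(cache_dir, now=None):
    """Validate an offline Trivy cache directory.

    Returns a dict: 'ok' is False when trivy.db or metadata.json is missing or
    unreadable; 'stale' is True when NextUpdate has passed (the scan will still
    run, but newer advisories are missing from the snapshot)."""
    now = now or datetime.now(timezone.utc)
    db_dir = os.path.join(cache_dir, "db")
    report = {"ok": False, "stale": None, "version": None,
              "next_update": None, "problems": []}

    db_path = os.path.join(db_dir, "trivy.db")
    if not os.path.isfile(db_path):
        report["problems"].append(f"missing {db_path}")

    meta_path = os.path.join(db_dir, "metadata.json")
    try:
        with open(meta_path, encoding="utf-8") as fh:
            meta = json.load(fh)
    except (OSError, ValueError) as exc:
        report["problems"].append(f"cannot read {meta_path}: {exc}")
        return report

    report["version"] = meta.get("Version")
    try:
        next_update = _parse_ts(meta["NextUpdate"])
    except (KeyError, ValueError) as exc:
        report["problems"].append(f"bad NextUpdate in {meta_path}: {exc}")
        return report

    report["next_update"] = next_update.isoformat()
    report["stale"] = now > next_update
    report["ok"] = not report["problems"]
    return report


def build_sample_cache(root, metadata=SAMPLE_METADATA, with_db=True):
    """Create a throw-away cache layout (db/trivy.db, db/metadata.json).
    The trivy.db written here is a one-byte placeholder, not a real bbolt file."""
    db_dir = os.path.join(root, "db")
    os.makedirs(db_dir, exist_ok=True)
    if with_db:
        with open(os.path.join(db_dir, "trivy.db"), "wb") as fh:
            fh.write(b"\x00")
    with open(os.path.join(db_dir, "metadata.json"), "w", encoding="utf-8") as fh:
        json.dump(metadata, fh)
    return root


def self_check():
    """Exercise the validator on a fresh, a stale and a missing cache."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_cache(tmp)
        fresh = check_trivy_cache(tmp, now=_parse_ts("2024-01-01T00:00:00Z"))
        stale = check_trivy_cache(tmp, now=_parse_ts("2024-03-01T00:00:00Z"))
        empty = os.path.join(tmp, "empty")
        os.makedirs(empty)
        missing = check_trivy_cache(empty)
    return fresh, stale, missing


if __name__ == "__main__":
    for label, result in zip(("fresh", "stale", "missing"), self_check()):
        print(f"{label}: ok={result['ok']} stale={result['stale']} problems={result['problems']}")
```

Run check_trivy_cache against the real cache-dir before invoking Trivy; treat ok=False as a hard error and stale=True as a warning to surface in the scan summary, since an expired snapshot is the usual reason an offline scan reports fewer findings than an online one.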
Offline Scanning Workflow
Step 1: Verify Database Existence
Before scanning, ensure the offline database is available. With --skip-db-update Trivy will not fetch it for you, so the check belongs in the script:
```python
import os
import sys

TRIVY_CACHE_PATH = './trivy-cache'

# Check for database file
db_path = os.path.join(TRIVY_CACHE_PATH, "db", "trivy.db")
if not os.path.exists(db_path):
    print(f"[!] Error: Trivy database not found at {db_path}")
    print("    Download database first (on a host with internet access) with:")
    print(f"    trivy image --download-db-only --cache-dir {TRIVY_CACHE_PATH}")
    sys.exit(1)
```
Step 2: Construct Trivy Command
Key flags for offline scanning:
| Flag | Purpose |
|---|---|
| fs <target> | Scan a filesystem path: a directory or a single dependency file (e.g., package-lock.json) |
| --format json | Output in JSON format for parsing |
| --output <file> | Save results to file (nothing is written to stdout) |
| --scanners vuln | Scan only for vulnerabilities (skip misconfiguration, secret and license checks) |
| --skip-db-update | Critical: never download or refresh trivy.db; if it is absent the scan errors out instead of fetching it |
| --offline-scan | Do not contact external services while resolving dependencies (e.g., no Maven Central lookups for pom.xml). It does not by itself stop database updates, so always pair it with --skip-db-update |
| --cache-dir <path> | Directory containing the pre-downloaded db/ (and, if you scan JARs, java-db/ together with --skip-java-db-update) |
```python
import subprocess

TARGET_FILE = 'package-lock.json'
OUTPUT_FILE = 'trivy_report.json'
TRIVY_CACHE_PATH = './trivy-cache'

# Argument list, not a shell string: paths with spaces need no quoting
command = [
    "trivy", "fs", TARGET_FILE,
    "--format", "json",
    "--output", OUTPUT_FILE,
    "--scanners", "vuln",
    "--skip-db-update",   # Prevent online updates
    "--offline-scan",     # No external lookups during dependency resolution
    "--cache-dir", TRIVY_CACHE_PATH
]
```
Step 3: Execute Scan
This step continues with the command, OUTPUT_FILE and imports from Steps 1 and 2:
```python
try:
    result = subprocess.run(
        command,
        capture_output=True,
        text=True,
        check=False  # Don't raise exception on non-zero exit; handle it below
    )
    # A non-zero exit means the scan itself failed (missing database, bad
    # target, ...). Trivy exits 0 even when it finds vulnerabilities unless
    # --exit-code is given, so exit 0 is not a clean bill of health: read the report.
    if result.returncode != 0:
        print("[!] Trivy scan failed:")
        print(result.stderr)
        sys.exit(1)
    print("[*] Scan completed successfully")
    print(f"[*] Results saved to: {OUTPUT_FILE}")
except FileNotFoundError:
    print("[!] Error: 'trivy' command not found")
    print("    Install Trivy: https://aquasecurity.github.io/trivy/latest/getting-started/installation/")
    sys.exit(1)
```
Complete Example
```python
import os
import subprocess
import sys


def run_trivy_offline_scan(target_file, output_file, cache_dir='./trivy-cache'):
    """
    Execute Trivy vulnerability scan in offline mode.

    Args:
        target_file: Path to file to scan (e.g., package-lock.json)
        output_file: Path to save JSON results
        cache_dir: Path to Trivy offline database (must contain db/trivy.db)
    Returns:
        output_file once the scan has completed.
    """
    print("[*] Starting Trivy offline scan...")
    print(f"    Target: {target_file}")
    print(f"    Database: {cache_dir}")

    # Verify database exists; with --skip-db-update Trivy will not fetch it
    db_path = os.path.join(cache_dir, "db", "trivy.db")
    if not os.path.exists(db_path):
        print(f"[!] Error: Database not found at {db_path}")
        sys.exit(1)

    # Build command as an argument list (no shell, so paths need no quoting)
    command = [
        "trivy", "fs", target_file,
        "--format", "json",
        "--output", output_file,
        "--scanners", "vuln",
        "--skip-db-update",
        "--offline-scan",
        "--cache-dir", cache_dir
    ]

    # Execute
    try:
        result = subprocess.run(command, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        print("[!] Trivy not found. Install from:")
        print("    https://aquasecurity.github.io/trivy/")
        sys.exit(1)

    # Non-zero means the scan failed to run. Findings alone leave the exit
    # code at 0 unless --exit-code is passed, so always inspect the report.
    if result.returncode != 0:
        print("[!] Scan failed:")
        print(result.stderr)
        sys.exit(1)
    print("[*] Scan completed successfully")
    return output_file


# Usage
if __name__ == "__main__":
    run_trivy_offline_scan(
        target_file='package-lock.json',
        output_file='trivy_report.json'
    )
```
JSON Output Structure
Trivy writes a JSON document (SchemaVersion 2) with one Results entry per scanned target. The example below is abridged to the fields most scripts use. Two details matter when parsing: a target with no findings has no Vulnerabilities key at all, and FixedVersion is absent when no fixed release exists.
```json
{
  "SchemaVersion": 2,
  "Results": [
    {
      "Target": "package-lock.json",
      "Class": "lang-pkgs",
      "Type": "npm",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2021-44906",
          "PkgName": "minimist",
          "InstalledVersion": "1.2.5",
          "FixedVersion": "1.2.6",
          "Severity": "CRITICAL",
          "Title": "Prototype Pollution in minimist",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-44906",
          "CVSS": {
            "nvd": { "V3Score": 9.8 }
          }
        }
      ]
    }
  ]
}
```
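The report is only useful once something reads it, so here is an added example (not part of the original skill) that loads the JSON written by --output, counts findings per severity, lists the ones with an available fix, and derives a pipeline exit status from a severity threshold, i.e. the same policy as Trivy's own --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed but applied to the saved report so the raw JSON is kept for auditing. It also handles the two parsing traps noted above (missing Vulnerabilities key, missing FixedVersion). The sample report is constructed: the minimist entry matches the advisory shown above, while the example-* packages and TEST-* identifiers are placeholders, not real advisories.

```python
import json
import os
import tempfile

# Trivy's severity levels, lowest to highest
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in the shape of a Trivy JSON report (SchemaVersion 2).
# Only the minimist entry reflects a real advisory; example-* packages and
# TEST-* IDs are placeholders. The yarn.lock result has no "Vulnerabilities"
# key, which is how Trivy represents a target with nothing to report.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "Results": [
        {
            "Target": "package-lock.json",
            "Class": "lang-pkgs",
            "Type": "npm",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2021-44906", "PkgName": "minimist",
                 "InstalledVersion": "1.2.5", "FixedVersion": "1.2.6",
                 "Severity": "CRITICAL", "Title": "Prototype Pollution in minimist"},
                {"VulnerabilityID": "TEST-0001", "PkgName": "example-unfixed",
                 "InstalledVersion": "0.1.0", "Severity": "HIGH",
                 "Title": "placeholder finding with no FixedVersion"},
                {"VulnerabilityID": "TEST-0002", "PkgName": "example-medium",
                 "InstalledVersion": "2.0.0", "FixedVersion": "2.0.1",
                 "Severity": "MEDIUM", "Title": "placeholder finding"},
            ],
        },
        {"Target": "yarn.lock", "Class": "lang-pkgs", "Type": "yarn"},
    ],
}


def load_report(path):
    """Read a report written by `trivy ... --format json --output <path>`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def iter_vulns(report):
    """Yield (target, vuln) for every finding, tolerating absent keys."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), vuln


def _rank(vuln):
    sev = vuln.get("Severity", "UNKNOWN")
    return SEVERITY_ORDER.index(sev if sev in SEVERITY_ORDER else "UNKNOWN")


def summarize(report):
    """Return per-severity counts and the findings that have a fix available."""
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    fixable = []
    for target, vuln in iter_vulns(report):
        counts[SEVERITY_ORDER[_rank(vuln)]] += 1
        if vuln.get("FixedVersion"):
            fixable.append((target, vuln["PkgName"], vuln["InstalledVersion"],
                            vuln["FixedVersion"], vuln["VulnerabilityID"]))
    return counts, fixable


def gate(report, fail_on="HIGH", ignore_unfixed=False):
    """Pipeline exit status: 1 if any finding is at or above `fail_on`
    (optionally only counting findings with a FixedVersion), else 0."""
    threshold = SEVERITY_ORDER.index(fail_on)
    for _, vuln in iter_vulns(report):
        if ignore_unfixed and not vuln.get("FixedVersion"):
            continue
        if _rank(vuln) >= threshold:
            return 1
    return 0


if __name__ == "__main__":
    # Round-trip through a file to mirror reading the real --output path
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "trivy_report.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_REPORT, fh)
        report = load_report(path)
    counts, fixable = summarize(report)
    print("by severity:", {k: v for k, v in counts.items() if v})
    for target, pkg, have, fix, vid in fixable:
        print(f"{target}: {pkg} {have} -> {fix} ({vid})")
    print("gate HIGH:", gate(report), "| fixable only:", gate(report, ignore_unfixed=True))
    raise SystemExit(gate(report))
```

Point load_report at the file named by --output and call gate with the threshold your pipeline enforces; keeping the gate outside Trivy means the full report survives a failed build and a later policy change does not require rescanning.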
Common Issues
Issue: "failed to initialize DB"
Cause: Database not found or corrupted, or --cache-dir points at the wrong directory (it must contain db/trivy.db and db/metadata.json)
Solution: Re-download the database on a connected host (trivy image --download-db-only --cache-dir <dir>), copy the whole db/ directory across, and check the --cache-dir path
Issue: Scan finds no vulnerabilities when they exist
Cause: Database is outdated (NextUpdate in db/metadata.json has passed), or the target is not a file Trivy parses as a dependency lock (for npm that is package-lock.json, yarn.lock or pnpm-lock.yaml; package.json on its own is not treated as a lock file)
Solution: Download a newer database before going offline, and confirm the report's Results entry names the lock file you expected
Issue: "command not found: trivy"
Cause: Trivy not installed or not in PATH
Solution: Install Trivy following official documentation
Dependencies
Required Tools
- Trivy: Version 0.40.0 or later recommended (earlier releases spelled the --scanners flag used above as --security-checks)
```bash
# Installation (example for Debian/Ubuntu)
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | apt-key add -
echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | tee -a /etc/apt/sources.list.d/trivy.list
apt-get update
apt-get install trivy
```
apt-key is deprecated on current Debian and Ubuntu releases; the current Trivy installation docs store the key under /usr/share/keyrings and reference it with a [signed-by=...] entry instead. On an air-gapped host, install the binary from the release tarball copied across with the database rather than from the apt repository.
Python Modules
- subprocess (standard library)
- os (standard library)
- sys (standard library)