sca-trivy

Solid

Software Composition Analysis (SCA) and container vulnerability scanning using Aqua Trivy for identifying CVE vulnerabilities in dependencies, container images, IaC misconfigurations, and license compliance risks. Use when: (1) Scanning container images and filesystems for vulnerabilities and misconfigurations, (2) Analyzing dependencies for known CVEs across multiple languages (Go, Python, Node.js, Java, etc.), (3) Detecting IaC security issues in Terraform, Kubernetes, Dockerfile, (4) Integrating vulnerability scanning into CI/CD pipelines with SARIF output, (5) Generating Software Bill of Materials (SBOM) in CycloneDX or SPDX format, (6) Prioritizing remediation by CVSS score and exploitability.

DevOps & Infrastructure 335 stars 29 forks Updated today

Quality Score: 85/100

Stars (20% weight): 84
Recency (20% weight): 100
Frontmatter (20% weight): 70
Documentation (15% weight): 100
Issue Health (10% weight): 80
License (10% weight): 0
Description (5% weight): 100

Skill Content

# Software Composition Analysis with Trivy

## Overview

Trivy is a comprehensive security scanner for containers, filesystems, and git repositories. It detects vulnerabilities (CVEs) in OS packages and application dependencies, IaC misconfigurations, exposed secrets, and software licenses. This skill provides workflows for vulnerability scanning, SBOM generation, CI/CD integration, and remediation prioritization aligned with CVSS and OWASP standards.

## Quick Start

Scan a container image for vulnerabilities:

```bash
# Install Trivy
brew install trivy                       # macOS
# or: apt-get install trivy              # Debian/Ubuntu
# or: docker pull aquasec/trivy:latest

# Scan container image
trivy image nginx:latest

# Scan local filesystem for dependencies
trivy fs .

# Scan IaC files for misconfigurations
trivy config .

# Generate SBOM
trivy image --format cyclonedx --output sbom.json nginx:latest
```

## Core Workflows

### Workflow 1: Container Image Security Assessment

Progress:

[ ] 1. Identify target container image (repository:tag)
[ ] 2. Run comprehensive Trivy scan with `trivy image <image-name>`
[ ] 3. Analyze vulnerability findings by severity (CRITICAL, HIGH, MEDIUM, LOW)
[ ] 4. Map CVE findings to CWE categories and OWASP references
[ ] 5. Check for available patches and updated base images
[ ] 6. Generate prioritized remediation report with upgrade recommendations

Work through each step systematically. Check off completed items.

### Workflow 2: Dependency Vulnerability Scanning

S...
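Steps 3, 5 and 6 of Workflow 1 (triage by severity, check for an available fix, emit a prioritized list) as an added Python example; it is not part of this skill or of Trivy's own tooling. It consumes the JSON that `trivy image --format json` writes (the `Results` / `Vulnerabilities` / `VulnerabilityID` / `FixedVersion` / `CVSS` keys are Trivy's real schema), but the embedded report, its CVE identifiers and the `gate` policy are constructed for the example.

```python
"""Prioritise Trivy JSON findings for remediation (added example, not part of the skill)."""
import json

# Constructed sample shaped like `trivy image --format json` output; every value is made up.
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "nginx:latest (debian 12.5)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "InstalledVersion": "1.0-1",
         "FixedVersion": "1.0-2", "Severity": "CRITICAL", "CVSS": {"nvd": {"V3Score": 9.8}}},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "InstalledVersion": "2.1",
         "FixedVersion": "", "Severity": "HIGH", "CVSS": {"nvd": {"V3Score": 7.5}}},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz", "InstalledVersion": "0.9",
         "FixedVersion": "1.0", "Severity": "HIGH", "CVSS": {"redhat": {"V3Score": 8.1}}},
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libqux", "InstalledVersion": "3.3",
         "FixedVersion": "3.4", "Severity": "LOW", "CVSS": {}},
    ]}]})

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}

def max_cvss(vuln):
    """Highest CVSS v3 base score across the sources Trivy reports (nvd, redhat, ...)."""
    scores = [src.get("V3Score", 0.0) for src in vuln.get("CVSS", {}).values()]
    return max(scores, default=0.0)

def prioritise(report_json, min_severity="HIGH"):
    """Findings at or above min_severity: fixable ones first, then by severity, then CVSS."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    rows = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key is absent for clean targets
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            rows.append({"target": result["Target"], "id": v["VulnerabilityID"],
                         "pkg": v["PkgName"], "installed": v["InstalledVersion"],
                         "fixed": v.get("FixedVersion") or None,   # "" means no fix yet
                         "severity": v["Severity"], "cvss": max_cvss(v)})
    rows.sort(key=lambda r: (r["fixed"] is None, -SEVERITY_RANK[r["severity"]], -r["cvss"]))
    return rows

def gate(rows, fail_on="CRITICAL"):
    """CI gate (hypothetical policy): pass only if no fixable finding is at fail_on or above."""
    return not any(r["fixed"] and SEVERITY_RANK[r["severity"]] >= SEVERITY_RANK[fail_on]
                   for r in rows)

if __name__ == "__main__":
    findings = prioritise(SAMPLE_REPORT)
    for r in findings:
        print(f'{r["severity"]:8} {r["cvss"]:4} {r["id"]} {r["pkg"]} '
              f'{r["installed"]} -> {r["fixed"] or "no fix available"}')
    raise SystemExit(0 if gate(findings) else 1)
```

Unfixable findings are listed last rather than blocking the build, since a gate that fails on them gives the team nothing actionable; a real pipeline would read the report from `trivy image --format json --output report.json <image>` instead of the embedded sample.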

Details

Author: aiskillstore
Repository: aiskillstore/marketplace
Created: 5 months ago
Last Updated: today
Language: Python
License: None

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

performing-container-security-scanning-with-trivy

Scan container images, filesystems, and Kubernetes manifests for vulnerabilities, misconfigurations, exposed secrets, and license compliance issues using Aqua Security Trivy with SBOM generation and CI/CD integration.

13,115 Updated today
mukul975
DevOps & Infrastructure Featured

scanning-containers-with-trivy-in-cicd

This skill covers integrating Aqua Security's Trivy scanner into CI/CD pipelines for comprehensive container image vulnerability detection. It addresses scanning Docker images for OS package and application dependency CVEs, detecting misconfigurations in Dockerfiles, scanning filesystem and git repositories, and establishing severity-based quality gates that block deployment of vulnerable images.

13,115 Updated today
mukul975
AI & Automation Featured

scanning-docker-images-with-trivy

Trivy is a comprehensive open-source vulnerability scanner by Aqua Security that detects vulnerabilities in OS packages, language-specific dependencies, misconfigurations, secrets, and license violati

13,115 Updated today
mukul975
AI & Automation Featured

implementing-aqua-security-for-container-scanning

Deploy Aqua Security's Trivy scanner to detect vulnerabilities, misconfigurations, secrets, and license issues in container images across CI/CD pipelines and registries.

13,115 Updated today
mukul975
DevOps & Infrastructure Listed

vulnerability-scanning

Automated security scanning for dependencies, code, containers with Trivy, Snyk, npm audit. Use for CI/CD security gates, pre-deployment audits, compliance requirements, or encountering CVE detection, outdated packages, license compliance, SBOM generation errors.

43 Updated 3 months ago
diegosouzapw