vulnerability-scanning

# Vulnerability Scanning Automate security vulnerability detection across code, dependencies, and containers. ## Dependency Scanning ```bash # npm audit npm audit --audit-level=high # Snyk snyk test --severity-threshold=high # Safety (Python) safety check --full-report ``` ## Container Scanning (Trivy) ```bash # Scan container image trivy image myapp:latest --severity HIGH,CRITICAL # Scan filesystem trivy fs --scanners vuln,secret . ``` ## GitHub Actions Integration ```yaml name: Security Scan on: [push, pull_request] jobs: security: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: scan-type: 'fs' severity: 'CRITICAL,HIGH' exit-code: '1' - name: Run Snyk uses: snyk/actions/node@master env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: args: --severity-threshold=high - name: npm audit run: npm audit --audit-level=high ``` ## Code Analysis (Bandit for Python) ```bash bandit -r src/ -ll -ii ``` ## Node.js Scanner ```javascript const { execSync } = require('child_process'); function runSecurityScan() { const results = { npm: JSON.parse(execSync('npm audit --json').toString()), trivy: JSON.parse(execSync('trivy fs --format json .').toString()) }; const critical = results.npm.metadata?.vulnerabilities?.critical || 0; if (crit...