sca-trivy

What this skill does

# Software Composition Analysis with Trivy

## Overview

Trivy is a comprehensive security scanner for containers, filesystems, and git repositories. It detects
vulnerabilities (CVEs) in OS packages and application dependencies, IaC misconfigurations, exposed secrets,
and software licenses. This skill provides workflows for vulnerability scanning, SBOM generation, CI/CD
integration, and remediation prioritization aligned with CVSS and OWASP standards.

## Quick Start

Scan a container image for vulnerabilities:

```bash
# Install Trivy
brew install trivy  # macOS
# or: apt-get install trivy  # Debian/Ubuntu
# or: docker pull aquasec/trivy:latest

# Scan container image
trivy image nginx:latest

# Scan local filesystem for dependencies
trivy fs .

# Scan IaC files for misconfigurations
trivy config .

# Generate SBOM
trivy image --format cyclonedx --output sbom.json nginx:latest
```

## Core Workflows

### Workflow 1: Container Image Security Assessment

Progress:
[ ] 1. Identify target container image (repository:tag)
[ ] 2. Run comprehensive Trivy scan with `trivy image <image-name>`
[ ] 3. Analyze vulnerability findings by severity (CRITICAL, HIGH, MEDIUM, LOW)
[ ] 4. Map CVE findings to CWE categories and OWASP references
[ ] 5. Check for available patches and updated base images
[ ] 6. Generate prioritized remediation report with upgrade recommendations

Work through each step systematically. Check off completed items.

### Workflow 2: Dependency Vulnerability Scanning

Scan project dependencies for known vulnerabilities:

```bash
# Scan filesystem for all dependencies
trivy fs --severity CRITICAL,HIGH .

# Scan specific package manifest
trivy fs --scanners vuln package-lock.json

# Generate JSON report for analysis
trivy fs --format json --output trivy-report.json .

# Generate SARIF for GitHub/GitLab integration
trivy fs --format sarif --output trivy.sarif .
```

For each vulnerability:
1. Review CVE details and CVSS score
2. Check if fixed version is available
3. Consult `references/remediation_guide.md` for language-specific guidance
4. Update dependency to patched version
5. Re-scan to validate fix

### Workflow 3: Infrastructure as Code Security

Detect misconfigurations in IaC files:

```bash
# Scan Terraform configurations
trivy config ./terraform --severity CRITICAL,HIGH

# Scan Kubernetes manifests
trivy config ./k8s --severity CRITICAL,HIGH

# Scan Dockerfile best practices
trivy config --file-patterns dockerfile:Dockerfile .

# Generate report with remediation guidance
trivy config --format json --output iac-findings.json .
```

Review findings by category:
- **Security**: Authentication, authorization, encryption
- **Compliance**: CIS benchmarks, security standards
- **Best Practices**: Resource limits, immutability, least privilege

### Workflow 4: CI/CD Pipeline Integration

#### GitHub Actions

```yaml
name: Trivy Security Scan
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'

      - name: Upload results to GitHub Security
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
```

#### GitLab CI

```yaml
trivy-scan:
  stage: test
  image: aquasec/trivy:latest
  script:
    - trivy fs --exit-code 1 --severity CRITICAL,HIGH --format json --output trivy-report.json .
  artifacts:
    reports:
      dependency_scanning: trivy-report.json
    when: always
  allow_failure: false
```

Use bundled templates from `assets/ci_integration/` for additional platforms.

### Workflow 5: SBOM Generation

Generate Software Bill of Materials for supply chain transparency:

```bash
# Generate CycloneDX SBOM
trivy image --format cyclonedx --output sbom-cyclonedx.json nginx:latest

# Generate SPDX SBOM
trivy image --format spdx-json --output sbom-spdx.json nginx:latest

# SBOM for filesystem/project
trivy fs --format cyclonedx --output project-sbom.json .
```

SBOM use cases:
- **Vulnerability tracking**: Monitor dependencies for new CVEs
- **License compliance**: Identify license obligations and risks
- **Supply chain security**: Verify component provenance
- **Regulatory compliance**: Meet CISA SBOM requirements

## Security Considerations

### Sensitive Data Handling

- **Registry credentials**: Use environment variables or credential helpers, never hardcode
- **Scan reports**: Contain vulnerability details and package versions - treat as sensitive
- **SBOM files**: May reveal internal architecture - control access appropriately
- **Secret scanning**: Enable with `--scanners secret` to detect exposed credentials in images

### Access Control

- **Container registry access**: Requires pull permissions for image scanning
- **Filesystem access**: Read permissions for dependency manifests and IaC files
- **CI/CD integration**: Secure API tokens and registry credentials in secrets management
- **Report storage**: Restrict access to vulnerability reports and SBOM artifacts

### Audit Logging

Log the following for compliance and incident response:
- Scan execution timestamps and scope (image, filesystem, repository)
- Vulnerability counts by severity level
- Policy violations and blocking decisions
- SBOM generation and distribution events
- Remediation actions and version updates

### Compliance Requirements

- **PCI-DSS 6.2**: Ensure system components protected from known vulnerabilities
- **SOC2 CC7.1**: Detect and act upon changes that could affect security
- **NIST 800-53 SI-2**: Flaw remediation and vulnerability scanning
- **CIS Benchmarks**: Container and Kubernetes security hardening
- **OWASP Top 10 A06**: Vulnerable and Outdated Components
- **CWE-1104**: Use of Unmaintained Third-Party Components

## Bundled Resources

### Scripts (`scripts/`)

- `trivy_scan.py` - Comprehensive scanning with JSON/SARIF output and severity filtering
- `sbom_generator.py` - SBOM generation with CycloneDX and SPDX format support
- `vulnerability_report.py` - Parse Trivy output and generate remediation reports with CVSS scores
- `baseline_manager.py` - Baseline creation for tracking new vulnerabilities only

### References (`references/`)

- `scanner_types.md` - Detailed guide for vulnerability, misconfiguration, secret, and license scanning
- `remediation_guide.md` - Language and ecosystem-specific remediation strategies
- `cvss_prioritization.md` - CVSS score interpretation and vulnerability prioritization framework
- `iac_checks.md` - Complete list of IaC security checks with CIS benchmark mappings

### Assets (`assets/`)

- `trivy.yaml` - Custom Trivy configuration with security policies and ignore rules
- `ci_integration/github-actions.yml` - Complete GitHub Actions workflow with security gates
- `ci_integration/gitlab-ci.yml` - Complete GitLab CI pipeline with dependency scanning
- `ci_integration/jenkins.groovy` - Jenkins pipeline with Trivy integration
- `policy_template.rego` - OPA policy template for custom vulnerability policies

## Common Patterns

### Pattern 1: Multi-Stage Security Scanning

Comprehensive security assessment combining multiple scan types:

```bash
# 1. Scan container image for vulnerabilities
trivy image --severity CRITICAL,HIGH myapp:latest

# 2. Scan IaC for misconfigurations
trivy config ./infrastructure --severity CRITICAL,HIGH

# 3. Scan filesystem for dependency vulnerabilities
trivy fs --severity CRITICAL,HIGH ./app

# 4. Scan for exposed secrets
trivy fs --scanners secret ./app

# 5. Generate comprehensive SBOM
trivy image --format cyclonedx --output sbom.json myapp:latest
```

### Pattern 2: Baseline Vulnerability Tracking

Implement baseline scanning to track only new vulnerabilities:

```bash
# Initial scan - create baseline
trivy image --format js