trivy
This skill should be used when scanning container images, filesystems, or repositories for vulnerabilities using Trivy. Use for CVE detection, security analysis, vulnerability comparison across image versions, understanding scan output (severity levels, status fields), and batch scanning multiple images.
What this skill does
# Trivy Vulnerability Scanner

## Core Commands

### Node.js / Filesystem Scanning

```bash
# Scan current directory for vulnerabilities (package.json/package-lock.json)
trivy fs --scanners vuln .

# Include dev dependencies (devDependencies in package.json)
trivy fs --scanners vuln --include-dev-deps .

# Scan specific package-lock.json file
trivy fs --scanners vuln package-lock.json

# JSON output for CI/CD pipelines
trivy fs --scanners vuln --format json -o results.json .

# Report HIGH/CRITICAL only (add --exit-code 1 to fail the build on findings)
trivy fs --scanners vuln --severity HIGH,CRITICAL .

# Scan a repository (GitHub URL)
trivy repo --scanners vuln https://github.com/org/repo
```

**Supported Node.js files:**

- `package.json` + `package-lock.json` (npm)
- `yarn.lock` (Yarn)
- `pnpm-lock.yaml` (pnpm)

### Basic Image Scanning

```bash
# Scan with severity filter (recommended)
trivy image --severity HIGH,CRITICAL <image:tag>

# All severities
trivy image <image:tag>

# JSON output for automation
trivy image --format json --output results.json <image:tag>
```

### Common Patterns

```bash
# Compare two versions
trivy image --severity HIGH,CRITICAL image:18.3.2 > v1.txt
trivy image --severity HIGH,CRITICAL image:18.4.0 > v2.txt
diff v1.txt v2.txt

# Batch scan multiple images (use provided script)
scripts/batch_scan.sh alpine:latest nginx:latest postgres:16

# Compare versions (use provided script)
scripts/compare_versions.sh public.ecr.aws/org/image 18.3.2 18.4.0 18.5.0
```

## Output Formats

```bash
# Table (default, human-readable)
trivy image --format table <image:tag>

# JSON (machine-readable)
trivy image --format json <image:tag>

# SARIF (GitHub/GitLab integration)
trivy image --format sarif <image:tag>
```

## Scanner Types

Use `--scanners` to control what Trivy scans:

```bash
# Vulnerability only (faster, recommended)
trivy image --scanners vuln <image:tag>

# Vulnerabilities + secrets
trivy image --scanners vuln,secret <image:tag>

# All scanners (vuln, secret, misconfig, license), requested explicitly
trivy image --scanners vuln,secret,misconfig,license <image:tag>
```

**Default:** All scanners enabled. Use `--scanners vuln` to disable secret scanning for faster scans.

## Performance Options

```bash
# Skip database update (use cached DB)
trivy image --skip-db-update <image:tag>

# Skip version check notification
trivy image --skip-version-check <image:tag>

# Disable secret scanning (faster)
trivy image --scanners vuln <image:tag>
```

## Understanding Output

For detailed interpretation of Trivy output including status fields, severity levels, and false positives, see [output_interpretation.md](references/output_interpretation.md).

**Quick reference:**

- **Status `fixed`**: Patch available (check Fixed Version column)
- **Status `affected`**: No fix available yet
- **Status `will_not_fix`**: Vendor won't patch
- **False positives**: Status shows `fixed` but CVE still appears (common with Go binaries)

## Common Use Cases

### Compare Vulnerabilities Across Versions

Use the provided script:

```bash
scripts/compare_versions.sh public.ecr.aws/org/image 14.4.1 15.5.4 16.5.9 17.7.10 18.0.0
```

Or manually:

```bash
for version in 14.4.1 15.5.4 16.5.9; do
  trivy image --severity HIGH,CRITICAL image:$version > scan-$version.txt
done
```

### Track Specific CVEs

```bash
# Scan and grep for specific CVE
trivy image <image:tag> | grep CVE-2025-6020

# JSON query for specific CVE ("[]?" skips results whose Vulnerabilities field is null)
trivy image --format json <image:tag> | \
  jq '.Results[].Vulnerabilities[]? | select(.VulnerabilityID == "CVE-2025-6020")'
```

### CI/CD Integration

```bash
# Fail build on HIGH/CRITICAL findings
trivy image --exit-code 1 --severity HIGH,CRITICAL <image:tag>

# Generate SARIF for GitHub
trivy image --format sarif --output trivy-results.sarif <image:tag>
```

## Batch Scanning

For scanning multiple images efficiently:

```bash
# Use provided script (scans in parallel)
scripts/batch_scan.sh image1:tag1 image2:tag2 image3:tag3

# Configure parallelism
TRIVY_MAX_PARALLEL=10 scripts/batch_scan.sh image1 image2 image3

# Custom output directory
TRIVY_OUTPUT_DIR=./scans scripts/batch_scan.sh image1 image2
```

## Filtering and Ignoring

```bash
# Only show vulnerabilities with fixes
trivy image --ignore-unfixed <image:tag>

# Ignore specific CVEs (.trivyignore file); lines starting with # are comments,
# so record the reason for each entry next to it
cat > .trivyignore <<EOF
# Not reachable: affected component is not used by this image
CVE-2022-36633
# Accepted risk, reviewed by security team (replace with your ticket reference)
CVE-2023-12345
EOF
trivy image <image:tag>
```

## Best Practices

1. **Always filter by severity** for focused analysis: `--severity HIGH,CRITICAL`
2. **Use JSON for automation** to enable scripting and parsing
3. **Disable secret scanning** when not needed: `--scanners vuln`
4. **Skip DB updates** in CI/CD after initial download: `--skip-db-update`
5. **Verify "fixed" status** - check whether the installed version is already >= the fixed version (false positives are common)
6. **Use provided scripts** for comparing versions or batch scanning
7. **Document ignored CVEs** in `.trivyignore` with comments explaining why

## Troubleshooting

**Slow scans:**

```bash
trivy image --scanners vuln --skip-db-update <image:tag>
```

**Too many false positives:**

```bash
trivy image --ignore-unfixed <image:tag>
```

**Database update failures:**

```bash
trivy image --download-db-only
```

## References

- [Output Interpretation Guide](references/output_interpretation.md) - Detailed guide for understanding scan results
- [Official Documentation](https://aquasecurity.github.io/trivy/)
- [GitHub Repository](https://github.com/aquasecurity/trivy)
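The "verify fixed status" best practice and the JSON-for-automation advice above can be combined into a small triage step. The script below is an added example, not part of the Trivy project or this skill's scripts: it parses the `Results[].Vulnerabilities[]` structure that `trivy --format json` emits (fields `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`, `Status`), counts findings by severity, keeps HIGH/CRITICAL findings that still need action, and flags `fixed` findings whose installed version is already at or above the fixed version as likely false positives. The report content and CVE identifiers are constructed, and the version comparison is a loose numeric one (an assumption; distro epochs and letter suffixes are not handled).

```python
"""Triage a Trivy JSON report: severity counts plus likely-false-positive detection."""
import json
import re
from collections import Counter

# Constructed sample in the shape of `trivy image --format json` output (not a real scan).
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "example:1.0 (alpine 3.19)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
         "InstalledVersion": "3.1.4-r5", "FixedVersion": "3.1.5-r0",
         "Severity": "HIGH", "Status": "fixed"},            # real gap: needs an upgrade
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "golang.org/x/net",
         "InstalledVersion": "0.23.0", "FixedVersion": "0.17.0, 0.20.0",
         "Severity": "CRITICAL", "Status": "fixed"},        # installed >= fixed: likely FP
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "busybox",
         "InstalledVersion": "1.36.1-r15", "FixedVersion": "",
         "Severity": "MEDIUM", "Status": "affected"},       # no fix yet, below threshold
    ]}]})


def version_key(version):
    """Loose numeric key: '3.1.4-r5' -> (3, 1, 4, 5). Assumption: good enough as a hint,
    not a verdict; confirm against the package manager before suppressing anything."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def triage(report_json, min_severity=("HIGH", "CRITICAL")):
    """Return (severity_counts, actionable_ids, likely_false_positive_ids)."""
    report = json.loads(report_json)
    counts, actionable, suspect = Counter(), [], []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:   # field is null when clean
            counts[vuln["Severity"]] += 1
            # Trivy may list several fixed versions (one per release branch), comma-separated.
            fixed = [f.strip() for f in vuln.get("FixedVersion", "").split(",") if f.strip()]
            installed = version_key(vuln["InstalledVersion"])
            already_patched = vuln.get("Status") == "fixed" and any(
                installed >= version_key(f) for f in fixed)
            if already_patched:
                suspect.append(vuln["VulnerabilityID"])
            elif vuln["Severity"] in min_severity:
                actionable.append(vuln["VulnerabilityID"])
    return counts, actionable, suspect


if __name__ == "__main__":
    counts, actionable, suspect = triage(SAMPLE_REPORT)
    print("by severity:", dict(counts))
    print("actionable HIGH/CRITICAL:", actionable)
    print("likely false positives (installed >= fixed):", suspect)
```

Run it against real output with `trivy image --format json -o results.json <image:tag>` and pass the file contents to `triage`; the suspect list is what to review by hand before adding anything to `.trivyignore`.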