chore: clean .gitignore cache
253
.github/skills/security-scan-trivy.SKILL.md
vendored
@@ -1,253 +0,0 @@
---
# agentskills.io specification v1.0
name: "security-scan-trivy"
version: "1.0.0"
description: "Run Trivy security scanner for vulnerabilities, secrets, and misconfigurations"
author: "Charon Project"
license: "MIT"
tags:
- "security"
- "scanning"
- "trivy"
- "vulnerabilities"
- "secrets"
compatibility:
os:
- "linux"
- "darwin"
shells:
- "bash"
requirements:
- name: "docker"
version: ">=24.0"
optional: false
environment_variables:
- name: "TRIVY_SEVERITY"
description: "Comma-separated list of severities to scan for"
default: "CRITICAL,HIGH,MEDIUM"
required: false
- name: "TRIVY_TIMEOUT"
description: "Timeout for Trivy scan"
default: "10m"
required: false
parameters:
- name: "scanners"
type: "string"
description: "Comma-separated list of scanners (vuln, secret, misconfig)"
default: "vuln,secret,misconfig"
required: false
- name: "format"
type: "string"
description: "Output format (table, json, sarif)"
default: "table"
required: false
outputs:
- name: "scan_results"
type: "stdout"
description: "Trivy scan results in specified format"
- name: "exit_code"
type: "number"
description: "0 if no issues found, non-zero otherwise"
metadata:
category: "security"
subcategory: "scan"
execution_time: "medium"
risk_level: "low"
ci_cd_safe: true
requires_network: true
idempotent: true
---

# Security Scan Trivy

## Overview

Executes Trivy security scanner using Docker to scan the project for vulnerabilities, secrets, and misconfigurations. Trivy scans filesystem, dependencies, and configuration files to identify security issues.

This skill is designed for CI/CD pipelines and local security validation before commits.

## Prerequisites

- Docker 24.0 or higher installed and running
- Internet connection (for vulnerability database updates)
- Read permissions for project directory

## Usage

### Basic Usage

Run with default settings (all scanners, table format):

```bash
cd /path/to/charon
.github/skills/scripts/skill-runner.sh security-scan-trivy
```

### Custom Scanners

Scan only for vulnerabilities:

```bash
.github/skills/scripts/skill-runner.sh security-scan-trivy vuln
```

Scan for secrets and misconfigurations:

```bash
.github/skills/scripts/skill-runner.sh security-scan-trivy secret,misconfig
```

### Custom Severity

Scan only for critical and high severity issues:

```bash
TRIVY_SEVERITY=CRITICAL,HIGH .github/skills/scripts/skill-runner.sh security-scan-trivy
```

### JSON Output

Get results in JSON format for parsing:

```bash
.github/skills/scripts/skill-runner.sh security-scan-trivy vuln,secret,misconfig json
```

## Parameters

| Parameter | Type | Required | Default | Description |
|-----------|------|----------|---------|-------------|
| scanners | string | No | vuln,secret,misconfig | Comma-separated list of scanners to run |
| format | string | No | table | Output format (table, json, sarif) |

## Environment Variables

| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| TRIVY_SEVERITY | No | CRITICAL,HIGH,MEDIUM | Severities to report |
| TRIVY_TIMEOUT | No | 10m | Maximum scan duration |

## Outputs

- **Success Exit Code**: 0 (no issues found)
- **Error Exit Codes**:
- 1: Issues found
- 2: Scanner error
- **Output**: Scan results to stdout in specified format

## Scanner Types

### Vulnerability Scanner (vuln)
Scans for known CVEs in:
- Go dependencies (go.mod)
- npm packages (package.json)
- Docker base images (Dockerfile)

### Secret Scanner (secret)
Detects exposed secrets:
- API keys
- Passwords
- Tokens
- Private keys

### Misconfiguration Scanner (misconfig)
Checks configuration files:
- Dockerfile best practices
- Kubernetes manifests
- Terraform files
- Docker Compose files

## Examples

### Example 1: Full Scan with Table Output

```bash
# Scan all vulnerability types, display as table
.github/skills/scripts/skill-runner.sh security-scan-trivy
```

Output:
```
2025-12-20T10:00:00Z INFO Trivy version: 0.48.0
2025-12-20T10:00:01Z INFO Scanning filesystem...
Total: 0 (CRITICAL: 0, HIGH: 0, MEDIUM: 0)
```

### Example 2: Vulnerability Scan Only (JSON)

```bash
# Scan for vulnerabilities only, output as JSON
.github/skills/scripts/skill-runner.sh security-scan-trivy vuln json > trivy-results.json
```

### Example 3: Critical Issues Only

```bash
# Scan for critical severity issues only
TRIVY_SEVERITY=CRITICAL .github/skills/scripts/skill-runner.sh security-scan-trivy
```

### Example 4: CI/CD Pipeline Integration

```yaml
# GitHub Actions example
- name: Run Trivy Security Scan
run: .github/skills/scripts/skill-runner.sh security-scan-trivy
continue-on-error: false
```

## Error Handling

### Common Issues

**Docker not running**:
```bash
Error: Cannot connect to Docker daemon
Solution: Start Docker service
```

**Network timeout**:
```bash
Error: Failed to download vulnerability database
Solution: Increase TRIVY_TIMEOUT or check internet connection
```

**Vulnerabilities found**:
```bash
Exit code: 1
Solution: Review and remediate reported vulnerabilities
```

## Exit Codes

- **0**: No security issues found
- **1**: Security issues detected
- **2**: Scanner error or invalid arguments

## Related Skills

- [security-scan-go-vuln](./security-scan-go-vuln.SKILL.md) - Go-specific vulnerability checking
- [qa-precommit-all](./qa-precommit-all.SKILL.md) - Pre-commit quality checks

## Notes

- Trivy automatically updates its vulnerability database on each run
- Scan results may vary based on database version
- Some vulnerabilities may have no fix available yet
- Consider using `.trivyignore` file to suppress false positives
- Recommended to run before each release
- Network access required for first run and database updates

## Security Thresholds

**Project Standards**:
- **CRITICAL**: Must fix before release (blocking)
- **HIGH**: Should fix before release (warning)
- **MEDIUM**: Fix in next release cycle (informational)
- **LOW**: Optional, fix as time permits

---

**Last Updated**: 2025-12-20
**Maintained by**: Charon Project
**Source**: Docker inline command (Trivy)
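Review bot: the commit message ("chore: clean .gitignore cache") does not describe this hunk, which deletes all 253 lines of `.github/skills/security-scan-trivy.SKILL.md`, the only documentation of the `security-scan-trivy` skill's contract (the `scanners` and `format` parameters, `TRIVY_SEVERITY` and `TRIVY_TIMEOUT`, exit codes 0/1/2, and the CRITICAL-blocking release threshold). If the file was an ignored artifact that was committed by mistake, say so in the message and confirm nothing still depends on it: Example 4 shows CI invoking `.github/skills/scripts/skill-runner.sh security-scan-trivy` with `continue-on-error: false`, and the Related Skills section links to `security-scan-go-vuln.SKILL.md` and `qa-precommit-all.SKILL.md`, which may link back. If the skill is meant to stay, two points in the deleted text are worth fixing when it is restored: the frontmatter `exit_code` output reads "0 if no issues found, non-zero otherwise", while the Outputs and Exit Codes sections distinguish 1 (issues found) from 2 (scanner error or invalid arguments), and a pipeline should fail differently on a broken scanner than on findings; and the default `TRIVY_SEVERITY` of `CRITICAL,HIGH,MEDIUM` means the LOW tier listed under Security Thresholds is never reported unless the variable is overridden.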