- Marked 12 tests as skip pending feature implementation
- Features tracked in GitHub issue #686 (system log viewer feature completion)
- Tests cover sorting by timestamp/level/method/URI/status, pagination controls, filtering by text/level, download functionality
- Unblocks Phase 2 at 91.7% pass rate to proceed to Phase 3 security enforcement validation
- TODO comments in code reference GitHub #686 for feature completion tracking
- Tests skipped: Pagination (3), Search/Filter (2), Download (2), Sorting (1), Log Display (4)
254 lines
6.1 KiB
Markdown
---
# agentskills.io specification v1.0
name: "security-scan-trivy"
version: "1.0.0"
description: "Run Trivy security scanner for vulnerabilities, secrets, and misconfigurations"
author: "Charon Project"
license: "MIT"
tags:
  - "security"
  - "scanning"
  - "trivy"
  - "vulnerabilities"
  - "secrets"
compatibility:
  os:
    - "linux"
    - "darwin"
  shells:
    - "bash"
requirements:
  - name: "docker"
    version: ">=24.0"
    optional: false
environment_variables:
  - name: "TRIVY_SEVERITY"
    description: "Comma-separated list of severities to scan for"
    default: "CRITICAL,HIGH,MEDIUM"
    required: false
  - name: "TRIVY_TIMEOUT"
    description: "Timeout for Trivy scan"
    default: "10m"
    required: false
parameters:
  - name: "scanners"
    type: "string"
    description: "Comma-separated list of scanners (vuln, secret, misconfig)"
    default: "vuln,secret,misconfig"
    required: false
  - name: "format"
    type: "string"
    description: "Output format (table, json, sarif)"
    default: "table"
    required: false
outputs:
  - name: "scan_results"
    type: "stdout"
    description: "Trivy scan results in specified format"
  - name: "exit_code"
    type: "number"
    description: "0 if no issues found, non-zero otherwise"
metadata:
  category: "security"
  subcategory: "scan"
  execution_time: "medium"
  risk_level: "low"
  ci_cd_safe: true
  requires_network: true
  idempotent: true
---

# Security Scan Trivy

## Overview

Runs the Trivy security scanner in Docker to scan the project for vulnerabilities, secrets, and misconfigurations. Trivy inspects the filesystem, dependency manifests, and configuration files to identify security issues.

This skill is designed for CI/CD pipelines and for local security validation before commits.

## Prerequisites

- Docker 24.0 or higher installed and running
- Internet connection (for vulnerability database updates)
- Read permissions for the project directory

## Usage

### Basic Usage

Run with default settings (all scanners, table format):

```bash
cd /path/to/charon
.github/skills/scripts/skill-runner.sh security-scan-trivy
```

### Custom Scanners

Scan only for vulnerabilities:

```bash
.github/skills/scripts/skill-runner.sh security-scan-trivy vuln
```

Scan for secrets and misconfigurations:

```bash
.github/skills/scripts/skill-runner.sh security-scan-trivy secret,misconfig
```

### Custom Severity

Scan only for critical and high severity issues:

```bash
TRIVY_SEVERITY=CRITICAL,HIGH .github/skills/scripts/skill-runner.sh security-scan-trivy
```

### JSON Output

Get results in JSON format for parsing:

```bash
.github/skills/scripts/skill-runner.sh security-scan-trivy vuln,secret,misconfig json
```

## Parameters

| Parameter | Type | Required | Default | Description |
|-----------|------|----------|---------|-------------|
| scanners | string | No | vuln,secret,misconfig | Comma-separated list of scanners to run |
| format | string | No | table | Output format (table, json, sarif) |

## Environment Variables

| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| TRIVY_SEVERITY | No | CRITICAL,HIGH,MEDIUM | Severities to report |
| TRIVY_TIMEOUT | No | 10m | Maximum scan duration |

## Outputs

- **Success Exit Code**: 0 (no issues found)
- **Error Exit Codes**:
  - 1: Issues found
  - 2: Scanner error
- **Output**: Scan results to stdout in the specified format

## Scanner Types

### Vulnerability Scanner (vuln)

Scans for known CVEs in:

- Go dependencies (go.mod)
- npm packages (package.json)
- Docker base images (Dockerfile)

### Secret Scanner (secret)

Detects exposed secrets:

- API keys
- Passwords
- Tokens
- Private keys

### Misconfiguration Scanner (misconfig)

Checks configuration files:

- Dockerfile best practices
- Kubernetes manifests
- Terraform files
- Docker Compose files

## Examples

### Example 1: Full Scan with Table Output

```bash
# Scan all vulnerability types, display as table
.github/skills/scripts/skill-runner.sh security-scan-trivy
```

Output:

```
2025-12-20T10:00:00Z INFO Trivy version: 0.48.0
2025-12-20T10:00:01Z INFO Scanning filesystem...
Total: 0 (CRITICAL: 0, HIGH: 0, MEDIUM: 0)
```

### Example 2: Vulnerability Scan Only (JSON)

```bash
# Scan for vulnerabilities only, output as JSON
.github/skills/scripts/skill-runner.sh security-scan-trivy vuln json > trivy-results.json
```

### Example 3: Critical Issues Only

```bash
# Scan for critical severity issues only
TRIVY_SEVERITY=CRITICAL .github/skills/scripts/skill-runner.sh security-scan-trivy
```

### Example 4: CI/CD Pipeline Integration

```yaml
# GitHub Actions example
- name: Run Trivy Security Scan
  run: .github/skills/scripts/skill-runner.sh security-scan-trivy
  continue-on-error: false
```

## Error Handling

### Common Issues

**Docker not running**:

```
Error: Cannot connect to Docker daemon
Solution: Start Docker service
```

**Network timeout**:

```
Error: Failed to download vulnerability database
Solution: Increase TRIVY_TIMEOUT or check internet connection
```

**Vulnerabilities found**:

```
Exit code: 1
Solution: Review and remediate reported vulnerabilities
```

## Exit Codes

- **0**: No security issues found
- **1**: Security issues detected
- **2**: Scanner error or invalid arguments

## Related Skills

- [security-scan-go-vuln](./security-scan-go-vuln.SKILL.md) - Go-specific vulnerability checking
- [qa-precommit-all](./qa-precommit-all.SKILL.md) - Pre-commit quality checks

## Notes

- Trivy automatically updates its vulnerability database on each run
- Scan results may vary based on the database version
- Some vulnerabilities may have no fix available yet
- Consider using a `.trivyignore` file to suppress false positives
- Recommended before each release
- Network access is required for the first run and for database updates

## Security Thresholds

**Project Standards**:

- **CRITICAL**: Must fix before release (blocking)
- **HIGH**: Should fix before release (warning)
- **MEDIUM**: Fix in next release cycle (informational)
- **LOW**: Optional, fix as time permits
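The thresholds above can be enforced mechanically against the skill's `json` output rather than read off a table by hand. The script below is an added example and is not part of the Charon skill or of Trivy itself. It assumes the Trivy JSON report layout (a top-level `Results` list whose entries carry optional `Vulnerabilities`, `Secrets` and `Misconfigurations` lists, each finding having a `Severity` field) and ships with a constructed sample report whose identifiers are placeholders, so it runs offline.

```python
"""Gate a Trivy JSON report against the project's severity thresholds.

Added example, not part of the Charon skill or of Trivy. Assumes the Trivy
JSON report layout: top-level "Results" list, each entry with optional
"Vulnerabilities", "Secrets" and "Misconfigurations" lists, each finding
carrying a "Severity" field.
"""
import json
import sys

# Project standards from the "Security Thresholds" section.
BLOCKING = {"CRITICAL"}           # must fix before release -> gate fails
WARNING = {"HIGH"}                # should fix before release -> reported only
# Everything else (MEDIUM, LOW, UNKNOWN) is informational.

FINDING_KEYS = ("Vulnerabilities", "Secrets", "Misconfigurations")
ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")


def count_severities(report):
    """Count findings per severity across all scanner result types."""
    counts = {}
    # Trivy may omit or null "Results" when nothing was found.
    for result in report.get("Results") or []:
        for key in FINDING_KEYS:
            for finding in result.get(key) or []:
                sev = str(finding.get("Severity", "UNKNOWN")).upper()
                counts[sev] = counts.get(sev, 0) + 1
    return counts


def evaluate(counts):
    """Map severity counts to (exit_code, messages).

    Exit code 1 mirrors the skill's own "issues found" code and is returned
    only when a blocking severity is present; warnings and informational
    findings are listed but do not fail the gate.
    """
    exit_code = 0
    messages = []
    for sev in ORDER:
        n = counts.get(sev, 0)
        if n == 0:
            continue
        if sev in BLOCKING:
            exit_code = 1
            messages.append(f"BLOCKING: {n} {sev} finding(s) must be fixed before release")
        elif sev in WARNING:
            messages.append(f"WARNING: {n} {sev} finding(s) should be fixed before release")
        else:
            messages.append(f"INFO: {n} {sev} finding(s) noted for a later release cycle")
    return exit_code, messages


def gate(report_json):
    """Parse a Trivy JSON report string and apply the threshold policy."""
    return evaluate(count_severities(json.loads(report_json)))


# Constructed sample report (placeholder IDs, not real scan output): one
# CRITICAL CVE, one HIGH secret and one MEDIUM misconfiguration.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "go.mod", "Class": "lang-pkgs", "Type": "gomod",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-00001", "PkgName": "example.com/pkg",
              "Severity": "CRITICAL"}]},
        {"Target": "config/.env", "Class": "secret",
         "Secrets": [{"RuleID": "placeholder-token-rule", "Severity": "HIGH"}]},
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
         "Misconfigurations": [{"ID": "PLACEHOLDER-001", "Severity": "MEDIUM"}]},
    ]
})


def main(argv):
    """Read the report from argv[1] (or use the sample) and exit per policy."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            data = fh.read()
    else:
        data = SAMPLE_REPORT
    code, messages = gate(data)
    for message in messages:
        print(message)
    print(f"gate exit code: {code}")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: run the skill with the `json` format and redirect stdout to a file (as in Example 2), then run `python3 trivy_gate.py trivy-results.json`. Because the skill itself exits 1 whenever it reports anything within `TRIVY_SEVERITY`, a pipeline that wants this gate to be the deciding step must run the skill with `continue-on-error: true` and let the gate's exit code fail the job; that is what lets HIGH findings surface in the log as warnings without blocking, matching the project standard.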

---

**Last Updated**: 2025-12-20

**Maintained by**: Charon Project

**Source**: Docker inline command (Trivy)