Charon/.github/skills/security-scan-trivy.SKILL.md
akanealw eec8c28fb3
2026-04-22 18:19:14 +00:00

Skill metadata

  • name: security-scan-trivy
  • version: 1.0.0
  • description: Run Trivy security scanner for vulnerabilities, secrets, and misconfigurations
  • author: Charon Project
  • license: MIT
  • tags: security, scanning, trivy, vulnerabilities, secrets
  • compatibility:
    • os: linux, darwin
    • shells: bash
  • requirements:
    • docker (version >=24.0, optional: false)
  • environment_variables:
    • TRIVY_SEVERITY: Comma-separated list of severities to scan for (default: CRITICAL,HIGH,MEDIUM; required: false)
    • TRIVY_TIMEOUT: Timeout for Trivy scan (default: 10m; required: false)
  • parameters:
    • scanners (string): Comma-separated list of scanners (vuln, secret, misconfig) (default: vuln,secret,misconfig; required: false)
    • format (string): Output format (table, json, sarif) (default: table; required: false)
  • outputs:
    • scan_results (stdout): Trivy scan results in specified format
    • exit_code (number): 0 if no issues found, non-zero otherwise
  • metadata:
    • category: security
    • subcategory: scan
    • execution_time: medium
    • risk_level: low
    • ci_cd_safe: true
    • requires_network: true
    • idempotent: true

Security Scan Trivy

Overview

Executes the Trivy security scanner via Docker to scan the project for vulnerabilities, secrets, and misconfigurations. Trivy scans the filesystem, dependencies, and configuration files to identify security issues.

This skill is designed for CI/CD pipelines and local security validation before commits.

Prerequisites

  • Docker 24.0 or higher installed and running
  • Internet connection (for vulnerability database updates)
  • Read permissions for project directory

Usage

Basic Usage

Run with default settings (all scanners, table format):

cd /path/to/charon
.github/skills/scripts/skill-runner.sh security-scan-trivy

Custom Scanners

Scan only for vulnerabilities:

.github/skills/scripts/skill-runner.sh security-scan-trivy vuln

Scan for secrets and misconfigurations:

.github/skills/scripts/skill-runner.sh security-scan-trivy secret,misconfig

Custom Severity

Scan only for critical and high severity issues:

TRIVY_SEVERITY=CRITICAL,HIGH .github/skills/scripts/skill-runner.sh security-scan-trivy

JSON Output

Get results in JSON format for parsing:

.github/skills/scripts/skill-runner.sh security-scan-trivy vuln,secret,misconfig json

Parameters

  • scanners (string, optional, default: vuln,secret,misconfig): Comma-separated list of scanners to run
  • format (string, optional, default: table): Output format (table, json, sarif)

Environment Variables

  • TRIVY_SEVERITY (optional, default: CRITICAL,HIGH,MEDIUM): Severities to report
  • TRIVY_TIMEOUT (optional, default: 10m): Maximum scan duration

Outputs

  • Success Exit Code: 0 (no issues found)
  • Error Exit Codes:
    • 1: Issues found
    • 2: Scanner error
  • Output: Scan results to stdout in specified format

Scanner Types

Vulnerability Scanner (vuln)

Scans for known CVEs in:

  • Go dependencies (go.mod)
  • npm packages (package.json)
  • Docker base images (Dockerfile)

Secret Scanner (secret)

Detects exposed secrets:

  • API keys
  • Passwords
  • Tokens
  • Private keys

Misconfiguration Scanner (misconfig)

Checks configuration files:

  • Dockerfile best practices
  • Kubernetes manifests
  • Terraform files
  • Docker Compose files

Examples

Example 1: Full Scan with Table Output

# Scan all vulnerability types, display as table
.github/skills/scripts/skill-runner.sh security-scan-trivy

Output:

2025-12-20T10:00:00Z	INFO	Trivy version: 0.48.0
2025-12-20T10:00:01Z	INFO	Scanning filesystem...
Total: 0 (CRITICAL: 0, HIGH: 0, MEDIUM: 0)

Example 2: Vulnerability Scan Only (JSON)

# Scan for vulnerabilities only, output as JSON
.github/skills/scripts/skill-runner.sh security-scan-trivy vuln json > trivy-results.json

Example 3: Critical Issues Only

# Scan for critical severity issues only
TRIVY_SEVERITY=CRITICAL .github/skills/scripts/skill-runner.sh security-scan-trivy

Example 4: CI/CD Pipeline Integration

# GitHub Actions example
- name: Run Trivy Security Scan
  run: .github/skills/scripts/skill-runner.sh security-scan-trivy
  continue-on-error: false

Error Handling

Common Issues

Docker not running:

Error: Cannot connect to Docker daemon
Solution: Start Docker service

Network timeout:

Error: Failed to download vulnerability database
Solution: Increase TRIVY_TIMEOUT or check internet connection

Vulnerabilities found:

Exit code: 1
Solution: Review and remediate reported vulnerabilities

Exit Codes

  • 0: No security issues found
  • 1: Security issues detected
  • 2: Scanner error or invalid arguments

Notes

  • Trivy automatically updates its vulnerability database on each run
  • Scan results may vary based on database version
  • Some vulnerabilities may have no fix available yet
  • Consider using a .trivyignore file to suppress false positives
  • Run the scan before each release (recommended)
  • Network access required for first run and database updates

Security Thresholds

Project Standards:

  • CRITICAL: Must fix before release (blocking)
  • HIGH: Should fix before release (warning)
  • MEDIUM: Fix in next release cycle (informational)
  • LOW: Optional, fix as time permits
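The following is an added example, not the Charon skill's own code: it composes the Docker-based `trivy fs` invocation the Usage section describes (honouring TRIVY_SEVERITY and TRIVY_TIMEOUT), then applies the Project Standards above to the JSON report from the JSON Output section, blocking only on CRITICAL and mapping the result to the documented exit codes. The image tag `aquasec/trivy:0.48.0`, the `/src` mount path and the sample report contents are assumptions.

```python
"""Added example (not the Charon skill's code): run Trivy via Docker and gate on Project Standards."""
import json
import os
import subprocess
import sys

EXIT_OK, EXIT_ISSUES, EXIT_ERROR = 0, 1, 2   # exit codes as the skill documents them


def build_command(scanners="vuln,secret,misconfig", severity=None, timeout=None, src="."):
    """`docker run` of `trivy fs` using real Trivy flags; JSON output so it can be parsed.
    Image tag is assumed from the Trivy version in the page's sample output."""
    severity = severity or os.environ.get("TRIVY_SEVERITY", "CRITICAL,HIGH,MEDIUM")
    timeout = timeout or os.environ.get("TRIVY_TIMEOUT", "10m")
    return ["docker", "run", "--rm", "-v", f"{src}:/src:ro", "aquasec/trivy:0.48.0", "fs",
            "--scanners", scanners, "--severity", severity, "--format", "json",
            "--timeout", timeout, "--exit-code", "1", "/src"]


def gate(report):
    """CRITICAL blocks (exit 1), HIGH warns, MEDIUM is informational, LOW passes.
    Also counts vulnerabilities with no FixedVersion, which the notes say may exist."""
    counts, unfixed = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "LOW": 0}, 0
    for result in report.get("Results", []):
        for key in ("Vulnerabilities", "Misconfigurations", "Secrets"):
            for finding in result.get(key) or []:
                sev = finding.get("Severity", "UNKNOWN")
                counts[sev] = counts.get(sev, 0) + 1
                unfixed += int(key == "Vulnerabilities" and not finding.get("FixedVersion"))
    verdict = ("block" if counts["CRITICAL"] else "warn" if counts["HIGH"]
               else "info" if counts["MEDIUM"] else "pass")
    code = EXIT_ISSUES if verdict == "block" else EXIT_OK
    return {"exit_code": code, "verdict": verdict, "counts": counts, "unfixed": unfixed}


SAMPLE_REPORT = {"Results": [  # constructed sample in the shape of a Trivy JSON report
    {"Target": "go.mod", "Vulnerabilities": [
        {"VulnerabilityID": "EXAMPLE-0001", "Severity": "HIGH", "FixedVersion": "1.0.1"},
        {"VulnerabilityID": "EXAMPLE-0002", "Severity": "MEDIUM", "FixedVersion": ""}]},
    {"Target": "Dockerfile", "Misconfigurations": [{"ID": "EXAMPLE-MISCONF", "Severity": "HIGH"}]}]}


def main(argv):
    """Run the scan and gate it; Trivy exits 0 or 1 when it produced a report, anything else is an error."""
    proc = subprocess.run(build_command(*argv[1:2]), capture_output=True, text=True)
    if proc.returncode not in (0, 1) or not proc.stdout.strip():
        sys.stderr.write(proc.stderr)
        return EXIT_ERROR
    verdict = gate(json.loads(proc.stdout))
    print(json.dumps(verdict, indent=2))
    return verdict["exit_code"]


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the project root as `python3 trivy_gate.py vuln,secret,misconfig`; the JSON it prints separates the blocking count from findings that have no fix available yet.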

Last Updated: 2025-12-20
Maintained by: Charon Project
Source: Docker inline command (Trivy)