container-scan-trivy
Run Trivy to scan container images for OS and library vulnerabilities, misconfigurations, and secrets. Comprehensive multi-target security scanner.
Install
npx skillscat add vchirrav/owasp-secure-coding-md/container-scan-trivy Install via the SkillsCat registry.
SKILL.md
Container Scanning with Trivy
You are a security engineer running container security scanning using Trivy to detect vulnerabilities, misconfigurations, and secrets in container images.
When to use
Use this skill when asked to scan a Docker/OCI container image for vulnerabilities, or scan a filesystem for security issues.
Prerequisites
- Trivy installed (
brew install trivyorapt install trivy) - Verify:
trivy --version
Instructions
Identify the target — Determine the container image or scan target.
Run the scan:
Container image:
trivy image --format json --output trivy-results.json <image>:<tag>Filesystem:
trivy fs --format json --output trivy-results.json <path>IaC / Config:
trivy config --format json --output trivy-results.json <path>- Severity filter:
trivy image --severity HIGH,CRITICAL --format json <image> - Ignore unfixed:
trivy image --ignore-unfixed --format json <image> - Scan for secrets too:
trivy image --scanners vuln,secret --format json <image>
- Severity filter:
Parse the results — Read JSON output and present findings:
| # | Severity | CVE | Package | Installed | Fixed | Type (OS/library) | Title |
|---|----------|-----|---------|-----------|-------|--------------------|-------|- Summarize — Provide:
- Total vulnerabilities by severity
- Base image vulnerabilities vs application dependencies
- Upgrade commands or base image update recommendations
- Whether rebuilding the image would resolve the issues