implementing-aqua-security-for-container-scanning

Deploy Aqua Security's Trivy scanner to detect vulnerabilities, misconfigurations, secrets, and license issues in container images across CI/CD pipelines and registries.

16 stars

Best use case

implementing-aqua-security-for-container-scanning is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using implementing-aqua-security-for-container-scanning should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

```bash
curl -o ~/.claude/skills/implementing-aqua-security-for-container-scanning/SKILL.md --create-dirs "https://raw.githubusercontent.com/diegosouzapw/awesome-omni-skill/main/skills/devops/implementing-aqua-security-for-container-scanning/SKILL.md"
```

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/implementing-aqua-security-for-container-scanning/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How implementing-aqua-security-for-container-scanning Compares

| Feature / Agent | implementing-aqua-security-for-container-scanning | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |

Frequently Asked Questions

What does this skill do?

Deploy Aqua Security's Trivy scanner to detect vulnerabilities, misconfigurations, secrets, and license issues in container images across CI/CD pipelines and registries.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Implementing Aqua Security for Container Scanning

## Overview

Aqua Security provides Trivy, the world's most popular open-source universal security scanner, designed to find vulnerabilities, misconfigurations, secrets, SBOM data, and license issues in containers, Kubernetes, code repositories, and cloud environments. Trivy covers OS packages (Alpine, Debian, Ubuntu, RHEL, etc.) and language-specific dependencies (npm, pip, Maven, Go modules, Cargo, etc.) with vulnerability databases sourced from NVD, vendor advisories, and GitHub Security Advisories. The enterprise Aqua Platform extends Trivy with centralized policy management, runtime protection, and compliance reporting.

## Prerequisites

- Docker installed for local image scanning
- CI/CD platform (GitHub Actions, GitLab CI, Jenkins, etc.)
- Container registry access (Docker Hub, ECR, GCR, ACR, Harbor)
- Trivy CLI (`trivy`) or Trivy Operator for Kubernetes
- Aqua Platform license for enterprise features (optional)

## Core Scanning Capabilities

### Image Vulnerability Scanning

Trivy scans container images layer by layer, identifying CVEs in OS packages and application dependencies. It supports scanning local images, remote registry images, and tar archives.

```bash
# Scan a remote image
trivy image python:3.11-slim

# Scan with severity filter
trivy image --severity HIGH,CRITICAL nginx:latest

# Scan and fail CI if critical CVEs found
trivy image --exit-code 1 --severity CRITICAL myapp:latest

# Generate SBOM in CycloneDX format
trivy image --format cyclonedx --output sbom.json myapp:latest
```

### Filesystem and Repository Scanning

```bash
# Scan project directory for vulnerabilities in dependencies
trivy fs --scanners vuln,secret,misconfig .

# Scan a specific lockfile
trivy fs --scanners vuln package-lock.json

# Scan git repository
trivy repo https://github.com/org/project
```

### Kubernetes Scanning with Trivy Operator

The Trivy Operator runs inside a Kubernetes cluster and continuously scans workloads:

```bash
# Install Trivy Operator via Helm
helm repo add aqua https://aquasecurity.github.io/helm-charts/
helm repo update
helm install trivy-operator aqua/trivy-operator \
  --namespace trivy-system \
  --create-namespace \
  --set trivy.severity="HIGH,CRITICAL" \
  --set operator.scanJobTimeout="5m"
```

The operator creates VulnerabilityReport and ConfigAuditReport custom resources for each workload.

### IaC Misconfiguration Scanning

```bash
# Scan Terraform files
trivy config --severity HIGH,CRITICAL ./terraform/

# Scan Dockerfile for misconfigurations
trivy config Dockerfile

# Scan Kubernetes manifests
trivy config ./k8s-manifests/
```

## CI/CD Integration

### GitHub Actions

```yaml
name: Container Security Scan
on:
  push:
    branches: [main]
  pull_request:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build Docker image
        run: docker build -t myapp:${{ github.sha }} .

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'myapp:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
```

### GitLab CI

```yaml
container_scanning:
  stage: security
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  variables:
    FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
  script:
    - trivy image --exit-code 0 --format template --template "@/contrib/gitlab.tpl"
      --output gl-container-scanning-report.json $FULL_IMAGE_NAME
    - trivy image --exit-code 1 --severity CRITICAL $FULL_IMAGE_NAME
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
```

### Jenkins Pipeline

```groovy
pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                sh 'docker build -t myapp:${BUILD_NUMBER} .'
            }
        }
        stage('Security Scan') {
            steps {
                sh '''
                    trivy image --exit-code 1 \
                      --severity HIGH,CRITICAL \
                      --format json \
                      --output trivy-report.json \
                      myapp:${BUILD_NUMBER}
                '''
            }
            post {
                always {
                    archiveArtifacts artifacts: 'trivy-report.json'
                }
            }
        }
    }
}
```

## Policy Configuration

### Trivy Policy with OPA/Rego

Create `.trivy/policy.rego` for custom policy enforcement:

```rego
package trivy

# These rules are evaluated against Trivy's `--format json` report, which
# exposes input.Results[].Vulnerabilities[] with Severity, FixedVersion
# and VulnerabilityID fields.

# Block the image on any CRITICAL finding.
deny[msg] {
    input.Results[_].Vulnerabilities[_].Severity == "CRITICAL"
    msg := "Critical vulnerabilities found in image"
}

# Block HIGH findings only when a fixed version is already available.
# Note: `vuln := ...[_]` binds the vulnerability object; the original
# `Vulnerabilities[vuln]` form would bind the array index instead.
deny[msg] {
    vuln := input.Results[_].Vulnerabilities[_]
    vuln.Severity == "HIGH"
    vuln.FixedVersion != ""
    msg := sprintf("Fixable HIGH vulnerability: %s", [vuln.VulnerabilityID])
}
```

### Ignore File Configuration

Create `.trivyignore` for accepted risks:

```
# Accepted risk: vulnerability in test dependency only
CVE-2023-12345

# Accepted until expiry date
CVE-2024-67890 exp:2025-06-01
```
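The Rego gate above and the `.trivyignore` format can be combined into a single CI check that reads Trivy's `--format json` report, suppresses accepted CVEs until their `exp:` date passes, and fails the build on any CRITICAL or fixable HIGH finding. This is an added example written for this page, not Trivy's or the skill's own code; the report and ignore-file contents are constructed samples, and the only Trivy report fields it relies on are `Results[].Target` and `Results[].Vulnerabilities[].{VulnerabilityID,Severity,FixedVersion}`.

```python
import json
from datetime import date

# Constructed sample of a `trivy image --format json` report (not a real scan).
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "myapp:latest (debian 12)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2023-12345", "Severity": "CRITICAL", "FixedVersion": "1.2.3"},
        {"VulnerabilityID": "CVE-2024-67890", "Severity": "HIGH", "FixedVersion": "2.0.1"},
        {"VulnerabilityID": "CVE-2024-11111", "Severity": "HIGH", "FixedVersion": ""},
        {"VulnerabilityID": "CVE-2024-22222", "Severity": "HIGH", "FixedVersion": "4.4.4"},
    ]}]})

# Constructed .trivyignore contents, same syntax as the file above.
SAMPLE_IGNORE = """# Accepted risk: test dependency only
CVE-2023-12345
CVE-2024-67890 exp:2025-06-01
"""

def parse_ignore(text, today):
    """CVE IDs still suppressed on `today`; entries whose exp: date has passed are dropped."""
    ignored = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        cve, *opts = line.split()
        exp = next((o[4:] for o in opts if o.startswith("exp:")), None)
        if exp and date.fromisoformat(exp) < today:
            continue  # expiry passed: the finding blocks the build again
        ignored.add(cve)
    return ignored

def blocking_findings(report_json, ignore_text, today):
    """Findings that fail the gate: any CRITICAL, or a HIGH that already has a fixed version."""
    ignored = parse_ignore(ignore_text, today)
    blocking = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # key is absent for clean targets
            if v["VulnerabilityID"] in ignored:
                continue
            if v["Severity"] == "CRITICAL" or (v["Severity"] == "HIGH" and v.get("FixedVersion")):
                blocking.append((result["Target"], v["VulnerabilityID"], v["Severity"]))
    return blocking

if __name__ == "__main__":
    found = blocking_findings(SAMPLE_REPORT, SAMPLE_IGNORE, date.today())
    for target, cve, sev in found:
        print(f"{sev:8} {cve} in {target}")
    raise SystemExit(1 if found else 0)  # non-zero exit fails the CI job
```

In a pipeline, replace `SAMPLE_REPORT` and `SAMPLE_IGNORE` with the contents of `trivy-report.json` and `.trivyignore`; the non-zero exit plays the same role as `--exit-code 1` in the CI snippets above but with the finer fixable-HIGH rule.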

## SBOM Generation and Management

```bash
# Generate CycloneDX SBOM
trivy image --format cyclonedx --output sbom-cyclonedx.json myapp:latest

# Generate SPDX SBOM
trivy image --format spdx-json --output sbom-spdx.json myapp:latest

# Scan an existing SBOM for new vulnerabilities
trivy sbom sbom-cyclonedx.json
```

## Monitoring and Reporting

| Metric | Description | Target |
|--------|-------------|--------|
| Images scanned per day | Total images passing through scanning pipeline | All production images |
| Critical CVE count | Open critical vulnerabilities across all images | 0 in production |
| Mean time to patch | Average days from CVE publication to patched image | < 7 days |
| SBOM coverage | Percentage of production images with generated SBOMs | 100% |
| Scan duration | Average time per image scan | < 2 minutes |

## References

- [Trivy Documentation](https://aquasecurity.github.io/trivy/)
- [Trivy GitHub Repository](https://github.com/aquasecurity/trivy)
- [Trivy Operator for Kubernetes](https://aquasecurity.github.io/trivy-operator/)
- [Aqua Security Platform](https://www.aquasec.com/products/)
- [CycloneDX SBOM Specification](https://cyclonedx.org/specification/overview/)
