scanning-container-security
Execute use when you need to work with security and compliance. This skill provides security scanning and vulnerability detection with comprehensive guidance and automation. Trigger with phrases like "scan for vulnerabilities", "implement security controls", or "audit security".
Best use case
scanning-container-security is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Execute use when you need to work with security and compliance. This skill provides security scanning and vulnerability detection with comprehensive guidance and automation. Trigger with phrases like "scan for vulnerabilities", "implement security controls", or "audit security".
Teams using scanning-container-security should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/scanning-container-security/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How scanning-container-security Compares
| Feature / Agent | scanning-container-security | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Execute use when you need to work with security and compliance. This skill provides security scanning and vulnerability detection with comprehensive guidance and automation. Trigger with phrases like "scan for vulnerabilities", "implement security controls", or "audit security".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# Scanning Container Security ## Overview Scan container images and Dockerfiles for vulnerabilities, misconfigurations, and compliance violations using Trivy, Grype, Snyk Container, and Hadolint. Analyze base images, OS packages, application dependencies, and runtime configurations to produce actionable security reports with remediation guidance. ## Prerequisites - Container scanning tool installed: `trivy`, `grype`, `snyk`, or `docker scout` - Dockerfile linter: `hadolint` for Dockerfile best practice validation - Docker daemon running for local image scanning - Access to the container images to scan (local, registry, or tar archive) - `jq` for parsing JSON scan results ## Instructions 1. Identify target images for scanning: production images, base images, and CI-built images 2. Lint Dockerfiles with `hadolint Dockerfile` to catch misconfigurations before build (privileged instructions, pinned versions, shell best practices) 3. Scan built images for OS-level vulnerabilities: `trivy image <image:tag>` or `grype <image:tag>` 4. Scan for application dependency vulnerabilities: check language-specific packages (npm, pip, Maven, Go modules) embedded in the image 5. Check for secrets accidentally baked into image layers: `trivy image --scanners secret <image:tag>` 6. Evaluate image against CIS Docker Benchmark: verify non-root user, read-only filesystem capability, health checks defined 7. Generate a security report with severity classification (Critical, High, Medium, Low) and CVE identifiers 8. Produce remediation steps: upgrade base image, pin package versions, replace vulnerable dependencies 9. Integrate scanning into CI/CD pipeline: fail builds on Critical/High vulnerabilities, generate SARIF output for GitHub Security tab ## Output - Vulnerability scan report in JSON, table, or SARIF format - Hadolint report with Dockerfile improvement recommendations - Remediation Dockerfile patches (updated base image, pinned package versions) - CI/CD pipeline step configuration for automated image scanning - Security policy document defining acceptable risk thresholds ## Error Handling | Error | Cause | Solution | |-------|-------|---------| | `trivy: unable to pull image` | Image not found locally or registry auth failure | Pull image first with `docker pull` or configure registry credentials | | `CRITICAL vulnerability found but no fix available` | Upstream package has no patch yet | Document as accepted risk, use `--ignore-unfixed` flag, or switch to an alternative base image | | `hadolint: DL3008 pin versions in apt-get install` | Packages installed without version pinning | Add version pins (e.g., `apt-get install nginx=1.24.0-1`) or use `--no-install-recommends` | | `Scan timeout on large image` | Image has many layers or large filesystem | Use `--timeout 15m` flag; scan a specific layer or use `--skip-dirs` to exclude test data | | `False positive CVE` | Scanner database maps CVE to a package not actually exploitable | Add to `.trivyignore` or Grype ignore file with justification comment | ## Examples - "Scan all production Docker images for Critical and High CVEs, generate a report, and create Jira tickets for each finding." - "Lint the Dockerfile for best practices: ensure multi-stage build, non-root USER, no ADD for remote URLs, and pinned base image digest." - "Set up a GitHub Actions step that runs Trivy on every PR, fails on Critical vulnerabilities, and uploads results to the Security tab via SARIF." ## Resources - Trivy: https://aquasecurity.github.io/trivy/ - Grype: https://github.com/anchore/grype - Hadolint: https://github.com/hadolint/hadolint - Docker Scout: https://docs.docker.com/scout/ - CIS Docker Benchmark: https://www.cisecurity.org/benchmark/docker
Related Skills
performing-security-testing
Test automate security vulnerability testing covering OWASP Top 10, SQL injection, XSS, CSRF, and authentication issues. Use when performing security assessments, penetration tests, or vulnerability scans. Trigger with phrases like "scan for vulnerabilities", "test security", or "run penetration test".
scanning-accessibility
Validate WCAG compliance and accessibility standards (ARIA, keyboard navigation). Use when auditing WCAG compliance or screen reader compatibility. Trigger with phrases like "scan accessibility", "check WCAG compliance", or "validate screen readers".
scanning-for-xss-vulnerabilities
Execute this skill enables AI assistant to automatically scan for xss (cross-site scripting) vulnerabilities in code. it is triggered when the user requests to "scan for xss vulnerabilities", "check for xss", or uses the command "/xss". the skill identifies ref... Use when appropriate context detected. Trigger with relevant phrases based on skill purpose.
scanning-for-vulnerabilities
Execute this skill enables comprehensive vulnerability scanning using the vulnerability-scanner plugin. it identifies security vulnerabilities in code, dependencies, and configurations, including cve detection. use this skill when the user asks to scan fo... Use when appropriate context detected. Trigger with relevant phrases based on skill purpose.
checking-session-security
Analyze session management implementations to identify security vulnerabilities in web applications. Use when you need to audit session handling, check for session fixation risks, review session timeout configurations, or validate session ID generation security. Trigger with phrases like "check session security", "audit session management", "review session handling", or "session fixation vulnerability".
finding-security-misconfigurations
Configure identify security misconfigurations in infrastructure-as-code, application settings, and system configurations. Use when you need to audit Terraform/CloudFormation templates, check application config files, validate system security settings, or ensure compliance with security best practices. Trigger with phrases like "find security misconfigurations", "audit infrastructure security", "check config security", or "scan for misconfigured settings".
responding-to-security-incidents
Analyze and guide security incident response, investigation, and remediation processes. Use when you need to handle security breaches, classify incidents, develop response playbooks, gather forensic evidence, or coordinate remediation efforts. Trigger with phrases like "security incident response", "ransomware attack response", "data breach investigation", "incident playbook", or "security forensics".
analyzing-security-headers
Analyze HTTP security headers of web domains to identify vulnerabilities and misconfigurations. Use when you need to audit website security headers, assess header compliance, or get security recommendations for web applications. Trigger with phrases like "analyze security headers", "check HTTP headers", "audit website security headers", or "evaluate CSP and HSTS configuration".
generating-security-audit-reports
Generate comprehensive security audit reports for applications and systems. Use when you need to assess security posture, identify vulnerabilities, evaluate compliance status, or create formal security documentation. Trigger with phrases like "create security audit report", "generate security assessment", "audit security posture", or "PCI-DSS compliance report".
scanning-for-secrets
Detect exposed secrets, API keys, and credentials in code. Use when auditing for secret leaks. Trigger with 'scan for secrets', 'find exposed keys', or 'check credentials'.
scanning-input-validation-practices
Scan for input validation vulnerabilities and injection risks. Use when reviewing user input handling. Trigger with 'scan input validation', 'check injection vulnerabilities', or 'validate sanitization'.
scanning-for-gdpr-compliance
Scan for GDPR compliance issues in data handling and privacy practices. Use when ensuring EU data protection compliance. Trigger with 'scan GDPR compliance', 'check data privacy', or 'validate GDPR'.