ABOUTME: Security vulnerability scanning skill using Trivy
ABOUTME: Enforces CRITICAL/HIGH blocking before commits

# Trivy Security Scanning Skill

## Quick Reference

| Scan Type | Command | When |
|-----------|---------|------|
| Dependencies | `trivy fs .` | `package.json` changes |
| Container | `trivy image <name>` | `Dockerfile` changes |
| IaC | `trivy config .` | Terraform changes |

## When to Scan

| Trigger | Action |
|---------|--------|
| `package.json` changed | Scan filesystem |
| `package-lock.json` changed | Scan filesystem |
| `Dockerfile` modified | Scan config + image |
| `*.tf` files changed | Scan IaC config |
| Before commit with deps | MANDATORY scan |
## Scan Commands

### Filesystem Scan (Dependencies)

```bash
# Most common - scan Node.js dependencies
trivy fs \
  --severity CRITICAL,HIGH \
  --exit-code 1 \
  --ignore-unfixed \
  --format table \
  .
```

### Container Image Scan

```bash
# Build image first
docker build -t local-scan:latest .

# Scan the image
trivy image \
  --severity CRITICAL,HIGH \
  --exit-code 1 \
  --ignore-unfixed \
  local-scan:latest
```

### IaC Configuration Scan

```bash
# Scan Terraform files
trivy config \
  --severity CRITICAL,HIGH \
  --exit-code 1 \
  infra/terraform/
```
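The trigger table and the scan commands above fit together as a git pre-commit hook. The script below is an added example, not part of the original skill file or the project: it maps the staged paths to the scan types the "When to Scan" table names and runs each scan with the blocking flags from the Scan Commands section. It assumes the hook runs from the repository root, that Dockerfile and Terraform changes are both covered by `trivy config .`, and that the local image tag is `local-scan:latest` as in the Container Image Scan example (all assumptions, not from the page).

```shell
#!/bin/sh
# Added example (not from the original skill file): a git pre-commit hook that
# applies the "When to Scan" triggers to staged files and runs the matching
# Trivy scans with the page's CRITICAL/HIGH blocking flags.
# Assumptions: run from the repo root; image tag local-scan:latest.
set -eu

# Map changed paths to the scan types they trigger (fs, config, image).
# Prints the types space-separated, sorted and de-duplicated; empty if none.
scan_types_for() {
  types=""
  for path in "$@"; do
    case "$path" in
      package.json|*/package.json|package-lock.json|*/package-lock.json)
        types="$types fs" ;;
      Dockerfile|*/Dockerfile|Dockerfile.*|*/Dockerfile.*)
        types="$types config image" ;;
      *.tf)
        types="$types config" ;;
    esac
  done
  # shellcheck disable=SC2086  # word splitting is intended here
  printf '%s\n' $types | sort -u | paste -sd ' ' -
}

# Run one scan type with the blocking flags; a CRITICAL/HIGH finding makes
# trivy exit 1, which under set -e aborts the hook and therefore the commit.
run_scan() {
  case "$1" in
    fs)
      echo "[trivy] dependency scan"
      trivy fs --severity CRITICAL,HIGH --exit-code 1 --ignore-unfixed --format table . ;;
    config)
      echo "[trivy] Dockerfile / Terraform config scan"
      trivy config --severity CRITICAL,HIGH --exit-code 1 . ;;
    image)
      echo "[trivy] container image scan"
      docker build -t local-scan:latest .
      trivy image --severity CRITICAL,HIGH --exit-code 1 --ignore-unfixed local-scan:latest ;;
  esac
}

main() {
  staged=$(git diff --cached --name-only --diff-filter=ACMR)
  # shellcheck disable=SC2086
  types=$(scan_types_for $staged)
  if [ -z "$types" ]; then
    echo "[trivy] no dependency, Dockerfile or Terraform changes staged; skipping"
    return 0
  fi
  for t in $types; do
    run_scan "$t"
  done
}

# Only run when installed as .git/hooks/pre-commit; sourcing the file just
# defines the functions so they can be reused or tested elsewhere.
if [ "${0##*/}" = "pre-commit" ]; then
  main "$@"
fi
```

Install it with `cp trivy-hook.sh .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit`. The path matching is deliberately narrow: a change to an unrelated file skips the scan entirely, so the mandatory scan only costs time on the commits the trigger table says need it.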
## Severity Policy

| Severity | Action | Commit Allowed |
|----------|--------|----------------|
| CRITICAL | BLOCK - Fix immediately | NO |
| HIGH | BLOCK - Fix or upgrade | NO |
| MEDIUM | WARN - Plan remediation | YES |
| LOW | INFO - Document | YES |
## Remediation Strategies

### Strategy 1: Upgrade Package

```bash
# Check which version fixes the CVE
npm audit

# Upgrade specific package
npm install package@latest

# Or use npm audit fix
npm audit fix
```

### Strategy 2: Find Fixed Version

```bash
# Show fixed versions in JSON. The `[]?` skips targets that have no
# Vulnerabilities array; without it jq aborts on the first clean target.
trivy fs --severity CRITICAL,HIGH --format json . |
  jq '.Results[].Vulnerabilities[]? | {pkg: .PkgName, installed: .InstalledVersion, fixed: .FixedVersion}'
```
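The Severity Policy table and the Strategy 2 query can be combined into one pass over a saved JSON report: print the fixed-version summary, then exit non-zero only for the severities the policy blocks. The script below is an added example, not the skill's or the project's code. It needs `jq`, as Strategy 2 does; the report it writes is a constructed sample in Trivy's JSON layout with placeholder package names and CVE ids, not real scan output, and the script name `trivy-policy.sh` used in the run guard is an assumption.

```shell
#!/bin/sh
# Added example (not from the original skill file): apply the Severity Policy
# to a Trivy JSON report and print the Strategy 2 fixed-version view.
set -eu

# Write a constructed sample report in Trivy's JSON layout (not real output;
# package names and CVE ids are placeholders) so the example runs offline.
write_sample_report() {
  cat > "$1" <<'EOF'
{
  "Results": [
    {
      "Target": "package-lock.json",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-parser",
         "InstalledVersion": "1.2.0", "FixedVersion": "1.2.5", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example-http",
         "InstalledVersion": "4.0.0", "FixedVersion": "4.1.0", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example-util",
         "InstalledVersion": "2.0.0", "FixedVersion": "", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "example-log",
         "InstalledVersion": "0.9.1", "FixedVersion": "0.9.2", "Severity": "LOW"}
      ]
    }
  ]
}
EOF
}

# Number of findings at one severity. Clean targets carry no "Vulnerabilities"
# key at all, so `// []` keeps the query from failing on them.
count_severity() {
  jq --arg sev "$2" \
    '[.Results[].Vulnerabilities // [] | .[] | select(.Severity == $sev)] | length' "$1"
}

# Strategy 2 view: severity, package, installed and fixed version per finding.
fixed_versions() {
  jq -r '.Results[].Vulnerabilities // [] | .[]
    | "\(.Severity)\t\(.PkgName)\t\(.InstalledVersion)\t\(if (.FixedVersion // "") == "" then "none" else .FixedVersion end)"' "$1"
}

# Severity Policy gate: CRITICAL and HIGH block (return 1), MEDIUM warns,
# LOW is informational only.
policy_gate() {
  critical=$(count_severity "$1" CRITICAL)
  high=$(count_severity "$1" HIGH)
  medium=$(count_severity "$1" MEDIUM)
  low=$(count_severity "$1" LOW)
  if [ "$medium" -gt 0 ]; then echo "WARN: $medium MEDIUM finding(s) - plan remediation"; fi
  if [ "$low" -gt 0 ]; then echo "INFO: $low LOW finding(s) - document them"; fi
  if [ "$critical" -gt 0 ] || [ "$high" -gt 0 ]; then
    echo "BLOCK: $critical CRITICAL and $high HIGH finding(s) - fix before committing"
    return 1
  fi
  echo "OK: no CRITICAL or HIGH findings"
}

main() {
  report="${1:-report.json}"
  [ -f "$report" ] || write_sample_report "$report"
  printf 'SEVERITY\tPACKAGE\tINSTALLED\tFIXED\n'
  fixed_versions "$report"
  policy_gate "$report"
}

# Runs only when saved and invoked as trivy-policy.sh; sourcing it just
# defines the functions.
if [ "${0##*/}" = "trivy-policy.sh" ]; then
  main "$@"
fi
```

Run it as `sh trivy-policy.sh report.json` against a report produced with `trivy fs --format json --output report.json .`; with no existing file it falls back to the constructed sample. Because the gate reads the saved report rather than re-scanning, the same script can sit behind the CI step that writes `security/reports/` and fail the job on the severities the policy blocks.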
### Strategy 3: Override Transitive Dependency

```jsonc
// package.json
{
  "overrides": {
    "vulnerable-package": "^X.Y.Z"
  }
}
```

### Strategy 4: Exclude False Positive

Create `.trivyignore` (one CVE ID per line; lines starting with `#` are comments):

```
# CVE-2023-XXXXX: Not exploitable - we don't use affected feature
CVE-2023-XXXXX
```

**WARNING:** Every exclusion MUST have documented justification.
## Ecommerce-Specific Patterns

### Backend Scan

```bash
cd apps/backend
trivy fs --severity CRITICAL,HIGH --exit-code 1 .
```

### Frontend Scan

```bash
cd apps/frontend
trivy fs --severity CRITICAL,HIGH --exit-code 1 .
```

### Docker Compose Scan

```bash
# Build all images
docker-compose -f docker-compose.full.yml build

# Scan each
trivy image ecommerce-demo-backend:latest
trivy image ecommerce-demo-frontend:latest
```

### Terraform Scan

```bash
trivy config --severity CRITICAL,HIGH infra/terraform/
```
## CI Integration

The project has Trivy in CI (`.github/workflows/backend-ci.yml`):

```yaml
- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@master
  with:
    scan-type: 'fs'
    scan-ref: 'apps/backend'
    format: 'json'
    output: 'security/reports/trivy-backend-${{ github.sha }}.json'
```

Reports saved to `security/reports/` for Claude CVE analysis.
## CVE Analysis Workflow

When Trivy finds vulnerabilities:

1. Get the report:

   ```bash
   trivy fs --format json --output report.json .
   ```

2. Ask Claude to analyze:

   ```
   Analyze report.json for contextual CVE prioritization. For each CVE:
   - Search codebase for usage of affected library
   - Evaluate if attack vector is exposed
   - Provide remediation priority
   ```

3. Follow remediation plan
## Checklist

Before committing with dependency changes:

- [ ] Trivy installed (`brew install trivy`)
- [ ] Ran `trivy fs --severity CRITICAL,HIGH --exit-code 1 .`
- [ ] No CRITICAL vulnerabilities
- [ ] No HIGH vulnerabilities (or documented exception)
- [ ] Any `.trivyignore` entries justified
- [ ] Container images scanned (if Dockerfile changed)
- [ ] IaC scanned (if Terraform changed)
## Troubleshooting

| Issue | Solution |
|-------|----------|
| `trivy: command not found` | `brew install trivy` |
| Slow scan | Use `--skip-db-update` (`--skip-update` in older releases) after first run |
| False positive | Add to `.trivyignore` with justification |
| Transitive dependency | Use `overrides` in `package.json` |
| Old DB | Run `trivy image --download-db-only` |