> vulnerability-scanning
Automated security scanning for dependencies, code, containers with Trivy, Snyk, npm audit. Use for CI/CD security gates, pre-deployment audits, compliance requirements, or encountering CVE detection, outdated packages, license compliance, SBOM generation errors.
curl "https://skillshub.wtf/secondsky/claude-skills/vulnerability-scanning?format=md"Vulnerability Scanning
Automate security vulnerability detection across code, dependencies, and containers.
Dependency Scanning
# npm audit
npm audit --audit-level=high
# Snyk
snyk test --severity-threshold=high
# Safety (Python)
safety check --full-report
Container Scanning (Trivy)
# Scan container image
trivy image myapp:latest --severity HIGH,CRITICAL
# Scan filesystem
trivy fs --scanners vuln,secret .
GitHub Actions Integration
name: Security Scan
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
severity: 'CRITICAL,HIGH'
exit-code: '1'
- name: Run Snyk
uses: snyk/actions/node@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --severity-threshold=high
- name: npm audit
run: npm audit --audit-level=high
Code Analysis (Bandit for Python)
bandit -r src/ -ll -ii
Node.js Scanner
const { execSync } = require('child_process');
function runSecurityScan() {
const results = {
npm: JSON.parse(execSync('npm audit --json').toString()),
trivy: JSON.parse(execSync('trivy fs --format json .').toString())
};
const critical = results.npm.metadata?.vulnerabilities?.critical || 0;
if (critical > 0) {
console.error(`Found ${critical} critical vulnerabilities`);
process.exit(1);
}
}
Best Practices
- Integrate scanning in CI/CD pipeline
- Fail builds on high/critical findings
- Scan dependencies and containers
- Track vulnerabilities over time
- Document accepted false positives
Tools
- Trivy (containers, filesystem)
- Snyk (dependencies, code)
- npm audit / yarn audit
- Bandit (Python)
- OWASP Dependency-Check
> related_skills --same-repo
> zustand-state-management
--- name: zustand-state-management description: Zustand state management for React with TypeScript. Use for global state, Redux/Context API migration, localStorage persistence, slices pattern, devtools, Next.js SSR, or encountering hydration errors, TypeScript inference issues, persist middleware problems, infinite render loops. Keywords: zustand, state management, React state, TypeScript state, persist middleware, devtools, slices pattern, global state, React hooks, create store, useBoundS
> zod
TypeScript-first schema validation and type inference. Use for validating API requests/responses, form data, env vars, configs, defining type-safe schemas with runtime validation, transforming data, generating JSON Schema for OpenAPI/AI, or encountering missing validation errors, type inference issues, validation error handling problems. Zero dependencies (2kb gzipped).
> xss-prevention
--- name: xss-prevention description: XSS attack prevention with input sanitization, output encoding, Content Security Policy. Use for user-generated content, rich text editors, web application security, or encountering stored XSS, reflected XSS, DOM manipulation, script injection errors. Keywords: sanitization, HTML-encoding, DOMPurify, CSP, Content-Security-Policy, rich-text-editor, user-input, escaping, innerHTML, DOM-manipulation, stored-XSS, reflected-XSS, input-validation, output-encodi
> wordpress-plugin-core
--- name: wordpress-plugin-core description: WordPress plugin development with hooks, security, REST API, custom post types. Use for plugin creation, $wpdb queries, Settings API, or encountering SQL injection, XSS, CSRF, nonce errors. Keywords: wordpress plugin development, wordpress security, wordpress hooks, wordpress filters, wordpress database, wpdb prepare, sanitize_text_field, esc_html, wp_nonce, custom post type, register_post_type, settings api, rest api, admin-ajax, wordpress sql inj