Container Security Scanner Skill
Purpose
Automated container image and Kubernetes security scanning to identify vulnerabilities, misconfigurations, secrets, and compliance issues in containerized environments.
Capabilities
Image Vulnerability Scanning
- •Scan container images for known CVEs using Trivy, Grype, or Anchore
- •Detect vulnerabilities in OS packages and application dependencies
- •Generate SBOM (Software Bill of Materials) in CycloneDX or SPDX format
- •Track vulnerability severity (Critical, High, Medium, Low)
Dockerfile Security Analysis
- •Check Dockerfile best practices and security issues
- •Identify privileged container configurations
- •Detect hardcoded secrets in Dockerfiles
- •Verify base image security and freshness
Kubernetes Security Scanning
- •Run Kubernetes CIS benchmark checks using kube-bench
- •Analyze pod security policies and standards
- •Check RBAC configurations for over-permissive access
- •Detect insecure network policies
Secrets Detection
- •Scan images for embedded secrets and credentials
- •Identify API keys, tokens, and passwords in layers
- •Check environment variable configurations
Image Signature Verification
- •Verify container image signatures using cosign
- •Validate image provenance and attestations
- •Check image registry security configurations
Compliance Reporting
- •Generate compliance reports (CIS, NIST, PCI-DSS)
- •Map findings to compliance controls
- •Track remediation status and timelines
Integrations
- •Trivy: Comprehensive vulnerability scanner for containers
- •Grype: Container image vulnerability scanner
- •Syft: SBOM generation tool
- •kube-bench: Kubernetes CIS benchmark checker
- •Falco: Runtime security monitoring
- •Anchore: Enterprise container security platform
- •cosign: Container image signing and verification
Target Processes
- •Container Security Scanning Process
- •DevSecOps Pipeline Integration
- •IaC Security Scanning
- •Kubernetes Security Hardening
- •Container Image Build Pipeline
Input Schema
json
{
"type": "object",
"properties": {
"imageName": {
"type": "string",
"description": "Container image name with tag"
},
"registry": {
"type": "string",
"description": "Container registry URL"
},
"dockerfilePath": {
"type": "string",
"description": "Path to Dockerfile for static analysis"
},
"kubeManifestPath": {
"type": "string",
"description": "Path to Kubernetes manifests"
},
"scanType": {
"type": "array",
"items": {
"type": "string",
"enum": ["vulnerability", "config", "secrets", "compliance", "sbom"]
}
},
"severityThreshold": {
"type": "string",
"enum": ["CRITICAL", "HIGH", "MEDIUM", "LOW"]
}
},
"required": ["imageName"]
}
Output Schema
json
{
"type": "object",
"properties": {
"scanId": {
"type": "string"
},
"imageName": {
"type": "string"
},
"scanTimestamp": {
"type": "string",
"format": "date-time"
},
"vulnerabilities": {
"type": "object",
"properties": {
"critical": { "type": "integer" },
"high": { "type": "integer" },
"medium": { "type": "integer" },
"low": { "type": "integer" },
"findings": {
"type": "array",
"items": {
"type": "object",
"properties": {
"cveId": { "type": "string" },
"severity": { "type": "string" },
"package": { "type": "string" },
"fixedVersion": { "type": "string" },
"description": { "type": "string" }
}
}
}
}
},
"misconfigurations": {
"type": "array"
},
"secrets": {
"type": "array"
},
"complianceStatus": {
"type": "object"
},
"recommendations": {
"type": "array",
"items": { "type": "string" }
}
}
}
Usage Example
javascript
skill: {
name: 'container-security-scanner',
context: {
imageName: 'myapp:v1.2.3',
registry: 'registry.example.com',
scanType: ['vulnerability', 'config', 'secrets'],
severityThreshold: 'HIGH'
}
}