AgentSkillsCN

security-vulnerability-audit

A security vulnerability audit workflow built on Trivy, osv-scanner and Trunk.

SKILL.md
---
name: security-vulnerability-audit
description: Workflow for auditing security vulnerabilities using trivy, osv-scanner, and trunk.
---

Security Vulnerability Audit

This skill provides a comprehensive workflow for identifying security vulnerabilities in the codebase using industry-standard tools.

Prerequisites

Before starting the audit, ensure the following tools are installed:

  • trivy (Container and filesystem vulnerability scanner)
  • osv-scanner (Google's vulnerability scanner for open-source dependencies)
  • trunk (Integrated security and linting platform)

Tool Installation

If any tools are missing, install them using the following commands. If Homebrew (brew) is available, it is the recommended method.

Using Homebrew (macOS/Linux):

```bash
brew install trivy osv-scanner trunk
```

Manual Installation:

Workflow Steps

1. Broad Filesystem Scan (trivy)

Run a filesystem scan to catch vulnerabilities and hard-coded secrets in configuration files, source code, and project structure. By default, trivy fs scans for both vulnerabilities and secrets.

```bash
# Scan for vulnerabilities and secrets
trivy fs .

# (Optional) Scan for misconfigurations in IaC and config files
trivy config .
```

2. Dependency Vulnerability Scan (osv-scanner)

Perform a deep scan of your project's dependencies against the OSV database using the scan source command.

```bash
osv-scanner scan source -r .
```

3. Integrated Security Check (trunk)

Run integrated security checks. trunk check executes all enabled linters.

Discover and Enable Security Linters

If you are already using Trunk, check for and enable security-focused linters appropriate for your project's languages:

  • Python: bandit (scans for common security issues)
  • Go: govulncheck (vulnerability database for Go)
  • Secrets: gitleaks (detects secrets, API keys, and tokens)
  • General: semgrep (static analysis for many languages)

```bash
# List all available linters to see security options
trunk check list

# Enable recommended security linters
trunk check enable trivy
trunk check enable gitleaks
trunk check enable semgrep

# Enable language-specific linters (e.g., for Python)
trunk check enable bandit
```

Running Checks

```bash
# Run security checks on modified files
trunk check

# Run all security checks on all files
trunk check --all --scope security
```

Note: If Trunk is not installed or initialized, use the standalone tools (trivy, osv-scanner) as described in the previous steps.

Report Format

After running the tools, compile a report in the following structure:

Executive Summary

[Brief overview of the security posture]

Findings Table

| Tool | Severity | Component | Description | Recommendation |
|---|---|---|---|---|
| [Tool Name] | [Critical/High/Med/Low] | [File/Dependency] | [Issue Description] | [Fix/Mitigation] |

Remediation Plan

  1. Immediate Actions: Fixes for Critical and High vulnerabilities.
  2. Follow-up: Mitigation strategies for lower-severity issues.
  3. Prevention: Configuration changes to prevent reintroduction.
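Steps 1 and 2 can emit machine-readable output (`trivy fs --format json --output trivy.json .` and `osv-scanner scan source -r . --format json --output osv.json`), which makes the findings table and the first two remediation buckets above mechanical to produce. The script below is an added example, not part of this skill or of the trivy/osv-scanner projects: it parses both reports, maps osv-scanner's CVSS `max_severity` score onto the Critical/High/Medium/Low scale, renders the table in severity order and splits findings into immediate versus follow-up work. The two JSON documents inside it are constructed samples, and the field names (`Results[].Vulnerabilities`, `Results[].Secrets`, `results[].packages[].vulnerabilities`, `groups[].max_severity`) are assumptions about those tools' output shape that should be checked against the versions you run.

```python
"""Compile trivy and osv-scanner JSON reports into the audit report sections.

Added example. Field names follow the trivy / osv-scanner JSON output as
assumed here; verify them against the tool versions in use.
"""
import json

# Order used for the findings table and remediation buckets.
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}

# Constructed sample of `trivy fs --format json .`, trimmed to the fields used here.
TRIVY_SAMPLE = json.dumps({
    "Results": [
        {"Target": "requirements.txt",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "examplelib",
              "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
              "Severity": "HIGH", "Title": "Constructed: buffer handling flaw"}]},
        {"Target": "config/settings.py",
         "Secrets": [
             {"RuleID": "aws-access-key-id", "Severity": "CRITICAL",
              "Title": "AWS Access Key ID", "StartLine": 12}]},
    ]
})

# Constructed sample of `osv-scanner scan source -r . --format json`.
OSV_SAMPLE = json.dumps({
    "results": [
        {"source": {"path": "go.mod", "type": "lockfile"},
         "packages": [
             {"package": {"name": "example.com/mod", "version": "0.3.0", "ecosystem": "Go"},
              "vulnerabilities": [
                  {"id": "GO-EXAMPLE-0002", "summary": "Constructed: path traversal"}],
              # max_severity is a CVSS base score rendered as a string.
              "groups": [{"ids": ["GO-EXAMPLE-0002"], "max_severity": "6.5"}]}]}
    ]
})


def cvss_to_severity(score):
    """Map a CVSS v3 base score onto the qualitative scale used in the report."""
    try:
        s = float(score)
    except (TypeError, ValueError):
        return "UNKNOWN"
    if s >= 9.0:
        return "CRITICAL"
    if s >= 7.0:
        return "HIGH"
    if s >= 4.0:
        return "MEDIUM"
    return "LOW" if s > 0 else "UNKNOWN"


def trivy_findings(report_json):
    """Flatten trivy vulnerability and secret results into report rows."""
    rows = []
    for result in json.loads(report_json).get("Results", []):
        target = result.get("Target", "")
        for v in result.get("Vulnerabilities") or []:
            fixed = v.get("FixedVersion")
            rows.append({
                "tool": "trivy", "severity": v.get("Severity", "UNKNOWN").upper(),
                "component": f"{target}: {v['PkgName']} {v.get('InstalledVersion', '')}",
                "description": f"{v['VulnerabilityID']}: {v.get('Title', '')}",
                "recommendation": (f"Upgrade {v['PkgName']} to {fixed}" if fixed
                                   else "No fixed version published; mitigate or replace")})
        for s in result.get("Secrets") or []:
            rows.append({
                "tool": "trivy", "severity": s.get("Severity", "UNKNOWN").upper(),
                "component": f"{target}:{s.get('StartLine', '?')}",
                "description": f"Hard-coded secret ({s.get('RuleID')}): {s.get('Title', '')}",
                "recommendation": "Revoke the credential, load it from a secrets manager, purge it from history"})
    return rows


def osv_findings(report_json):
    """Flatten osv-scanner results, taking severity from the per-group CVSS score."""
    rows = []
    for result in json.loads(report_json).get("results", []):
        path = result.get("source", {}).get("path", "")
        for pkg in result.get("packages", []):
            p = pkg.get("package", {})
            score_by_id = {vid: g.get("max_severity")
                           for g in pkg.get("groups") or [] for vid in g.get("ids", [])}
            for v in pkg.get("vulnerabilities") or []:
                rows.append({
                    "tool": "osv-scanner", "severity": cvss_to_severity(score_by_id.get(v["id"])),
                    "component": f"{path}: {p.get('name')} {p.get('version')} ({p.get('ecosystem')})",
                    "description": f"{v['id']}: {v.get('summary', '')}",
                    "recommendation": f"Upgrade {p.get('name')} past the affected range"})
    return rows


def sort_findings(rows):
    return sorted(rows, key=lambda r: (SEVERITY_ORDER.get(r["severity"], 99), r["tool"], r["component"]))


def findings_table(rows):
    """Render the Findings Table in the report's column order, most severe first."""
    lines = ["| Tool | Severity | Component | Description | Recommendation |", "|---|---|---|---|---|"]
    for r in sort_findings(rows):
        cells = [r["tool"], r["severity"].capitalize(), r["component"], r["description"], r["recommendation"]]
        lines.append("| " + " | ".join(c.replace("|", "\\|") for c in cells) + " |")
    return "\n".join(lines)


def remediation_plan(rows):
    """Critical/High go to Immediate Actions; everything else to Follow-up."""
    plan = {"immediate": [], "follow_up": []}
    for r in sort_findings(rows):
        plan["immediate" if r["severity"] in ("CRITICAL", "HIGH") else "follow_up"].append(r["description"])
    return plan


def build_report(trivy_json, osv_json):
    rows = trivy_findings(trivy_json) + osv_findings(osv_json)
    return rows, findings_table(rows), remediation_plan(rows)


if __name__ == "__main__":
    _, table, plan = build_report(TRIVY_SAMPLE, OSV_SAMPLE)
    print(table)
    print("\nImmediate:", *plan["immediate"], sep="\n  - ")
    print("Follow-up:", *plan["follow_up"], sep="\n  - ")
```

Point `build_report` at the real files (`open("trivy.json").read()`, `open("osv.json").read()`) after a run; the Prevention bucket is left to the reviewer, since it depends on which misconfiguration or process allowed the finding in.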