Security Vulnerability Audit
This skill provides a comprehensive workflow for identifying security vulnerabilities in the codebase using industry-standard tools.
Prerequisites
Before starting the audit, ensure the following tools are installed:
- trivy (container and filesystem vulnerability scanner)
- osv-scanner (Google's vulnerability scanner for open-source dependencies)
- trunk (integrated security and linting platform)
Tool Installation
If any tools are missing, install them using the following commands. If Homebrew (brew) is available, it is the recommended method. Note that the Homebrew formula for the Trunk CLI is named trunk-io, not trunk.
Using Homebrew (macOS/Linux):
```bash
brew install trivy osv-scanner trunk-io
```
Manual Installation:
- trivy: follow the project's installation guide
- osv-scanner: follow the project's installation guide
- trunk: follow the project's installation guide
Workflow Steps
1. Broad Filesystem Scan (trivy)
Run a filesystem scan from the repository root to catch known vulnerabilities in dependency manifests and lockfiles, plus hard-coded secrets in source code and configuration files. By default, trivy fs runs the vulnerability and secret scanners; misconfiguration checks for IaC and config files (Dockerfiles, Kubernetes manifests, Terraform) are a separate trivy config run.
```bash
# Scan for vulnerabilities and secrets
trivy fs .
# (Optional) Scan for misconfigurations in IaC and config files
trivy config .
```
2. Dependency Vulnerability Scan (osv-scanner)
Perform a deep scan of your project's dependencies against the OSV database using the scan source command. The -r flag recurses into subdirectories so that lockfiles in nested packages are found as well.
```bash
osv-scanner scan source -r .
```
3. Integrated Security Check (trunk)
Run integrated security checks. trunk check executes every linter enabled in the project's .trunk/trunk.yaml.
Discover and Enable Security Linters
If you are already using Trunk, check for and enable security-focused linters appropriate for your project's languages:
- Python: bandit (scans for common security issues)
- Go: govulncheck (reports known vulnerabilities in Go dependencies, limited to code paths the project actually calls)
- Secrets: gitleaks (detects secrets, API keys, and tokens)
- General: semgrep (static analysis for many languages)
```bash
# List all available linters to see security options
trunk check list
# Enable recommended security linters
trunk check enable trivy
trunk check enable gitleaks
trunk check enable semgrep
# Enable language-specific linters (e.g., for Python)
trunk check enable bandit
```
Running Checks
```bash
# Run enabled linters on modified files only
trunk check
# Run all enabled linters on all files
trunk check --all
# Restrict a full run to the security linters (comma-separated linter names)
trunk check --all --filter=trivy,gitleaks,semgrep,bandit
```
Note: If Trunk is not installed or initialized, use the standalone tools (trivy, osv-scanner) as described in the previous steps.
Report Format
After running the tools, compile a report in the following structure:
Executive Summary
[Brief overview of the security posture]
Findings Table
| Tool | Severity | Component | Description | Recommendation |
|---|---|---|---|---|
| [Tool Name] | [Critical/High/Med/Low] | [File/Dependency] | [Issue Description] | [Fix/Mitigation] |
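Filling this table by hand from two or three tools' output is tedious and error-prone, so here is a small script that does it. It is an added example, not part of the original skill or of either tool: it reads the JSON that trivy writes with `trivy fs --format json -o trivy.json .` and that osv-scanner writes with `--format json`, normalizes the tools' different severity vocabularies (trivy's HIGH, GHSA-style MODERATE), sorts by severity, renders the findings table, and counts the Critical/High items that go into "Immediate Actions". The JSON field names (trivy's Results/Vulnerabilities/Secrets, osv-scanner's results/packages/vulnerabilities/affected) are my understanding of the tools' schemas and should be checked against your installed versions; the embedded sample data is constructed, not real scan output, and the vulnerability IDs in it are placeholders. Trunk's linters are not covered here.

```python
"""Compile trivy and osv-scanner JSON output into the audit report's findings table.
Added example; the JSON key names below are assumptions about the tools' schemas."""
import json
import sys
from collections import Counter

# Report severity labels, most severe first; also the sort order of the table.
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}

def normalize_severity(raw):
    """Map tool severities (trivy 'HIGH', GHSA 'MODERATE', 'Med', None) onto report labels."""
    label = (raw or "UNKNOWN").upper()
    if label.startswith(("MED", "MOD")):
        return "MEDIUM"
    return label if label in SEVERITY_ORDER else "UNKNOWN"

def _finding(tool, severity, component, description, recommendation):
    return {"tool": tool, "severity": normalize_severity(severity), "component": component,
            "description": description, "recommendation": recommendation}

def _fix_advice(fixed):
    return f"Upgrade to {fixed}" if fixed else "No fix released; mitigate or replace"

def parse_trivy(report):
    """Vulnerability and secret findings from trivy JSON (Results -> Vulnerabilities / Secrets)."""
    findings = []
    for result in report.get("Results", []):
        target = result.get("Target", "?")
        for v in result.get("Vulnerabilities") or []:
            findings.append(_finding(
                "trivy", v.get("Severity"),
                f"{v.get('PkgName')}@{v.get('InstalledVersion')} ({target})",
                f"{v.get('VulnerabilityID')}: {v.get('Title') or 'no title'}",
                _fix_advice(v.get("FixedVersion"))))
        for s in result.get("Secrets") or []:
            findings.append(_finding(
                "trivy", s.get("Severity"), f"{target}:{s.get('StartLine')}",
                f"Hard-coded secret: {s.get('Title')}",
                "Revoke the credential, then load it from a secret store"))
    return findings

def _osv_fixed_version(vuln):
    # First 'fixed' event in the advisory's affected ranges, if any.
    for affected in vuln.get("affected", []):
        for rng in affected.get("ranges", []):
            for event in rng.get("events", []):
                if "fixed" in event:
                    return event["fixed"]
    return None

def parse_osv(report):
    """Dependency findings from osv-scanner JSON (results -> packages -> vulnerabilities)."""
    findings = []
    for result in report.get("results", []):
        source = result.get("source", {}).get("path", "?")
        for pkg in result.get("packages", []):
            info = pkg.get("package", {})
            for v in pkg.get("vulnerabilities", []):
                findings.append(_finding(
                    "osv-scanner", v.get("database_specific", {}).get("severity"),
                    f"{info.get('name')}@{info.get('version')} ({source})",
                    f"{v.get('id')}: {v.get('summary') or 'no summary'}",
                    _fix_advice(_osv_fixed_version(v))))
    return findings

def sort_findings(findings):
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["tool"], f["component"]))

def severity_counts(findings):
    return dict(Counter(f["severity"] for f in findings))

def render_table(findings):
    """Markdown table in the report's column order, most severe rows first."""
    rows = ["| Tool | Severity | Component | Description | Recommendation |", "|---|---|---|---|---|"]
    for f in sort_findings(findings):
        cells = [f["tool"], f["severity"].title(), f["component"], f["description"], f["recommendation"]]
        rows.append("| " + " | ".join(c.replace("|", "\\|") for c in cells) + " |")
    return "\n".join(rows)

def build_report(trivy_report, osv_report):
    findings = parse_trivy(trivy_report) + parse_osv(osv_report)
    counts = severity_counts(findings)
    summary = ", ".join(f"{counts[s]} {s.lower()}" for s in SEVERITY_ORDER if s in counts)
    urgent = sum(1 for f in findings if f["severity"] in ("CRITICAL", "HIGH"))
    return "\n".join([
        "Executive Summary", f"{len(findings)} findings ({summary or 'none'}).", "",
        "Findings Table", render_table(findings), "", "Remediation Plan",
        f"- Immediate Actions: {urgent} Critical/High findings."])

# Constructed sample scanner output (not real scan results), trimmed to the fields used above.
SAMPLE_TRIVY = {"Results": [
    {"Target": "package-lock.json", "Class": "lang-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "EXAMPLE-VULN-1", "PkgName": "example-lib", "InstalledVersion": "1.0.0",
         "FixedVersion": "1.0.1", "Severity": "HIGH", "Title": "Example prototype pollution"}]},
    {"Target": "config/settings.py", "Class": "secret", "Secrets": [
        {"RuleID": "aws-access-key-id", "Severity": "CRITICAL", "Title": "AWS Access Key ID", "StartLine": 12}]}]}
SAMPLE_OSV = {"results": [{"source": {"path": "go.mod", "type": "lockfile"}, "packages": [
    {"package": {"name": "example.com/modx", "version": "0.3.0", "ecosystem": "Go"},
     "vulnerabilities": [{"id": "EXAMPLE-VULN-2", "summary": "Example path traversal",
                          "database_specific": {"severity": "MODERATE"},
                          "affected": [{"ranges": [{"type": "SEMVER", "events": [
                              {"introduced": "0"}, {"fixed": "0.3.1"}]}]}]}]}]}]}

if __name__ == "__main__":
    # Usage: python audit_report.py trivy.json osv.json  (falls back to the sample data)
    reports = [json.load(open(p)) for p in sys.argv[1:3]] if len(sys.argv) == 3 else [SAMPLE_TRIVY, SAMPLE_OSV]
    print(build_report(*reports))
```

Severity normalization is the part worth keeping even if you change everything else: OSV advisories carry severity in different places (a CVSS vector under "severity", a label under "database_specific"), and if two tools report the same package under different labels the table silently understates risk. Anything the script cannot classify lands in Unknown rather than being dropped, so it shows up for manual triage.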
Remediation Plan
- Immediate Actions: Fixes for Critical and High vulnerabilities.
- Follow-up: Mitigation strategies for lower-severity issues.
- Prevention: Configuration changes to prevent reintroduction.