Security Vulnerability Audit
This skill provides a structured process for identifying and reporting security vulnerabilities in the codebase using Trunk's integrated security tools.
Audit Workflow
1. Run Security Scan: Execute the project's security linting script.
   ```bash
   pnpm run lint:security
   ```
   Note: This command runs `trunk check --all --scope security`, which triggers both Trivy and OSV-scanner.
2. Analyze Findings: Review the output from Trunk. Pay close attention to:
   - Critical/High vulnerabilities in dependencies (reported by `osv-scanner`).
   - Hard-coded secrets or configuration issues (reported by `trivy`).
   Trivy also scans lockfiles, so the same dependency advisory can surface from both tools under different identifiers (a GHSA and its CVE alias); count it once in the report.
3. Compile Report: Use the findings to create a summary of the security posture.
Reporting Format
For each significant finding, provide:
- Severity: [Critical/High/Medium/Low]
- Tool: [Trivy/OSV-Scanner]
- Description: [Brief description of the vulnerability]
- Impact: [What happens if exploited?]
- Recommendation: [How to fix it, e.g., "Update package X to version Y"]
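The "Compile Report" step and the reporting format above are easy to do by hand for two or three findings and tedious for twenty. The script below is an added example (not part of this project or of Trunk) that flattens the JSON each scanner emits when run directly (`osv-scanner --format json`, `trivy ... --format json`) into the per-finding bullets above, ranks them by severity, and drops anything below a chosen cutoff. The field names follow the two scanners' JSON output formats; the sample documents are constructed placeholders with dummy identifiers, not real advisories, and the `Impact` text for dependency findings is only the advisory's first line, which the reviewer still has to turn into a statement about this codebase.

```python
"""Added example: build the skill's per-finding report from scanner JSON.
Field names follow osv-scanner and Trivy JSON output; samples are constructed."""
import json
import sys

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}


def normalize_severity(value):
    """Map a severity label, or a CVSS base score string, to the report's levels."""
    if value is None:
        return "UNKNOWN"
    text = str(value).strip().upper()
    if text in SEVERITY_RANK:
        return text
    try:
        score = float(text)  # osv-scanner groups[].max_severity is a CVSS score
    except ValueError:
        return "UNKNOWN"
    return "CRITICAL" if score >= 9.0 else "HIGH" if score >= 7.0 else "MEDIUM" if score >= 4.0 else "LOW"


def fix_advice(name, fixed):
    return f"Update {name} to {fixed}" if fixed else f"No fixed release listed; replace or pin {name}"


def parse_osv(doc):
    """Flatten osv-scanner --format json output into report findings."""
    findings = []
    for result in doc.get("results", []):
        lockfile = result.get("source", {}).get("path", "?")
        for pkg in result.get("packages", []):
            name = pkg.get("package", {}).get("name", "?")
            version = pkg.get("package", {}).get("version", "?")
            # groups[] merges aliased advisories (GHSA/CVE) and carries the max CVSS score
            group_score = {vid: g.get("max_severity") for g in pkg.get("groups", []) for vid in g.get("ids", [])}
            for vuln in pkg.get("vulnerabilities", []):
                vid = vuln.get("id", "?")
                # First "fixed" event across the affected ranges; multi-branch advisories need a manual look
                fixed = next((ev["fixed"] for aff in vuln.get("affected", []) for rng in aff.get("ranges", [])
                              for ev in rng.get("events", []) if "fixed" in ev), None)
                severity = normalize_severity(vuln.get("database_specific", {}).get("severity") or group_score.get(vid))
                findings.append({
                    "severity": severity, "tool": "OSV-Scanner",
                    "description": f"{vid}: {vuln.get('summary', 'no summary')} ({name}@{version} in {lockfile})",
                    "impact": (vuln.get("details") or "Assess from the advisory").splitlines()[0],
                    "recommendation": fix_advice(name, fixed)})
    return findings


def parse_trivy(doc):
    """Flatten trivy --format json output: dependency vulns, secrets, misconfigurations."""
    findings = []
    for result in doc.get("Results", []):
        target = result.get("Target", "?")
        for v in result.get("Vulnerabilities") or []:
            findings.append({
                "severity": normalize_severity(v.get("Severity")), "tool": "Trivy",
                "description": f"{v.get('VulnerabilityID')}: {v.get('Title', 'no title')} "
                               f"({v.get('PkgName')}@{v.get('InstalledVersion')} in {target})",
                "impact": (v.get("Description") or "Assess from the advisory").splitlines()[0],
                "recommendation": fix_advice(v.get("PkgName"), v.get("FixedVersion"))})
        for s in result.get("Secrets") or []:
            findings.append({
                "severity": normalize_severity(s.get("Severity")), "tool": "Trivy",
                "description": f"{s.get('RuleID')}: {s.get('Title')} at {target}:{s.get('StartLine')}",
                "impact": "Anyone with read access to the repository or its history holds the credential",
                "recommendation": "Revoke and rotate the credential, purge it from the file and git history, "
                                  "and load it from the environment or a secret store"})
        for m in result.get("Misconfigurations") or []:
            findings.append({
                "severity": normalize_severity(m.get("Severity")), "tool": "Trivy",
                "description": f"{m.get('ID')}: {m.get('Title')} in {target}",
                "impact": (m.get("Description") or "Assess from the check").splitlines()[0],
                "recommendation": m.get("Resolution") or "See the check's documentation"})
    return findings


def significant(findings, min_severity="HIGH"):
    """Keep findings at or above min_severity, most severe first."""
    cutoff = SEVERITY_RANK[min_severity]
    return sorted((f for f in findings if SEVERITY_RANK[f["severity"]] <= cutoff),
                  key=lambda f: SEVERITY_RANK[f["severity"]])


def render_report(findings):
    """Emit the skill's Severity/Tool/Description/Impact/Recommendation bullets."""
    if not findings:
        return "No findings at or above the chosen severity."
    return "\n\n".join("\n".join(f"- {k.capitalize()}: {f[k]}" for k in
                                 ("severity", "tool", "description", "impact", "recommendation")) for f in findings)


def audit_summary(osv_doc, trivy_doc, min_severity="HIGH"):
    return render_report(significant(parse_osv(osv_doc) + parse_trivy(trivy_doc), min_severity))


# Constructed sample output with placeholder identifiers (not real advisories or packages).
SAMPLE_OSV = {"results": [{"source": {"path": "pnpm-lock.yaml", "type": "lockfile"}, "packages": [{
    "package": {"name": "example-lib", "version": "1.2.0", "ecosystem": "npm"},
    "vulnerabilities": [{"id": "GHSA-xxxx-xxxx-xxxx", "summary": "Prototype pollution in merge()",
                         "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "1.2.3"}]}]}],
                         "database_specific": {"severity": "HIGH"}}],
    "groups": [{"ids": ["GHSA-xxxx-xxxx-xxxx"], "max_severity": "7.5"}]}]}]}
SAMPLE_TRIVY = {"SchemaVersion": 2, "Results": [
    {"Target": ".env.example", "Class": "secret", "Secrets": [
        {"RuleID": "aws-access-key-id", "Category": "AWS", "Severity": "CRITICAL", "Title": "AWS Access Key ID", "StartLine": 3}]},
    {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile", "Misconfigurations": [
        {"ID": "DS-example", "Title": "Image user should not be root", "Severity": "HIGH",
         "Description": "A container escape from a root process is far more damaging.", "Resolution": "Add a non-root USER instruction."}]}]}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: report.py osv.json trivy.json
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            print(audit_summary(json.load(f1), json.load(f2)))
    else:
        print(audit_summary(SAMPLE_OSV, SAMPLE_TRIVY))
```

Run it with the two JSON files to get the report, or with no arguments to see the constructed sample rendered. Trunk's own `trunk check` output is its annotated form rather than the scanners' raw JSON, so this reads files produced by invoking the scanners directly; the severity cutoff defaults to HIGH to match the "Critical/High" focus of the analysis step, and the same dependency advisory reported by both tools will still appear twice here, once per identifier, until you merge the aliases.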
Resources
- Security Tools Reference: Detailed information on the tools and how to interpret their results.
- Trunk Documentation: Official documentation for the Trunk CLI.