| name | security-scan |
| description | Scan a repo with Trivy (deps, IaC, secrets, licenses, images) and gitleaks (git history), then triage findings. Use for a full-repo security audit beyond the stack's native checks. |
| metadata | {"author":"Médéric HURIER (Fmind)","source":"github.com/fmind/dotfiles/tree/main/skills/security-scan","created":"2026-07-04T00:00:00.000Z","updated":"2026-07-06T00:00:00.000Z"} |
Security Scanning
Scan a repository (and its images) for vulnerabilities, misconfigurations, secrets, and license issues. Layers Trivy (config: dot_config/trivy/trivy.yaml — HIGH/CRITICAL, ignore-unfixed, scanners: vuln/misconfig/secret/license) over gitleaks for deep git-history secret detection, complementing the language-native scanners (govulncheck, pip-audit).
Workflow
- Repository scan (dependencies, misconfig, secrets, licenses in one pass):
trivy fs .
- Targeted config scan (Dockerfiles, Kubernetes manifests, Terraform — optional if already done via
trivy fs):
trivy config .
- Secrets in git history (deeper than a working-tree scan — catches committed-then-deleted secrets):
mise run check:leaks
mise run check:leaks --staged
- Container image scan (after a build — see containerize):
trivy image <registry>/<image>:<tag>
- Language-native depth (already wired into
mise run check as check:vuln):
- Go:
go tool govulncheck ./...
- Python:
uv run pip-audit
- Triage: summarize findings by severity, separate fixable from
unfixed, and propose the minimal upgrade/patch or a justified ignore.
Mise Task Integration
Expose security scans in the project's canonical task vocabulary (mise.toml) per the mise skill. check:leaks and check:scan are the same in every repo; check:vuln is the language-native scanner where one exists (govulncheck/pip-audit — see go-stack/python-stack) and only falls back to trivy fs in polyglot or config-only repos with no native scanner:
[tasks."check:leaks"]
alias = "s"
description = "Audit codebase for leaked secrets (gitleaks)"
run = "gitleaks git --verbose"
[tasks."check:scan"]
description = "Scan configuration files (IaC, manifests, Dockerfiles) for misconfigurations"
run = "trivy config ."
[tasks."check:vuln"]
description = "Scan project files and dependencies for vulnerabilities"
run = "trivy fs ."
Gotchas
Documentation