// Scan for vulnerable dependencies and CVEs via pnpm lint:security (Trunk Trivy/OSV-scanner), optional pnpm security:grype or pnpm lint:all (Trunk-all plus Grype). Use for dependency CVE checks, security-scoped lint, or post-bump verification.
Build the project and automatically fix any build errors, compilation failures, or type mismatches. Use when the project fails to build, shows "broken" states, or after making significant changes.
Run CodeQL security/quality analysis and fix findings. Use when the user asks to run CodeQL, security scan, static analysis, or fix CodeQL findings.
Self-improvement skill for evolving Claude Code configuration. Use when you notice repeated mistakes, want to add new workflows, or optimize the development experience.
Run linters and fix violations, formatting errors, or style mismatches using Trunk. Use when code quality checks fail, before submitting PRs, or to repair "broken" linting states.
Safely upgrade Node.js dependencies in pnpm workspaces. Use when asked to "upgrade dependencies", "update packages", "check for updates", or fix version mismatches.
End-of-session capture of failures, surprises, and lessons so agent behavior and repo config improve. Use after non-trivial work; skip trivial sessions unless something went wrong.
| name | security-scan |
| description | Scan for vulnerable dependencies and CVEs via pnpm lint:security (Trunk Trivy/OSV-scanner), optional pnpm security:grype or pnpm lint:all (Trunk-all plus Grype). Use for dependency CVE checks, security-scoped lint, or post-bump verification. |
| compatibility | Node and pnpm versions per `.node-version` and root `package.json` `engines`; run `pnpm install` from repo root. Run `pnpm exec trunk install` if Trunk-managed linters are missing (see AGENTS.md). `grype` must be on PATH for `pnpm security:grype` and the Grype step in `pnpm lint:all`. |
Filesystem and dependency vulnerability checks for this TypeScript monorepo:
pnpm lint:security — trunk check --all --scope security (Trivy, OSV-scanner, and other security-scoped linters in .trunk/trunk.yaml).pnpm security:grype — Anchore Grype on the repo root (grype on PATH; not installed via pnpm — see knip.json ignoreBinaries).pnpm lint:all (optional, slower) — full Trunk check across all files, then Grype — CI-style thoroughness.Default incremental Trunk: pnpm lint (trunk check -y). Prefer pnpm lint:security when the goal is vulnerability scanning.
See AGENTS.md for the layered harness (for example ESLint with eslint-plugin-security alongside Trivy/OSV).
package.json files, pnpm-lock.yaml, and root package.json pnpm.overrides when triaging transitive issuesFrom the repository root:
pnpm lint:security
pnpm security:grype
Thorough pass (Trunk-all plus Grype):
pnpm lint:all
If Trunk tools are missing: pnpm exec trunk install per AGENTS.md.
Debugging parity: pnpm security:grype matches grype .. For Trivy/OSV, prefer pnpm lint:security so versions match Trunk; use standalone CLIs only when reproducing or debugging outside Trunk.
pnpm-lock.yaml, root or packages/*/package.json) and CVE IDs.pnpm up, targeted pnpm add, or root pnpm.overrides when appropriate; run pnpm install after lockfile changes so scans match what you ship.pnpm lint:security and pnpm security:grype (or pnpm lint:all) until clean or remaining issues are accepted with rationale.pnpm lint — default Trunk checkpnpm lint:security — security-scoped Trunk (Trivy/OSV and related linters)AGENTS.md (pnpm workspace) and CLAUDE.md for agent-specific workflows