Run any Skill in Manus with one click

$pwd:

fix-image-cves

Name: Fix Image Cves
Author: kubernetes-sigs

// Scan a built container image with Trivy, classify fixable Go-module and base-image CVEs, apply dependency and Dockerfile fixes, and verify the result with file checks and an optional image rescan. Use when the user wants to fix CVEs in a container image, scan for vulnerabilities, or mentions Trivy, CVE remediation, image security, or dependency vulnerabilities.

Run Skill in Manus

$ git log --oneline --stat

stars:292

forks:319

updated:April 10, 2026 at 12:11

File Explorer

2 files

SKILL.md

readonly

name	fix-image-cves
description	Scan a built container image with Trivy, classify fixable Go-module and base-image CVEs, apply dependency and Dockerfile fixes, and verify the result with file checks and an optional image rescan. Use when the user wants to fix CVEs in a container image, scan for vulnerabilities, or mentions Trivy, CVE remediation, image security, or dependency vulnerabilities.

Fix Image CVEs

When To Use

Use this skill when you need to scan a built container image with Trivy, identify fixable CVEs from embedded Go modules or the runtime base image, apply the source changes in this repo, and verify that the planned fixes landed.

Workflow

Replace <SKILL_DIR> with the path to this skill directory.

Scan the built image first. Pass the module root that owns the binary and the Dockerfile that owns the runtime FROM line:

python3 <SKILL_DIR>/scripts/fix_image_cves.py scan \
  <image> \
  --module-root <module-dir> \
  --dockerfile <Dockerfile>

Build the actionable plan from the saved scan state:

python3 <SKILL_DIR>/scripts/fix_image_cves.py plan

Review the plan before changing files. When base-image CVEs are in scope, decide the deterministic replacement image and digest yourself. Then apply the plan:

python3 <SKILL_DIR>/scripts/fix_image_cves.py apply \
  --base-image-target <image>@sha256:<digest>

Preview the apply step without changing files:

python3 <SKILL_DIR>/scripts/fix_image_cves.py apply --dry-run

For multiple Dockerfiles or stages, key each target explicitly:

python3 <SKILL_DIR>/scripts/fix_image_cves.py apply \
  --base-image-target Dockerfile:runtime=<image>@sha256:<digest>

Verify the file-level changes. The script checks the resolved Go module versions, vendor/modules.txt, Dockerfile FROM lines, multi-module go mod verify, and a diff scoped to the files recorded during apply:

python3 <SKILL_DIR>/scripts/fix_image_cves.py verify

After rebuilding the image outside the skill, verify the image-level result with a Trivy rescan:

python3 <SKILL_DIR>/scripts/fix_image_cves.py verify \
  --rescan \
  --image <rebuilt-image>

Remove the state file and any temporary artifacts once the task is done or if you want to reset the workflow:

python3 <SKILL_DIR>/scripts/fix_image_cves.py clean

Notes

The workflow is intentionally split into scan, plan, apply, verify, and clean so the agent can inspect the planned dependency and base-image changes before mutating files.
scan runs trivy image --detection-priority comprehensive --format json and only records findings that include a non-empty FixedVersion.
Findings are classified as: GO_MODULE for Class="lang-pkgs" and Type="gobinary", BASE_IMAGE for Class="os-pkgs", OTHER for everything else.
plan groups multiple GO_MODULE CVEs by module path and chooses the highest FixedVersion across them. BASE_IMAGE findings are grouped into a recommendation that requires an explicit --base-image-target.
apply updates Go modules in the selected module root, then mirrors the repo CI behavior by discovering all tracked go.mod files and running go mod tidy plus go mod verify in every module before go mod vendor.
When vendoring is enabled at the repo root, apply also runs hack/update-azure-vendor-licenses.sh so LICENSES/ stays in sync with vendor/ and the resulting PR is self-contained.
verify does not assume a clean worktree. It compares the current repo diff against the pre-existing changed files plus the files recorded during apply so unrelated user edits do not trigger false failures.
The state file lives under .git/fix-image-cves.json intentionally so it stays untracked.
verify --rescan expects the agent to rebuild the image first. The skill does not build or push images.
clean removes the state file and cleans up any temporary helper artifacts left behind by vendor-license regeneration.
apply and verify set GOTOOLCHAIN=local for all Go subprocess calls to match CI behavior (actions/setup-go uses GOTOOLCHAIN=local). This prevents toolchain auto-download from producing extra go.sum entries that fail the Go Module Consistency check. The skill requires a locally installed Go version that satisfies the repo's go directive; apply performs a preflight check and fails early with a clear message if the local Go is too old.

related-skills.json

same repository

unblock-dependabot-pr.md

from "kubernetes-sigs/cloud-provider-azure"

Diagnose and unblock failed Dependabot pull requests in cloud-provider-azure by classifying CI failures, syncing Go modules, retesting quota-flaked e2e jobs, and updating PR status. Use when a Dependabot PR fails go-mod-consistency, pull-cloud-provider-azure-e2e jobs, or dependency/toolchain CI.

2026-05-16292

sync-go-modules.md

from "kubernetes-sigs/cloud-provider-azure"

Synchronize all tracked Go modules with the go-mod-consistency CI and refresh the root vendor tree. Use when go-mod-consistency fails, dependency bumps leave go.mod or go.sum stale, or the user asks to unblock module consistency, tidy all modules, or update vendor for the main module.

2026-05-16292

create-release-note-doc-pr.md

from "kubernetes-sigs/cloud-provider-azure"

Generate or update the documentation-site release note for a given tag, commit it on a branch, push it to a writable remote, and open a GitHub PR to the docs branch. Use when the user wants to create or update release notes, generate a changelog for a tag, or mentions release notes, docs PR, or documentation for a release.

2026-05-15292

release.md

from "kubernetes-sigs/cloud-provider-azure"

Prepare and publish a stable release in two phases by reusing the shared release-tag and release-note-doc-pr skills, building artifacts in GitHub, generating release notes and draft releases locally, validating release assets, and controlling latest-release status explicitly. Use when the user wants to perform a full release, publish a new version, or mentions releasing, shipping a version, or the end-to-end release process.

2026-05-15292

cherry-pick-pr.md

from "kubernetes-sigs/cloud-provider-azure"

Cherry-pick a merged pull request onto a release branch with Prow-style branch naming, manual conflict resolution, targeted validation, and GitHub PR creation. Use when the user wants to backport a PR, cherry-pick a commit to a release branch, or mentions cherry-pick, backport, or porting a fix to an older release.

2026-04-10292

create-release-tags.md

from "kubernetes-sigs/cloud-provider-azure"

Create and optionally push the next Kubernetes-style release tag (vX.Y.Z) from a release-X.Y branch by resolving the remote branch tip, computing the next patch tag, and tagging the commit directly without checking out the branch. Use when the user wants to tag a release, create a version tag, or mentions release tagging, cutting a release, or bumping a patch version.

2026-04-10292

package.json

"author": "kubernetes-sigs"

"repository": "kubernetes-sigs/cloud-provider-azure"

View GitHub Repository View Creator Repositories

$ install --global

$ download --local

Run Skill in Manus

$ useful --forSOC

Information Security AnalystsComputer and Mathematical Occupations15-1212L4

name	fix-image-cves
description	Scan a built container image with Trivy, classify fixable Go-module and base-image CVEs, apply dependency and Dockerfile fixes, and verify the result with file checks and an optional image rescan. Use when the user wants to fix CVEs in a container image, scan for vulnerabilities, or mentions Trivy, CVE remediation, image security, or dependency vulnerabilities.

Fix Image CVEs

When To Use

Workflow

Replace <SKILL_DIR> with the path to this skill directory.

Scan the built image first. Pass the module root that owns the binary and the Dockerfile that owns the runtime FROM line:

python3 <SKILL_DIR>/scripts/fix_image_cves.py scan \
  <image> \
  --module-root <module-dir> \
  --dockerfile <Dockerfile>

Build the actionable plan from the saved scan state:

python3 <SKILL_DIR>/scripts/fix_image_cves.py plan

Review the plan before changing files. When base-image CVEs are in scope, decide the deterministic replacement image and digest yourself. Then apply the plan:

python3 <SKILL_DIR>/scripts/fix_image_cves.py apply \
  --base-image-target <image>@sha256:<digest>

Preview the apply step without changing files:

python3 <SKILL_DIR>/scripts/fix_image_cves.py apply --dry-run

For multiple Dockerfiles or stages, key each target explicitly:

python3 <SKILL_DIR>/scripts/fix_image_cves.py apply \
  --base-image-target Dockerfile:runtime=<image>@sha256:<digest>

Verify the file-level changes. The script checks the resolved Go module versions, vendor/modules.txt, Dockerfile FROM lines, multi-module go mod verify, and a diff scoped to the files recorded during apply:

python3 <SKILL_DIR>/scripts/fix_image_cves.py verify

After rebuilding the image outside the skill, verify the image-level result with a Trivy rescan:

python3 <SKILL_DIR>/scripts/fix_image_cves.py verify \
  --rescan \
  --image <rebuilt-image>

Remove the state file and any temporary artifacts once the task is done or if you want to reset the workflow:

python3 <SKILL_DIR>/scripts/fix_image_cves.py clean

Notes

The workflow is intentionally split into scan, plan, apply, verify, and clean so the agent can inspect the planned dependency and base-image changes before mutating files.
scan runs trivy image --detection-priority comprehensive --format json and only records findings that include a non-empty FixedVersion.
Findings are classified as: GO_MODULE for Class="lang-pkgs" and Type="gobinary", BASE_IMAGE for Class="os-pkgs", OTHER for everything else.
plan groups multiple GO_MODULE CVEs by module path and chooses the highest FixedVersion across them. BASE_IMAGE findings are grouped into a recommendation that requires an explicit --base-image-target.
apply updates Go modules in the selected module root, then mirrors the repo CI behavior by discovering all tracked go.mod files and running go mod tidy plus go mod verify in every module before go mod vendor.
When vendoring is enabled at the repo root, apply also runs hack/update-azure-vendor-licenses.sh so LICENSES/ stays in sync with vendor/ and the resulting PR is self-contained.
verify does not assume a clean worktree. It compares the current repo diff against the pre-existing changed files plus the files recorded during apply so unrelated user edits do not trigger false failures.
The state file lives under .git/fix-image-cves.json intentionally so it stays untracked.
verify --rescan expects the agent to rebuild the image first. The skill does not build or push images.
clean removes the state file and cleans up any temporary helper artifacts left behind by vendor-license regeneration.
apply and verify set GOTOOLCHAIN=local for all Go subprocess calls to match CI behavior (actions/setup-go uses GOTOOLCHAIN=local). This prevents toolchain auto-download from producing extra go.sum entries that fail the Go Module Consistency check. The skill requires a locally installed Go version that satisfies the repo's go directive; apply performs a preflight check and fails early with a clear message if the local Go is too old.

fix-image-cves

Fix Image CVEs

When To Use

Workflow

Notes

More from this repository

More from this repository

Fix Image CVEs

When To Use

Workflow

Notes