security-vulnerability-audit
| Field | Value |
|---|---|
| name | security-vulnerability-audit |
| description | Workflow for auditing security vulnerabilities using trivy, osv-scanner, and trunk. |
This skill provides a comprehensive workflow for identifying security vulnerabilities in the codebase using industry-standard tools.
Before starting the audit, ensure the following tools are installed:
- trivy (Container and filesystem vulnerability scanner)
- osv-scanner (Google's vulnerability scanner for open-source dependencies)
- trunk (Integrated security and linting platform)

If any tools are missing, install them using the following commands. If Homebrew (brew) is available, it is the recommended method.
Using Homebrew (macOS/Linux):
brew install trivy osv-scanner trunk
Manual Installation:
Step 1 (trivy). Run a filesystem scan to catch vulnerabilities and hard-coded secrets in configuration files, source code, and project structure. By default, trivy fs scans for both vulnerabilities and secrets.
# Scan for vulnerabilities and secrets
trivy fs .
# (Optional) Scan for misconfigurations in IaC and config files
trivy config .
Step 2 (osv-scanner). Perform a deep scan of your project's dependencies against the OSV database using the scan source command.
osv-scanner scan source -r .
Step 3 (trunk). Run integrated security checks. trunk check executes all enabled linters.
If you are already using Trunk, check for and enable security-focused linters appropriate for your project's languages:
- bandit (scans Python code for common security issues)
- govulncheck (checks Go code and dependencies against the Go vulnerability database)
- gitleaks (detects secrets, API keys, and tokens)
- semgrep (static analysis for many languages)

# List all available linters to see security options
trunk check list
# Enable recommended security linters
trunk check enable trivy
trunk check enable gitleaks
trunk check enable semgrep
# Enable language-specific linters (e.g., for Python)
trunk check enable bandit
# Run security checks on modified files
trunk check
# Run all security checks on all files
trunk check --all --scope security
Note: If Trunk is not installed or initialized, use the standalone tools (trivy, osv-scanner) as described in the previous steps.
After running the tools, compile a report in the following structure:
[Brief overview of the security posture]
| Tool | Severity | Component | Description | Recommendation |
|---|---|---|---|---|
| [Tool Name] | [Critical/High/Med/Low] | [File/Dependency] | [Issue Description] | [Fix/Mitigation] |
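As an added example (not part of this skill or of the tools' own code), the following Python script assembles the report table above from the JSON output of trivy and osv-scanner. It assumes the scans were run with --format json (both tools support that flag) and that the JSON field names match the tool versions I have used (Results/Vulnerabilities/Secrets for trivy; results/packages/vulnerabilities/groups for osv-scanner); verify them against your installed versions. The sample findings are constructed with placeholder IDs so the script runs offline. osv-scanner reports severity as a CVSS score, so it is mapped onto the template's Critical/High/Med/Low scale with the CVSS v3 qualitative ratings, and advisories the scanner leaves unrated are flagged in the description rather than silently dropped.

```python
"""Build the audit report table from trivy and osv-scanner JSON output.

Added example, not part of this skill's own files. It assumes the scans were run
with JSON output (trivy fs --format json . and osv-scanner scan source -r --format json .)
and that the JSON field names below match the tool versions I have used; verify
them against your installed versions. All findings below are constructed samples.
"""
import json

# Report severity scale from the template: Critical/High/Med/Low.
SEVERITY_MAP = {"CRITICAL": "Critical", "HIGH": "High", "MEDIUM": "Med",
                "MODERATE": "Med", "LOW": "Low"}
SEVERITY_RANK = {"Critical": 0, "High": 1, "Med": 2, "Low": 3}
HEADER = ["| Tool | Severity | Component | Description | Recommendation |",
          "|---|---|---|---|---|"]


def cvss_to_level(score):
    """CVSS v3 qualitative rating scale; None when the score is missing or unparsable."""
    try:
        s = float(score)
    except (TypeError, ValueError):
        return None
    return "Critical" if s >= 9.0 else "High" if s >= 7.0 else "Med" if s >= 4.0 else "Low"


def trivy_findings(report):
    """Rows from trivy fs JSON: CVEs per package plus hard-coded secrets (assumed field names)."""
    rows = []
    for result in report.get("Results", []):
        target = result.get("Target", "")
        for v in result.get("Vulnerabilities") or []:
            fixed = v.get("FixedVersion")
            rows.append({
                "tool": "trivy",
                "severity": SEVERITY_MAP.get(str(v.get("Severity", "")).upper(), "Low"),
                "component": f"{v['PkgName']}@{v.get('InstalledVersion', '?')} ({target})",
                "description": f"{v['VulnerabilityID']}: {v.get('Title', '')}",
                "recommendation": f"Upgrade to {fixed}" if fixed else "No fixed version; mitigate or replace",
            })
        for s in result.get("Secrets") or []:
            rows.append({
                "tool": "trivy",
                "severity": SEVERITY_MAP.get(str(s.get("Severity", "")).upper(), "Low"),
                "component": f"{target}:{s.get('StartLine', '?')}",
                "description": f"Hard-coded secret ({s.get('RuleID', 'unknown rule')})",
                "recommendation": "Remove from source, rotate the credential, load it from a secret store",
            })
    return rows


def osv_findings(report):
    """Rows from osv-scanner JSON: one per advisory, severity from the group's max CVSS (assumed)."""
    rows = []
    for result in report.get("results", []):
        source = result.get("source", {}).get("path", "")
        for pkg in result.get("packages", []):
            info = pkg.get("package", {})
            # osv-scanner groups aliased advisories and reports the group's maximum CVSS score.
            max_score = {vid: g.get("max_severity")
                         for g in pkg.get("groups") or [] for vid in g.get("ids", [])}
            for v in pkg.get("vulnerabilities") or []:
                level = cvss_to_level(max_score.get(v["id"]))
                note = "" if level else " (no severity from scanner; rate manually)"
                rows.append({
                    "tool": "osv-scanner",
                    "severity": level or "Low",
                    "component": f"{info.get('name')}@{info.get('version')} ({source})",
                    "description": f"{v['id']}: {v.get('summary', '')}{note}",
                    "recommendation": "Upgrade to a version outside the affected range in the advisory",
                })
    return rows


def render_report(rows, overview):
    """Emit the report structure from the skill: overview, then the table, most severe first."""
    ordered = sorted(rows, key=lambda r: (SEVERITY_RANK[r["severity"]], r["tool"], r["component"]))
    lines = [overview, ""] + HEADER
    for r in ordered:
        cells = (r["tool"], r["severity"], r["component"], r["description"], r["recommendation"])
        lines.append("| " + " | ".join(c.replace("|", "\\|") for c in cells) + " |")
    return "\n".join(lines)


# Constructed sample scanner output; the IDs are placeholders, not real advisories.
TRIVY_SAMPLE = json.loads("""{"Results": [
  {"Target": "requirements.txt", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-00001", "PkgName": "examplelib", "InstalledVersion": "1.0.0",
     "FixedVersion": "1.0.1", "Severity": "HIGH", "Title": "constructed sample finding"}]},
  {"Target": "config/settings.py", "Secrets": [
    {"RuleID": "sample-secret-rule", "Severity": "CRITICAL", "StartLine": 12}]}]}""")
OSV_SAMPLE = json.loads("""{"results": [
  {"source": {"path": "go.mod", "type": "lockfile"}, "packages": [
    {"package": {"name": "example.com/pkg", "version": "0.3.0", "ecosystem": "Go"},
     "vulnerabilities": [{"id": "SAMPLE-0000-0002", "summary": "constructed sample advisory"},
                         {"id": "SAMPLE-0000-0003", "summary": "constructed, unrated"}],
     "groups": [{"ids": ["SAMPLE-0000-0002"], "max_severity": "9.8"}]}]}]}""")


def build_report(trivy=TRIVY_SAMPLE, osv=OSV_SAMPLE):
    """Merge both scanners' findings and return (rows, rendered markdown report)."""
    rows = trivy_findings(trivy) + osv_findings(osv)
    counts = {lvl: sum(r["severity"] == lvl for r in rows) for lvl in SEVERITY_RANK}
    overview = "Findings: " + ", ".join(f"{n} {lvl}" for lvl, n in counts.items() if n)
    return rows, render_report(rows, overview)


if __name__ == "__main__":
    print(build_report()[1])
```

To use it on a real project, run trivy fs --format json -o trivy.json . and osv-scanner scan source -r --format json . > osv.json, then pass json.load() of those two files to build_report(). Trunk output is not merged here because trunk check reports in the format of whichever linters are enabled.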