| name | security-vulnerability-audit |
| description | Workflow for auditing security vulnerabilities using Trunk (Trivy and OSV-scanner). Use when checking for project vulnerabilities, hard-coded secrets, or repairing security flaws. |
Security Vulnerability Audit
This skill provides a structured process for identifying and reporting security vulnerabilities in the codebase using Trunk's integrated security tools.
Audit Workflow
-
Run Security Scan: Execute Trunk with the security scope.
trunk check --all --scope security
Note: This command runs trunk check --all --scope security, which triggers both Trivy and OSV-scanner.
-
Analyze Findings: Review the output from Trunk. Pay close attention to:
- Critical/High vulnerabilities in dependencies (reported by
osv-scanner).
- Hard-coded secrets or configuration issues (reported by
trivy).
-
Compile Report: Use the findings to create a summary of the security posture.
Reporting Format
For each significant finding, provide:
- Severity: [Critical/High/Medium/Low]
- Tool: [Trivy/OSV-Scanner]
- Description: [Brief description of the vulnerability]
- Impact: [What happens if exploited?]
- Recommendation: [How to fix it, e.g., "Update package X to version Y"]
Resources