Babysitter container-security-scanner
Container image and Kubernetes security scanning for CVEs, misconfigurations, and compliance
install
source · Clone the upstream repo
git clone https://github.com/a5c-ai/babysitter
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/a5c-ai/babysitter "$T" && mkdir -p ~/.claude/skills && cp -r "$T/library/specializations/security-compliance/skills/container-security-scanner" ~/.claude/skills/a5c-ai-babysitter-container-security-scanner && rm -rf "$T"
manifest: library/specializations/security-compliance/skills/container-security-scanner/SKILL.md
source content
Container Security Scanner Skill
Purpose
Automated container image and Kubernetes security scanning to identify vulnerabilities, misconfigurations, secrets, and compliance issues in containerized environments.
Capabilities
Image Vulnerability Scanning
- Scan container images for known CVEs using Trivy, Grype, or Anchore
- Detect vulnerabilities in OS packages and application dependencies
- Generate SBOM (Software Bill of Materials) in CycloneDX or SPDX format
- Track vulnerability severity (Critical, High, Medium, Low)
Dockerfile Security Analysis
- Check Dockerfile best practices and security issues
- Identify privileged container configurations
- Detect hardcoded secrets in Dockerfiles
- Verify base image security and freshness
Kubernetes Security Scanning
- Run Kubernetes CIS benchmark checks using kube-bench
- Analyze pod security policies and standards
- Check RBAC configurations for over-permissive access
- Detect insecure network policies
Secrets Detection
- Scan images for embedded secrets and credentials
- Identify API keys, tokens, and passwords in layers
- Check environment variable configurations
Image Signature Verification
- Verify container image signatures using cosign
- Validate image provenance and attestations
- Check image registry security configurations
Compliance Reporting
- Generate compliance reports (CIS, NIST, PCI-DSS)
- Map findings to compliance controls
- Track remediation status and timelines
Integrations
- Trivy: Comprehensive vulnerability scanner for containers
- Grype: Container image vulnerability scanner
- Syft: SBOM generation tool
- kube-bench: Kubernetes CIS benchmark checker
- Falco: Runtime security monitoring
- Anchore: Enterprise container security platform
- cosign: Container image signing and verification
Target Processes
- Container Security Scanning Process
- DevSecOps Pipeline Integration
- IaC Security Scanning
- Kubernetes Security Hardening
- Container Image Build Pipeline
Input Schema
{ "type": "object", "properties": { "imageName": { "type": "string", "description": "Container image name with tag" }, "registry": { "type": "string", "description": "Container registry URL" }, "dockerfilePath": { "type": "string", "description": "Path to Dockerfile for static analysis" }, "kubeManifestPath": { "type": "string", "description": "Path to Kubernetes manifests" }, "scanType": { "type": "array", "items": { "type": "string", "enum": ["vulnerability", "config", "secrets", "compliance", "sbom"] } }, "severityThreshold": { "type": "string", "enum": ["CRITICAL", "HIGH", "MEDIUM", "LOW"] } }, "required": ["imageName"] }
Output Schema
{ "type": "object", "properties": { "scanId": { "type": "string" }, "imageName": { "type": "string" }, "scanTimestamp": { "type": "string", "format": "date-time" }, "vulnerabilities": { "type": "object", "properties": { "critical": { "type": "integer" }, "high": { "type": "integer" }, "medium": { "type": "integer" }, "low": { "type": "integer" }, "findings": { "type": "array", "items": { "type": "object", "properties": { "cveId": { "type": "string" }, "severity": { "type": "string" }, "package": { "type": "string" }, "fixedVersion": { "type": "string" }, "description": { "type": "string" } } } } } }, "misconfigurations": { "type": "array" }, "secrets": { "type": "array" }, "complianceStatus": { "type": "object" }, "recommendations": { "type": "array", "items": { "type": "string" } } } }
Usage Example
skill: {
  name: 'container-security-scanner',
  context: {
    imageName: 'myapp:v1.2.3',
    registry: 'registry.example.com',
    scanType: ['vulnerability', 'config', 'secrets'],
    severityThreshold: 'HIGH'
  }
}
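The schemas above define the shape of a request and a result but not how severityThreshold is meant to gate a build. The following is an added example, not code from the babysitter project: it validates a request context against the input schema's required field and enums, then aggregates a set of constructed findings (placeholder CVE ids and hypothetical package names, not real advisories) into the output schema, counting per severity and returning a pass/fail verdict for the pipeline based on the threshold. The validate_request and build_report function names are this example's own.

```python
"""Added example (not part of the babysitter project): validate a
container-security-scanner request against the skill's input schema and
aggregate constructed findings into the skill's output schema, gating on
severityThreshold the way a DevSecOps pipeline step would."""
import json
import uuid
from datetime import datetime, timezone

# Severity ranking and scanType values, taken from the input schema's enums.
SEVERITY_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]
SCAN_TYPES = {"vulnerability", "config", "secrets", "compliance", "sbom"}


def validate_request(context):
    """Return a list of schema violations (empty list means the request is valid)."""
    errors = []
    image = context.get("imageName")
    if not isinstance(image, str) or not image:
        errors.append("imageName is required and must be a string")
    for scan_type in context.get("scanType", []):
        if scan_type not in SCAN_TYPES:
            errors.append(f"unknown scanType {scan_type!r}")
    threshold = context.get("severityThreshold")
    if threshold is not None and threshold not in SEVERITY_ORDER:
        errors.append(f"unknown severityThreshold {threshold!r}")
    return errors


# Constructed findings shaped like the output schema's `findings` items.
# CVE ids are placeholders and package names are hypothetical.
SAMPLE_FINDINGS = [
    {"cveId": "CVE-PLACEHOLDER-1", "severity": "CRITICAL", "package": "libexample",
     "fixedVersion": "1.2.4", "description": "constructed critical finding"},
    {"cveId": "CVE-PLACEHOLDER-2", "severity": "HIGH", "package": "exampletool",
     "fixedVersion": "", "description": "constructed high finding with no fix"},
    {"cveId": "CVE-PLACEHOLDER-3", "severity": "MEDIUM", "package": "libother",
     "fixedVersion": "2.0.1", "description": "constructed medium finding"},
    {"cveId": "CVE-PLACEHOLDER-4", "severity": "LOW", "package": "libminor",
     "fixedVersion": "0.9.9", "description": "constructed low finding"},
]


def build_report(context, findings, now=None):
    """Aggregate findings into the output schema; return (report, passed).

    `passed` is False when any finding is at or above severityThreshold
    (default LOW, i.e. everything gates). Findings whose severity is not one
    of the schema's four levels are kept in `findings` but neither counted
    nor gated, so a scanner's UNKNOWN entries never silently block a build.
    """
    threshold = context.get("severityThreshold", "LOW")
    min_rank = SEVERITY_ORDER.index(threshold)
    counts = {level.lower(): 0 for level in SEVERITY_ORDER}
    gating = []
    for finding in findings:
        severity = finding["severity"].upper()
        if severity not in SEVERITY_ORDER:
            continue
        counts[severity.lower()] += 1
        if SEVERITY_ORDER.index(severity) >= min_rank:
            gating.append(finding)

    recommendations = []
    for finding in gating:
        if finding.get("fixedVersion"):
            recommendations.append(
                f"Upgrade {finding['package']} to {finding['fixedVersion']} ({finding['cveId']})")
        else:
            recommendations.append(
                f"No fixed version for {finding['package']} ({finding['cveId']}): "
                "mitigate, rebase the image, or record a risk acceptance")

    timestamp = (now or datetime.now(timezone.utc)).isoformat()
    report = {
        "scanId": str(uuid.uuid4()),
        "imageName": context["imageName"],
        "scanTimestamp": timestamp,
        "vulnerabilities": {**counts, "findings": findings},
        "misconfigurations": [],
        "secrets": [],
        "complianceStatus": {},
        "recommendations": recommendations,
    }
    return report, len(gating) == 0


if __name__ == "__main__":
    # Same context as the page's usage example.
    ctx = {"imageName": "myapp:v1.2.3", "registry": "registry.example.com",
           "scanType": ["vulnerability", "config", "secrets"], "severityThreshold": "HIGH"}
    assert validate_request(ctx) == []
    report, passed = build_report(ctx, SAMPLE_FINDINGS)
    print(json.dumps(report, indent=2))
    print("gate:", "PASS" if passed else "FAIL")
```

With the page's own context (severityThreshold HIGH) the constructed findings produce one critical and one high count and the gate fails; raising the threshold to CRITICAL would let the unfixed high finding through, which is the trade-off the threshold field encodes.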