Claude-code-plugins-plus scanning-container-security
install
source · Clone the upstream repo
git clone https://github.com/jeremylongshore/claude-code-plugins-plus-skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/jeremylongshore/claude-code-plugins-plus-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/devops/container-security-scanner/skills/scanning-container-security" ~/.claude/skills/jeremylongshore-claude-code-plugins-plus-scanning-container-security-2fcc44 && rm -rf "$T"
manifest:
plugins/devops/container-security-scanner/skills/scanning-container-security/SKILL.mdsource content
Scanning Container Security
Overview
Scan container images and Dockerfiles for vulnerabilities, misconfigurations, and compliance violations using Trivy, Grype, Snyk Container, and Hadolint. Analyze base images, OS packages, application dependencies, and runtime configurations to produce actionable security reports with remediation guidance.
Prerequisites
- Container scanning tool installed:
,trivy
,grype
, orsnykdocker scout - Dockerfile linter:
for Dockerfile best practice validationhadolint - Docker daemon running for local image scanning
- Access to the container images to scan (local, registry, or tar archive)
for parsing JSON scan resultsjq
Instructions
- Identify target images for scanning: production images, base images, and CI-built images
- Lint Dockerfiles with
to catch misconfigurations before build (privileged instructions, pinned versions, shell best practices)hadolint Dockerfile - Scan built images for OS-level vulnerabilities:
ortrivy image <image:tag>grype <image:tag> - Scan for application dependency vulnerabilities: check language-specific packages (npm, pip, Maven, Go modules) embedded in the image
- Check for secrets accidentally baked into image layers:
trivy image --scanners secret <image:tag> - Evaluate image against CIS Docker Benchmark: verify non-root user, read-only filesystem capability, health checks defined
- Generate a security report with severity classification (Critical, High, Medium, Low) and CVE identifiers
- Produce remediation steps: upgrade base image, pin package versions, replace vulnerable dependencies
- Integrate scanning into CI/CD pipeline: fail builds on Critical/High vulnerabilities, generate SARIF output for GitHub Security tab
Output
- Vulnerability scan report in JSON, table, or SARIF format
- Hadolint report with Dockerfile improvement recommendations
- Remediation Dockerfile patches (updated base image, pinned package versions)
- CI/CD pipeline step configuration for automated image scanning
- Security policy document defining acceptable risk thresholds
Error Handling
| Error | Cause | Solution |
|---|---|---|
| Image not found locally or registry auth failure | Pull image first with |
| Upstream package has no patch yet | Document as accepted risk, use |
| Packages installed without version pinning | Add version pins (e.g., |
| Image has many layers or large filesystem | Use |
| Scanner database maps CVE to a package not actually exploitable | Add to |
Examples
- "Scan all production Docker images for Critical and High CVEs, generate a report, and create Jira tickets for each finding."
- "Lint the Dockerfile for best practices: ensure multi-stage build, non-root USER, no ADD for remote URLs, and pinned base image digest."
- "Set up a GitHub Actions step that runs Trivy on every PR, fails on Critical vulnerabilities, and uploads results to the Security tab via SARIF."
Resources
- Trivy: https://aquasecurity.github.io/trivy/
- Grype: https://github.com/anchore/grype
- Hadolint: https://github.com/hadolint/hadolint
- Docker Scout: https://docs.docker.com/scout/
- CIS Docker Benchmark: https://www.cisecurity.org/benchmark/docker