Cli-power-skills security-scanning
Use when checking code for vulnerabilities, linting shell scripts, scanning containers or IaC for security issues, or managing encrypted secrets
install
source · Clone the upstream repo
git clone https://github.com/ykotik/cli-power-skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/ykotik/cli-power-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/security-scanning" ~/.claude/skills/ykotik-cli-power-skills-security-scanning && rm -rf "$T"
manifest: skills/security-scanning/SKILL.md
Security Scanning
When to Use
- Scanning a project directory for known vulnerabilities (CVEs)
- Scanning a container image before deployment
- Scanning Infrastructure-as-Code (Terraform, CloudFormation) for misconfigurations
- Linting shell scripts for bugs, pitfalls, and unsafe patterns
- Encrypting or decrypting secrets stored in YAML/JSON config files
- Checking dependencies for known security issues
Tools
| Tool | Purpose | Structured output |
|---|---|---|
| Trivy | Vulnerability scanner for filesystems, containers, IaC | `--format json` or `--format sarif` |
| ShellCheck | Static analysis and linting for shell scripts | `-f json` for JSON output |
| sops | Encrypt/decrypt secrets in YAML, JSON, ENV files | Outputs decrypted file to stdout |
Patterns
Scan project directory for vulnerabilities
trivy fs --format json --output results.json .
Scan project and show results in terminal
trivy fs --severity HIGH,CRITICAL .
Scan a container image
trivy image --format json --output scan.json nginx:latest
Scan Terraform files for misconfigurations
trivy config --format json .
Scan a lockfile (package-lock.json, requirements.txt, etc.)
trivy fs --scanners vuln --format json package-lock.json
Generate SARIF report for CI integration
trivy fs --format sarif --output report.sarif .
Lint a shell script with JSON output
shellcheck -f json script.sh
Lint all shell scripts in a directory
shellcheck -f json *.sh scripts/*.sh
Lint with specific severity threshold
shellcheck -S warning -f json script.sh
Encrypt a secrets file with sops (using age key)
sops --encrypt --age $(cat ~/.config/sops/age/keys.txt | grep "public key:" | awk '{print $NF}') secrets.yaml > secrets.enc.yaml
Decrypt a secrets file to stdout
sops --decrypt secrets.enc.yaml
Edit encrypted file in-place
sops secrets.enc.yaml
Decrypt a single value
sops --decrypt --extract '["database"]["password"]' secrets.enc.yaml
Pipelines
Scan and summarize critical findings
trivy fs --format json . | jq '[.Results[] | .Vulnerabilities[]? | select(.Severity == "CRITICAL") | {id: .VulnerabilityID, pkg: .PkgName, title: .Title}]'
Each stage: Trivy scans and outputs JSON, jq filters to critical vulnerabilities and extracts key fields.
Lint all shell scripts and count issues by severity
shellcheck -f json scripts/*.sh | jq 'group_by(.level) | map({level: .[0].level, count: length})'
Each stage: ShellCheck lints all scripts to JSON, jq groups and counts by severity level.
Scan image and fail if critical vulns found
trivy image --format json myapp:latest | jq -e '[.Results[] | .Vulnerabilities[]? | select(.Severity == "CRITICAL")] | length == 0'
Each stage: Trivy scans image, jq checks for critical vulns and exits non-zero if any found.
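The three jq pipelines above all walk the same Trivy JSON shape (`Results[].Vulnerabilities[]`), and the `?` in `.Vulnerabilities[]?` matters because Trivy omits that key for clean targets. The following is an added example, not part of the skill or of Trivy, that reads a constructed report with the same field names, reproduces the critical-findings summary and the CI gate in Python, and extends the gate with two policy knobs (fail only on fixable findings, or skip an allowlist of IDs) that the one-line jq gate does not offer. The report contents and CVE-0000-* identifiers are constructed placeholders.

```python
"""Gate a Trivy JSON report on severity, mirroring the jq pipelines above."""
import json
from collections import Counter

# Constructed sample report: only the fields the jq pipelines use are present.
# The second target has no "Vulnerabilities" key, as Trivy emits for clean targets.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "Results": [
        {"Target": "package-lock.json", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "examplelib",
             "Severity": "CRITICAL", "Title": "constructed finding",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "otherlib",
             "Severity": "HIGH", "Title": "constructed finding, no fix",
             "InstalledVersion": "2.3.0"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "examplelib",
             "Severity": "LOW", "Title": "constructed low finding",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1"},
        ]},
        {"Target": "Dockerfile"},
    ],
})


def iter_vulns(report):
    """Yield every vulnerability; tolerate a missing Results or Vulnerabilities key."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield vuln


def count_by_severity(report_json):
    return dict(Counter(v["Severity"] for v in iter_vulns(json.loads(report_json))))


def critical_findings(report_json):
    """Same fields the 'Scan and summarize critical findings' jq filter extracts."""
    return [{"id": v["VulnerabilityID"], "pkg": v["PkgName"], "title": v["Title"]}
            for v in iter_vulns(json.loads(report_json)) if v["Severity"] == "CRITICAL"]


def gate(report_json, fail_on=("CRITICAL",), fixable_only=False, allowlist=()):
    """Return (ok, blocking_findings); ok=False is the jq -e non-zero exit."""
    blocking = [v for v in iter_vulns(json.loads(report_json))
                if v["Severity"] in fail_on
                and v["VulnerabilityID"] not in allowlist
                and (not fixable_only or v.get("FixedVersion"))]
    return (len(blocking) == 0, blocking)
```

Feed it real output with `json.loads(open("results.json").read())` from the `trivy fs --format json --output results.json .` pattern above.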
Prefer Over
- Prefer Trivy over manual `pip audit`/`npm audit` — scans all ecosystems in one pass
- Prefer ShellCheck over manual review for shell scripts — catches subtle quoting, globbing, and portability bugs
- Prefer sops over storing plaintext secrets — encryption at rest with version control compatibility
Do NOT Use When
- Reviewing business logic or application design flaws — these tools find known CVEs and script bugs, not logic errors
- Linting Python code — use Ruff (python-tooling skill) instead
- Linting JavaScript/TypeScript — use ESLint or Biome directly
- Managing runtime secrets (use Vault or environment variables for that)