container-security-scanner
// Container image and Kubernetes security scanning for CVEs, misconfigurations, and compliance
$ git log --oneline --stat
stars:384
forks:73
updated:March 4, 2026
SKILL.mdreadonly
SKILL.md Frontmatter
namecontainer-security-scanner
descriptionContainer image and Kubernetes security scanning for CVEs, misconfigurations, and compliance
allowed-toolsBash,Read,Write,Glob,Grep,WebFetch
Container Security Scanner Skill
Purpose
Automated container image and Kubernetes security scanning to identify vulnerabilities, misconfigurations, secrets, and compliance issues in containerized environments.
Capabilities
Image Vulnerability Scanning
- Scan container images for known CVEs using Trivy, Grype, or Anchore
- Detect vulnerabilities in OS packages and application dependencies
- Generate SBOM (Software Bill of Materials) in CycloneDX or SPDX format
- Track vulnerability severity (Critical, High, Medium, Low)
Dockerfile Security Analysis
- Check Dockerfile best practices and security issues
- Identify privileged container configurations
- Detect hardcoded secrets in Dockerfiles
- Verify base image security and freshness
Kubernetes Security Scanning
- Run Kubernetes CIS benchmark checks using kube-bench
- Analyze pod security policies and standards
- Check RBAC configurations for over-permissive access
- Detect insecure network policies
Secrets Detection
- Scan images for embedded secrets and credentials
- Identify API keys, tokens, and passwords in layers
- Check environment variable configurations
Image Signature Verification
- Verify container image signatures using cosign
- Validate image provenance and attestations
- Check image registry security configurations
Compliance Reporting
- Generate compliance reports (CIS, NIST, PCI-DSS)
- Map findings to compliance controls
- Track remediation status and timelines
Integrations
- Trivy: Comprehensive vulnerability scanner for containers
- Grype: Container image vulnerability scanner
- Syft: SBOM generation tool
- kube-bench: Kubernetes CIS benchmark checker
- Falco: Runtime security monitoring
- Anchore: Enterprise container security platform
- cosign: Container image signing and verification
Target Processes
- Container Security Scanning Process
- DevSecOps Pipeline Integration
- IaC Security Scanning
- Kubernetes Security Hardening
- Container Image Build Pipeline
Input Schema
{
"type": "object",
"properties": {
"imageName": {
"type": "string",
"description": "Container image name with tag"
},
"registry": {
"type": "string",
"description": "Container registry URL"
},
"dockerfilePath": {
"type": "string",
"description": "Path to Dockerfile for static analysis"
},
"kubeManifestPath": {
"type": "string",
"description": "Path to Kubernetes manifests"
},
"scanType": {
"type": "array",
"items": {
"type": "string",
"enum": ["vulnerability", "config", "secrets", "compliance", "sbom"]
}
},
"severityThreshold": {
"type": "string",
"enum": ["CRITICAL", "HIGH", "MEDIUM", "LOW"]
}
},
"required": ["imageName"]
}
Output Schema
{
"type": "object",
"properties": {
"scanId": {
"type": "string"
},
"imageName": {
"type": "string"
},
"scanTimestamp": {
"type": "string",
"format": "date-time"
},
"vulnerabilities": {
"type": "object",
"properties": {
"critical": { "type": "integer" },
"high": { "type": "integer" },
"medium": { "type": "integer" },
"low": { "type": "integer" },
"findings": {
"type": "array",
"items": {
"type": "object",
"properties": {
"cveId": { "type": "string" },
"severity": { "type": "string" },
"package": { "type": "string" },
"fixedVersion": { "type": "string" },
"description": { "type": "string" }
}
}
}
}
},
"misconfigurations": {
"type": "array"
},
"secrets": {
"type": "array"
},
"complianceStatus": {
"type": "object"
},
"recommendations": {
"type": "array",
"items": { "type": "string" }
}
}
}
Usage Example
skill: {
name: 'container-security-scanner',
context: {
imageName: 'myapp:v1.2.3',
registry: 'registry.example.com',
scanType: ['vulnerability', 'config', 'secrets'],
severityThreshold: 'HIGH'
}
}