‹ 首页

managing-vulnerabilities

@ancoleman · 收录于 1 周前

Implementing multi-layer security scanning (container, SAST, DAST, SCA, secrets), SBOM generation, and risk-based vulnerability prioritization in CI/CD pipelines. Use when building DevSecOps workflows, ensuring compliance, or establishing security gates for container deployments.

适合你,如果你需要在开发流程中嵌入安全扫描并管理漏洞风险

/ 下载安装
managing-vulnerabilities.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add ancoleman/ai-design-components/managing-vulnerabilities
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- ancoleman/ai-design-components/managing-vulnerabilities
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify ancoleman/ai-design-components/managing-vulnerabilities
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
384GitHub stars
~2.9K最小装载
~18.2K含声明引用
~24.9K文本包总量
镜像托管

怎么用

技能原文 SKILL.md作者撰写 · MIT · 76551b7

Vulnerability Management

Implement comprehensive vulnerability detection and remediation workflows across containers, source code, dependencies, and running applications. This skill covers multi-layer scanning strategies, SBOM generation (CycloneDX and SPDX), risk-based prioritization using CVSS/EPSS/KEV, and CI/CD security gate patterns.

When to Use This Skill

Invoke this skill when:

  • Building security scanning into CI/CD pipelines
  • Generating Software Bills of Materials (SBOMs) for compliance
  • Prioritizing vulnerability remediation using risk-based approaches
  • Implementing security gates (fail builds on critical vulnerabilities)
  • Scanning container images before deployment
  • Detecting secrets, misconfigurations, or code vulnerabilities
  • Establishing DevSecOps practices and automation
  • Meeting regulatory requirements (SBOM mandates, Executive Order 14028)
Multi-Layer Scanning Strategy

Vulnerability management requires scanning at multiple layers. Each layer detects different types of security issues.

Layer Overview

Container Image Scanning

  • Detects vulnerabilities in OS packages, language dependencies, and binaries
  • Tools: Trivy (comprehensive), Grype (accuracy-focused), Snyk Container (commercial)
  • When: Every container build, base image selection, registry admission control

SAST (Static Application Security Testing)

  • Analyzes source code for security flaws before runtime
  • Tools: Semgrep (fast, semantic), Snyk Code (developer-first), SonarQube (enterprise)
  • When: Every commit, PR checks, main branch protection

DAST (Dynamic Application Security Testing)

  • Tests running applications for vulnerabilities (black-box testing)
  • Tools: OWASP ZAP (open-source), StackHawk (CI/CD native), Burp Suite (manual + automated)
  • When: Staging environment testing, API validation, authentication testing

SCA (Software Composition Analysis)

  • Analyzes third-party dependencies for known vulnerabilities
  • Tools: Dependabot (GitHub native), Renovate (advanced), Snyk Open Source (commercial)
  • When: Every build, dependency updates, license audits

Secret Scanning

  • Prevents secrets from being committed to source code
  • Tools: Gitleaks (fast, configurable), TruffleHog (entropy detection), GitGuardian (commercial)
  • When: Pre-commit hooks, repository scanning, CI/CD artifact checks
Quick Tool Selection
Container Image → Trivy (default choice) OR Grype (accuracy focus)
Source Code → Semgrep (open-source) OR Snyk Code (commercial)
Running Application → OWASP ZAP (open-source) OR StackHawk (CI/CD native)
Dependencies → Dependabot (GitHub) OR Renovate (advanced automation)
Secrets → Gitleaks (open-source) OR GitGuardian (commercial)

For detailed tool selection guidance, see references/tool-selection.md.

SBOM Generation

Software Bills of Materials (SBOMs) provide a complete inventory of software components and dependencies. Required for compliance and security transparency.

CycloneDX vs. SPDX

CycloneDX (Recommended for DevSecOps)

  • Security-focused, OWASP-maintained
  • Native vulnerability references
  • Fast, lightweight (JSON/XML/ProtoBuf)
  • Best for: DevSecOps pipelines, vulnerability tracking

SPDX (Recommended for Legal/Compliance)

  • License compliance focus, ISO standard (ISO/IEC 5962:2021)
  • Comprehensive legal metadata
  • Government/defense preferred format
  • Best for: Legal teams, compliance audits, federal requirements
Generating SBOMs

With Trivy (CycloneDX or SPDX):

# CycloneDX format (recommended for security)
trivy image --format cyclonedx --output sbom.json myapp:latest

# SPDX format (for compliance)
trivy image --format spdx-json --output sbom-spdx.json myapp:latest

# Scan SBOM (faster than re-scanning image)
trivy sbom sbom.json --severity HIGH,CRITICAL

With Syft (high accuracy):

# Generate CycloneDX
syft myapp:latest -o cyclonedx-json=sbom.json

# Generate SPDX
syft myapp:latest -o spdx-json=sbom-spdx.json

# Pipe to Grype for scanning
syft myapp:latest -o json | grype

For comprehensive SBOM patterns and storage strategies, see references/sbom-guide.md.

Vulnerability Prioritization

Not all vulnerabilities require immediate action. Prioritize based on actual risk using CVSS, EPSS, and KEV.

Modern Risk-Based Prioritization

Step 1: Gather Metrics

| Metric | Source | Purpose | |--------|--------|---------| | CVSS Base Score | NVD, vendor advisories | Vulnerability severity (0-10) | | EPSS Score | FIRST.org API | Exploitation probability (0-1) | | KEV Status | CISA KEV Catalog | Actively exploited CVEs | | Asset Criticality | Internal CMDB | Business impact if compromised | | Exposure | Network topology | Internet-facing vs. internal |

Step 2: Calculate Priority

Priority Score = (CVSS × 0.3) + (EPSS × 100 × 0.3) + (KEV × 50) + (Asset × 0.2) + (Exposure × 0.2)

KEV: 1 if in KEV catalog, 0 otherwise
Asset: 1 (Critical), 0.7 (High), 0.4 (Medium), 0.1 (Low)
Exposure: 1 (Internet-facing), 0.5 (Internal), 0.1 (Isolated)

Step 3: Apply SLA Tiers

| Priority | Criteria | SLA | Action | |----------|----------|-----|--------| | P0 - Critical | KEV + Internet-facing + Critical asset | 24 hours | Emergency patch immediately | | P1 - High | CVSS ≥ 9.0 OR (CVSS ≥ 7.0 AND EPSS ≥ 0.1) | 7 days | Prioritize in sprint, patch ASAP | | P2 - Medium | CVSS 7.0-8.9 OR EPSS ≥ 0.05 | 30 days | Normal sprint planning | | P3 - Low | CVSS 4.0-6.9, EPSS < 0.05 | 90 days | Backlog, maintenance windows | | P4 - Info | CVSS < 4.0 | No SLA | Track, address opportunistically |

Example: Log4Shell (CVE-2021-44228)

CVSS: 10.0
EPSS: 0.975 (97.5% exploitation probability)
KEV: Yes (CISA catalog)
Asset: Critical (payment API)
Exposure: Internet-facing

Priority Score = (10 × 0.3) + (97.5 × 0.3) + 50 + (1 × 0.2) + (1 × 0.2) = 82.65
Result: P0 - Critical (24-hour SLA)

For complete prioritization framework and automation scripts, see references/prioritization-framework.md.

CI/CD Integration Patterns
Multi-Stage Security Pipeline

Implement progressive security gates across pipeline stages:

Stage 1: Pre-Commit (Developer Workstation)

Tools: Secret scanning (Gitleaks), SAST (Semgrep)
Threshold: Block high-confidence secrets, critical SAST findings
Speed: < 10 seconds

Stage 2: Pull Request (CI Pipeline)

Tools: SAST, SCA, Secret scanning
Threshold: No Critical/High vulnerabilities, no secrets
Speed: < 5 minutes
Action: Block PR merge until fixed

Stage 3: Build (CI Pipeline)

Tools: Container scanning (Trivy), SBOM generation
Threshold: No Critical vulnerabilities in production dependencies
Artifacts: SBOM stored, scan results uploaded
Speed: < 2 minutes
Action: Fail build on Critical findings

Stage 4: Pre-Deployment (Staging)

Tools: DAST, Integration tests
Threshold: No Critical/High DAST findings
Speed: 10-30 minutes
Action: Gate deployment to production

Stage 5: Production (Runtime)

Tools: Continuous scanning, runtime monitoring
Threshold: Alert on new CVEs in deployed images
Action: Alert security team, plan patching
Example: GitHub Actions Multi-Stage Scan
name: Security Scan Pipeline

on: [push, pull_request]

jobs:
  secrets:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          extra_args: --only-verified

  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: semgrep/semgrep-action@v1
        with:
          config: p/security-audit

  container:
    runs-on: ubuntu-latest
    needs: [secrets, sast]
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t myapp:${{ github.sha }} .

      - uses: aquasecurity/trivy-action@master
        with:
          image-ref: myapp:${{ github.sha }}
          format: sarif
          output: trivy-results.sarif
          severity: HIGH,CRITICAL
          exit-code: 1

      - name: Generate SBOM
        run: |
          trivy image --format cyclonedx \
            --output sbom.json myapp:${{ github.sha }}

      - uses: actions/upload-artifact@v3
        with:
          name: sbom
          path: sbom.json

For complete CI/CD patterns (GitLab CI, Jenkins, Azure Pipelines), see references/ci-cd-patterns.md.

Container Scanning with Trivy

Trivy is the recommended default for container scanning: comprehensive, fast, and CI/CD native.

Basic Usage
# Scan container image
trivy image alpine:latest

# Scan with severity filter
trivy image --severity HIGH,CRITICAL alpine:latest

# Fail on findings (CI/CD)
trivy image --exit-code 1 --severity HIGH,CRITICAL myapp:latest

# Generate SBOM
trivy image --format cyclonedx --output sbom.json alpine:latest

# Scan filesystem
trivy fs /path/to/project

# Scan Kubernetes manifests
trivy config deployment.yaml
Configuration (.trivy.yaml)
severity: HIGH,CRITICAL
exit-code: 1
ignore-unfixed: true  # Only fail on fixable vulnerabilities
vuln-type: os,library
skip-dirs:
  - node_modules
  - vendor
ignorefile: .trivyignore
Ignoring False Positives (.trivyignore)
# False positive
CVE-2023-12345

# Accepted risk with justification
CVE-2023-67890  # Risk accepted: Not exploitable in our use case

# Development dependency (not in production)
CVE-2023-11111  # Dev dependency only
GitHub Actions Integration
- name: Trivy Scan
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: myapp:${{ github.sha }}
    format: sarif
    output: trivy-results.sarif
    severity: HIGH,CRITICAL
    exit-code: 1

- name: Upload to GitHub Security
  uses: github/codeql-action/upload-sarif@v2
  if: always()
  with:
    sarif_file: trivy-results.sarif
Alternative: Grype for Accuracy

Grype focuses on minimal false positives and works with Syft for SBOM generation.

Important: Use Grype v0.104.1 or later (credential disclosure CVE-2025-65965 patched in earlier versions).

Basic Usage
# Scan container image
grype alpine:latest

# Scan with severity threshold
grype alpine:latest --fail-on high

# Scan SBOM (faster)
grype sbom:./sbom.json

# Syft + Grype workflow
syft alpine:latest -o json | grype --fail-on critical
When to Use Grype
  • Projects sensitive to false positives
  • SBOM-first workflows (generate with Syft, scan with Grype)
  • Need second opinion validation
  • Anchore ecosystem users

For complete tool comparisons and selection criteria, see references/tool-selection.md.

Security Gates and Thresholds
Progressive Threshold Strategy

Balance security and development velocity with progressive gates. Configure different thresholds for PR checks (fast, HIGH+CRITICAL), builds (comprehensive), and deployments (strict, CRITICAL only).

Policy-as-Code

Use OPA (Open Policy Agent) for automated policy enforcement. Create policies to deny Critical vulnerabilities, enforce KEV catalog checks, and implement environment-specific rules.

For complete policy patterns, baseline detection, and OPA examples, see references/policy-as-code.md.

Remediation Workflows
Automated Remediation

Set up automated workflows to scan daily, extract fixable vulnerabilities, update dependencies, and create remediation pull requests automatically.

SLA Tracking

Track vulnerability remediation against SLA targets (P0: 24 hours, P1: 7 days, P2: 30 days, P3: 90 days). Monitor overdue vulnerabilities and escalate as needed.

False Positive Management

Maintain suppression files (.trivyignore) with documented justifications, review dates, and approval tracking. Implement workflows for false positive triage and approval.

For complete remediation workflows, SLA trackers, and automation scripts, see references/remediation-workflows.md.

Integration with Related Skills

building-ci-pipelines

  • Add security stages to pipeline definitions
  • Configure artifacts for SBOM storage
  • Implement quality gates with vulnerability thresholds

secret-management

  • Integrate secret scanning (Gitleaks, TruffleHog)
  • Automate secret rotation on detection
  • Use pre-commit hooks for prevention

infrastructure-as-code

  • Scan Terraform and Kubernetes manifests with Trivy config
  • Detect misconfigurations before deployment
  • Enforce policy-as-code with OPA

security-hardening

  • Apply remediation guidance from scan results
  • Select secure base images
  • Implement security best practices

compliance-frameworks

  • Generate SBOMs for SOC2, ISO 27001 audits
  • Track vulnerability metrics for compliance reporting
  • Provide evidence for security controls
Quick Reference
Essential Commands
# Trivy: Scan image with severity filter
trivy image --severity HIGH,CRITICAL myapp:latest

# Trivy: Generate SBOM
trivy image --format cyclonedx --output sbom.json myapp:latest

# Trivy: Scan SBOM
trivy sbom sbom.json

# Grype: Scan image
grype myapp:latest --fail-on high

# Syft + Grype: SBOM workflow
syft myapp:latest -o json | grype

# Gitleaks: Scan for secrets
gitleaks detect --source . --verbose
Common Patterns
# CI/CD: Fail build on Critical
trivy image --exit-code 1 --severity CRITICAL myapp:latest

# Ignore unfixed vulnerabilities
trivy image --ignore-unfixed --severity HIGH,CRITICAL myapp:latest

# Scan only OS packages
trivy image --vuln-type os myapp:latest

# Skip specific directories
trivy fs --skip-dirs node_modules,vendor .
Progressive Disclosure

This skill provides foundational vulnerability management patterns. For deeper topics:

  • Tool Selection: references/tool-selection.md - Complete decision frameworks
  • SBOM Patterns: references/sbom-guide.md - Generation, storage, consumption
  • Prioritization: references/prioritization-framework.md - CVSS/EPSS/KEV automation
  • CI/CD Integration: references/ci-cd-patterns.md - GitLab CI, Jenkins, Azure Pipelines
  • Remediation: references/remediation-workflows.md - SLA tracking, false positives
  • Policy-as-Code: references/policy-as-code.md - OPA examples, security gates

Working Examples:

  • examples/trivy/ - Trivy scanning patterns
  • examples/grype/ - Grype + Syft workflows
  • examples/ci-cd/ - Complete pipeline configurations
  • examples/sbom/ - SBOM generation and management
  • examples/prioritization/ - EPSS and KEV integration scripts

Automation Scripts:

  • scripts/vulnerability-report.sh - Generate executive reports
  • scripts/sla-tracker.sh - Track remediation SLAs
  • scripts/false-positive-manager.sh - Manage suppression rules
按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。