Trivy Cve Scan

Adapt the template to match the project's actual build output and start command.

Step 2 — Derive image name

Generate a lowercase image name from the project directory name or package.json name field:

• Strip special characters, replace / with -
• Example: cop-wfcap-web → image tag cop-wfcap-web:scan

Step 3 — Build Docker image

Run the build with the Bash tool:

docker build -t <image-name>:scan .

• If the build fails, read the error, diagnose the root cause, fix the Dockerfile or report the issue to the user. Do NOT retry blindly.

Step 4 — Check Trivy is installed

which trivy || brew install trivy

If brew is unavailable on Linux:

curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin

Step 5 — Run Trivy scan

trivy image --severity HIGH,CRITICAL <image-name>:scan

Capture the full output. Also run with --format json and save to a temp file for structured analysis:

trivy image --severity HIGH,CRITICAL --format json -o /tmp/trivy-report.json <image-name>:scan

Step 6 — Report findings

Parse and present a clear summary table:

Then provide:

1. Total counts — CRITICAL: N, HIGH: N
2. Top actionable fixes — packages with available fixes, prioritized by severity
3. Upgrade suggestions — if base image has vulnerabilities, suggest a newer or slimmer alternative (e.g., node:20-alpine → node:22-alpine)
4. Next steps — concrete commands or Dockerfile changes to remediate

Step 7 — Optional cleanup

Ask the user if they want to remove the scan image:

docker rmi <image-name>:scan

Rules

• Never skip Step 1 — always verify Dockerfile existence before building.
• Never silently ignore build failures — diagnose and report them.
• Always scan with at least HIGH,CRITICAL severity. Offer --severity LOW,MEDIUM,HIGH,CRITICAL if the user wants a full report.
• Do not push images to any registry — this is a local-only scan.
• If Trivy is not installable, suggest the user run trivy image manually and paste the output back.