Workflow for auditing security vulnerabilities using trivy, osv-scanner, and trunk.
This skill provides a comprehensive workflow for identifying security vulnerabilities in the codebase using industry-standard tools.
Before starting the audit, ensure the following tools are installed:

- trivy (container and filesystem vulnerability scanner)
- osv-scanner (Google's vulnerability scanner for open-source dependencies)
- trunk (integrated security and linting platform)

If any tool is missing, install it using the commands below. If Homebrew (brew) is available, it is the recommended method.
Using Homebrew (macOS/Linux):
```sh
brew install trivy osv-scanner trunk
```
Manual Installation:
Filesystem scan (trivy):
Run a filesystem scan to catch known vulnerabilities in dependency manifests and lock files, plus hard-coded secrets in source and configuration files. By default, `trivy fs` enables the vulnerability and secret scanners only; misconfiguration checks for IaC and config files are a separate command.

```sh
# Scan for vulnerabilities and secrets
trivy fs .
# (Optional) Scan for misconfigurations in IaC and config files
trivy config .
```
Dependency scan (osv-scanner):
Scan the project's dependency manifests and lock files against the OSV database with the `scan source` subcommand (osv-scanner v2 CLI); `-r` recurses into subdirectories so nested services and their lock files are covered. The scan queries the OSV API, so it needs network access, and it reports only on lock files, manifests and SBOMs it recognises; vendored or unpinned code it cannot identify will not appear.

```sh
osv-scanner scan source -r .
```
Integrated checks (trunk):
Run trunk's integrated checks. `trunk check` executes every linter enabled in `.trunk/trunk.yaml`, and by default only on files changed relative to the upstream branch, so an audit needs `--all`. Security scanners such as trivy are not enabled by default; enable them first.

```sh
# Enable trivy if not already enabled
trunk check enable trivy
# Run checks on modified files only
trunk check
# Run on all files
trunk check --all --scope security
```
After running the tools, compile a report in the following structure. The same dependency CVE is often reported by both trivy and osv-scanner (and again by trunk when trivy is enabled there), since they draw on overlapping advisory data; list it once, name every tool that flagged it, and record the highest severity reported.

[Brief overview of the security posture]

| Tool | Severity | Component | Description | Recommendation |
|---|---|---|---|---|
| [Tool name] | [Critical/High/Medium/Low] | [File or dependency@version] | [Issue description, with the advisory ID] | [Fix or mitigation] |
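The whole procedure, from the tool check through the three scans to the report rows, as one script. This is an added example, not part of the original skill or of any of the three tools' own documentation. It refuses to run when a scanner is missing rather than silently skipping it, keeps each tool's raw JSON under an output directory, and flattens trivy's JSON (`Results[].Vulnerabilities[]` and `Results[].Secrets[]`) into rows of the report table above. Assumptions: trivy, osv-scanner and trunk are on PATH; the target has already been `trunk init`-ed; jq is available for the report step; and the exit-code mapping (0 clean, 1 findings, anything else a tool failure) holds for the installed versions. `SAMPLE_TRIVY_JSON` is constructed input with placeholder IDs, not a real scan result.

```sh
#!/bin/sh
# audit.sh: run trivy, osv-scanner and trunk against a project, keep their raw
# output, and turn trivy's JSON into report-table rows.
# Added example, not the original skill's code. Assumes the three tools are on
# PATH, the target is already `trunk init`-ed, and jq exists for the report step.
set -eu

TOOLS="trivy osv-scanner trunk"

# Print the names of the given tools that are not on PATH, one per line.
missing_tools() {
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || printf '%s\n' "$t"
    done
}

# Map a scanner exit code to a status word. Assumption: with --exit-code 1,
# trivy returns 1 when it finds something, as osv-scanner does by default;
# any other non-zero code is a tool failure and must not be read as "clean".
scan_status() {
    case "$1" in
        0) printf 'clean' ;;
        1) printf 'findings' ;;
        *) printf 'error' ;;
    esac
}

# Run one scanner ($2..) under a label ($1), never aborting on findings,
# and print a one-line summary with the raw exit code.
run_step() {
    name="$1"; shift
    rc=0; "$@" || rc=$?
    printf '%-13s %s (exit %d)\n' "$name" "$(scan_status "$rc")" "$rc"
}

# Run all scanners against project dir $1, writing raw output under dir $2.
# Returns 2 without scanning anything if a tool is missing.
run_audit() {
    missing=$(missing_tools $TOOLS)
    if [ -n "$missing" ]; then
        printf 'missing tools: %s\n' "$(printf '%s' "$missing" | tr '\n' ' ')" >&2
        return 2
    fi
    target=$(cd "$1" && pwd)
    mkdir -p "$2"; out=$(cd "$2" && pwd)
    run_step "trivy fs"     trivy fs --format json --output "$out/trivy-fs.json" --exit-code 1 "$target"
    run_step "trivy config" trivy config --format json --output "$out/trivy-config.json" --exit-code 1 "$target"
    run_step "osv-scanner"  osv-scanner scan source -r --format json --output "$out/osv.json" "$target"
    # trunk runs only linters enabled in .trunk/trunk.yaml, so enable trivy first.
    run_step "trunk"        sh -c 'cd "$1" && trunk check enable trivy && trunk check --all --no-progress >"$2" 2>&1' sh "$target" "$out/trunk.txt"
}

# Flatten trivy JSON (a file argument, or stdin when none) into markdown rows
# matching the report table: vulnerabilities from lock files, then secrets.
trivy_rows() {
    jq -r '
      .Results[]? | .Target as $t
      | (.Vulnerabilities[]? | "| trivy | \(.Severity) | \(.PkgName)@\(.InstalledVersion) (\($t)) | \(.VulnerabilityID): \(.Title // "") | upgrade to \(.FixedVersion // "no fix available") |"),
        (.Secrets[]? | "| trivy | \(.Severity) | \($t):\(.StartLine) | \(.Title) | rotate the credential and remove it from the file |")
    ' "$@"
}

# Constructed sample in trivy's JSON layout so the report step can be tried
# without a real scan. EXAMPLE-0001 is a placeholder, not a real advisory ID.
SAMPLE_TRIVY_JSON='{"SchemaVersion":2,"Results":[
 {"Target":"package-lock.json","Class":"lang-pkgs","Type":"npm","Vulnerabilities":[
  {"VulnerabilityID":"EXAMPLE-0001","PkgName":"example-pkg","InstalledVersion":"1.0.0",
   "FixedVersion":"1.0.1","Severity":"HIGH","Title":"constructed sample finding"}]},
 {"Target":".env","Class":"secret","Secrets":[
  {"RuleID":"generic-api-key","Severity":"MEDIUM","Title":"Generic API Key","StartLine":3}]}]}'

case "${1:-}" in
    "")     printf 'usage: audit.sh <project-dir> [output-dir] | audit.sh --demo\n' >&2 ;;
    --demo) printf '%s' "$SAMPLE_TRIVY_JSON" | trivy_rows ;;
    *)      run_audit "$1" "${2:-audit-out}" ;;
esac
```

`sh audit.sh . audit-out` runs the four scans and leaves `trivy-fs.json`, `trivy-config.json`, `osv.json` and `trunk.txt` in `audit-out/`; `sh audit.sh --demo` prints the two rows derived from the constructed sample. `trivy_rows audit-out/trivy-fs.json` then produces the trivy part of the report table; the osv-scanner and trunk rows still have to be written from their own output, and duplicates across tools merged as described above.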