ReddRadar
Agent skill
container-security-scanner
Container image and Kubernetes security scanning for CVEs, misconfigurations, and compliance
Install this agent skill to your Project
npx add-skill https://github.com/a5c-ai/babysitter/tree/main/library/specializations/security-compliance/skills/container-security-scanner
SKILL.md
Container Security Scanner Skill
Purpose
Automated container image and Kubernetes security scanning to identify vulnerabilities, misconfigurations, secrets, and compliance issues in containerized environments.
Capabilities
Image Vulnerability Scanning
- Scan container images for known CVEs using Trivy, Grype, or Anchore
- Detect vulnerabilities in OS packages and application dependencies
- Generate SBOM (Software Bill of Materials) in CycloneDX or SPDX format
- Track vulnerability severity (Critical, High, Medium, Low)
Dockerfile Security Analysis
- Check Dockerfile best practices and security issues
- Identify privileged container configurations
- Detect hardcoded secrets in Dockerfiles
- Verify base image security and freshness
Kubernetes Security Scanning
- Run Kubernetes CIS benchmark checks using kube-bench
- Analyze pod security policies and standards
- Check RBAC configurations for over-permissive access
- Detect insecure network policies
Secrets Detection
- Scan images for embedded secrets and credentials
- Identify API keys, tokens, and passwords in layers
- Check environment variable configurations
Image Signature Verification
- Verify container image signatures using cosign
- Validate image provenance and attestations
- Check image registry security configurations
Compliance Reporting
- Generate compliance reports (CIS, NIST, PCI-DSS)
- Map findings to compliance controls
- Track remediation status and timelines
Integrations
- Trivy: Comprehensive vulnerability scanner for containers
- Grype: Container image vulnerability scanner
- Syft: SBOM generation tool
- kube-bench: Kubernetes CIS benchmark checker
- Falco: Runtime security monitoring
- Anchore: Enterprise container security platform
- cosign: Container image signing and verification
Target Processes
- Container Security Scanning Process
- DevSecOps Pipeline Integration
- IaC Security Scanning
- Kubernetes Security Hardening
- Container Image Build Pipeline
Input Schema
{
"type": "object",
"properties": {
"imageName": {
"type": "string",
"description": "Container image name with tag"
},
"registry": {
"type": "string",
"description": "Container registry URL"
},
"dockerfilePath": {
"type": "string",
"description": "Path to Dockerfile for static analysis"
},
"kubeManifestPath": {
"type": "string",
"description": "Path to Kubernetes manifests"
},
"scanType": {
"type": "array",
"items": {
"type": "string",
"enum": ["vulnerability", "config", "secrets", "compliance", "sbom"]
}
},
"severityThreshold": {
"type": "string",
"enum": ["CRITICAL", "HIGH", "MEDIUM", "LOW"]
}
},
"required": ["imageName"]
}
Output Schema
{
"type": "object",
"properties": {
"scanId": {
"type": "string"
},
"imageName": {
"type": "string"
},
"scanTimestamp": {
"type": "string",
"format": "date-time"
},
"vulnerabilities": {
"type": "object",
"properties": {
"critical": { "type": "integer" },
"high": { "type": "integer" },
"medium": { "type": "integer" },
"low": { "type": "integer" },
"findings": {
"type": "array",
"items": {
"type": "object",
"properties": {
"cveId": { "type": "string" },
"severity": { "type": "string" },
"package": { "type": "string" },
"fixedVersion": { "type": "string" },
"description": { "type": "string" }
}
}
}
}
},
"misconfigurations": {
"type": "array"
},
"secrets": {
"type": "array"
},
"complianceStatus": {
"type": "object"
},
"recommendations": {
"type": "array",
"items": { "type": "string" }
}
}
}
Usage Example
skill: {
name: 'container-security-scanner',
context: {
imageName: 'myapp:v1.2.3',
registry: 'registry.example.com',
scanType: ['vulnerability', 'config', 'secrets'],
severityThreshold: 'HIGH'
}
}
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
a5c-ai/babysitter
gsd-tools
Central utility skill for GSD operations. Provides config parsing, slug generation, timestamps, path operations, and orchestrates calls to other specialized skills. Acts as the unified entry point that the original gsd-tools.cjs provided via its lib/ modules (commands, config, core, init).
a5c-ai/babysitter
model-profile-resolution
Resolve model profile (quality/balanced/budget) at orchestration start and map agents to specific models. Enables cost/quality tradeoffs by selecting appropriate AI models for each agent role.
a5c-ai/babysitter
verification-suite
Plan structure validation, phase completeness checks, reference integrity verification, and artifact existence confirmation. Provides the structured verification layer ensuring GSD artifacts are well-formed and complete.
a5c-ai/babysitter
state-management
STATE.md reading, writing, and field-level updates. Provides cross-session state persistence via .planning/STATE.md with structured fields for current task, completed phases, blockers, decisions, and quick tasks.
a5c-ai/babysitter
git-integration
Git commit patterns, formats, and conventions for GSD methodology. Provides atomic commits per task, structured commit messages, planning file commits, branch management, and milestone tag operations.
a5c-ai/babysitter
frontmatter-parsing
YAML frontmatter parsing and manipulation for .planning/ documents. Provides read, write, update, query, and validation operations on frontmatter blocks in GSD markdown artifacts.
Didn't find tool you were looking for?