security-vulnerability-audit
npx machina-cli add skill yu-iskw/coding-agent-fabric/security-vulnerability-audit --openclaw
Security Vulnerability Audit
This skill provides a structured process for identifying and reporting security vulnerabilities in the codebase using Trunk's integrated security tools.
Audit Workflow
- Run Security Scan: Execute the project's security linting script.
  pnpm run lint:security
  Note: This command runs trunk check --all --scope security, which triggers both Trivy and OSV-scanner.
- Analyze Findings: Review the output from Trunk. Pay close attention to:
  - Critical/High vulnerabilities in dependencies (reported by osv-scanner).
  - Hard-coded secrets or configuration issues (reported by trivy).
- Compile Report: Use the findings to create a summary of the security posture.
Reporting Format
For each significant finding, provide:
- Severity: [Critical/High/Medium/Low]
- Tool: [Trivy/OSV-Scanner]
- Description: [Brief description of the vulnerability]
- Impact: [What happens if exploited?]
- Recommendation: [How to fix it, e.g., "Update package X to version Y"]
Resources
- Security Tools Reference: Detailed information on the tools and how to interpret their results.
- Trunk Documentation: Official documentation for the Trunk CLI.
Source
https://github.com/yu-iskw/coding-agent-fabric/blob/main/.claude/skills/security-vulnerability-audit/SKILL.md
Overview
This skill provides a structured workflow for identifying and reporting security vulnerabilities in the codebase using Trunk's integrated tools (Trivy and OSV-scanner). It helps detect critical/high issues in dependencies, hard-coded secrets, and misconfigurations, and guides turning findings into actionable reports.
How This Skill Works
Run a security lint via pnpm run lint:security, which triggers trunk check --all --scope security and runs Trivy and OSV-scanner. Analyze the output focusing on critical/high findings from osv-scanner and secrets/config issues from Trivy, then compile a report that documents severity, tool, description, impact, and recommendations.
When to Use It
- Pre-release security gate for a project before merging to main or releasing
- When adding or updating dependencies to catch known vulnerabilities
- Regular security posture reviews during development cycles
- Auditing code for hard-coded secrets or misconfigurations
- Verifying remediation and documenting fixes after applying security updates
Quick Start
- Step 1: Run pnpm run lint:security to trigger Trunk security checks (Trivy + OSV-Scanner)
- Step 2: Analyze the output for Critical/High findings and hard-coded secrets, then assess impact
- Step 3: Compile a structured report including Severity, Tool, Description, Impact, and Recommendation
Best Practices
- Run the lint:security step regularly as part of CI or pre-release checks
- Prioritize Critical and High findings from osv-scanner and secret flags from Trivy
- Cross-reference results between Trivy and osv-scanner to avoid false positives
- Document each finding with Severity, Tool, Description, Impact, and Recommendation
- Keep sensitive data out of code and rotate secrets if a secret is exposed
Example Use Cases
- Dependency X is flagged as vulnerable by osv-scanner; upgrade to version Y
- Trivy reports a hard-coded secret in config; rotate the secret and remove from code
- OSV-scanner highlights a high-severity issue in a transitive dependency; pin or replace the dependency
- Dev-dependency vulnerability discovered; implement a fix and verify in a follow-up scan
- Security report generated for release notes with actionable remediation steps