Scan a container image with Trivy or Grype and surface fixes ranked by exploitability and patch availability.
Scans a container image with Trivy (primary) and Grype (cross-check), de-duplicates findings, and ranks them by exploitability (CVSS, EPSS, presence of a working public exploit) and patch availability. Output is an actionable triage report.
image_ref: a registry reference like myorg/api:1.2.3 or a local image id.
severity_filter: minimum severity to report (default MEDIUM).
ignore_unfixed: boolean; default true.
docker pull <image_ref> (or crane pull if no docker daemon).
trivy image --format json --severity HIGH,CRITICAL,<filter> --ignore-unfixed=<bool> <image_ref> > trivy.json.
grype <image_ref> -o json > grype.json.
(package, version, CVE_ID).
curl https://api.first.org/data/v1/epss?cve=<id>. EPSS represents the probability of exploitation in the next 30 days.
score = 0.6 * (cvss/10) + 0.3 * epss + 0.1 * (1 if fix_available else 0).
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and join.
kev (in CISA KEV), actively-exploited (high EPSS), fixable-now (fix available), unfixable (no patch yet).
image-cve.md and image-cve.json. The markdown contains an executive summary, per-class tables, and a "Top 5 fix-now" list. Exit 1 if any KEV entry is present.
Cross-check the top 5 entries against the GitHub Advisory database manually. Confirm Trivy's reported fixed-version actually exists by querying the package registry (e.g., npm view, apk search). After bumping to fixed versions, rebuild the image and rerun the scan; the count of fixable findings must drop. If Trivy and Grype disagree on the same package version, surface the discrepancy in a "tool-conflict" appendix.
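The merge, ranking and classification steps above, together with the tool-conflict check, as an added worked example (not the skill's own code): it reads constructed Trivy and Grype JSON in the field layout those tools emit, de-duplicates on (package, version, CVE_ID), applies the score formula, and flags packages where the two scanners report different fixed versions. The EPSS values, the KEV set and the 0.5 "high EPSS" threshold are assumptions standing in for the live lookups.

```python
import json

# Constructed samples in the shape of `trivy image --format json` / `grype -o json`
# (only the fields read below; not real scan output). EPSS and KEV are constructed too.
_DUP = {"VulnerabilityID": "CVE-2023-0001", "PkgName": "openssl", "InstalledVersion": "3.1.0-r0",
        "FixedVersion": "3.1.1-r0", "CVSS": {"nvd": {"V3Score": 9.8}}}  # listed twice below
TRIVY_JSON = json.dumps({"Results": [{"Target": "myorg/api:1.2.3 (alpine)", "Vulnerabilities": [_DUP,
    {"VulnerabilityID": "CVE-2023-0002", "PkgName": "zlib", "InstalledVersion": "1.2.13-r0",
     "FixedVersion": "", "CVSS": {"nvd": {"V3Score": 7.5}}}, _DUP]}]})
GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2023-0001", "fix": {"versions": ["3.1.2-r0"], "state": "fixed"}},
     "artifact": {"name": "openssl", "version": "3.1.0-r0"}},
    {"vulnerability": {"id": "CVE-2023-0003", "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "busybox", "version": "1.36.0-r0"}}]})
EPSS = {"CVE-2023-0001": 0.92, "CVE-2023-0002": 0.03, "CVE-2023-0003": 0.40}  # stands in for api.first.org
KEV = {"CVE-2023-0002"}  # stands in for the CISA KEV feed

def score(cvss, epss, fix_available):
    return 0.6 * (cvss / 10) + 0.3 * epss + 0.1 * (1 if fix_available else 0)  # skill's formula

def classify(cve, epss, fix_available, epss_threshold=0.5):  # threshold is an assumption
    if cve in KEV: return "kev"
    if epss >= epss_threshold: return "actively-exploited"
    return "fixable-now" if fix_available else "unfixable"

def triage(trivy_json, grype_json):
    # Merge both tools, de-duplicated on (package, version, CVE_ID); remember each tool's fix version.
    found = {}
    for r in json.loads(trivy_json)["Results"]:
        for v in r.get("Vulnerabilities") or []:
            f = found.setdefault((v["PkgName"], v["InstalledVersion"], v["VulnerabilityID"]), {"cvss": 0.0, "fix": {}})
            f["cvss"] = max(f["cvss"], v.get("CVSS", {}).get("nvd", {}).get("V3Score", 0.0))
            f["fix"]["trivy"] = v.get("FixedVersion") or None
    for m in json.loads(grype_json)["matches"]:
        a, vu = m["artifact"], m["vulnerability"]
        f = found.setdefault((a["name"], a["version"], vu["id"]), {"cvss": 0.0, "fix": {}})
        f["fix"]["grype"] = (vu["fix"].get("versions") or [None])[0]
    rows = []
    for (pkg, ver, cve), f in found.items():
        fixes = {t: x for t, x in f["fix"].items() if x}
        e = EPSS.get(cve, 0.0)
        rows.append({"cve": cve, "package": pkg, "version": ver, "cvss": f["cvss"],
                     "score": round(score(f["cvss"], e, bool(fixes)), 3),
                     "class": classify(cve, e, bool(fixes)),
                     "tool_conflict": len(set(fixes.values())) > 1})  # Trivy and Grype disagree
    rows.sort(key=lambda r: r["score"], reverse=True)
    return {"top5": rows[:5], "conflicts": [r for r in rows if r["tool_conflict"]],
            "exit_code": 1 if any(r["class"] == "kev" for r in rows) else 0}
```

A finding seen only by Grype carries no NVD score here, so it ranks on EPSS and fix availability alone; in a real run you would fill the CVSS from Grype's own `cvss` array before scoring.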
trivy --vuln-type library).
--platform linux/amd64); findings may differ by arch.
docker login was run; otherwise scan fails on auth.
unfixable; recommend a base-image swap as the action.
Same domains or capabilities as amitte/container-image-cve-scanner.