managing-vulnerabilities

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Vulnerability Management

漏洞管理

Implement comprehensive vulnerability detection and remediation workflows across containers, source code, dependencies, and running applications. This skill covers multi-layer scanning strategies, SBOM generation (CycloneDX and SPDX), risk-based prioritization using CVSS/EPSS/KEV, and CI/CD security gate patterns.

在容器、源代码、依赖项和运行中应用程序范围内，实现全面的漏洞检测与修复工作流。该技能涵盖多层扫描策略、SBOM生成（CycloneDX和SPDX格式）、基于CVSS/EPSS/KEV的风险优先级排序，以及CI/CD安全门禁模式。

When to Use This Skill

何时使用该技能

Invoke this skill when:

Building security scanning into CI/CD pipelines
Generating Software Bills of Materials (SBOMs) for compliance
Prioritizing vulnerability remediation using risk-based approaches
Implementing security gates (fail builds on critical vulnerabilities)
Scanning container images before deployment
Detecting secrets, misconfigurations, or code vulnerabilities
Establishing DevSecOps practices and automation
Meeting regulatory requirements (SBOM mandates, Executive Order 14028)

在以下场景中调用此技能：

在CI/CD流水线中集成安全扫描
生成软件物料清单（SBOM）以满足合规要求
采用基于风险的方法优先处理漏洞修复
实现安全门禁（发现严重漏洞时终止构建）
部署前扫描容器镜像
检测密钥、配置错误或代码漏洞
建立DevSecOps实践与自动化流程
满足监管要求（SBOM强制要求、第14028号行政命令）

Multi-Layer Scanning Strategy

多层扫描策略

Vulnerability management requires scanning at multiple layers. Each layer detects different types of security issues.

漏洞管理需要在多个层面进行扫描，每个层面检测不同类型的安全问题。

Layer Overview

扫描层概述

Container Image Scanning

Detects vulnerabilities in OS packages, language dependencies, and binaries
Tools: Trivy (comprehensive), Grype (accuracy-focused), Snyk Container (commercial)
When: Every container build, base image selection, registry admission control

SAST (Static Application Security Testing)

Analyzes source code for security flaws before runtime
Tools: Semgrep (fast, semantic), Snyk Code (developer-first), SonarQube (enterprise)
When: Every commit, PR checks, main branch protection

DAST (Dynamic Application Security Testing)

Tests running applications for vulnerabilities (black-box testing)
Tools: OWASP ZAP (open-source), StackHawk (CI/CD native), Burp Suite (manual + automated)
When: Staging environment testing, API validation, authentication testing

SCA (Software Composition Analysis)

Analyzes third-party dependencies for known vulnerabilities
Tools: Dependabot (GitHub native), Renovate (advanced), Snyk Open Source (commercial)
When: Every build, dependency updates, license audits

Secret Scanning

Prevents secrets from being committed to source code
Tools: Gitleaks (fast, configurable), TruffleHog (entropy detection), GitGuardian (commercial)
When: Pre-commit hooks, repository scanning, CI/CD artifact checks

容器镜像扫描

检测操作系统包、语言依赖项和二进制文件中的漏洞
工具：Trivy（功能全面）、Grype（侧重准确性）、Snyk Container（商用）
适用时机：每次容器构建、基础镜像选择、镜像仓库准入控制

SAST（静态应用安全测试）

在运行前分析源代码中的安全缺陷
工具：Semgrep（快速、语义化）、Snyk Code（面向开发者）、SonarQube（企业级）
适用时机：每次提交、PR检查、主分支保护

DAST（动态应用安全测试）

测试运行中应用程序的漏洞（黑盒测试）
工具：OWASP ZAP（开源）、StackHawk（原生支持CI/CD）、Burp Suite（手动+自动化）
适用时机： staging环境测试、API验证、身份认证测试

SCA（软件成分分析）

分析第三方依赖项中的已知漏洞
工具：Dependabot（GitHub原生）、Renovate（高级自动化）、Snyk Open Source（商用）
适用时机：每次构建、依赖项更新、许可证审计

密钥扫描

防止密钥被提交到源代码仓库
工具：Gitleaks（快速、可配置）、TruffleHog（基于熵检测）、GitGuardian（商用）
适用时机：提交前钩子、仓库扫描、CI/CD制品检查

Quick Tool Selection

工具快速选择

Container Image → Trivy (default choice) OR Grype (accuracy focus)
Source Code → Semgrep (open-source) OR Snyk Code (commercial)
Running Application → OWASP ZAP (open-source) OR StackHawk (CI/CD native)
Dependencies → Dependabot (GitHub) OR Renovate (advanced automation)
Secrets → Gitleaks (open-source) OR GitGuardian (commercial)

For detailed tool selection guidance, see

references/tool-selection.md

容器镜像 → Trivy（默认选择）或 Grype（侧重准确性）
源代码 → Semgrep（开源）或 Snyk Code（商用）
运行中应用 → OWASP ZAP（开源）或 StackHawk（CI/CD原生）
依赖项 → Dependabot（GitHub）或 Renovate（高级自动化）
密钥 → Gitleaks（开源）或 GitGuardian（商用）

详细的工具选择指南，请参阅

references/tool-selection.md

。

SBOM Generation

SBOM生成

Software Bills of Materials (SBOMs) provide a complete inventory of software components and dependencies. Required for compliance and security transparency.

软件物料清单（SBOM）提供软件组件和依赖项的完整清单，是合规性与安全透明度的必备要求。

CycloneDX vs. SPDX

CycloneDX (Recommended for DevSecOps)

Security-focused, OWASP-maintained
Native vulnerability references
Fast, lightweight (JSON/XML/ProtoBuf)
Best for: DevSecOps pipelines, vulnerability tracking

SPDX (Recommended for Legal/Compliance)

License compliance focus, ISO standard (ISO/IEC 5962:2021)
Comprehensive legal metadata
Government/defense preferred format
Best for: Legal teams, compliance audits, federal requirements

CycloneDX（DevSecOps推荐）

以安全为核心，由OWASP维护
原生支持漏洞引用
快速、轻量（JSON/XML/ProtoBuf格式）
最佳适用场景：DevSecOps流水线、漏洞跟踪

SPDX（法律/合规推荐）

侧重许可证合规，为ISO标准（ISO/IEC 5962:2021）
包含全面的法律元数据
政府/国防领域首选格式
最佳适用场景：法律团队、合规审计、联邦要求

Generating SBOMs

生成SBOM

With Trivy (CycloneDX or SPDX):

bash

undefined

使用Trivy生成（CycloneDX或SPDX格式）：

bash

undefined

CycloneDX format (recommended for security)

CycloneDX格式（安全场景推荐）

trivy image --format cyclonedx --output sbom.json myapp:latest

SPDX format (for compliance)

SPDX格式（合规场景推荐）

trivy image --format spdx-json --output sbom-spdx.json myapp:latest

Scan SBOM (faster than re-scanning image)

扫描SBOM（比重新扫描镜像更快）

trivy sbom sbom.json --severity HIGH,CRITICAL


**With Syft (high accuracy):**
```bash

trivy sbom sbom.json --severity HIGH,CRITICAL


**使用Syft生成（高准确性）：**
```bash

Generate CycloneDX

生成CycloneDX格式

syft myapp:latest -o cyclonedx-json=sbom.json

Generate SPDX

生成SPDX格式

syft myapp:latest -o spdx-json=sbom-spdx.json

Pipe to Grype for scanning

管道输出到Grype进行扫描

syft myapp:latest -o json | grype


For comprehensive SBOM patterns and storage strategies, see `references/sbom-guide.md`.

syft myapp:latest -o json | grype


完整的SBOM模式与存储策略，请参阅 `references/sbom-guide.md`。

Vulnerability Prioritization

漏洞优先级排序

Not all vulnerabilities require immediate action. Prioritize based on actual risk using CVSS, EPSS, and KEV.

并非所有漏洞都需要立即处理，需基于CVSS、EPSS和KEV的实际风险进行优先级排序。

Modern Risk-Based Prioritization

现代基于风险的优先级排序

Step 1: Gather Metrics

Metric	Source	Purpose
CVSS Base Score	NVD, vendor advisories	Vulnerability severity (0-10)
EPSS Score	FIRST.org API	Exploitation probability (0-1)
KEV Status	CISA KEV Catalog	Actively exploited CVEs
Asset Criticality	Internal CMDB	Business impact if compromised
Exposure	Network topology	Internet-facing vs. internal

Step 2: Calculate Priority

Priority Score = (CVSS × 0.3) + (EPSS × 100 × 0.3) + (KEV × 50) + (Asset × 0.2) + (Exposure × 0.2)

KEV: 1 if in KEV catalog, 0 otherwise
Asset: 1 (Critical), 0.7 (High), 0.4 (Medium), 0.1 (Low)
Exposure: 1 (Internet-facing), 0.5 (Internal), 0.1 (Isolated)

Step 3: Apply SLA Tiers

Priority	Criteria	SLA	Action
P0 - Critical	KEV + Internet-facing + Critical asset	24 hours	Emergency patch immediately
P1 - High	CVSS ≥ 9.0 OR (CVSS ≥ 7.0 AND EPSS ≥ 0.1)	7 days	Prioritize in sprint, patch ASAP
P2 - Medium	CVSS 7.0-8.9 OR EPSS ≥ 0.05	30 days	Normal sprint planning
P3 - Low	CVSS 4.0-6.9, EPSS < 0.05	90 days	Backlog, maintenance windows
P4 - Info	CVSS < 4.0	No SLA	Track, address opportunistically

Example: Log4Shell (CVE-2021-44228)

CVSS: 10.0
EPSS: 0.975 (97.5% exploitation probability)
KEV: Yes (CISA catalog)
Asset: Critical (payment API)
Exposure: Internet-facing

Priority Score = (10 × 0.3) + (97.5 × 0.3) + 50 + (1 × 0.2) + (1 × 0.2) = 82.65
Result: P0 - Critical (24-hour SLA)

For complete prioritization framework and automation scripts, see

references/prioritization-framework.md

步骤1：收集指标

指标	来源	用途
CVSS基础评分	NVD、厂商公告	漏洞严重程度（0-10）
EPSS评分	FIRST.org API	被利用概率（0-1）
KEV状态	CISA KEV目录	是否为被主动利用的CVE
资产关键性	内部CMDB	被攻陷后的业务影响
暴露程度	网络拓扑	面向互联网 vs 内部部署

步骤2：计算优先级得分

优先级得分 = (CVSS × 0.3) + (EPSS × 100 × 0.3) + (KEV × 50) + (资产关键性 × 0.2) + (暴露程度 × 0.2)

KEV：若在KEV目录中则为1，否则为0
资产关键性：1（关键）、0.7（高）、0.4（中）、0.1（低）
暴露程度：1（面向互联网）、0.5（内部）、0.1（隔离环境）

步骤3：应用SLA层级

优先级	判定标准	SLA	行动
P0 - 紧急	属于KEV + 面向互联网 + 关键资产	24小时内	立即紧急补丁
P1 - 高	CVSS ≥9.0 或（CVSS ≥7.0 且 EPSS ≥0.1）	7天内	迭代中优先处理，尽快补丁
P2 - 中	CVSS 7.0-8.9 或 EPSS ≥0.05	30天内	常规迭代规划
P3 - 低	CVSS 4.0-6.9，EPSS <0.05	90天内	放入待办，维护窗口处理
P4 - 信息级	CVSS <4.0	无SLA	跟踪记录，伺机处理

示例：Log4Shell（CVE-2021-44228）

CVSS: 10.0
EPSS: 0.975（97.5%的被利用概率）
KEV: 是（在CISA目录中）
资产关键性：关键（支付API）
暴露程度：面向互联网

优先级得分 = (10 ×0.3) + (97.5 ×0.3) +50 + (1 ×0.2) + (1 ×0.2) = 82.65
结果：P0 - 紧急（24小时SLA）

完整的优先级框架与自动化脚本，请参阅

references/prioritization-framework.md

。

CI/CD Integration Patterns

CI/CD集成模式

Multi-Stage Security Pipeline

多阶段安全流水线

Implement progressive security gates across pipeline stages:

Stage 1: Pre-Commit (Developer Workstation)

yaml

Tools: Secret scanning (Gitleaks), SAST (Semgrep)
Threshold: Block high-confidence secrets, critical SAST findings
Speed: < 10 seconds

Stage 2: Pull Request (CI Pipeline)

yaml

Tools: SAST, SCA, Secret scanning
Threshold: No Critical/High vulnerabilities, no secrets
Speed: < 5 minutes
Action: Block PR merge until fixed

Stage 3: Build (CI Pipeline)

yaml

Tools: Container scanning (Trivy), SBOM generation
Threshold: No Critical vulnerabilities in production dependencies
Artifacts: SBOM stored, scan results uploaded
Speed: < 2 minutes
Action: Fail build on Critical findings

Stage 4: Pre-Deployment (Staging)

yaml

Tools: DAST, Integration tests
Threshold: No Critical/High DAST findings
Speed: 10-30 minutes
Action: Gate deployment to production

Stage 5: Production (Runtime)

yaml

Tools: Continuous scanning, runtime monitoring
Threshold: Alert on new CVEs in deployed images
Action: Alert security team, plan patching

在流水线各阶段逐步实现安全门禁：

阶段1：提交前（开发者工作站）

yaml

工具：密钥扫描（Gitleaks）、SAST（Semgrep）
阈值：阻止高可信度密钥、严重SAST发现
速度：<10秒

阶段2：拉取请求（CI流水线）

yaml

工具：SAST、SCA、密钥扫描
阈值：无严重/高危漏洞，无密钥
速度：<5分钟
行动：修复前阻止PR合并

阶段3：构建（CI流水线）

yaml

工具：容器扫描（Trivy）、SBOM生成
阈值：生产依赖项中无严重漏洞
制品：存储SBOM，上传扫描结果
速度：<2分钟
行动：发现严重漏洞时终止构建

阶段4：部署前（Staging环境）

yaml

工具：DAST、集成测试
阈值：无严重/高危DAST发现
速度：10-30分钟
行动：作为生产部署的门禁

阶段5：生产环境（运行时）

yaml

工具：持续扫描、运行时监控
阈值：已部署镜像中发现新CVE时触发告警
行动：通知安全团队，规划补丁

Example: GitHub Actions Multi-Stage Scan

示例：GitHub Actions多阶段扫描

yaml

name: Security Scan Pipeline

on: [push, pull_request]

jobs:
  secrets:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          extra_args: --only-verified

  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: semgrep/semgrep-action@v1
        with:
          config: p/security-audit

  container:
    runs-on: ubuntu-latest
    needs: [secrets, sast]
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t myapp:${{ github.sha }} .

      - uses: aquasecurity/trivy-action@master
        with:
          image-ref: myapp:${{ github.sha }}
          format: sarif
          output: trivy-results.sarif
          severity: HIGH,CRITICAL
          exit-code: 1

      - name: Generate SBOM
        run: |
          trivy image --format cyclonedx \
            --output sbom.json myapp:${{ github.sha }}

      - uses: actions/upload-artifact@v3
        with:
          name: sbom
          path: sbom.json

For complete CI/CD patterns (GitLab CI, Jenkins, Azure Pipelines), see

references/ci-cd-patterns.md

yaml

name: Security Scan Pipeline

on: [push, pull_request]

jobs:
  secrets:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          extra_args: --only-verified

  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: semgrep/semgrep-action@v1
        with:
          config: p/security-audit

  container:
    runs-on: ubuntu-latest
    needs: [secrets, sast]
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t myapp:${{ github.sha }} .

      - uses: aquasecurity/trivy-action@master
        with:
          image-ref: myapp:${{ github.sha }}
          format: sarif
          output: trivy-results.sarif
          severity: HIGH,CRITICAL
          exit-code: 1

      - name: Generate SBOM
        run: |
          trivy image --format cyclonedx \
            --output sbom.json myapp:${{ github.sha }}

      - uses: actions/upload-artifact@v3
        with:
          name: sbom
          path: sbom.json

完整的CI/CD模式（GitLab CI、Jenkins、Azure Pipelines），请参阅

references/ci-cd-patterns.md

。

Container Scanning with Trivy

使用Trivy进行容器扫描

Trivy is the recommended default for container scanning: comprehensive, fast, and CI/CD native.

Trivy是容器扫描的推荐默认工具：功能全面、速度快且原生支持CI/CD。

Basic Usage

基础用法

bash

undefined

bash

undefined

Scan container image

扫描容器镜像

trivy image alpine:latest

Scan with severity filter

按严重程度过滤扫描

trivy image --severity HIGH,CRITICAL alpine:latest

Fail on findings (CI/CD)

发现漏洞时终止流程（CI/CD场景）

trivy image --exit-code 1 --severity HIGH,CRITICAL myapp:latest

Generate SBOM

生成SBOM

trivy image --format cyclonedx --output sbom.json alpine:latest

Scan filesystem

扫描文件系统

trivy fs /path/to/project

Scan Kubernetes manifests

扫描Kubernetes清单

trivy config deployment.yaml

undefined

trivy config deployment.yaml

undefined

Configuration (.trivy.yaml)

配置文件（.trivy.yaml）

yaml

severity: HIGH,CRITICAL
exit-code: 1
ignore-unfixed: true  # Only fail on fixable vulnerabilities
vuln-type: os,library
skip-dirs:
  - node_modules
  - vendor
ignorefile: .trivyignore

yaml

severity: HIGH,CRITICAL
exit-code: 1
ignore-unfixed: true  # 仅在存在可修复漏洞时终止
vuln-type: os,library
skip-dirs:
  - node_modules
  - vendor
ignorefile: .trivyignore

Ignoring False Positives (.trivyignore)

忽略误报（.trivyignore）

undefined

undefined

False positive

误报

CVE-2023-12345

Accepted risk with justification

已接受风险并附说明

CVE-2023-67890 # Risk accepted: Not exploitable in our use case

CVE-2023-67890 # 风险接受：在我们的场景中无法被利用

Development dependency (not in production)

开发依赖（不进入生产环境）

CVE-2023-11111 # Dev dependency only

undefined

CVE-2023-11111 # 仅为开发依赖

undefined

GitHub Actions Integration

GitHub Actions集成

yaml

- name: Trivy Scan
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: myapp:${{ github.sha }}
    format: sarif
    output: trivy-results.sarif
    severity: HIGH,CRITICAL
    exit-code: 1

- name: Upload to GitHub Security
  uses: github/codeql-action/upload-sarif@v2
  if: always()
  with:
    sarif_file: trivy-results.sarif

yaml

- name: Trivy Scan
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: myapp:${{ github.sha }}
    format: sarif
    output: trivy-results.sarif
    severity: HIGH,CRITICAL
    exit-code: 1

- name: Upload to GitHub Security
  uses: github/codeql-action/upload-sarif@v2
  if: always()
  with:
    sarif_file: trivy-results.sarif

Alternative: Grype for Accuracy

替代方案：使用Grype提升准确性

Grype focuses on minimal false positives and works with Syft for SBOM generation.

Important: Use Grype v0.104.1 or later (credential disclosure CVE-2025-65965 patched in earlier versions).

Grype专注于减少误报，可与Syft配合实现SBOM生成与扫描工作流。

重要提示： 使用Grype v0.104.1或更高版本（凭证泄露漏洞CVE-2025-65965已在早期版本中修复）。

Basic Usage

基础用法

bash

undefined

bash

undefined

Scan container image

扫描容器镜像

grype alpine:latest

Scan with severity threshold

按严重程度阈值终止流程

grype alpine:latest --fail-on high

Scan SBOM (faster)

扫描SBOM（速度更快）

grype sbom:./sbom.json

Syft + Grype workflow

Syft + Grype工作流

syft alpine:latest -o json | grype --fail-on critical

undefined

syft alpine:latest -o json | grype --fail-on critical

undefined

When to Use Grype

何时使用Grype

Projects sensitive to false positives
SBOM-first workflows (generate with Syft, scan with Grype)
Need second opinion validation
Anchore ecosystem users

For complete tool comparisons and selection criteria, see

references/tool-selection.md

对误报敏感的项目
以SBOM为核心的工作流（Syft生成，Grype扫描）
需要二次验证
Anchore生态系统用户

完整的工具对比与选择标准，请参阅

references/tool-selection.md

。

Security Gates and Thresholds

安全门禁与阈值

Progressive Threshold Strategy

渐进式阈值策略

Balance security and development velocity with progressive gates. Configure different thresholds for PR checks (fast, HIGH+CRITICAL), builds (comprehensive), and deployments (strict, CRITICAL only).

通过渐进式门禁平衡安全与开发效率。为PR检查（快速，仅高危+严重）、构建（全面）和部署（严格，仅严重）配置不同阈值。

Policy-as-Code

策略即代码

Use OPA (Open Policy Agent) for automated policy enforcement. Create policies to deny Critical vulnerabilities, enforce KEV catalog checks, and implement environment-specific rules.

For complete policy patterns, baseline detection, and OPA examples, see

references/policy-as-code.md

使用OPA（Open Policy Agent）实现自动化策略执行。创建策略以阻止严重漏洞、强制检查KEV目录，并实现环境特定规则。

完整的策略模式、基线检测与OPA示例，请参阅

references/policy-as-code.md

。

Remediation Workflows

修复工作流

Automated Remediation

自动化修复

Set up automated workflows to scan daily, extract fixable vulnerabilities, update dependencies, and create remediation pull requests automatically.

设置每日扫描的自动化工作流，提取可修复漏洞、更新依赖项，并自动创建修复拉取请求。

SLA Tracking

SLA跟踪

Track vulnerability remediation against SLA targets (P0: 24 hours, P1: 7 days, P2: 30 days, P3: 90 days). Monitor overdue vulnerabilities and escalate as needed.

针对SLA目标跟踪漏洞修复进度（P0：24小时，P1：7天，P2：30天，P3：90天）。监控逾期漏洞并按需升级处理。

False Positive Management

误报管理

Maintain suppression files (.trivyignore) with documented justifications, review dates, and approval tracking. Implement workflows for false positive triage and approval.

For complete remediation workflows, SLA trackers, and automation scripts, see

references/remediation-workflows.md

维护带文档说明的抑制文件（.trivyignore），包含复查日期与审批跟踪。实现误报分类与审批工作流。

完整的修复工作流、SLA跟踪器与自动化脚本，请参阅

references/remediation-workflows.md

。

Integration with Related Skills

与相关技能的集成

building-ci-pipelines

Add security stages to pipeline definitions
Configure artifacts for SBOM storage
Implement quality gates with vulnerability thresholds

secret-management

Integrate secret scanning (Gitleaks, TruffleHog)
Automate secret rotation on detection
Use pre-commit hooks for prevention

infrastructure-as-code

Scan Terraform and Kubernetes manifests with Trivy config
Detect misconfigurations before deployment
Enforce policy-as-code with OPA

security-hardening

Apply remediation guidance from scan results
Select secure base images
Implement security best practices

compliance-frameworks

Generate SBOMs for SOC2, ISO 27001 audits
Track vulnerability metrics for compliance reporting
Provide evidence for security controls

building-ci-pipelines

为流水线定义添加安全阶段
配置SBOM存储的制品管理
基于漏洞阈值实现质量门禁

secret-management

集成密钥扫描（Gitleaks、TruffleHog）
检测到密钥时自动轮换
使用提交前钩子预防密钥泄露

infrastructure-as-code

使用Trivy config扫描Terraform与Kubernetes清单
部署前检测配置错误
使用OPA实现策略即代码

security-hardening

根据扫描结果应用修复指导
选择安全的基础镜像
实施安全最佳实践

compliance-frameworks

为SOC2、ISO 27001审计生成SBOM
跟踪漏洞指标用于合规报告
提供安全控制的证据

Quick Reference

快速参考

Essential Commands

核心命令

bash

undefined

bash

undefined

Trivy: Scan image with severity filter

Trivy：按严重程度过滤扫描镜像

trivy image --severity HIGH,CRITICAL myapp:latest

Trivy: Generate SBOM

Trivy：生成SBOM

trivy image --format cyclonedx --output sbom.json myapp:latest

Trivy: Scan SBOM

Trivy：扫描SBOM

trivy sbom sbom.json

Grype: Scan image

Grype：扫描镜像

grype myapp:latest --fail-on high

Syft + Grype: SBOM workflow

Syft + Grype：SBOM工作流

syft myapp:latest -o json | grype

Gitleaks: Scan for secrets

Gitleaks：扫描密钥

gitleaks detect --source . --verbose

undefined

gitleaks detect --source . --verbose

undefined

Common Patterns

常见模式

bash

undefined

bash

undefined

CI/CD: Fail build on Critical

CI/CD：发现严重漏洞时终止构建

trivy image --exit-code 1 --severity CRITICAL myapp:latest

Ignore unfixed vulnerabilities

忽略无法修复的漏洞

trivy image --ignore-unfixed --severity HIGH,CRITICAL myapp:latest

Scan only OS packages

仅扫描操作系统包

trivy image --vuln-type os myapp:latest

Skip specific directories

跳过指定目录

trivy fs --skip-dirs node_modules,vendor .

undefined

trivy fs --skip-dirs node_modules,vendor .

undefined

Progressive Disclosure

进阶内容

This skill provides foundational vulnerability management patterns. For deeper topics:

Tool Selection:
```
references/tool-selection.md
```
- Complete decision frameworks
SBOM Patterns:
```
references/sbom-guide.md
```
- Generation, storage, consumption
Prioritization:
```
references/prioritization-framework.md
```
- CVSS/EPSS/KEV automation
CI/CD Integration:
```
references/ci-cd-patterns.md
```
- GitLab CI, Jenkins, Azure Pipelines
Remediation:
```
references/remediation-workflows.md
```
- SLA tracking, false positives
Policy-as-Code:
```
references/policy-as-code.md
```
- OPA examples, security gates

Working Examples:

```
examples/trivy/
```
- Trivy scanning patterns
```
examples/grype/
```
- Grype + Syft workflows
```
examples/ci-cd/
```
- Complete pipeline configurations
```
examples/sbom/
```
- SBOM generation and management
```
examples/prioritization/
```
- EPSS and KEV integration scripts

Automation Scripts:

```
scripts/vulnerability-report.sh
```
- Generate executive reports
```
scripts/sla-tracker.sh
```
- Track remediation SLAs
```
scripts/false-positive-manager.sh
```
- Manage suppression rules

本技能提供漏洞管理的基础模式。如需深入了解以下主题：

工具选择：
```
references/tool-selection.md
```
- 完整决策框架
SBOM模式：
```
references/sbom-guide.md
```
- 生成、存储、使用
优先级排序：
```
references/prioritization-framework.md
```
- CVSS/EPSS/KEV自动化
CI/CD集成：
```
references/ci-cd-patterns.md
```
- GitLab CI、Jenkins、Azure Pipelines
修复流程：
```
references/remediation-workflows.md
```
- SLA跟踪、误报处理
策略即代码：
```
references/policy-as-code.md
```
- OPA示例、安全门禁

实战示例：

```
examples/trivy/
```
- Trivy扫描模式
```
examples/grype/
```
- Grype + Syft工作流
```
examples/ci-cd/
```
- 完整流水线配置
```
examples/sbom/
```
- SBOM生成与管理
```
examples/prioritization/
```
- EPSS与KEV集成脚本

自动化脚本：

```
scripts/vulnerability-report.sh
```
- 生成高管报告
```
scripts/sla-tracker.sh
```
- 跟踪修复SLA
```
scripts/false-positive-manager.sh
```
- 管理抑制规则