Container Image Vulnerability Scanner
Scans Docker and OCI container images for vulnerabilities using Trivy JSON output and the Docker Hub API v2 for image metadata. Analyzes base image layers via Syft SBOM generation and maps CVEs to fixed versions using the Alpine SecDB and Debian Security Tracker APIs.
npx skills add agentskillexchange/skills --skill container-image-vulnerability-scanner
The Container Image Vulnerability Scanner skill performs deep security analysis of container images by combining multiple vulnerability scanning approaches and package databases. It processes Trivy scan results in JSON format (trivy image --format json) to identify OS package and application dependency vulnerabilities with CVSS scoring.
The skill queries the Docker Hub API v2 at https://hub.docker.com/v2/repositories/{namespace}/{repository}/tags for image metadata, tag history, and manifest digests. It generates a Software Bill of Materials (SBOM) using Syft in CycloneDX format to enumerate all packages within image layers, including OS packages (apk, apt, yum) and application dependencies (npm, pip, gem, go modules).
Key scanning capabilities include base image analysis against known-good digests from Docker Official Images; layer-by-layer vulnerability attribution, identifying which Dockerfile instruction introduced each vulnerable package; and fixed-version lookup via Alpine SecDB (https://secdb.alpinelinux.org), the Debian Security Tracker API, and the Red Hat Security Data API. The skill generates remediation Dockerfiles with pinned base image digests, multi-stage build optimizations to reduce attack surface, and non-root USER directives. It also produces compliance reports for CIS Docker Benchmark checks and supports policy-as-code evaluation using OPA Rego rules for admission controller integration.
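As an added example (not the skill's own code), the following Python triage reads Trivy JSON, keeps findings that have a FixedVersion at or above a severity floor, and attributes each one to the layer DiffID that introduced the package, which is the input a remediation Dockerfile needs. The embedded report is constructed to match Trivy's schema; the CVE ids, versions and layer digests in it are placeholders.

```python
import json
from collections import defaultdict

# Constructed sample shaped like `trivy image --format json` (SchemaVersion 2).
# CVE ids, package versions and layer digests are placeholders, not real findings.
SAMPLE_REPORT_TEXT = json.dumps({
    "SchemaVersion": 2, "ArtifactName": "example/app:1.0", "ArtifactType": "container_image",
    "Results": [
        {"Target": "example/app:1.0 (alpine 3.18.0)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libssl3", "InstalledVersion": "3.1.0-r0",
              "FixedVersion": "3.1.1-r0", "Severity": "CRITICAL", "Layer": {"DiffID": "sha256:layer-a"}},
             {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "busybox", "InstalledVersion": "1.36.0-r0",
              "Severity": "HIGH", "Layer": {"DiffID": "sha256:layer-a"}},  # no FixedVersion: unfixed upstream
             {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "zlib", "InstalledVersion": "1.2.13-r0",
              "FixedVersion": "1.2.13-r1", "Severity": "MEDIUM", "Layer": {"DiffID": "sha256:layer-a"}}]},
        {"Target": "usr/lib/python3.11/site-packages/requests-2.28.0.dist-info/METADATA",
         "Class": "lang-pkgs", "Type": "python-pkg",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "requests", "InstalledVersion": "2.28.0",
              "FixedVersion": "2.31.0", "Severity": "HIGH", "Layer": {"DiffID": "sha256:layer-b"}}]}]})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def load_findings(report_text):
    """Flatten Trivy's Results[].Vulnerabilities[] into one record per finding.
    A missing or empty FixedVersion means no upstream fix exists yet."""
    findings = []
    for result in json.loads(report_text).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key is absent for clean targets
            findings.append({
                "id": vuln["VulnerabilityID"], "pkg": vuln["PkgName"],
                "installed": vuln["InstalledVersion"], "fixed": vuln.get("FixedVersion") or None,
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
                "layer": (vuln.get("Layer") or {}).get("DiffID", "unknown"),
                "class": result.get("Class", "unknown")})
    return findings

def fixable_by_layer(findings, min_severity="HIGH"):
    """Group fixable findings at or above the severity floor by the layer DiffID that
    introduced the package, so each can be traced back to a Dockerfile instruction."""
    floor = SEVERITY_RANK[min_severity]
    grouped = defaultdict(list)
    for f in findings:
        if f["fixed"] and SEVERITY_RANK.get(f["severity"], 0) >= floor:
            grouped[f["layer"]].append(f)
    return dict(grouped)

def upgrade_plan(findings, min_severity="HIGH"):
    """Deduplicated (package, installed, fixed) triples to pin in a remediation Dockerfile."""
    plan = {(f["pkg"], f["installed"], f["fixed"])
            for layer in fixable_by_layer(findings, min_severity).values() for f in layer}
    return sorted(plan)
```

Findings without a FixedVersion (CVE-EXAMPLE-0002 above) are deliberately left out of the upgrade plan; they need a base-image change or an accepted-risk entry rather than a package pin.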