diff --git a/plugins/vulnerability-remediation/.plugin/plugin.json b/plugins/vulnerability-remediation/.plugin/plugin.json new file mode 100644 index 00000000..7ca6fc48 --- /dev/null +++ b/plugins/vulnerability-remediation/.plugin/plugin.json @@ -0,0 +1,9 @@ +{ + "name": "vulnerability-remediation", + "version": "1.0.0", + "description": "Automated security vulnerability scanning and AI-powered remediation using OpenHands agents with Trivy", + "author": "OpenHands", + "license": "MIT", + "repository": "https://github.com/OpenHands/extensions", + "entry_command": "Activate the run-scan skill to begin vulnerability scanning" +} diff --git a/plugins/vulnerability-remediation/README.md b/plugins/vulnerability-remediation/README.md index f93efedd..aec03d0a 100644 --- a/plugins/vulnerability-remediation/README.md +++ b/plugins/vulnerability-remediation/README.md @@ -34,24 +34,75 @@ That's it! The workflow will: - **Trivy Integration** — Comprehensive vulnerability detection - **AI-Powered Fixes** — OpenHands agents analyze and fix vulnerabilities - **Automatic PRs** — Creates PRs with detailed CVE references +- **Agent Skills** — Two specialized skills that guide the remediation workflow +- **Automatic Chaining** — Skills automatically trigger each other based on scan results ## Plugin Contents ``` plugins/vulnerability-remediation/ +├── .plugin/ # Plugin metadata +│ └── plugin.json # Plugin manifest with entry_command ├── README.md # This file ├── action.yml # Composite GitHub Action ├── scripts/ # Python scripts for scan and remediation │ └── scan_and_remediate.py # Main remediation agent script -├── workflows/ # Example GitHub workflow files -│ └── vulnerability-scan.yml # Thin wrapper workflow (copy this) -└── skills/ # Symbolic links to related skills - ├── security -> ../../../skills/security - └── github -> ../../../skills/github +├── skills/ # Agent skills for vulnerability workflow +│ ├── run-scan/ # Trivy installation and scanning +│ │ ├── SKILL.md # Scanning instructions for agents +│ │ └── README.md # Human-readable documentation +│ └── fix-vulnerabilities/ # Vulnerability remediation +│ ├── SKILL.md # Remediation instructions for agents +│ └── README.md # Human-readable documentation +└── workflows/ # Example GitHub workflow files + └── vulnerability-scan.yml # Thin wrapper workflow (copy this) ``` ## How It Works +The plugin provides two agent skills that work together: + +### 1. **run-scan** Skill +- Installs Trivy vulnerability scanner +- Runs comprehensive security scans +- Filters vulnerabilities by severity (HIGH/CRITICAL recommended) +- Generates JSON results for analysis +- **Automatically triggers** fix-vulnerabilities skill when fixable vulnerabilities are found + +### 2. **fix-vulnerabilities** Skill +- Parses Trivy scan results +- Prioritizes vulnerabilities by severity and fixability +- Updates vulnerable dependencies across 8+ package ecosystems +- Verifies fixes with tests and re-scans +- Creates well-documented PRs with CVE references + +### Plugin Entry Point + +The plugin uses an `entry_command` in `.plugin/plugin.json` that automatically activates the `run-scan` skill when the plugin is loaded, starting the vulnerability remediation workflow. + +### Skill Workflow + +``` +Plugin Loaded (entry_command) + ↓ +[run-scan skill] + ├─→ Install Trivy + ├─→ Run security scan + ├─→ Generate trivy-results.json + └─→ Check for fixable vulnerabilities + ↓ + └─→ If vulnerabilities found → + ↓ + [fix-vulnerabilities skill] (auto-triggered) + ├─→ Parse scan results + ├─→ Prioritize by severity + ├─→ Update dependencies + ├─→ Run tests & verify + └─→ Create PR with fix +``` + +### GitHub Action Workflow + The action runs in two phases: 1. **Scan Phase** — Runs Trivy to detect vulnerabilities (fast, no AI costs) @@ -98,7 +149,38 @@ github-token: ${{ secrets.ALLHANDS_BOT_GITHUB_PAT || secrets.GITHUB_TOKEN }} ## Usage -### Automatic Scheduled Scans +### Using the Plugin with OpenHands SDK + +Load the plugin in your OpenHands agent: + +```python +from openhands.sdk import LLM, Agent, Conversation +from openhands.sdk.plugin import Plugin + +# Load the vulnerability-remediation plugin +plugin = Plugin.load("/path/to/plugins/vulnerability-remediation") + +# Create agent with plugin skills +agent = Agent( + llm=llm, + tools=tools, + agent_context=AgentContext(skills=plugin.skills) +) + +# Create conversation +conversation = Conversation(agent=agent) + +# The plugin's entry_command will trigger the run-scan skill automatically +conversation.send_message("Start vulnerability scanning") +conversation.run() +``` + +The plugin's `entry_command` instructs the agent to activate the `run-scan` skill, which will: +1. Install Trivy +2. Run a security scan +3. Automatically trigger `fix-vulnerabilities` if fixable vulnerabilities are found + +### Automatic Scheduled Scans (GitHub Actions) Once configured, the workflow runs automatically on the specified schedule. It will: diff --git a/plugins/vulnerability-remediation/skills/fix-vulnerabilities/README.md b/plugins/vulnerability-remediation/skills/fix-vulnerabilities/README.md new file mode 100644 index 00000000..f41edf7b --- /dev/null +++ b/plugins/vulnerability-remediation/skills/fix-vulnerabilities/README.md @@ -0,0 +1,117 @@ +# Fix Vulnerabilities Skill + +This skill provides detailed instructions for analyzing Trivy scan results and remediating security vulnerabilities across multiple package ecosystems. + +## Purpose + +Guide agents through the process of: +- Parsing Trivy JSON scan results +- Prioritizing vulnerabilities by severity and fixability +- Updating vulnerable dependencies per ecosystem +- Verifying fixes with re-scans +- Creating well-documented PRs with security context + +## Activation + +This skill is triggered: +- **Automatically** after a successful `run-scan` that finds fixable vulnerabilities +- **Manually** via keywords: "fix-vulnerabilities", "remediate vulnerabilities", "patch CVE" + +## Workflow + +1. **Parse Results** - Extract vulnerability details from `trivy-results.json` +2. **Prioritize** - Focus on CRITICAL/HIGH severity with available fixes +3. **Update Dependencies** - Apply ecosystem-specific update commands +4. **Verify** - Run tests and re-scan to confirm fix +5. **Create PR** - Submit fix with CVE references and security context + +## Supported Ecosystems + +The skill provides remediation instructions for: + +- **Node.js**: npm, yarn, pnpm +- **Python**: pip, pipenv, poetry +- **Java**: Maven, Gradle +- **Go**: go modules +- **Ruby**: bundler +- **Rust**: cargo +- **PHP**: composer +- **.NET**: NuGet + +## Best Practices + +### One CVE per PR (Recommended) +- Easier review process +- Isolated testing +- Clear rollback path +- Better audit trail + +### Batch Updates (Alternative) +- For low-risk updates +- Multiple low-severity CVEs +- Regular dependency maintenance + +## Example Workflow + +```bash +# 1. Parse scan results +python3 -c "import json; data = json.load(open('trivy-results.json')); print(len(data.get('Results', [])))" + +# 2. Update vulnerable package (Node.js example) +npm install vulnerable-package@fixed-version + +# 3. Verify fix +npm test +trivy fs . --format json --output trivy-results-after.json + +# 4. Create fix branch +git checkout -b fix/CVE-2023-12345 +git add . +git commit -m "fix: Update package to fix CVE-2023-12345" + +# 5. Create PR +gh pr create --title "Security: Fix CVE-2023-12345" --label security +``` + +## Security Context in PRs + +Each PR should include: +- CVE ID and severity +- Affected package and versions +- Fix description +- Links to security advisories +- Test results +- Verification that vulnerability is resolved + +## Troubleshooting + +### Fix Not Available +- Wait for upstream patch +- Apply workaround if documented +- Consider alternative packages + +### Breaking Changes +- Review migration guides +- Update dependent code +- Test incrementally +- Consider intermediate versions + +### Transitive Dependencies +- Update parent packages +- Use override/resolution features +- Check dependency tree + +## Integration + +This skill is part of the vulnerability-remediation plugin and works with: +- `run-scan` skill - Source of vulnerability data +- GitHub Actions - Automated remediation workflows +- `scan_and_remediate.py` - Batch processing automation + +## Related Resources + +- [OWASP Dependency Check](https://owasp.org/www-project-dependency-check/) +- [Snyk Vulnerability Database](https://security.snyk.io/) +- [GitHub Security Advisories](https://github.com/advisories) +- [npm audit](https://docs.npmjs.com/cli/v8/commands/npm-audit) +- [pip-audit](https://pypi.org/project/pip-audit/) diff --git a/plugins/vulnerability-remediation/skills/fix-vulnerabilities/SKILL.md b/plugins/vulnerability-remediation/skills/fix-vulnerabilities/SKILL.md new file mode 100644 index 00000000..f18525e8 --- /dev/null +++ b/plugins/vulnerability-remediation/skills/fix-vulnerabilities/SKILL.md @@ -0,0 +1,543 @@ +--- +name: fix-vulnerabilities +description: Analyze Trivy scan results and remediate security vulnerabilities by updating dependencies to fixed versions +triggers: +- fix-vulnerabilities +- remediate vulnerabilities +- update vulnerable dependencies +- patch CVE +--- + +# Vulnerability Remediation + +This skill guides you through analyzing Trivy scan results and fixing identified security vulnerabilities. + +## Automatic Activation + +**This skill automatically activates after a successful `run-scan` that finds fixable vulnerabilities.** + +You can also manually trigger remediation by referencing this skill when working with existing scan results. + +## Prerequisites + +- Trivy scan results file (`trivy-results.json`) exists +- Write access to dependency files +- Git repository for creating fix branches and PRs + +## Workflow Overview + +1. **Parse scan results** - Extract vulnerability details from JSON +2. **Prioritize fixes** - Focus on HIGH/CRITICAL with available fixes +3. **Update dependencies** - Upgrade to fixed versions per ecosystem +4. **Verify changes** - Ensure updates don't break builds +5. **Create PR** - Submit fix with detailed CVE information + +## Step 1: Parse Trivy Results + +### Extract Vulnerabilities + +```bash +# Check if scan results exist +if [ ! -f "trivy-results.json" ]; then + echo "Error: trivy-results.json not found. Run the run-scan skill first." + exit 1 +fi + +# Parse and display vulnerabilities +python3 << 'EOF' +import json + +with open('trivy-results.json', 'r') as f: + data = json.load(f) + +vulnerabilities = [] +for result in data.get('Results', []): + target = result.get('Target', 'Unknown') + for vuln in result.get('Vulnerabilities', []): + if vuln.get('FixedVersion'): # Only fixable vulnerabilities + vulnerabilities.append({ + 'target': target, + 'cve': vuln.get('VulnerabilityID'), + 'package': vuln.get('PkgName'), + 'installed': vuln.get('InstalledVersion'), + 'fixed': vuln.get('FixedVersion'), + 'severity': vuln.get('Severity'), + 'title': vuln.get('Title', ''), + 'references': vuln.get('References', []) + }) + +print(f"\nFound {len(vulnerabilities)} fixable vulnerabilities\n") +for vuln in vulnerabilities: + print(f"[{vuln['severity']}] {vuln['cve']}") + print(f" Package: {vuln['package']} ({vuln['installed']} → {vuln['fixed']})") + print(f" File: {vuln['target']}") + print() +EOF +``` + +### Filter by Severity (Optional) + +```bash +# Filter for CRITICAL and HIGH only +python3 << 'EOF' +import json + +with open('trivy-results.json', 'r') as f: + data = json.load(f) + +high_priority = [] +for result in data.get('Results', []): + for vuln in result.get('Vulnerabilities', []): + if vuln.get('Severity') in ['CRITICAL', 'HIGH'] and vuln.get('FixedVersion'): + high_priority.append(vuln) + +print(f"High priority vulnerabilities: {len(high_priority)}") +EOF +``` + +## Step 2: Remediation by Ecosystem + +### Node.js (npm/yarn/pnpm) + +**Identify the dependency file:** + +```bash +# Check which package manager is used +if [ -f "package-lock.json" ]; then + echo "Using npm" + PKG_MANAGER="npm" +elif [ -f "yarn.lock" ]; then + echo "Using yarn" + PKG_MANAGER="yarn" +elif [ -f "pnpm-lock.yaml" ]; then + echo "Using pnpm" + PKG_MANAGER="pnpm" +else + echo "No Node.js lock file found" +fi +``` + +**Update vulnerable package:** + +```bash +# For direct dependencies (in package.json) +npm install package-name@fixed-version + +# For transitive dependencies (indirect) +npm update package-name + +# Or force update all dependencies +npm audit fix + +# Verify the fix +npm audit +``` + +**For yarn:** + +```bash +yarn upgrade package-name@^fixed-version +yarn audit +``` + +**For pnpm:** + +```bash +pnpm update package-name +pnpm audit +``` + +### Python (pip/pipenv/poetry) + +**requirements.txt:** + +```bash +# Update the version in requirements.txt +sed -i 's/package-name==old-version/package-name==fixed-version/' requirements.txt + +# Reinstall +pip install -r requirements.txt --upgrade + +# Or use pip-audit for automated fixes +pip install pip-audit +pip-audit --fix +``` + +**Pipfile:** + +```bash +# Update Pipfile +pipenv install package-name==fixed-version +pipenv check +``` + +**pyproject.toml (Poetry):** + +```bash +# Update dependency +poetry add package-name@^fixed-version +poetry check +``` + +### Java (Maven/Gradle) + +**pom.xml (Maven):** + +```xml + + + group.id + package-name + fixed-version + +``` + +```bash +# Verify and install +mvn clean install +mvn dependency:tree +``` + +**build.gradle (Gradle):** + +```gradle +// Update version in build.gradle +dependencies { + implementation 'group.id:package-name:fixed-version' +} +``` + +```bash +# Verify +./gradlew build +./gradlew dependencies +``` + +### Go + +**go.mod:** + +```bash +# Update specific module +go get package-name@fixed-version + +# Or update all dependencies +go get -u ./... + +# Tidy up +go mod tidy + +# Verify +go build ./... +``` + +### Ruby + +**Gemfile:** + +```ruby +# Update gem version in Gemfile +gem 'package-name', '~> fixed-version' +``` + +```bash +# Update and install +bundle update package-name +bundle audit check +``` + +### Rust + +**Cargo.toml:** + +```toml +[dependencies] +package-name = "fixed-version" +``` + +```bash +# Update dependencies +cargo update package-name + +# Verify +cargo build +cargo audit +``` + +### PHP (Composer) + +**composer.json:** + +```bash +# Update package +composer require package-name:^fixed-version + +# Or update all +composer update + +# Security check +composer audit +``` + +## Step 3: Verify Changes + +### Run Tests + +```bash +# Generic test commands (adjust per project) +npm test # Node.js +pytest # Python +mvn test # Maven +./gradlew test # Gradle +go test ./... # Go +bundle exec rspec # Ruby +cargo test # Rust +composer test # PHP +``` + +### Verify Vulnerability is Fixed + +```bash +# Re-run Trivy scan +trivy fs . --format json --output trivy-results-after.json + +# Compare before/after +python3 << 'EOF' +import json + +with open('trivy-results.json', 'r') as f: + before = json.load(f) + +with open('trivy-results-after.json', 'r') as f: + after = json.load(f) + +# Count vulnerabilities +before_count = sum(len(r.get('Vulnerabilities', [])) for r in before.get('Results', [])) +after_count = sum(len(r.get('Vulnerabilities', [])) for r in after.get('Results', [])) + +print(f"Vulnerabilities before: {before_count}") +print(f"Vulnerabilities after: {after_count}") +print(f"Fixed: {before_count - after_count}") +EOF +``` + +## Step 4: Create Fix Branch and PR + +### Setup Git Branch + +```bash +# Extract CVE ID from the vulnerability being fixed +CVE_ID="CVE-2023-12345" # Replace with actual CVE +PACKAGE_NAME="example-package" # Replace with actual package + +# Create fix branch +BRANCH_NAME="fix/${CVE_ID}-${PACKAGE_NAME}" +git checkout -b "$BRANCH_NAME" + +# Stage changes +git add . + +# Commit with descriptive message +git commit -m "fix: Update ${PACKAGE_NAME} to fix ${CVE_ID} + +- Vulnerability: ${CVE_ID} +- Severity: HIGH/CRITICAL +- Package: ${PACKAGE_NAME} +- Fixed version: X.Y.Z +- Description: Brief vulnerability description + +This change updates the vulnerable dependency to address the security issue. +" +``` + +### Push and Create PR + +```bash +# Push branch +git push origin "$BRANCH_NAME" + +# Create PR using GitHub CLI (if available) +if command -v gh &> /dev/null; then + gh pr create \ + --title "Security: Fix ${CVE_ID} in ${PACKAGE_NAME}" \ + --body "## Security Vulnerability Fix + +### Summary +This PR fixes ${CVE_ID} by updating ${PACKAGE_NAME} to a patched version. + +### Vulnerability Details +- **CVE ID**: ${CVE_ID} +- **Severity**: HIGH/CRITICAL +- **Affected Package**: ${PACKAGE_NAME} +- **Installed Version**: X.Y.Z +- **Fixed Version**: A.B.C + +### Changes +- Updated dependency in [dependency file] +- Verified tests pass +- Confirmed vulnerability is resolved + +### References +- [CVE Details](https://nvd.nist.gov/vuln/detail/${CVE_ID}) +- [GitHub Advisory](https://github.com/advisories?query=${CVE_ID}) + +### Testing +- [ ] Unit tests pass +- [ ] Integration tests pass +- [ ] Trivy scan confirms fix +" \ + --label "security" \ + --label "dependencies" +else + echo "GitHub CLI not available. Create PR manually at:" + echo "https://github.com/\$OWNER/\$REPO/compare/$BRANCH_NAME" +fi +``` + +## Handling Multiple Vulnerabilities + +### Strategy: One CVE per PR (Recommended) + +This approach allows for: +- Easier review +- Isolated testing +- Rollback individual fixes if needed +- Clear audit trail + +```bash +# Process vulnerabilities one at a time +python3 << 'EOF' +import json + +with open('trivy-results.json', 'r') as f: + data = json.load(f) + +vulns = [] +for result in data.get('Results', []): + for vuln in result.get('Vulnerabilities', []): + if vuln.get('FixedVersion') and vuln.get('Severity') in ['CRITICAL', 'HIGH']: + vulns.append({ + 'cve': vuln.get('VulnerabilityID'), + 'package': vuln.get('PkgName'), + 'target': result.get('Target'), + 'fixed': vuln.get('FixedVersion') + }) + +# Write to file for iteration +with open('vulns-to-fix.json', 'w') as f: + json.dump(vulns, f, indent=2) + +print(f"Found {len(vulns)} vulnerabilities to fix") +EOF + +# Now process each vulnerability in separate branches +``` + +### Alternative: Batch Fix PR + +For projects with many low-risk updates: + +```bash +# Create single branch for all fixes +git checkout -b fix/security-updates-$(date +%Y%m%d) + +# Update all vulnerable packages +# ... apply all fixes ... + +git add . +git commit -m "fix: Batch security updates for multiple CVEs + +This PR addresses multiple security vulnerabilities: +- CVE-2023-XXXXX (CRITICAL) +- CVE-2023-YYYYY (HIGH) +- CVE-2023-ZZZZZ (HIGH) + +All dependencies have been updated to patched versions. +" +``` + +## Best Practices + +### 1. **Prioritize by Severity** + - Fix CRITICAL first + - Then HIGH + - MEDIUM/LOW can be batched + +### 2. **Check Breaking Changes** + - Review changelogs for major version updates + - Test thoroughly before merging + - Consider gradual rollout for high-risk changes + +### 3. **Update Lock Files** + - Always commit updated lock files (package-lock.json, yarn.lock, etc.) + - Lock files ensure reproducible builds + +### 4. **Document Security Context** + - Include CVE references in commit messages + - Link to security advisories + - Explain impact and mitigation + +### 5. **Automate Where Possible** + - Use `npm audit fix`, `pip-audit --fix`, etc. + - Set up automated dependency updates (Dependabot, Renovate) + +## Troubleshooting + +### Fix Version Not Available + +```bash +# Check if the fixed version exists +npm view package-name versions + +# If not, consider: +# 1. Waiting for the fix to be released +# 2. Applying a workaround +# 3. Finding an alternative package +``` + +### Breaking Changes in Fix + +```bash +# If fixed version breaks the build: +# 1. Check migration guides +# 2. Update dependent code +# 3. Consider intermediate versions +# 4. Test incrementally +``` + +### Transitive Dependencies + +```bash +# For indirect dependencies, update the parent: +npm update parent-package + +# Or use override/resolutions in package.json: +{ + "overrides": { + "vulnerable-package": "^fixed-version" + } +} +``` + +## Summary Checklist + +- [ ] Scan results parsed and vulnerabilities identified +- [ ] High-priority CVEs filtered (CRITICAL/HIGH with fixes) +- [ ] Dependencies updated per ecosystem best practices +- [ ] Tests run and passing +- [ ] Vulnerability fix verified with re-scan +- [ ] Fix branch created with descriptive name +- [ ] Commit message includes CVE details +- [ ] PR created with security context and references +- [ ] Labels applied (security, dependencies) +- [ ] Ready for review and merge + +## Additional Resources + +- [OWASP Dependency Check](https://owasp.org/www-project-dependency-check/) +- [Snyk Vulnerability Database](https://security.snyk.io/) +- [CVE Details](https://www.cvedetails.com/) +- [GitHub Security Advisories](https://github.com/advisories) +- [npm audit](https://docs.npmjs.com/cli/v8/commands/npm-audit) +- [pip-audit](https://pypi.org/project/pip-audit/) +- [Dependabot](https://github.com/dependabot) diff --git a/plugins/vulnerability-remediation/skills/github b/plugins/vulnerability-remediation/skills/github deleted file mode 120000 index f546d716..00000000 --- a/plugins/vulnerability-remediation/skills/github +++ /dev/null @@ -1 +0,0 @@ -../../../skills/github \ No newline at end of file diff --git a/plugins/vulnerability-remediation/skills/run-scan/README.md b/plugins/vulnerability-remediation/skills/run-scan/README.md new file mode 100644 index 00000000..543873fb --- /dev/null +++ b/plugins/vulnerability-remediation/skills/run-scan/README.md @@ -0,0 +1,58 @@ +# Run Scan Skill + +This skill provides comprehensive instructions for installing and using Trivy to scan repositories for security vulnerabilities. + +## Purpose + +Guide agents through the process of: +- Installing Trivy on various operating systems +- Running vulnerability scans with appropriate filters +- Understanding scan results +- Triggering the remediation workflow + +## Activation + +This skill is triggered by: +- The plugin's `entry_command` when the plugin is loaded +- Keywords: "run-scan", "vulnerability scan", "security scan", "trivy scan" + +## Workflow + +1. **Install Trivy** - Downloads and installs the latest version +2. **Run Scan** - Executes Trivy with severity filters (HIGH/CRITICAL recommended) +3. **Generate Results** - Outputs JSON file for programmatic analysis +4. **Auto-trigger Remediation** - If fixable vulnerabilities are found, the `fix-vulnerabilities` skill activates + +## Key Features + +- **Cross-platform support**: Linux, macOS, Docker +- **Configurable severity filters**: CRITICAL, HIGH, MEDIUM, LOW +- **Multiple output formats**: JSON, table, SARIF +- **Ecosystem detection**: Automatically identifies and scans 15+ package ecosystems +- **Offline mode**: Can run without internet after initial DB download + +## Example Usage + +```bash +# Quick scan for critical/high vulnerabilities +trivy fs . --severity HIGH,CRITICAL --format json --output trivy-results.json + +# Human-readable output +trivy fs . --severity HIGH,CRITICAL --format table + +# Skip unfixed vulnerabilities +trivy fs . --severity HIGH,CRITICAL --ignore-unfixed +``` + +## Integration + +This skill is part of the vulnerability-remediation plugin and works seamlessly with: +- `fix-vulnerabilities` skill - Automatically activated after successful scan +- GitHub Actions workflows - Used in automated CI/CD pipelines +- `scan_and_remediate.py` script - Python automation for batch processing + +## Related Resources + +- [Trivy Documentation](https://aquasecurity.github.io/trivy/) +- [CVE Database](https://nvd.nist.gov/) +- Parent plugin: `vulnerability-remediation` diff --git a/plugins/vulnerability-remediation/skills/run-scan/SKILL.md b/plugins/vulnerability-remediation/skills/run-scan/SKILL.md new file mode 100644 index 00000000..fdb87015 --- /dev/null +++ b/plugins/vulnerability-remediation/skills/run-scan/SKILL.md @@ -0,0 +1,195 @@ +--- +name: run-scan +description: Install Trivy vulnerability scanner and run comprehensive security scans on the repository +triggers: +- run-scan +- vulnerability scan +- security scan +- trivy scan +--- + +# Vulnerability Scanning with Trivy + +This skill guides you through installing Trivy and running vulnerability scans on your repository. + +## Overview + +Trivy is a comprehensive security scanner that detects: +- Vulnerabilities in dependencies (CVEs) +- Misconfigurations in infrastructure files +- Secrets and sensitive data +- License compliance issues + +## Installing Trivy + +### Linux (Debian/Ubuntu) + +```bash +# Download and install latest Trivy +TRIVY_VERSION=$(curl -sL "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/') +curl -sL "https://github.com/aquasecurity/trivy/releases/download/${TRIVY_VERSION}/trivy_${TRIVY_VERSION#v}_Linux-64bit.tar.gz" | tar xzf - -C /usr/local/bin trivy + +# Verify installation +trivy --version +``` + +### macOS + +```bash +# Using Homebrew +brew install aquasecurity/trivy/trivy + +# Verify installation +trivy --version +``` + +### Alternative: Using Docker + +```bash +# Run Trivy in a container +docker run --rm -v $(pwd):/workspace aquasec/trivy:latest fs /workspace +``` + +## Running a Vulnerability Scan + +### Basic Scan + +Scan the current repository for vulnerabilities: + +```bash +trivy fs . --format json --output trivy-results.json +``` + +### Filtered Scan (Recommended) + +Scan only for HIGH and CRITICAL severity vulnerabilities with fixes available: + +```bash +trivy fs . \ + --severity HIGH,CRITICAL \ + --format json \ + --output trivy-results.json +``` + +### Scan with Detailed Output + +For human-readable output alongside JSON: + +```bash +# JSON for programmatic processing +trivy fs . --severity HIGH,CRITICAL --format json --output trivy-results.json + +# Table format for review +trivy fs . --severity HIGH,CRITICAL --format table +``` + +## Scan Configuration Options + +| Option | Description | Example | +|--------|-------------|---------| +| `--severity` | Filter by severity level | `--severity HIGH,CRITICAL` | +| `--vuln-type` | Vulnerability types to scan | `--vuln-type os,library` | +| `--ignore-unfixed` | Skip vulnerabilities without fixes | `--ignore-unfixed` | +| `--format` | Output format | `--format json` or `--format table` | +| `--output` | Save results to file | `--output results.json` | + +## Supported Ecosystems + +Trivy automatically detects and scans these package ecosystems: + +- **Node.js**: package.json, package-lock.json, yarn.lock, pnpm-lock.yaml +- **Python**: requirements.txt, Pipfile, Pipfile.lock, pyproject.toml, poetry.lock +- **Java**: pom.xml, build.gradle, gradle.lockfile +- **Go**: go.mod, go.sum +- **Ruby**: Gemfile, Gemfile.lock +- **Rust**: Cargo.toml, Cargo.lock +- **PHP**: composer.json, composer.lock +- **.NET**: packages.lock.json, *.deps.json +- **Docker**: Dockerfile, container images + +## Understanding Scan Results + +The JSON output contains vulnerability details: + +```json +{ + "Results": [ + { + "Target": "package-lock.json", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2023-12345", + "PkgName": "example-package", + "InstalledVersion": "1.0.0", + "FixedVersion": "1.0.1", + "Severity": "HIGH", + "Title": "Security vulnerability description", + "Description": "Detailed vulnerability information", + "References": ["https://nvd.nist.gov/vuln/detail/CVE-2023-12345"] + } + ] + } + ] +} +``` + +## After Scanning + +Once the scan completes successfully and finds vulnerabilities that need fixing: + +**→ The `fix-vulnerabilities` skill will automatically activate to analyze and remediate the findings.** + +If no vulnerabilities are found or all found vulnerabilities have no fixes available, the process completes without remediation. + +## Scan Exit Codes + +- `0` - No vulnerabilities found +- `1` - Vulnerabilities detected (check severity filter) +- `>1` - Scan error occurred + +## Troubleshooting + +### Scan Takes Too Long + +```bash +# Skip OS packages if scanning a container +trivy fs . --vuln-type library + +# Skip specific directories +trivy fs . --skip-dirs node_modules,vendor +``` + +### False Positives + +Create a `.trivyignore` file in the repository root: + +``` +# Ignore specific CVEs +CVE-2023-12345 + +# Ignore by package +pkg:npm/example-package +``` + +### Network Issues + +```bash +# Use offline mode (requires pre-downloaded DB) +trivy fs . --offline-scan + +# Download vulnerability database separately +trivy image --download-db-only +``` + +## Summary Workflow + +1. **Install Trivy** using the appropriate method for your OS +2. **Run a scan** with severity filtering: `trivy fs . --severity HIGH,CRITICAL --format json --output trivy-results.json` +3. **Review results** in the JSON output file +4. **Proceed to remediation** - The `fix-vulnerabilities` skill will automatically activate if fixable vulnerabilities are found + +## Additional Resources + +- [Trivy Documentation](https://aquasecurity.github.io/trivy/) +- [CVE Database](https://nvd.nist.gov/) +- [GitHub Security Advisories](https://github.com/advisories) diff --git a/plugins/vulnerability-remediation/skills/security b/plugins/vulnerability-remediation/skills/security deleted file mode 120000 index b8c94874..00000000 --- a/plugins/vulnerability-remediation/skills/security +++ /dev/null @@ -1 +0,0 @@ -../../../skills/security \ No newline at end of file