Implementing multi-layer security scanning (container, SAST, DAST, SCA, secrets), SBOM generation, and risk-based vulnerability prioritization in CI/CD pipelines. Use when building DevSecOps workflows, ensuring compliance, or establishing security gates for container deployments.
View on GitHubskills/managing-vulnerabilities/SKILL.md
February 1, 2026
Select agents to install to:
npx add-skill https://github.com/ancoleman/ai-design-components/blob/main/skills/managing-vulnerabilities/SKILL.md -a claude-code --skill managing-vulnerabilitiesInstallation paths:
.claude/skills/managing-vulnerabilities/# Vulnerability Management Implement comprehensive vulnerability detection and remediation workflows across containers, source code, dependencies, and running applications. This skill covers multi-layer scanning strategies, SBOM generation (CycloneDX and SPDX), risk-based prioritization using CVSS/EPSS/KEV, and CI/CD security gate patterns. ## When to Use This Skill Invoke this skill when: - Building security scanning into CI/CD pipelines - Generating Software Bills of Materials (SBOMs) for compliance - Prioritizing vulnerability remediation using risk-based approaches - Implementing security gates (fail builds on critical vulnerabilities) - Scanning container images before deployment - Detecting secrets, misconfigurations, or code vulnerabilities - Establishing DevSecOps practices and automation - Meeting regulatory requirements (SBOM mandates, Executive Order 14028) ## Multi-Layer Scanning Strategy Vulnerability management requires scanning at multiple layers. Each layer detects different types of security issues. ### Layer Overview **Container Image Scanning** - Detects vulnerabilities in OS packages, language dependencies, and binaries - Tools: Trivy (comprehensive), Grype (accuracy-focused), Snyk Container (commercial) - When: Every container build, base image selection, registry admission control **SAST (Static Application Security Testing)** - Analyzes source code for security flaws before runtime - Tools: Semgrep (fast, semantic), Snyk Code (developer-first), SonarQube (enterprise) - When: Every commit, PR checks, main branch protection **DAST (Dynamic Application Security Testing)** - Tests running applications for vulnerabilities (black-box testing) - Tools: OWASP ZAP (open-source), StackHawk (CI/CD native), Burp Suite (manual + automated) - When: Staging environment testing, API validation, authentication testing **SCA (Software Composition Analysis)** - Analyzes third-party dependencies for known vulnerabilities - Tools: Dependabot (GitHub nat