
[BUG] trivy sub-categorization #4

@skyopsai

Description

Bug Description

Trivy is currently categorized as a single SCA tool (sca-trivy) in devsecops/, but it's a multi-purpose scanner that handles container scanning, IaC analysis, secret detection, and SBOM validation. This creates unclear trigger conditions for the agent and doesn't reflect Trivy's full capabilities.

Affected Skill

Skill Name: sca-trivy
Skill Path: skills/devsecops/sca-trivy/

Current Problem

Issue 1: Naming is too narrow

  • Named sca-trivy but does much more than SCA
  • Agent unclear when to trigger (images vs IaC vs secrets)

Issue 2: Single mega-skill vs specialized skills

  • One skill trying to cover all use cases = SKILL.md > 500 lines
  • "Use when" description becomes vague: "Use when... scanning anything with Trivy"

Issue 3: Category fit

  • Fits in devsecops/ (CI/CD scanning)
  • Also fits in container-security/ (runtime scanning)
  • Also fits in secsdlc/ (security gates)

Expected Behavior

Agent should clearly know:

  • "Scan image for vulnerabilities" → triggers correct Trivy skill
  • "Check Terraform for misconfigurations" → triggers IaC-specific skill
  • Each skill has focused, clear "Use when" clause

Proposed Solutions

Proposed Solution: Specialized Skills (One Tool, Multiple Use Cases)

Rationale: Same tool, different specializations = clear triggers, no duplication

skills/devsecops/
├── sca-trivy/              # Images, dependencies, SBOM (PRIMARY)
└── iac-trivy/              # Terraform, K8s, Dockerfile (SPECIALIZED)

skills/container-security/
└── runtime-trivy/          # Running containers, K8s pods (SPECIALIZED)

Benefits:

  • ✅ Clear agent triggers
  • ✅ Each SKILL.md < 500 lines
  • ✅ Shared library eliminates code duplication
  • ✅ Better discoverability (search "IaC" finds iac-trivy)
  • ✅ Non-destructive (all use same tool binary)

Implementation:

# Shared library approach
skills/devsecops/sca-trivy/scripts/lib/trivy_wrapper.py
skills/devsecops/iac-trivy/scripts/lib/ → symlink to above
skills/container-security/runtime-trivy/scripts/lib/ → symlink to above
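As an added illustration of the shared-library approach above (example code, not the repository's own trivy_wrapper.py), a hypothetical wrapper that maps each proposed skill name to one Trivy invocation and summarizes the JSON report by severity; the --format, --severity and --scanners flags are real Trivy options, while the MODES table and SAMPLE_REPORT are assumptions constructed for this example.

```python
"""Hypothetical shared trivy_wrapper.py (added example, not the repository's code).
Each specialized skill picks a mode; CLI building and report parsing live here once."""
import json
import subprocess
from collections import Counter

SEVERITIES = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
# skill name -> (Trivy subcommand, scanners that skill owns); skill names from the issue
MODES = {
    "sca-trivy": ("image", ["vuln"]),                # images, dependencies
    "iac-trivy": ("config", []),                     # Terraform, K8s, Dockerfile
    "runtime-trivy": ("image", ["vuln", "secret"]),  # images of running workloads
}


def build_command(skill: str, target: str, min_severity: str = "HIGH") -> list[str]:
    """Return argv for one skill; an unknown skill fails loudly instead of 'scanning anything'."""
    if skill not in MODES:
        raise ValueError(f"unknown Trivy skill: {skill}")
    subcommand, scanners = MODES[skill]
    wanted = ",".join(SEVERITIES[SEVERITIES.index(min_severity):])
    cmd = ["trivy", subcommand, "--format", "json", "--severity", wanted]
    if scanners:  # `trivy config` is misconfiguration-only and takes no scanner list
        cmd += ["--scanners", ",".join(scanners)]
    return cmd + [target]


def summarize(report: dict) -> dict[str, int]:
    """Count findings per severity. Trivy keeps vulnerabilities, misconfigurations and
    secrets in separate lists under each Results[] entry, so one loop serves all skills."""
    counts: Counter = Counter()
    for result in report.get("Results") or []:
        for key in ("Vulnerabilities", "Misconfigurations", "Secrets"):
            counts.update(f.get("Severity", "UNKNOWN") for f in result.get(key) or [])
    return dict(counts)


def run(skill: str, target: str, min_severity: str = "HIGH") -> dict[str, int]:
    """Invoke the trivy binary (must be on PATH) and return the severity counts."""
    proc = subprocess.run(build_command(skill, target, min_severity), capture_output=True, text=True, check=True)
    return summarize(json.loads(proc.stdout))


# Constructed sample in Trivy's JSON report shape so summarize() can be tried offline.
SAMPLE_REPORT = {"Results": [
    {"Target": "alpine:3.18", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-PLACEHOLDER-1", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-PLACEHOLDER-2", "Severity": "CRITICAL"}]},
    {"Target": "main.tf", "Misconfigurations": [{"ID": "PLACEHOLDER", "Severity": "HIGH"}]},
]}
```

Each skill's SKILL.md then only needs to name its mode and target, which keeps the "Use when" clause narrow while the symlinked library carries the Trivy-specific logic.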

Alternative Considered: Single Skill

Keep one scan-trivy skill in devsecops/ that handles everything.

Rejected because:

  • ❌ SKILL.md becomes too long
  • ❌ Agent confusion on when to trigger
  • ❌ Violates single responsibility principle

Possible Action Items

  • Rename sca-trivy → keep name, update description to focus on images/dependencies
  • Create devsecops/iac-trivy/ for IaC scanning
  • Create container-security/runtime-trivy/ for container runtime scanning
  • Implement shared trivy_wrapper.py library
  • Update marketplace.json with three specialized skills
  • Update SKILL_REFERENCE.md with multi-skill pattern guidance

Additional Context

Similar tools for comparison:

  • Grype = Single purpose (CVE scanning) → Single skill ✅
  • Trivy = Multi-purpose → Multiple specialized skills ✅
  • Checkov = IaC-focused → Single skill ✅

Metadata

Assignees: No one assigned
Labels: bug (Something isn't working), good first issue (Good for newcomers)
Projects: No projects
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests