Bug Description
Trivy is currently categorized as a single SCA tool (sca-trivy) in devsecops/, but it's a multi-purpose scanner that handles container scanning, IaC analysis, secret detection, and SBOM validation. This creates unclear trigger conditions for the agent and doesn't reflect Trivy's full capabilities.
Affected Skill
Skill Name: sca-trivy
Skill Path: skills/devsecops/sca-trivy/
Current Problem
Issue 1: Naming is too narrow
- Named sca-trivy but does much more than SCA
- Agent unclear when to trigger (images vs IaC vs secrets)
Issue 2: Single mega-skill vs specialized skills
- One skill trying to cover all use cases = SKILL.md > 500 lines
- "Use when" description becomes vague: "Use when... scanning anything with Trivy"
Issue 3: Category fit
- Fits in devsecops/ (CI/CD scanning)
- Also fits in container-security/ (runtime scanning)
- Also fits in secsdlc/ (security gates)
Expected Behavior
Agent should clearly know:
- "Scan image for vulnerabilities" → triggers correct Trivy skill
- "Check Terraform for misconfigurations" → triggers IaC-specific skill
- Each skill has focused, clear "Use when" clause
Proposed Solutions
Proposed Solution: Specialized Skills (One Tool, Multiple Use Cases)
Rationale: Same tool, different specializations = clear triggers, no duplication
skills/devsecops/
├── sca-trivy/ # Images, dependencies, SBOM (PRIMARY)
└── iac-trivy/ # Terraform, K8s, Dockerfile (SPECIALIZED)
skills/container-security/
└── runtime-trivy/ # Running containers, K8s pods (SPECIALIZED)
Benefits:
- ✅ Clear agent triggers
- ✅ Each SKILL.md < 500 lines
- ✅ Shared library eliminates code duplication
- ✅ Better discoverability (search "IaC" finds iac-trivy)
- ✅ Non-destructive (all use same tool binary)
Implementation:
# Shared library approach
skills/devsecops/sca-trivy/scripts/lib/trivy_wrapper.py
skills/devsecops/iac-trivy/scripts/lib/ → symlink to above
skills/container-security/runtime-trivy/scripts/lib/ → symlink to above
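As an added illustration of what a shared trivy_wrapper.py could look like (this is example code written here, not the project's own library): each specialized skill maps to one Trivy subcommand, all of them reuse the same command builder, JSON parser and severity gate, so no skill carries its own copy. It assumes the trivy binary is on PATH and uses only documented subcommands and flags (image, config, fs, --format json, --severity, --scanners); the SAMPLE_REPORT below is constructed to mirror Trivy's JSON layout and is not real scanner output.

```python
"""Shared Trivy helper for sca-trivy, iac-trivy and runtime-trivy (added example, not project code)."""
import json
import shutil
import subprocess
from dataclasses import dataclass

# Assumed mapping of each specialized skill's mode to the Trivy subcommand it owns.
MODE_TO_SUBCOMMAND = {
    "image": "image",  # sca-trivy: container images, OS and language packages, SBOM
    "fs": "fs",        # sca-trivy: local project trees and lockfiles
    "iac": "config",   # iac-trivy: Terraform, Kubernetes manifests, Dockerfiles
}


def build_command(mode, target, severities=("HIGH", "CRITICAL"), scanners=None):
    """Build the argv for one scan so every skill invokes Trivy the same way."""
    subcommand = MODE_TO_SUBCOMMAND[mode]  # KeyError on an unknown mode is intentional
    argv = ["trivy", subcommand, "--format", "json", "--severity", ",".join(severities)]
    if scanners:  # e.g. ("vuln", "secret") to limit what the image scan looks for
        argv += ["--scanners", ",".join(scanners)]
    return argv + [target]


@dataclass(frozen=True)
class Finding:
    kind: str      # "vuln", "misconfig" or "secret"
    target: str    # file, image layer or manifest the finding belongs to
    id: str        # CVE id, check id or secret rule id as reported by Trivy
    severity: str
    summary: str


def parse_report(report):
    """Flatten a Trivy JSON report into Finding objects regardless of scan type."""
    findings = []
    for result in report.get("Results", []):
        target = result.get("Target", "")
        for v in result.get("Vulnerabilities") or []:
            fix = v.get("FixedVersion") or "no fix available"
            findings.append(Finding("vuln", target, v["VulnerabilityID"], v["Severity"],
                                    f"{v['PkgName']} {v['InstalledVersion']} -> {fix}"))
        for m in result.get("Misconfigurations") or []:
            findings.append(Finding("misconfig", target, m["ID"], m["Severity"], m.get("Title", "")))
        for s in result.get("Secrets") or []:
            findings.append(Finding("secret", target, s["RuleID"], s["Severity"], s.get("Title", "")))
    return findings


def should_fail(findings, fail_on=("CRITICAL",)):
    """Security-gate decision shared by all skills: fail the pipeline on the listed severities."""
    return any(f.severity in fail_on for f in findings)


def run_scan(mode, target, **kwargs):
    """Run Trivy and return parsed findings; requires the real binary, so not exercised offline."""
    if shutil.which("trivy") is None:
        raise RuntimeError("trivy binary not found on PATH")
    proc = subprocess.run(build_command(mode, target, **kwargs),
                          capture_output=True, text=True, check=True)
    return parse_report(json.loads(proc.stdout))


# Constructed sample shaped like a Trivy v2-schema report; ids and names are placeholders.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "example.local/app:1.0",
    "Results": [
        {"Target": "example.local/app:1.0 (alpine 3.18.0)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [{"VulnerabilityID": "CVE-0000-00001", "PkgName": "libexample",
                              "InstalledVersion": "1.0.0-r0", "FixedVersion": "1.0.1-r0",
                              "Severity": "CRITICAL"}]},
        {"Target": "deploy/main.tf", "Class": "config", "Type": "terraform",
         "Misconfigurations": [{"ID": "AVD-EXAMPLE-0001", "Severity": "HIGH",
                                "Title": "Storage bucket is publicly readable"}]},
        {"Target": "config/.env", "Class": "secret",
         "Secrets": [{"RuleID": "example-api-token", "Severity": "HIGH",
                      "Title": "Example API token"}]},
    ],
}

if __name__ == "__main__":
    for f in parse_report(SAMPLE_REPORT):
        print(f"[{f.severity}] {f.kind:10} {f.target}: {f.id} {f.summary}")
    print("gate:", "FAIL" if should_fail(parse_report(SAMPLE_REPORT)) else "PASS")
```

Each skill's SKILL.md then only documents its own mode (which targets, which default scanners, which severities gate the build), while the command construction, report parsing and gate live once in the shared module that the symlinks point at.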
Alternative Considered: Single Skill
Keep one scan-trivy skill in devsecops/ that handles everything.
Rejected because:
- ❌ SKILL.md becomes too long
- ❌ Agent confusion on when to trigger
- ❌ Violates single responsibility principle
Possible Action Items
- sca-trivy → keep name, update description to focus on images/dependencies
- devsecops/iac-trivy/ for IaC scanning
- container-security/runtime-trivy/ for container runtime scanning
- trivy_wrapper.py library
Additional Context
Similar tools for comparison:
- Grype = Single purpose (CVE scanning) → Single skill ✅
- Trivy = Multi-purpose → Multiple specialized skills ✅
- Checkov = IaC-focused → Single skill ✅