run-manual-docker-security-scan
Guide for running a manual Docker security scan for the tracker runtime image and documenting results. Covers build, Trivy scan, CVE triage, per-CVE catalog updates, and scan history updates. Use when asked to run a manual container scan, triage Docker CVEs, or refresh security scan docs.
Install
mkdir -p .claude/skills/run-manual-docker-security-scan && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/16600" && unzip -o skill.zip -d .claude/skills/run-manual-docker-security-scan && rm skill.zip
Installs to .claude/skills/run-manual-docker-security-scan
About this skill
Run Manual Docker Security Scan
Use this workflow to run and document manual security scans for the tracker production container.
Scope
- Target image: tracker runtime image built from the root Containerfile.
- Main severity gate: HIGH,CRITICAL.
- Documentation outputs:
  - docs/security/docker/scans/torrust-tracker.md
  - docs/security/docker/scans/README.md
  - docs/security/analysis/non-affecting/CVE-*.md (when non-affecting CVEs are analyzed)
Quick Commands
# 1) Build runtime image
docker build -t torrust-tracker:local -f Containerfile .
# 2) Gate scan (primary)
trivy image --severity HIGH,CRITICAL torrust-tracker:local
# 3) Full context scan (optional but recommended)
trivy image --severity MEDIUM,HIGH,CRITICAL torrust-tracker:local
Workflow
Step 1: Check Existing Catalog First
Before analyzing any CVE, search the existing catalog:
grep -R "CVE-<id>" docs/security/analysis/non-affecting/
If the CVE is already present and its requires-recheck-when conditions have not changed, reuse the existing verdict.
Step 2: Build and Scan
- Build the local runtime image from Containerfile.
- Run the gate scan with HIGH,CRITICAL.
- Run the optional full scan (MEDIUM,HIGH,CRITICAL) to capture trend context.
Step 3: Update Scan History Docs
Update:
- docs/security/docker/scans/torrust-tracker.md with:
  - date/time, Trivy version, totals by severity
  - notable CVEs and rationale
- docs/security/docker/scans/README.md summary table with latest status and date.
Step 4: Document New Non-Affecting CVEs
For any new non-affecting CVE, create docs/security/analysis/non-affecting/CVE-<id>.md with:
- frontmatter fields:
  - cve-id
  - date-analyzed
  - source
  - status: non-affecting
  - review-cadence
  - requires-recheck-when
- evidence-based explanation tied to tracker architecture
- conditions that would invalidate the current verdict
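The catalog check in Step 1, the gate scan in Step 2 and the frontmatter contract in Step 4 can be tied together in one triage helper. The script below is an added example, not part of the skill or the tracker project. It assumes a Trivy report produced with `trivy image --format json --output report.json --severity HIGH,CRITICAL torrust-tracker:local` (layout `Results[].Vulnerabilities[].{VulnerabilityID,Severity,PkgName}`), catalog files whose frontmatter is a `---`-delimited block of `key: value` lines, and uses constructed placeholder CVE ids (CVE-0000-0000x) and package names rather than real findings. For each gate finding it reuses the catalog verdict only when the entry exists, is marked non-affecting and carries every required frontmatter field; everything else is listed for manual triage.

```python
"""Triage a Trivy JSON report against the non-affecting CVE catalog.

Added example (not the skill's own code). Assumes the Trivy JSON layout
Results[].Vulnerabilities[].{VulnerabilityID,Severity,PkgName} and catalog
files docs/security/analysis/non-affecting/CVE-*.md with '---' frontmatter.
"""
import json
import re
import tempfile
from pathlib import Path

# Required frontmatter fields from Step 4 of the workflow.
REQUIRED_FIELDS = ("cve-id", "date-analyzed", "source", "status",
                   "review-cadence", "requires-recheck-when")
GATE = {"HIGH", "CRITICAL"}  # main severity gate


def parse_frontmatter(text):
    """Return key/value pairs from a '---'-delimited block of 'key: value' lines."""
    match = re.match(r"^---\n(.*?)\n---", text, re.DOTALL)
    if not match:
        return {}
    fields = {}
    for line in match.group(1).splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def load_catalog(catalog_dir):
    """Map CVE id -> frontmatter for every CVE-*.md in the catalog directory."""
    catalog = {}
    for path in Path(catalog_dir).glob("CVE-*.md"):
        fm = parse_frontmatter(path.read_text(encoding="utf-8"))
        catalog[fm.get("cve-id", path.stem)] = fm
    return catalog


def missing_fields(frontmatter):
    """Required Step 4 fields absent from a catalog entry."""
    return [f for f in REQUIRED_FIELDS if f not in frontmatter]


def load_report(path):
    """Load a report written by 'trivy image --format json --output <path>'."""
    return json.loads(Path(path).read_text(encoding="utf-8"))


def gate_findings(report):
    """Deduplicated (cve, severity, package) tuples at or above the gate."""
    seen, out = set(), []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            key = (v["VulnerabilityID"], v["Severity"], v["PkgName"])
            if v["Severity"] in GATE and key not in seen:
                seen.add(key)
                out.append(key)
    return out


def triage(report, catalog):
    """Split gate findings into reusable verdicts and CVEs that need analysis.

    A catalog verdict is reused only when the entry exists, its status is
    'non-affecting' and its frontmatter is complete; anything else is flagged.
    """
    reuse, needs_triage = set(), set()
    for cve, severity, pkg in gate_findings(report):
        entry = catalog.get(cve)
        if entry and entry.get("status") == "non-affecting" and not missing_fields(entry):
            reuse.add(cve)
        else:
            needs_triage.add((cve, severity, pkg))
    return sorted(reuse), sorted(needs_triage)


# Constructed sample data with placeholder CVE ids (not real findings).
SAMPLE_REPORT = {"Results": [{"Target": "torrust-tracker:local (constructed)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-00001", "Severity": "HIGH", "PkgName": "libexample1"},
    {"VulnerabilityID": "CVE-0000-00002", "Severity": "CRITICAL", "PkgName": "libexample2"},
    {"VulnerabilityID": "CVE-0000-00003", "Severity": "MEDIUM", "PkgName": "libexample3"},
]}]}

SAMPLE_CATALOG_ENTRY = """---
cve-id: CVE-0000-00001
date-analyzed: 2000-01-01
source: trivy
status: non-affecting
review-cadence: every-scan
requires-recheck-when: base image changes
---
# CVE-0000-00001 (constructed placeholder entry)
"""


def demo():
    """Run the triage over the constructed report and a one-entry catalog."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "CVE-0000-00001.md").write_text(SAMPLE_CATALOG_ENTRY, encoding="utf-8")
        return triage(SAMPLE_REPORT, load_catalog(d))


if __name__ == "__main__":
    reuse, new = demo()
    print("reuse existing verdicts:", reuse)
    print("needs triage:", new)
```

The MEDIUM finding is dropped by the gate, the cataloged HIGH CVE is reused, and the CRITICAL one with no catalog entry is the only item left for manual analysis. An entry with incomplete frontmatter is deliberately treated as uncataloged so that a half-written file never silences a finding.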
Step 5: Escalate Affecting CVEs
If a CVE is affecting:
- create/update a tracking issue
- include impact, affected component, exploitability context, and remediation plan
- update scan docs with current status and owner
Recheck Triggers
Re-evaluate catalog verdicts when any of these happen:
- Containerfile base image changes
- new runtime/system dependency is introduced
- code path changes that satisfy a CVE file's requires-recheck-when condition
Completion Checklist
- trivy gate scan executed (HIGH,CRITICAL)
- scan history files updated
- new CVEs cataloged or linked to existing catalog entries
- affecting CVEs escalated
- linter all passes