
from skilllearnbench17
Run Trivy in offline mode to scan dependency files (package-lock.json, etc.) for HIGH/CRITICAL vulnerabilities and produce machine-readable JSON results.
This skill provides a concise, reproducible workflow for running the Trivy vulnerability scanner in fully offline mode against dependency files (for example, package-lock.json). It documents the exact CLI flags required to avoid network access, filter severities to HIGH and CRITICAL, and emit JSON output suitable for automated parsing. The skill includes flag explanations and a sample JSON output structure so agents can interpret results consistently.
Use this skill when you need to scan project dependency manifests in air-gapped or restricted environments, or when CI runners lack internet access for DB updates. It's ideal for scheduled security checks where only high-severity findings should trigger alerts, and for automation pipelines that consume Trivy's JSON output for triage or reporting.
This is a CLI-focused skill and works well with agent runtimes that can execute shell commands or orchestrate CI jobs (Copilot/Codex-like agents, CLI automation agents, or Claude Code style integrations).
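The workflow the skill describes, as an added example that is not the skill's own code or Trivy's: the first function builds the offline invocation (the cache directory is an assumed path), and the rest load and triage the JSON report using Trivy's Results[].Vulnerabilities[] layout; the sample report and its CVE ids are constructed placeholders.

```python
"""Offline Trivy scan of dependency files plus JSON triage of HIGH/CRITICAL findings."""
import json
import subprocess
from typing import Dict, List

GATE_SEVERITIES = {"CRITICAL", "HIGH"}


def trivy_offline_command(target: str, out_path: str, cache_dir: str = "/opt/trivy-cache") -> List[str]:
    """argv for a filesystem scan that never touches the network: --skip-db-update and
    --skip-java-db-update stop DB downloads, --offline-scan stops remote lookups during
    analysis, --cache-dir points at the pre-seeded DB (assumed path, supply your own)."""
    return ["trivy", "fs", "--scanners", "vuln",
            "--skip-db-update", "--skip-java-db-update", "--offline-scan",
            "--cache-dir", cache_dir, "--severity", ",".join(sorted(GATE_SEVERITIES)),
            "--format", "json", "--output", out_path, target]


def run_scan(target: str, out_path: str) -> Dict:
    """Execute the scan (trivy must be on PATH) and load the report it wrote."""
    subprocess.run(trivy_offline_command(target, out_path), check=True)
    with open(out_path, encoding="utf-8") as fh:
        return json.load(fh)


def triage(report: Dict) -> List[Dict]:
    """Flatten findings from Trivy's layout (Results[].Vulnerabilities[]); the
    Vulnerabilities key is absent for a clean target, so treat it as optional."""
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") in GATE_SEVERITIES:  # re-filter in case --severity was dropped
                findings.append({"target": result.get("Target"), "id": vuln.get("VulnerabilityID"),
                                 "pkg": vuln.get("PkgName"), "installed": vuln.get("InstalledVersion"),
                                 "fixed": vuln.get("FixedVersion") or "none", "severity": vuln["Severity"]})
    return findings


def gate_exit_code(report: Dict) -> int:
    """1 when any HIGH/CRITICAL finding exists (fail the CI job), else 0."""
    return 1 if triage(report) else 0

# Constructed sample report following Trivy's JSON shape; the CVE ids are placeholders.
SAMPLE_REPORT = json.loads("""{"SchemaVersion": 2, "ArtifactName": ".", "ArtifactType": "filesystem",
 "Results": [{"Target": "package-lock.json", "Class": "lang-pkgs", "Type": "npm", "Vulnerabilities": [
   {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-pkg", "InstalledVersion": "1.0.0",
    "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
   {"VulnerabilityID": "CVE-0000-0002", "PkgName": "other-pkg", "InstalledVersion": "2.3.0",
    "FixedVersion": "", "Severity": "MEDIUM"}]},
  {"Target": "requirements.txt", "Class": "lang-pkgs", "Type": "pip"}]}""")
```

In a pipeline, call `run_scan(".", "trivy.json")` and exit with `gate_exit_code(...)` so only HIGH/CRITICAL findings fail the job; `triage(...)` gives the flattened rows for reporting.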