scanning-container-security

Execute

Use when you need to work with security and compliance. This skill provides security scanning and vulnerability detection with comprehensive guidance and automation. Trigger with phrases like "scan for vulnerabilities", "implement security controls", or "audit security".

Score: 65

Quality: 58% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Advisory (Suggest reviewing before use)

Optimize this skill with Tessl

npx tessl skill review --optimize ./plugins/devops/container-security-scanner/skills/scanning-container-security/SKILL.md

Quality

Discovery (67%)

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description covers the basics with explicit 'what' and 'when' components and includes trigger phrases, which is good. However, it remains fairly generic within the security domain—listing broad capabilities like 'security scanning' and 'vulnerability detection' without specifying concrete actions, supported tools, or file types. The trigger terms are reasonable but lack breadth and specificity to clearly distinguish this skill from other security-related skills.

Suggestions

Add specific concrete actions such as 'scan dependencies for CVEs', 'generate compliance reports', 'check code for OWASP Top 10 vulnerabilities' to improve specificity.

Expand trigger terms to include common user phrases and variations like 'CVE scan', 'dependency audit', 'SAST', 'compliance check', 'security review', 'pen test', or specific frameworks like 'SOC 2', 'HIPAA'.

Dimension scores:

Specificity (2 / 3): The description names the domain (security and compliance) and mentions some actions like 'security scanning', 'vulnerability detection', and 'automation', but these are fairly broad and not concrete specific actions like 'scan Docker images for CVEs' or 'generate SBOM reports'.

Completeness (3 / 3): The description answers both 'what' (security scanning and vulnerability detection with guidance and automation) and 'when' (explicit trigger phrases and a 'Use when' clause mentioning security and compliance work). Both components are present and explicit.

Trigger Term Quality (2 / 3): It includes some relevant trigger phrases like 'scan for vulnerabilities', 'implement security controls', and 'audit security', which are reasonable terms users might say. However, it misses many common variations like 'CVE', 'penetration test', 'OWASP', 'compliance check', 'security review', or specific file/tool references.

Distinctiveness / Conflict Risk (2 / 3): While 'security and compliance' is a recognizable domain, the description is broad enough that it could overlap with more specific security skills (e.g., a dedicated SAST tool skill, a compliance reporting skill, or a network security skill). The triggers are somewhat generic within the security space.

Total: 9 / 12 (Passed)

Implementation (50%)

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill provides a solid structural overview of container security scanning with useful error handling and tool references, but falls short on actionability—most steps are descriptive rather than providing executable commands or complete configuration snippets. The workflow lacks explicit validation checkpoints and feedback loops critical for security scanning operations. The content is moderately concise but could be tightened by removing the natural-language example prompts and replacing them with actual executable examples.

Suggestions

Add complete, executable code blocks for key steps: a full Trivy scan command with output parsing via jq, a complete GitHub Actions YAML snippet for CI/CD integration, and a sample remediated Dockerfile diff.

Insert explicit validation checkpoints into the workflow, e.g., 'After scanning, verify no Critical CVEs remain: `trivy image --severity CRITICAL --exit-code 1 <image:tag>`. Only proceed to deployment if exit code is 0.'

Replace the natural-language Examples section with concrete input/output examples showing actual scan commands and their expected output formats (e.g., a sample JSON vulnerability report snippet).

Consider creating bundle files for reusable assets like a sample .trivyignore file, a GitHub Actions workflow template, and a hardened Dockerfile template, then reference them from the main skill.
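The validation checkpoint suggested above (fail the pipeline when findings at or above a severity threshold remain, after triaged IDs have been suppressed) can be implemented as a small post-processing step over Trivy's JSON output. The following is an added example, not code from the skill or from Trivy; the report and .trivyignore contents are constructed samples, and it assumes the basic one-ID-per-line .trivyignore format and Trivy's top-level "Results" / "Vulnerabilities" JSON layout.

```python
"""Severity gate over a Trivy JSON report, honouring a .trivyignore list."""
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in Trivy's JSON report shape (not a real scan result).
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "app:1.0 (alpine 3.18)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib", "Severity": "LOW"}]},
    {"Target": "app/requirements.txt", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "requests", "Severity": "HIGH"}]},
]})

# Constructed .trivyignore content: one ID per line, '#' starts a comment.
SAMPLE_TRIVYIGNORE = "# triaged: vulnerable code path not reachable in our image\nCVE-0000-0001\n"


def parse_trivyignore(text):
    """Return the set of vulnerability IDs to suppress (assumed basic format)."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids


def gate(report_json, threshold="CRITICAL", ignore_text=""):
    """Return (exit_code, counts_by_severity, blocking_findings).

    exit_code is 1 when any non-suppressed finding is at or above `threshold`,
    mirroring `trivy image --severity <T> --exit-code 1`, but applied after
    triage so the CI job fails only on findings nobody has accepted."""
    ignored = parse_trivyignore(ignore_text)
    counts = {}
    blocking = []
    for result in json.loads(report_json).get("Results", []):
        # Trivy emits "Vulnerabilities": null for clean targets; treat as empty.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln["VulnerabilityID"] in ignored:
                continue
            sev = vuln.get("Severity", "UNKNOWN").upper()
            counts[sev] = counts.get(sev, 0) + 1
            if SEVERITY_RANK.get(sev, 0) >= SEVERITY_RANK[threshold]:
                blocking.append((result["Target"], vuln["VulnerabilityID"], sev))
    return (1 if blocking else 0), counts, blocking
```

In a pipeline, run `trivy image --format json -o report.json <image:tag>`, feed the file to `gate()`, and exit with the returned code; print `blocking` so the triage decision is visible in the job log.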

Dimension scores:

Conciseness (2 / 3): The content is reasonably efficient but includes some unnecessary elaboration. The Examples section lists natural language prompts rather than executable examples, and some instructions describe what to do at a high level rather than providing lean, precise commands. The error handling table and resources are useful but the overall content could be tightened.

Actionability (2 / 3): The skill provides some concrete commands (e.g., `trivy image <image:tag>`, `hadolint Dockerfile`) but most instructions are descriptive rather than executable. There are no complete, copy-paste-ready code blocks or pipeline configurations. Steps like 'Evaluate image against CIS Docker Benchmark' and 'Produce remediation steps' are vague directives without concrete implementation.

Workflow Clarity (2 / 3): Steps are listed in a logical sequence (lint → scan → report → remediate → integrate), but there are no explicit validation checkpoints or feedback loops. For security scanning, where false positives need triaging and builds should fail on thresholds, the workflow lacks explicit 'verify before proceeding' gates. The error handling table partially compensates but isn't integrated into the workflow steps.

Progressive Disclosure (2 / 3): The content is well-sectioned (Overview, Prerequisites, Instructions, Output, Error Handling, Examples, Resources) which aids navigation. However, with no bundle files, all content is inline in a single file. The CI/CD pipeline configuration and remediation Dockerfile patches mentioned in Output could benefit from separate reference files. The Resources section provides external links but no internal file references for deeper content.

Total: 8 / 12 (Passed)

Validation (81%)

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 9 / 11 Passed

Validation for skill structure:

allowed_tools_field: 'allowed-tools' contains unusual tool name(s). Result: Warning

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata. Result: Warning

Total: 9 / 11 (Passed)

Repository: jeremylongshore/claude-code-plugins-plus-skills (Reviewed)
