Use when you need to work with security and compliance. This skill provides security scanning and vulnerability detection with comprehensive guidance and automation. Trigger with phrases like "scan for vulnerabilities", "implement security controls", or "audit security".
Overall score: 58%
Does it follow best practices?
Impact: no eval scenarios have been run
Passed: no known issues
Optimize this skill with Tessl:
npx tessl skill review --optimize ./plugins/devops/container-security-scanner/skills/scanning-container-security/SKILL.md
Quality
Discovery
67%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description covers the basics of what the skill does and when to use it, including explicit trigger phrases. However, it remains fairly high-level and generic within the security domain—listing broad capabilities like 'security scanning' and 'vulnerability detection' without specifying concrete actions, supported tools, or file types. Greater specificity would help distinguish it from other potential security-related skills.
Suggestions
Add specific concrete actions such as 'scan container images for CVEs', 'check code for OWASP Top 10 vulnerabilities', or 'generate compliance reports for SOC2/HIPAA' to improve specificity.
Expand trigger terms to include common user phrases and variations like 'CVE scan', 'penetration test', 'SAST', 'dependency audit', 'compliance check', 'security review', and specific framework names.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain (security and compliance) and mentions some actions like 'security scanning', 'vulnerability detection', and 'automation', but these are fairly broad and not concrete specific actions like 'scan Docker images for CVEs' or 'generate SBOM reports'. | 2 / 3 |
| Completeness | The description answers both 'what' (security scanning, vulnerability detection, guidance and automation) and 'when' (explicit trigger phrases and a 'Use when' clause mentioning security and compliance work). Both components are present and explicit. | 3 / 3 |
| Trigger Term Quality | Includes some relevant trigger phrases like 'scan for vulnerabilities', 'implement security controls', and 'audit security', which are reasonable terms users might say. However, it misses many common variations like 'CVE', 'penetration test', 'OWASP', 'compliance check', 'security review', or specific tool names. | 2 / 3 |
| Distinctiveness Conflict Risk | While 'security and compliance' is a recognizable domain, the description is broad enough that it could overlap with more specific security skills (e.g., a dedicated SAST tool skill, a compliance reporting skill, or a network security skill). The triggers help but are still fairly general within the security domain. | 2 / 3 |
| Total | | 9 / 12 Passed |
Implementation
50%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides a well-structured overview of container security scanning with good tool coverage and a useful error handling table. However, it lacks executable, copy-paste-ready examples (pipeline configs, complete scan-and-remediate scripts) and explicit validation/feedback loops in the workflow. The content reads more like a checklist of what to do rather than precise instructions Claude can directly execute.
Suggestions
Add complete, executable code blocks for key workflows: a full Trivy scan command with JSON output piped through jq, a GitHub Actions YAML snippet for CI integration, and a remediated Dockerfile example.
Insert explicit validation checkpoints in the workflow, e.g., 'After scanning, verify no Critical CVEs remain: `trivy image --severity CRITICAL --format json <image:tag> | jq '[.Results[].Vulnerabilities[]?] | length'` should return 0 before proceeding.' (The JSON output format is required for jq to parse the result, and the `[]?` guard tolerates results whose `Vulnerabilities` field is null.)
Move the detailed CI/CD pipeline configuration and remediation Dockerfile patches into separate bundle files (e.g., `ci-pipeline.yml`, `remediation-examples.md`) and reference them from the main skill.
Remove or condense the Examples section—the natural language prompts don't add actionable value—and replace with a concrete input/output example showing a scan command and its parsed results.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is reasonably efficient but includes some unnecessary sections like 'Examples' that just list natural language prompts rather than executable examples, and the 'Resources' section with URLs Claude likely already knows. The overview paragraph also restates what the title already conveys. | 2 / 3 |
| Actionability | Instructions reference specific tools and some commands (e.g., `trivy image <image:tag>`, `hadolint Dockerfile`), but most steps are descriptive rather than executable. There are no complete, copy-paste-ready code blocks or pipeline configurations, just inline command fragments and high-level descriptions of what to do. | 2 / 3 |
| Workflow Clarity | Steps are numbered and sequenced logically from linting through scanning to CI integration, but there are no explicit validation checkpoints or feedback loops. For security scanning, where false positives need triaging and rescanning after remediation is critical, the absence of verify-then-proceed gates is a notable gap. | 2 / 3 |
| Progressive Disclosure | The content is organized into clear sections (Overview, Prerequisites, Instructions, Output, Error Handling, Examples, Resources), which is good structure. However, with no bundle files, the CI/CD pipeline configuration, remediation Dockerfile patches, and policy documents mentioned in Output have no supporting references. The content is somewhat monolithic for its scope. | 2 / 3 |
| Total | | 8 / 12 Passed |
Validation
81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 Passed |