Do I need to manually trigger scans?

No, the workflows are pre-configured to trigger automatically on every Pull Request and push to the main branch for continuous security.

What scanners are included in these workflows?

The workflows include CodeQL for static analysis (SAST), Trivy for container image scanning, and specialized tools for dependency vulnerability detection.

How are the security results visualized?

All scanning results are uploaded via SARIF format to the GitHub Security tab, providing a centralized dashboard for tracking and managing vulnerabilities.

Are these workflows secure by design?

Yes, the templates utilize SHA-pinned actions to prevent supply chain attacks and use minimal GITHUB_TOKEN permissions (security-events: write).

Can I block PRs based on security findings?

Absolutely. The workflows include security gates that can be configured to block merges when critical or high-severity vulnerabilities are detected.

Security Scanning Workflows

Name: Security Scanning Workflows
Author: adaptive-enforcement-lab

byadaptive-enforcement-lab

0•

Security & Testing

Automates comprehensive security scanning by integrating SAST, dependency checks, and container vulnerability detection into CI/CD pipelines.

This skill provides production-ready GitHub Actions templates for implementing a robust 'shift-left' security strategy. It simplifies the setup of complex security workflows, including CodeQL static analysis, Trivy container scanning, and dependency auditing. By leveraging SARIF uploads to the GitHub Security tab and implementing automated security gates, it ensures that vulnerabilities are identified and remediated before they reach production, all while adhering to security best practices like SHA-pinned actions and minimal GITHUB_TOKEN permissions.

Key Features

01Dependency vulnerability scanning with automated severity-based merge gates

02Standardized SARIF result uploading to the GitHub Security dashboard

03Hardened configurations using SHA-pinned actions and minimal permissions

040 GitHub stars

05SAST integration using CodeQL for deep code-level vulnerability detection

06Container image security scanning via Trivy for infrastructure protection

Use Cases

01Standardizing security compliance across multiple microservices with uniform scanning patterns.

02Implementing a complete DevSecOps pipeline for new or existing GitHub repositories.

03Preventing insecure code or vulnerable dependencies from reaching production via automated merge gates.

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add adaptive-enforcement-lab/claude-skills security-scanning-workflows

For use in Claude.ai and ChatGPT

Download Skill