Which SBOM format should I use?

This skill recommends CycloneDX for DevSecOps and vulnerability tracking due to its lightweight nature, while suggesting SPDX for legal, ISO-standard, or government compliance needs.

Does it work with specific CI/CD platforms?

The logic is platform-agnostic, but it provides specific implementation patterns and YAML examples for GitHub Actions, GitLab CI, and other popular automation tools.

What scanning tools does this skill support?

This skill provides guidance for industry-standard tools including Trivy, Grype, Semgrep, Gitleaks, Snyk, and OWASP ZAP across multiple security layers.

How does it help prioritize security fixes?

It implements a modern risk-based prioritization framework that combines CVSS scores with EPSS (exploitation probability) and CISA's KEV catalog to determine actual risk.

Can this skill help with SBOM compliance?

Yes, it includes detailed patterns for generating CycloneDX and SPDX format SBOMs to meet regulatory requirements like Executive Order 14028.

Vulnerability Management & DevSecOps

Name: Vulnerability Management & DevSecOps
Author: ancoleman

byancoleman

•

158

•

Security & Testing

Implements multi-layer security scanning, SBOM generation, and risk-based vulnerability prioritization within CI/CD pipelines.

This skill empowers Claude to design and implement comprehensive vulnerability management workflows across the entire software development lifecycle. It provides expert guidance on multi-layer scanning strategies—including SAST, DAST, SCA, and container security—while offering actionable frameworks for generating SBOMs and prioritizing remediation based on real-world risk metrics like CVSS, EPSS, and KEV. It is an essential tool for developers and DevOps engineers looking to automate security gates, ensure regulatory compliance, and establish robust DevSecOps practices in AI-assisted development environments.

Key Features

01Multi-layer security scanning integration (SAST, DAST, SCA, Secrets)

02Container image scanning and remediation workflows with Trivy and Grype

03158 GitHub stars

04SBOM generation and management using CycloneDX and SPDX standards

05Automated CI/CD security gate implementation and policy-as-code

06Risk-based prioritization framework using CVSS, EPSS, and KEV metrics

Use Cases

01Generating and auditing Software Bills of Materials (SBOMs) for regulatory compliance

02Establishing an SLA-driven vulnerability remediation strategy for engineering teams

03Automating security scanning and compliance gates in GitHub Actions or GitLab CI

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add ancoleman/ai-design-components managing-vulnerabilities

For use in Claude.ai and ChatGPT

Download Skill