@northbridge-security/secureai 0.1.13

package/tasks/claude.yml

@@ -0,0 +1,183 @@
+# Claude Code & MCP Task Library
+# Tasks for managing Claude Code integration and MCP servers
+
+version: "3"
+
+tasks:
+  default:
+    desc: "Show available Claude Code tasks"
+    aliases: [help, h]
+    silent: true
+    cmds:
+      - |
+        # Color codes
+        GREEN='\033[0;32m'
+        YELLOW='\033[0;33m'
+        BOLD='\033[1m'
+        NC='\033[0m'
+
+        echo -e "${BOLD}Claude Code & MCP Operations${NC}"
+        echo ""
+        echo "Command                            Alias     Description                              Examples"
+        echo "───────────────────────────────────────────────────────────────────────────────────────────────────"
+        echo -e "${BOLD}Settings Management:${NC}"
+        echo -e "  ${GREEN}task claude:settings:open${NC}        ${YELLOW}so${NC}        Open Claude settings.json in IDE"
+        echo -e "  ${GREEN}task claude:settings:show${NC}        ${YELLOW}ss${NC}        Show current Claude settings"
+        echo -e "  ${GREEN}task claude:settings:path${NC}        ${YELLOW}sp${NC}        Print Claude settings file path"
+        echo ""
+        echo -e "${BOLD}MCP Server Management:${NC}"
+        echo -e "  ${GREEN}task claude:mcp:install${NC}          ${YELLOW}mi${NC}        Install MCP server globally"
+        echo -e "  ${GREEN}task claude:mcp:verify${NC}           ${YELLOW}mv${NC}        Verify MCP server installation"
+        echo -e "  ${GREEN}task claude:mcp:status${NC}           ${YELLOW}ms${NC}        Show MCP server status"
+        echo -e "  ${GREEN}task claude:mcp:remove${NC}           ${YELLOW}mr${NC}        Remove MCP server"
+        echo ""
+        echo -e "${BOLD}Installer Testing:${NC}"
+        echo -e "  ${GREEN}task claude:installer:test${NC}       ${YELLOW}it${NC}        Run complete installer test suite"
+        echo -e "  ${GREEN}task claude:installer:test:force${NC} ${YELLOW}itf${NC}       Test force reinstall"
+        echo -e "  ${GREEN}task claude:installer:test:clean${NC} ${YELLOW}itc${NC}       Clean up test installations"
+
+  mcp:install:
+    desc: Install MCP server globally
+    aliases: [mi]
+    silent: true
+    cmds:
+      - |
+        # Source secrets if .env has 1Password references
+        if [ -f .env ] && grep -q "op://" .env 2>/dev/null; then
+          TEMP_ENV=$(task op:export)
+          source "$TEMP_ENV"
+        fi
+        bun run {{.TASKFILE_DIR}}/../src/tasks/claude/mcp-install.ts
+
+  mcp:verify:
+    desc: Verify MCP server installation
+    aliases: [mv]
+    silent: true
+    cmds:
+      - bun run {{.TASKFILE_DIR}}/../src/tasks/claude/mcp-verify.ts
+
+  mcp:remove:
+    desc: Remove MCP server
+    aliases: [mr]
+    silent: true
+    cmds:
+      - bun run {{.TASKFILE_DIR}}/../src/tasks/claude/mcp-remove.ts
+
+  mcp:status:
+    desc: Show MCP server status
+    aliases: [ms]
+    silent: true
+    cmds:
+      - bun run {{.TASKFILE_DIR}}/../src/tasks/claude/mcp-status.ts
+
+  installer:test:
+    desc: Run complete installer test suite
+    aliases: [it]
+    silent: true
+    cmds:
+      - bun run {{.TASKFILE_DIR}}/../src/tasks/claude/test-installer.ts
+
+  installer:test:force:
+    desc: Test force reinstall
+    aliases: [itf]
+    silent: true
+    cmds:
+      - bun run {{.TASKFILE_DIR}}/../src/tasks/claude/test-installer.ts --force
+
+  installer:test:clean:
+    desc: Clean up test installations
+    aliases: [itc]
+    silent: true
+    cmds:
+      - bun run {{.TASKFILE_DIR}}/../src/tasks/claude/clean-test.ts
+
+  # Settings Management
+  settings:open:
+    desc: Open Claude settings.json in detected IDE
+    aliases: [so]
+    silent: true
+    cmds:
+      - |
+        # Get Claude settings path (cross-platform)
+        case "$(uname -s)" in
+          Darwin|Linux)
+            SETTINGS_PATH="$HOME/.claude/settings.json"
+            ;;
+          MINGW*|MSYS*|CYGWIN*)
+            SETTINGS_PATH="$USERPROFILE/.claude/settings.json"
+            ;;
+          *)
+            SETTINGS_PATH="$HOME/.claude/settings.json"
+            ;;
+        esac
+
+        # Create settings file if it doesn't exist
+        if [ ! -f "$SETTINGS_PATH" ]; then
+          mkdir -p "$(dirname "$SETTINGS_PATH")"
+          echo '{}' > "$SETTINGS_PATH"
+          echo "Created new settings file: $SETTINGS_PATH"
+        fi
+
+        # Use core ide:open utility
+        task ide:open FILE="$SETTINGS_PATH"
+
+  settings:show:
+    desc: Show current Claude settings
+    aliases: [ss]
+    silent: true
+    cmds:
+      - |
+        GREEN='\033[0;32m'
+        YELLOW='\033[0;33m'
+        CYAN='\033[0;36m'
+        BOLD='\033[1m'
+        NC='\033[0m'
+
+        # Get Claude settings path (cross-platform)
+        case "$(uname -s)" in
+          Darwin|Linux)
+            SETTINGS_PATH="$HOME/.claude/settings.json"
+            ;;
+          MINGW*|MSYS*|CYGWIN*)
+            SETTINGS_PATH="$USERPROFILE/.claude/settings.json"
+            ;;
+          *)
+            SETTINGS_PATH="$HOME/.claude/settings.json"
+            ;;
+        esac
+
+        echo -e "${BOLD}Claude Settings${NC}"
+        echo -e "${CYAN}Path:${NC} $SETTINGS_PATH"
+        echo ""
+
+        if [ -f "$SETTINGS_PATH" ]; then
+          # Pretty print JSON with jq if available, otherwise cat
+          if command -v jq &> /dev/null; then
+            jq '.' "$SETTINGS_PATH"
+          else
+            cat "$SETTINGS_PATH"
+          fi
+        else
+          echo -e "${YELLOW}Settings file does not exist${NC}"
+          echo "Run 'task claude:settings:open' to create it"
+        fi
+
+  settings:path:
+    desc: Print Claude settings file path
+    aliases: [sp]
+    silent: true
+    cmds:
+      - |
+        # Get Claude settings path (cross-platform)
+        case "$(uname -s)" in
+          Darwin|Linux)
+            SETTINGS_PATH="$HOME/.claude/settings.json"
+            ;;
+          MINGW*|MSYS*|CYGWIN*)
+            SETTINGS_PATH="$USERPROFILE/.claude/settings.json"
+            ;;
+          *)
+            SETTINGS_PATH="$HOME/.claude/settings.json"
+            ;;
+        esac
+        echo "$SETTINGS_PATH"

package/tasks/docker.yml

@@ -0,0 +1,420 @@
+version: "3"
+
+vars:
+  CONTAINER_NAME: ai-toolkit-linux-debug
+  COMPOSE_FILE: docker/linux-debug/docker-compose.yml
+  DOCKER_SOCKET: /var/run/docker.sock
+  TRIVY_IMAGE: aquasec/trivy:latest
+  DEFAULT_SEVERITY: HIGH,CRITICAL
+
+includes:
+  linux:
+    taskfile: ../docker/linux-debug/linux.yml
+    dir: docker/linux-debug
+
+tasks:
+  default:
+    desc: "Show available Docker tasks"
+    silent: true
+    cmds:
+      - |
+        GREEN='\033[0;32m'
+        YELLOW='\033[0;33m'
+        BOLD='\033[1m'
+        NC='\033[0m'
+
+        echo -e "${BOLD}Docker Environment Tasks${NC}"
+        echo ""
+        echo "Command                                      Alias    Description                       Example"
+        echo "─────────────────────────────────────────────────────────────────────────────────────-----------------------------"
+
+      - task: linux:help:info
+
+      - |
+        GREEN='\033[0;32m'
+        YELLOW='\033[0;33m'
+        BOLD='\033[1m'
+        NC='\033[0m'
+        echo ""
+        echo -e "${BOLD}Image Operations:${NC}"
+        echo -e "  ${GREEN}task docker:build${NC}                                   Build with buildx (multi-arch)    IMAGE=... PATH=... [PUSH=true]"
+        echo -e "  ${GREEN}task docker:tag${NC}                                     Tag Docker image                  SOURCE=... TARGET=..."
+        echo -e "  ${GREEN}task docker:push${NC}                                    Push image to registry            IMAGE=... TAG=..."
+        echo ""
+        echo -e "${BOLD}GitHub Container Registry:${NC}"
+        echo -e "  ${GREEN}task docker:git:login${NC}                               Login to ghcr.io                  USER=... TOKEN=..."
+        echo -e "  ${GREEN}task docker:git:push${NC}                                Push to ghcr.io                   IMAGE=... TAG=... USER=..."
+        echo ""
+        echo -e "${BOLD}Security Scanning:${NC}"
+        echo -e "  ${GREEN}task docker:scan${NC}                                    Scan image or Dockerfile          IMAGE=... or FILE=..."
+        echo -e "  ${GREEN}task docker:scan:init${NC}                               Initialize Trivy cache"
+        echo ""
+        echo -e "${BOLD}Examples:${NC}"
+        echo -e "  # Test with local code (recommended)"
+        echo -e "  task docker:linux:build && task docker:linux:test"
+        echo ""
+        echo -e "  # Interactive debugging with SSH"
+        echo -e "  task docker:linux:up"
+        echo -e "  ssh -p 2222 developer@localhost"
+        echo -e "  task docker:linux:down"
+        echo ""
+        echo -e "  # Scan existing image by name"
+        echo -e "  task docker:scan IMAGE=myapp TAG=v1.0.0"
+        echo ""
+        echo -e "  # Build from Dockerfile and scan (config + vulnerabilities)"
+        echo -e "  task docker:scan FILE=Dockerfile"
+        echo -e "  task docker:scan FILE=/absolute/path/to/Dockerfile"
+        echo ""
+        echo -e "  # Build and push Docker image"
+        echo -e "  task docker:build IMAGE=myapp TAG=v1.0.0 PATH=."
+        echo -e "  task docker:git:push IMAGE=myapp TAG=v1.0.0 USER=username TOKEN=ghp_xxx"
+
+  # Build Docker image with buildx (multi-arch support)
+  build:
+    desc: "Build Docker image with buildx (multi-arch)"
+    silent: true
+    vars:
+      IMAGE_NAME: '{{.IMAGE | default ""}}'
+      IMAGE_TAG: '{{.TAG | default "latest"}}'
+      DOCKER_PATH: '{{.PATH | default "."}}'
+      DOCKERFILE: '{{.FILE | default "Dockerfile"}}'
+      PLATFORM: '{{.PLATFORM | default "linux/amd64,linux/arm64"}}'
+      PUSH_FLAG: '{{if eq .PUSH "true"}}--push{{else}}--load{{end}}'
+    cmds:
+      - |
+        GREEN='\033[0;32m'
+        RED='\033[0;31m'
+        YELLOW='\033[0;33m'
+        NC='\033[0m'
+
+        IMAGE="{{.IMAGE_NAME}}"
+        TAG="{{.IMAGE_TAG}}"
+        CONTEXT="{{.DOCKER_PATH}}"
+        DOCKERFILE="{{.DOCKERFILE}}"
+        PLATFORM="{{.PLATFORM}}"
+        PUSH="{{.PUSH_FLAG}}"
+
+        # Validate parameters
+        if [ -z "$IMAGE" ]; then
+          echo -e "${RED}✗${NC} Missing IMAGE parameter" >&2
+          echo "Usage: task docker:build IMAGE=myapp TAG=v1.0.0 PATH=. [PLATFORM=linux/amd64,linux/arm64] [PUSH=true]" >&2
+          exit 1
+        fi
+
+        # Check Docker is running
+        if ! docker info &>/dev/null; then
+          echo -e "${RED}✗${NC} Docker is not running" >&2
+          exit 1
+        fi
+
+        # Ensure buildx builder exists
+        if ! docker buildx inspect multiarch-builder &>/dev/null; then
+          echo -e "${GREEN}▶${NC} Creating buildx builder"
+          docker buildx create --name multiarch-builder --use &>/dev/null
+        fi
+
+        # Determine output mode
+        # --load only works with single platform, --push works with multi-arch
+        if [ "$PUSH" = "--load" ]; then
+          # For local loading, build for current platform only
+          CURRENT_ARCH=$(uname -m)
+          case "$CURRENT_ARCH" in
+            x86_64) BUILD_PLATFORM="linux/amd64" ;;
+            arm64|aarch64) BUILD_PLATFORM="linux/arm64" ;;
+            *) BUILD_PLATFORM="linux/amd64" ;;
+          esac
+          echo -e "${GREEN}▶${NC} Building ${IMAGE}:${TAG} for ${BUILD_PLATFORM} (local)"
+        else
+          # For push, use full platform list
+          BUILD_PLATFORM="$PLATFORM"
+          echo -e "${GREEN}▶${NC} Building ${IMAGE}:${TAG} for ${BUILD_PLATFORM} (push)"
+        fi
+
+        # Build with buildx
+        docker buildx build \
+          --builder multiarch-builder \
+          --platform "$BUILD_PLATFORM" \
+          $PUSH \
+          -t "${IMAGE}:${TAG}" \
+          -f "${CONTEXT}/${DOCKERFILE}" \
+          "$CONTEXT"
+
+        if [ $? -eq 0 ]; then
+          echo -e "${GREEN}✓${NC} Built: ${IMAGE}:${TAG}"
+        else
+          echo -e "${RED}✗${NC} Build failed" >&2
+          exit 1
+        fi
+
+  # Tag Docker image
+  tag:
+    desc: "Tag Docker image"
+    vars:
+      SOURCE_IMAGE: '{{.SOURCE | default ""}}'
+      TARGET_IMAGE: '{{.TARGET | default ""}}'
+    cmds:
+      - |
+        GREEN='\033[0;32m'
+        RED='\033[0;31m'
+        NC='\033[0m'
+
+        # Validate parameters
+        if [ -z "{{.SOURCE_IMAGE}}" ] || [ -z "{{.TARGET_IMAGE}}" ]; then
+          echo -e "${RED}✗${NC} Missing SOURCE or TARGET parameter" >&2
+          echo "Usage: task docker:tag SOURCE=myapp:v1.0.0 TARGET=myapp:latest" >&2
+          exit 1
+        fi
+
+        # Tag image
+        docker tag {{.SOURCE_IMAGE}} {{.TARGET_IMAGE}}
+        echo -e "${GREEN}✓${NC} Tagged: {{.SOURCE_IMAGE}} → {{.TARGET_IMAGE}}"
+
+  # Push Docker image to registry
+  push:
+    desc: "Push Docker image to registry"
+    vars:
+      IMAGE_NAME: '{{.IMAGE | default ""}}'
+      IMAGE_TAG: '{{.TAG | default "latest"}}'
+    cmds:
+      - |
+        GREEN='\033[0;32m'
+        RED='\033[0;31m'
+        NC='\033[0m'
+
+        # Validate parameters
+        if [ -z "{{.IMAGE_NAME}}" ]; then
+          echo -e "${RED}✗${NC} Missing IMAGE parameter" >&2
+          echo "Usage: task docker:push IMAGE=myapp TAG=v1.0.0" >&2
+          exit 1
+        fi
+
+        # Push image
+        echo -e "${GREEN}▶${NC} Pushing {{.IMAGE_NAME}}:{{.IMAGE_TAG}}"
+        docker push {{.IMAGE_NAME}}:{{.IMAGE_TAG}}
+        echo -e "${GREEN}✓${NC} Pushed: {{.IMAGE_NAME}}:{{.IMAGE_TAG}}"
+
+  # Login to GitHub Container Registry
+  git:login:
+    desc: "Login to GitHub Container Registry (ghcr.io)"
+    vars:
+      GITHUB_USER: '{{.USER | default ""}}'
+      GITHUB_TOKEN: '{{.TOKEN | default ""}}'
+    cmds:
+      - |
+        GREEN='\033[0;32m'
+        RED='\033[0;31m'
+        NC='\033[0m'
+
+        # Validate parameters
+        if [ -z "{{.GITHUB_USER}}" ] || [ -z "{{.GITHUB_TOKEN}}" ]; then
+          echo -e "${RED}✗${NC} Missing USER or TOKEN parameter" >&2
+          echo "Usage: task docker:git:login USER=username TOKEN=ghp_xxx" >&2
+          exit 1
+        fi
+
+        # Login to ghcr.io
+        echo {{.GITHUB_TOKEN}} | docker login ghcr.io -u {{.GITHUB_USER}} --password-stdin &>/dev/null
+        echo -e "${GREEN}✓${NC} Logged in to ghcr.io as {{.GITHUB_USER}}"
+
+  # Push image to GitHub Container Registry
+  git:push:
+    desc: "Push Docker image to GitHub Container Registry"
+    vars:
+      IMAGE_NAME: '{{.IMAGE | default ""}}'
+      IMAGE_TAG: '{{.TAG | default "latest"}}'
+      GITHUB_USER: '{{.USER | default ""}}'
+      GITHUB_TOKEN: '{{.TOKEN | default ""}}'
+      PUSH_LATEST: '{{.LATEST | default "false"}}'
+    cmds:
+      - |
+        GREEN='\033[0;32m'
+        RED='\033[0;31m'
+        NC='\033[0m'
+
+        # Validate parameters
+        if [ -z "{{.IMAGE_NAME}}" ] || [ -z "{{.GITHUB_USER}}" ] || [ -z "{{.GITHUB_TOKEN}}" ]; then
+          echo -e "${RED}✗${NC} Missing IMAGE, USER, or TOKEN parameter" >&2
+          echo "Usage: task docker:git:push IMAGE=myapp TAG=v1.0.0 USER=username TOKEN=ghp_xxx" >&2
+          exit 1
+        fi
+
+      # Login to GHCR
+      - task: git:login
+        vars:
+          USER: "{{.GITHUB_USER}}"
+          TOKEN: "{{.GITHUB_TOKEN}}"
+
+      # Tag for GHCR
+      - task: tag
+        vars:
+          SOURCE: "{{.IMAGE_NAME}}:{{.IMAGE_TAG}}"
+          TARGET: "ghcr.io/{{.GITHUB_USER}}/{{.IMAGE_NAME}}:{{.IMAGE_TAG}}"
+
+      # Push tagged image
+      - task: push
+        vars:
+          IMAGE: "ghcr.io/{{.GITHUB_USER}}/{{.IMAGE_NAME}}"
+          TAG: "{{.IMAGE_TAG}}"
+
+      # Optionally push latest tag
+      - |
+        if [ '{{.PUSH_LATEST}}' = 'true' ]; then
+          GREEN='\033[0;32m'
+          NC='\033[0m'
+          
+          docker tag {{.IMAGE_NAME}}:{{.IMAGE_TAG}} ghcr.io/{{.GITHUB_USER}}/{{.IMAGE_NAME}}:latest
+          docker push ghcr.io/{{.GITHUB_USER}}/{{.IMAGE_NAME}}:latest &>/dev/null
+          echo -e "${GREEN}✓${NC} Also pushed: ghcr.io/{{.GITHUB_USER}}/{{.IMAGE_NAME}}:latest"
+        fi
+
+  # Initialize Trivy cache volume
+  scan:init:
+    desc: "Initialize Trivy cache volume for vulnerability scanning"
+    silent: true
+    cmds:
+      - |
+        GREEN='\033[0;32m'
+        NC='\033[0m'
+
+        if ! docker volume ls --format "{{.Name}}" | grep -q "^trivy-cache$"; then
+          docker volume create trivy-cache &>/dev/null
+          echo -e "${GREEN}✓${NC} Created Trivy cache volume"
+        fi
+
+  # Unified security scanner - scans image by name or builds from Dockerfile
+  scan:
+    desc: "Scan Docker image or Dockerfile for vulnerabilities and misconfigurations"
+    silent: true
+    deps: [scan:init]
+    vars:
+      # Accept either IMAGE (existing image) or FILE (Dockerfile path)
+      IMAGE_REF: '{{.IMAGE | default ""}}'
+      IMAGE_TAG: '{{.TAG | default "latest"}}'
+      DOCKERFILE: '{{.FILE | default ""}}'
+      SEVERITY: "{{.SEVERITY | default .DEFAULT_SEVERITY}}"
+    cmds:
+      - |
+        GREEN='\033[0;32m'
+        RED='\033[0;31m'
+        YELLOW='\033[0;33m'
+        NC='\033[0m'
+
+        IMAGE_REF="{{.IMAGE_REF}}"
+        DOCKERFILE="{{.DOCKERFILE}}"
+        SEVERITY="{{.SEVERITY}}"
+        TAG="{{.IMAGE_TAG}}"
+
+        # Check Docker is running
+        if ! docker info &>/dev/null; then
+          echo -e "${RED}✗${NC} Docker is not running" >&2
+          exit 1
+        fi
+
+        # Determine scan mode
+        if [ -n "$IMAGE_REF" ]; then
+          # Mode 1: Scan existing image by name
+          SCAN_TARGET="${IMAGE_REF}:${TAG}"
+          echo -e "${GREEN}▶${NC} Scanning image ${SCAN_TARGET} for ${SEVERITY} vulnerabilities"
+
+          docker run --rm \
+            -v {{.DOCKER_SOCKET}}:{{.DOCKER_SOCKET}} \
+            -v trivy-cache:/root/.cache/trivy \
+            {{.TRIVY_IMAGE}} image \
+            --severity "$SEVERITY" \
+            --exit-code 1 \
+            "$SCAN_TARGET"
+
+          RESULT=$?
+
+          if [ $RESULT -eq 0 ]; then
+            echo -e "${GREEN}✓${NC} No ${SEVERITY} issues found"
+          else
+            echo -e "${YELLOW}⚠${NC} Issues found (exit code: $RESULT)"
+            exit $RESULT
+          fi
+
+        elif [ -n "$DOCKERFILE" ]; then
+          # Mode 2: Build from Dockerfile and scan
+
+          # Resolve to absolute path
+          DOCKERFILE_PATH="$DOCKERFILE"
+          if [[ "$DOCKERFILE_PATH" != /* ]]; then
+            DOCKERFILE_PATH="$(pwd)/$DOCKERFILE_PATH"
+          fi
+
+          # Check Dockerfile exists
+          if [ ! -f "$DOCKERFILE_PATH" ]; then
+            echo -e "${RED}✗${NC} Dockerfile not found: $DOCKERFILE_PATH" >&2
+            echo "Usage: task docker:scan FILE=path/to/Dockerfile" >&2
+            exit 1
+          fi
+
+          DOCKERFILE_DIR=$(dirname "$DOCKERFILE_PATH")
+          DOCKERFILE_NAME=$(basename "$DOCKERFILE_PATH")
+          TEMP_IMAGE="trivy-scan-$(date +%s)"
+
+          # Step 1: Scan Dockerfile for misconfigurations
+          echo -e "${GREEN}▶${NC} Scanning Dockerfile for ${SEVERITY} misconfigurations"
+
+          docker run --rm \
+            -v "$DOCKERFILE_DIR:/workspace:ro" \
+            -v trivy-cache:/root/.cache/trivy \
+            -w /workspace \
+            {{.TRIVY_IMAGE}} config \
+            --severity "$SEVERITY" \
+            --exit-code 1 \
+            "/workspace/$DOCKERFILE_NAME"
+
+          CONFIG_RESULT=$?
+          if [ $CONFIG_RESULT -ne 0 ]; then
+            echo -e "${YELLOW}⚠${NC} Dockerfile misconfigurations found"
+          fi
+
+          # Step 2: Build image for scanning
+          echo -e "${GREEN}▶${NC} Building image for scanning"
+
+          docker build \
+            -t "$TEMP_IMAGE" \
+            -f "$DOCKERFILE_PATH" \
+            "$DOCKERFILE_DIR"
+
+          BUILD_RESULT=$?
+          if [ $BUILD_RESULT -ne 0 ]; then
+            echo -e "${RED}✗${NC} Build failed" >&2
+            exit 1
+          fi
+
+          echo -e "${GREEN}✓${NC} Built image: ${TEMP_IMAGE}"
+
+          # Step 3: Scan built image for vulnerabilities
+          echo -e "${GREEN}▶${NC} Scanning image layers for ${SEVERITY} vulnerabilities"
+
+          docker run --rm \
+            -v {{.DOCKER_SOCKET}}:{{.DOCKER_SOCKET}} \
+            -v trivy-cache:/root/.cache/trivy \
+            {{.TRIVY_IMAGE}} image \
+            --severity "$SEVERITY" \
+            --exit-code 1 \
+            "$TEMP_IMAGE"
+
+          IMAGE_RESULT=$?
+
+          # Cleanup temporary image
+          docker rmi "$TEMP_IMAGE" &>/dev/null
+
+          # Combine results
+          if [ $CONFIG_RESULT -ne 0 ] || [ $IMAGE_RESULT -ne 0 ]; then
+            echo -e "${YELLOW}⚠${NC} Issues found"
+            exit 1
+          else
+            echo -e "${GREEN}✓${NC} No ${SEVERITY} issues found"
+          fi
+
+        else
+          echo -e "${RED}✗${NC} Missing IMAGE or FILE parameter" >&2
+          echo "" >&2
+          echo "Usage:" >&2
+          echo "  Scan existing image:  task docker:scan IMAGE=myapp TAG=v1.0.0" >&2
+          echo "  Build and scan:       task docker:scan FILE=path/to/Dockerfile" >&2
+          exit 1
+        fi