|
| 1 | +--- |
| 2 | +name: dependency-scanning |
| 3 | +description: Scan project dependencies for known CVEs and security vulnerabilities using ecosystem-native audit tools (npm audit, yarn audit, pnpm audit, pip-audit, cargo audit, govulncheck, bundler-audit, dotnet list package). |
| 4 | +metadata: |
| 5 | + agents: |
| 6 | + supported: |
| 7 | + - GitHub Copilot Coding Agent |
| 8 | + - Cursor |
| 9 | + - Codex |
| 10 | + - Claude Code |
| 11 | +allowed-tools: Bash Glob Read |
| 12 | +--- |
| 13 | + |
| 14 | +# Dependency Scanning Skill |
| 15 | + |
| 16 | +## Overview |
| 17 | + |
| 18 | +This skill detects known CVEs and security vulnerabilities in project dependencies by running the audit tool native to each package ecosystem. It supports JavaScript, Python, Rust, Ruby, Go, and .NET projects ÔÇö including multi-ecosystem monorepos. |
| 19 | + |
| 20 | +### What counts as a vulnerable dependency? |
| 21 | + |
| 22 | +A dependency is flagged when it has a publicly disclosed vulnerability that is catalogued in a security advisory database (the National Vulnerability Database, GitHub Advisory Database, OSV, RustSec Advisory Database, etc.). |
| 23 | + |
| 24 | +Treat these as actionable findings: |
| 25 | + |
| 26 | +- **Critical / High severity**: Actively exploitable vulnerabilities, remote code execution, privilege escalation. Prioritise these. |
| 27 | +- **Moderate severity**: Vulnerabilities with limited exploitability, denial-of-service, or that require specific preconditions. |
| 28 | +- **Low / Informational severity**: Minor issues, speculative attack vectors, or things requiring local access. Still worth reviewing but lower urgency. |
| 29 | + |
| 30 | +Not every flagged package represents actual risk to the project. Context matters: |
| 31 | + |
| 32 | +- A vulnerability in a **dev-only** dependency that never runs in production carries much lower risk. |
| 33 | +- A vulnerability requiring **specific user input or environment conditions** may not be reachable in the current application. |
| 34 | +- Some advisories are **disputed or already mitigated** upstream ÔÇö check the advisory link before escalating. |
| 35 | + |
| 36 | +### Why this is important |
| 37 | + |
| 38 | +Supply-chain attacks and dependency vulnerabilities are one of the most common entry points for security incidents. Running a dependency audit regularly ÔÇö and especially before releases ÔÇö helps catch known bad versions early, when the fix is simply upgrading a package. |
| 39 | + |
| 40 | +**Important**: Only run this skill when the user explicitly asks to scan dependencies or check for vulnerabilities. Do not trigger it as part of unrelated general workflows. |
| 41 | + |
| 42 | +## Ecosystem Support |
| 43 | + |
| 44 | +| Ecosystem | Lock / manifest file(s) | Audit tool | Availability | |
| 45 | +| ---------------- | ------------------------------------------------------------- | ----------------------- | ---------------------------------- | |
| 46 | +| npm | `package-lock.json`, `npm-shrinkwrap.json` | `npm audit` | Built-in (npm  6) | |
| 47 | +| Yarn Classic (v1) | `yarn.lock` (no `.yarnrc.yml`) | `yarn audit` | Built-in | |
| 48 | +| Yarn Berry (v2+) | `yarn.lock` + `.yarnrc.yml` | `yarn npm audit` | Built-in | |
| 49 | +| pnpm | `pnpm-lock.yaml` | `pnpm audit` | Built-in | |
| 50 | +| Python | `Pipfile.lock`, `pyproject.toml`, `requirements*.txt` | `pip-audit` | Install: `pip install pip-audit` | |
| 51 | +| Rust | `Cargo.lock` | `cargo audit` | Install: `cargo install cargo-audit` | |
| 52 | +| Ruby | `Gemfile.lock` | `bundler-audit` | Install: `gem install bundler-audit` | |
| 53 | +| Go | `go.sum` | `govulncheck` | Install: `go install golang.org/x/vuln/cmd/govulncheck@latest` | |
| 54 | +| .NET | `*.csproj`, `*.sln`, `packages.config` | `dotnet list package` | Built-in (.NET SDK  6) | |
| 55 | + |
| 56 | +## Common Scenarios |
| 57 | + |
| 58 | +| User goal | How to respond | |
| 59 | +| --------------------------------------------------- | ----------------------------------------------------------------- | |
| 60 | +| "Scan my project for vulnerabilities" | Auto-detect ecosystem(s), run audit, report findings | |
| 61 | +| "Check npm dependencies for CVEs" | Run `npm audit --json`, parse and report | |
| 62 | +| "Are there any critical vulnerabilities?" | Run audit, filter for critical/high severity, surface those first | |
| 63 | +| "How do I fix the vulnerabilities you found?" | Show the fix command (e.g. `npm audit fix`) per finding | |
| 64 | +| "Scan only production dependencies" | Pass `--production` / `--prod` flag where supported | |
| 65 | + |
| 66 | +## Detecting the Ecosystem |
| 67 | + |
| 68 | +Before running any audit, use `Glob` to identify which ecosystems are present. A project may have multiple. |
| 69 | + |
| 70 | +``` |
| 71 | +Detection order (check all, not just the first match): |
| 72 | +1. package-lock.json or npm-shrinkwrap.json  npm |
| 73 | +2. yarn.lock + .yarnrc.yml present  Yarn Berry (v2+): yarn npm audit |
| 74 | + yarn.lock without .yarnrc.yml  Yarn Classic (v1): yarn audit |
| 75 | +3. pnpm-lock.yaml  pnpm |
| 76 | +4. Cargo.lock  cargo audit |
| 77 | +5. Gemfile.lock  bundler-audit |
| 78 | +6. go.sum  govulncheck |
| 79 | +7. Pipfile.lock / pyproject.toml / requirements*.txt  pip-audit |
| 80 | +8. *.csproj / *.sln / packages.config  dotnet list package --vulnerable |
| 81 | +``` |
| 82 | + |
| 83 | +If multiple ecosystems are detected, run each audit in turn and aggregate the results. Monorepos with workspaces are common ÔÇö run from the relevant workspace root if applicable. |
| 84 | + |
| 85 | +## Running the Audit |
| 86 | + |
| 87 | +### JavaScript ÔÇö npm |
| 88 | + |
| 89 | +```bash |
| 90 | +npm audit --json 2>/dev/null |
| 91 | +``` |
| 92 | + |
| 93 | +To auto-fix non-breaking upgrades: |
| 94 | + |
| 95 | +```bash |
| 96 | +npm audit fix |
| 97 | +``` |
| 98 | + |
| 99 | +To fix breaking upgrades (bumps major versions ÔÇö review carefully): |
| 100 | + |
| 101 | +```bash |
| 102 | +npm audit fix --force |
| 103 | +``` |
| 104 | + |
| 105 | +To scan production dependencies only: |
| 106 | + |
| 107 | +```bash |
| 108 | +npm audit --json --production 2>/dev/null |
| 109 | +``` |
| 110 | + |
| 111 | +### JavaScript ÔÇö Yarn Classic (v1) |
| 112 | + |
| 113 | +```bash |
| 114 | +yarn audit --json 2>/dev/null |
| 115 | +``` |
| 116 | + |
| 117 | +Yarn v1 does not have an automatic fix command; fix by upgrading specific packages in `package.json`. |
| 118 | + |
| 119 | +### JavaScript ÔÇö Yarn Berry (v2+) |
| 120 | + |
| 121 | +```bash |
| 122 | +yarn npm audit --json 2>/dev/null |
| 123 | +``` |
| 124 | + |
| 125 | +### JavaScript ÔÇö pnpm |
| 126 | + |
| 127 | +```bash |
| 128 | +pnpm audit --json 2>/dev/null |
| 129 | +``` |
| 130 | + |
| 131 | +To fix: |
| 132 | + |
| 133 | +```bash |
| 134 | +pnpm audit --fix |
| 135 | +``` |
| 136 | + |
| 137 | +To scan production dependencies only: |
| 138 | + |
| 139 | +```bash |
| 140 | +pnpm audit --json --prod 2>/dev/null |
| 141 | +``` |
| 142 | + |
| 143 | +### Python ÔÇö pip-audit |
| 144 | + |
| 145 | +```bash |
| 146 | +pip-audit -f json 2>/dev/null |
| 147 | +``` |
| 148 | + |
| 149 | +If `pip-audit` is not installed, inform the user: |
| 150 | + |
| 151 | +> `pip-audit` is not installed. Install it with: `pip install pip-audit` |
| 152 | +
|
| 153 | +To scan a specific requirements file: |
| 154 | + |
| 155 | +```bash |
| 156 | +pip-audit -f json -r requirements.txt 2>/dev/null |
| 157 | +``` |
| 158 | + |
| 159 | +### Rust ÔÇö cargo audit |
| 160 | + |
| 161 | +```bash |
| 162 | +cargo audit --json 2>/dev/null |
| 163 | +``` |
| 164 | + |
| 165 | +If `cargo audit` is not installed, inform the user: |
| 166 | + |
| 167 | +> `cargo audit` is not installed. Install it with: `cargo install cargo-audit` |
| 168 | +
|
| 169 | +To fix (updates `Cargo.toml` where possible): |
| 170 | + |
| 171 | +```bash |
| 172 | +cargo audit fix |
| 173 | +``` |
| 174 | + |
| 175 | +### Ruby ÔÇö bundler-audit |
| 176 | + |
| 177 | +First update the advisory database, then scan: |
| 178 | + |
| 179 | +```bash |
| 180 | +bundler-audit update && bundler-audit check --format json 2>/dev/null |
| 181 | +``` |
| 182 | + |
| 183 | +If `bundler-audit` is not installed, inform the user: |
| 184 | + |
| 185 | +> `bundler-audit` is not installed. Install it with: `gem install bundler-audit` |
| 186 | +
|
| 187 | +### Go ÔÇö govulncheck |
| 188 | + |
| 189 | +```bash |
| 190 | +govulncheck -json ./... 2>/dev/null |
| 191 | +``` |
| 192 | + |
| 193 | +If `govulncheck` is not installed, inform the user: |
| 194 | + |
| 195 | +> `govulncheck` is not installed. Install it with: `go install golang.org/x/vuln/cmd/govulncheck@latest` |
| 196 | +
|
| 197 | +### .NET ÔÇö dotnet list package |
| 198 | + |
| 199 | +```bash |
| 200 | +dotnet list package --vulnerable 2>/dev/null |
| 201 | +``` |
| 202 | + |
| 203 | +For JSON output (.NET SDK  8): |
| 204 | + |
| 205 | +```bash |
| 206 | +dotnet list package --vulnerable --format json 2>/dev/null |
| 207 | +``` |
| 208 | + |
| 209 | +--- |
| 210 | + |
| 211 | +## Presenting Results |
| 212 | + |
| 213 | +Structure your report clearly. Lead with a summary, then detail each finding. |
| 214 | + |
| 215 | +### Summary line (always show) |
| 216 | + |
| 217 | +``` |
| 218 | +ƒöì Dependency scan complete ÔÇö X vulnerabilities found (A critical, B high, C moderate, D low) |
| 219 | +``` |
| 220 | + |
| 221 | +If nothing is found: |
| 222 | + |
| 223 | +``` |
| 224 | + No known vulnerabilities found in your dependencies. |
| 225 | +``` |
| 226 | + |
| 227 | +### Per-finding format |
| 228 | + |
| 229 | +For each vulnerability, show: |
| 230 | + |
| 231 | +``` |
| 232 | +[SEVERITY] package-name@affected-version |
| 233 | + CVE: CVE-YYYY-NNNNN (or advisory ID) |
| 234 | + Description: <one-line summary> |
| 235 | + Fix: Upgrade to package-name@fixed-version |
| 236 | + Advisory: <URL if available> |
| 237 | +``` |
| 238 | + |
| 239 | +### Severity ordering |
| 240 | + |
| 241 | +Always present findings in this order: **Critical  High  Moderate  Low  Informational** |
| 242 | + |
| 243 | +### Example output (npm) |
| 244 | + |
| 245 | +``` |
| 246 | +ƒöì Dependency scan complete ÔÇö 3 vulnerabilities found (1 critical, 1 high, 1 moderate) |
| 247 | +
|
| 248 | +[CRITICAL] lodash@4.17.15 |
| 249 | + CVE: CVE-2021-23337 |
| 250 | + Description: Command injection via template |
| 251 | + Fix: npm audit fix (upgrades to lodash@4.17.21) |
| 252 | + Advisory: https://github.com/advisories/GHSA-35jh-r3h4-6jhm |
| 253 | +
|
| 254 | +[HIGH] axios@0.21.0 |
| 255 | + CVE: CVE-2021-3749 |
| 256 | + Description: Inefficient regular expression complexity |
| 257 | + Fix: npm audit fix (upgrades to axios@0.21.2) |
| 258 | + Advisory: https://github.com/advisories/GHSA-cph5-m8f7-6c5x |
| 259 | +
|
| 260 | +[MODERATE] glob-parent@3.1.0 |
| 261 | + CVE: CVE-2020-28469 |
| 262 | + Description: Regular expression denial of service |
| 263 | + Fix: npm audit fix (upgrades to glob-parent@5.1.2) |
| 264 | + Advisory: https://github.com/advisories/GHSA-ww39-953v-wcq6 |
| 265 | +
|
| 266 | +ƒÆí Run `npm audit fix` to automatically resolve all 3 issues. |
| 267 | +``` |
| 268 | + |
| 269 | +### Example output (no vulnerabilities) |
| 270 | + |
| 271 | +``` |
| 272 | + No known vulnerabilities found in your npm dependencies. |
| 273 | + Scanned: 312 packages (189 direct, 123 transitive) |
| 274 | +``` |
| 275 | + |
| 276 | +--- |
| 277 | + |
| 278 | +## Handling Errors and Edge Cases |
| 279 | + |
| 280 | +| Situation | What to do | |
| 281 | +| ------------------------------------------------------ | ------------------------------------------------------------------------------------------------ | |
| 282 | +| Audit tool not installed | Inform the user and provide the install command. Do not silently skip. | |
| 283 | +| No lock file found | Inform the user: "No lock file detected. Run the package manager install command first." | |
| 284 | +| `npm audit` returns exit code 1 (vulnerabilities exist)| This is expected ÔÇö parse the JSON output normally. | |
| 285 | +| Network error / registry unreachable | Report the error and suggest retrying or checking connectivity. | |
| 286 | +| Production-only scan requested | Use `--production` / `--prod` flags where supported; note in the report which scope was scanned. | |
| 287 | +| `yarn audit` exits non-zero even with no issues | Check the JSON output; a non-zero exit alone is not sufficient to indicate vulnerabilities. | |
| 288 | +| `govulncheck` output references only stdlib | Mention that no third-party vulnerabilities were found but stdlib entries exist. | |
| 289 | + |
| 290 | +--- |
| 291 | + |
| 292 | +## Remediation Guidance |
| 293 | + |
| 294 | +After reporting findings, always include the appropriate fix command(s): |
| 295 | + |
| 296 | +| Ecosystem | Fix command | |
| 297 | +| ---------------- | ------------------------------------------------------------------------- | |
| 298 | +| npm | `npm audit fix` (or `npm audit fix --force` for breaking changes) | |
| 299 | +| Yarn Classic | Manually update `package.json` and re-run `yarn install` | |
| 300 | +| Yarn Berry | `yarn up <package>` | |
| 301 | +| pnpm | `pnpm audit --fix` or `pnpm update <package>` | |
| 302 | +| Python | `pip install --upgrade <package>` | |
| 303 | +| Rust | `cargo update <package>` or `cargo audit fix` | |
| 304 | +| Ruby | `bundle update <gem>` | |
| 305 | +| Go | `go get <module>@<fixed-version>` + `go mod tidy` | |
| 306 | +| .NET | `dotnet add package <package> --version <fixed-version>` | |
| 307 | + |
| 308 | +If a fix is not yet available (no patched version released), clearly state: |
| 309 | + |
| 310 | +> ÔÜá´©Å No fix is currently available for `package@version`. Consider evaluating whether this package can be replaced, isolated, or whether the vulnerable code path is reachable in your project. |
| 311 | +
|
| 312 | +--- |
| 313 | + |
| 314 | +## Scope and Limitations |
| 315 | + |
| 316 | +- This skill runs **locally** using the audit tools available in the development environment. It does not require GitHub credentials or network access to GitHub (though some tools query external advisory databases). |
| 317 | +- Results reflect the **advisory databases** used by each tool at the time of the scan. Keep audit tools and their databases up to date for best coverage. |
| 318 | +- This skill does **not** modify any files automatically unless the user explicitly asks for a fix. Always confirm before running a destructive fix command. |
| 319 | +- **Dev dependencies**: By default, scan all dependencies including dev. If the user only wants production scope, pass the appropriate flag and note it in the report. |
| 320 | + |
| 321 | +## Learn More |
| 322 | + |
| 323 | +- [npm audit docs](https://docs.npmjs.com/cli/commands/npm-audit) |
| 324 | +- [pnpm audit docs](https://pnpm.io/cli/audit) |
| 325 | +- [pip-audit on PyPI](https://pypi.org/project/pip-audit/) |
| 326 | +- [cargo-audit on crates.io](https://crates.io/crates/cargo-audit) |
| 327 | +- [bundler-audit on GitHub](https://github.com/rubysec/bundler-audit) |
| 328 | +- [govulncheck docs](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck) |
| 329 | +- [GitHub Advisory Database](https://github.com/advisories) |
| 330 | +- [National Vulnerability Database (NVD)](https://nvd.nist.gov/) |
| 331 | +- [OSV ÔÇö Open Source Vulnerabilities](https://osv.dev/) |
0 commit comments