Skip to content

Commit 1db9331

Browse files
MabCloudCopilot
andcommitted
feat: add dependency-scanning skill for CVE/vulnerability detection
Add a new skill under plugins/advanced-security/skills/dependency-scanning/ that guides agents through scanning project dependencies for known CVEs and security vulnerabilities using ecosystem-native audit tools. Supported ecosystems: - JavaScript: npm audit, yarn audit (v1 and Berry v2+), pnpm audit - Python: pip-audit - Rust: cargo audit - Ruby: bundler-audit - Go: govulncheck - .NET: dotnet list package --vulnerable The skill covers auto-detection of ecosystems via lock files, running the appropriate audit command with JSON output, presenting findings grouped by severity (critical -> high -> moderate -> low), and providing per-ecosystem remediation commands. Also fixes marketplace.json: spark plugin was referencing ./skills/spark which does not exist; the correct path is ./skills/spark-app-template. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent 6fe19e8 commit 1db9331

3 files changed

Lines changed: 340 additions & 3 deletions

File tree

.github/plugin/marketplace.json

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -24,7 +24,7 @@
2424
"description": "Spark plugin for GitHub Copilot.",
2525
"version": "1.0.0",
2626
"skills": [
27-
"./skills/spark"
27+
"./skills/spark-app-template"
2828
]
2929
},
3030
{
@@ -33,7 +33,8 @@
3333
"description": "Advanced Security plugin for GitHub Copilot.",
3434
"version": "1.0.0",
3535
"skills": [
36-
"./skills/secret-scanning"
36+
"./skills/secret-scanning",
37+
"./skills/dependency-scanning"
3738
]
3839
}
3940
]

plugins/advanced-security/README.md

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,14 +4,19 @@ Security-focused plugin that brings GitHub Advanced Security capabilities into A
44

55
## What it does
66

7-
Advanced Security helps agents identify and prevent credential exposure during development by:
7+
Advanced Security helps agents identify and prevent security risks during development by:
88

99
- Scanning code snippets, files, and git changes for potential secrets
1010
- Using GitHub secret detection patterns through MCP tooling
1111
- Supporting pre-commit checks to catch leaked credentials early
12+
- Auditing project dependencies for known CVEs and security advisories across multiple ecosystems
1213

1314
## Skills
1415

1516
### `secret-scanning`
1617

1718
Activated when a user asks to check code, files, or git changes for exposed credentials. Uses the `run_secret_scanning` MCP tool to scan content for potential secrets before code is committed.
19+
20+
### `dependency-scanning`
21+
22+
Activated when a user asks to audit dependencies, check for known vulnerabilities, or find CVEs in project packages. Automatically detects the package manager in use (npm, Yarn, pnpm, pip, Cargo, bundler, Go modules, or .NET) and runs the appropriate native audit tool to surface vulnerable packages with severity levels and remediation guidance.
Lines changed: 331 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,331 @@
1+
---
2+
name: dependency-scanning
3+
description: Scan project dependencies for known CVEs and security vulnerabilities using ecosystem-native audit tools (npm audit, yarn audit, pnpm audit, pip-audit, cargo audit, govulncheck, bundler-audit, dotnet list package).
4+
metadata:
5+
agents:
6+
supported:
7+
- GitHub Copilot Coding Agent
8+
- Cursor
9+
- Codex
10+
- Claude Code
11+
allowed-tools: Bash Glob Read
12+
---
13+
14+
# Dependency Scanning Skill
15+
16+
## Overview
17+
18+
This skill detects known CVEs and security vulnerabilities in project dependencies by running the audit tool native to each package ecosystem. It supports JavaScript, Python, Rust, Ruby, Go, and .NET projects ÔÇö including multi-ecosystem monorepos.
19+
20+
### What counts as a vulnerable dependency?
21+
22+
A dependency is flagged when it has a publicly disclosed vulnerability that is catalogued in a security advisory database (the National Vulnerability Database, GitHub Advisory Database, OSV, RustSec Advisory Database, etc.).
23+
24+
Treat these as actionable findings:
25+
26+
- **Critical / High severity**: Actively exploitable vulnerabilities, remote code execution, privilege escalation. Prioritise these.
27+
- **Moderate severity**: Vulnerabilities with limited exploitability, denial-of-service, or that require specific preconditions.
28+
- **Low / Informational severity**: Minor issues, speculative attack vectors, or things requiring local access. Still worth reviewing but lower urgency.
29+
30+
Not every flagged package represents actual risk to the project. Context matters:
31+
32+
- A vulnerability in a **dev-only** dependency that never runs in production carries much lower risk.
33+
- A vulnerability requiring **specific user input or environment conditions** may not be reachable in the current application.
34+
- Some advisories are **disputed or already mitigated** upstream ÔÇö check the advisory link before escalating.
35+
36+
### Why this is important
37+
38+
Supply-chain attacks and dependency vulnerabilities are one of the most common entry points for security incidents. Running a dependency audit regularly ÔÇö and especially before releases ÔÇö helps catch known bad versions early, when the fix is simply upgrading a package.
39+
40+
**Important**: Only run this skill when the user explicitly asks to scan dependencies or check for vulnerabilities. Do not trigger it as part of unrelated general workflows.
41+
42+
## Ecosystem Support
43+
44+
| Ecosystem | Lock / manifest file(s) | Audit tool | Availability |
45+
| ---------------- | ------------------------------------------------------------- | ----------------------- | ---------------------------------- |
46+
| npm | `package-lock.json`, `npm-shrinkwrap.json` | `npm audit` | Built-in (npm  6) |
47+
| Yarn Classic (v1) | `yarn.lock` (no `.yarnrc.yml`) | `yarn audit` | Built-in |
48+
| Yarn Berry (v2+) | `yarn.lock` + `.yarnrc.yml` | `yarn npm audit` | Built-in |
49+
| pnpm | `pnpm-lock.yaml` | `pnpm audit` | Built-in |
50+
| Python | `Pipfile.lock`, `pyproject.toml`, `requirements*.txt` | `pip-audit` | Install: `pip install pip-audit` |
51+
| Rust | `Cargo.lock` | `cargo audit` | Install: `cargo install cargo-audit` |
52+
| Ruby | `Gemfile.lock` | `bundler-audit` | Install: `gem install bundler-audit` |
53+
| Go | `go.sum` | `govulncheck` | Install: `go install golang.org/x/vuln/cmd/govulncheck@latest` |
54+
| .NET | `*.csproj`, `*.sln`, `packages.config` | `dotnet list package` | Built-in (.NET SDK  6) |
55+
56+
## Common Scenarios
57+
58+
| User goal | How to respond |
59+
| --------------------------------------------------- | ----------------------------------------------------------------- |
60+
| "Scan my project for vulnerabilities" | Auto-detect ecosystem(s), run audit, report findings |
61+
| "Check npm dependencies for CVEs" | Run `npm audit --json`, parse and report |
62+
| "Are there any critical vulnerabilities?" | Run audit, filter for critical/high severity, surface those first |
63+
| "How do I fix the vulnerabilities you found?" | Show the fix command (e.g. `npm audit fix`) per finding |
64+
| "Scan only production dependencies" | Pass `--production` / `--prod` flag where supported |
65+
66+
## Detecting the Ecosystem
67+
68+
Before running any audit, use `Glob` to identify which ecosystems are present. A project may have multiple.
69+
70+
```
71+
Detection order (check all, not just the first match):
72+
1. package-lock.json or npm-shrinkwrap.json  npm
73+
2. yarn.lock + .yarnrc.yml present  Yarn Berry (v2+): yarn npm audit
74+
yarn.lock without .yarnrc.yml  Yarn Classic (v1): yarn audit
75+
3. pnpm-lock.yaml  pnpm
76+
4. Cargo.lock  cargo audit
77+
5. Gemfile.lock  bundler-audit
78+
6. go.sum  govulncheck
79+
7. Pipfile.lock / pyproject.toml / requirements*.txt  pip-audit
80+
8. *.csproj / *.sln / packages.config  dotnet list package --vulnerable
81+
```
82+
83+
If multiple ecosystems are detected, run each audit in turn and aggregate the results. Monorepos with workspaces are common ÔÇö run from the relevant workspace root if applicable.
84+
85+
## Running the Audit
86+
87+
### JavaScript ÔÇö npm
88+
89+
```bash
90+
npm audit --json 2>/dev/null
91+
```
92+
93+
To auto-fix non-breaking upgrades:
94+
95+
```bash
96+
npm audit fix
97+
```
98+
99+
To fix breaking upgrades (bumps major versions ÔÇö review carefully):
100+
101+
```bash
102+
npm audit fix --force
103+
```
104+
105+
To scan production dependencies only:
106+
107+
```bash
108+
npm audit --json --production 2>/dev/null
109+
```
110+
111+
### JavaScript ÔÇö Yarn Classic (v1)
112+
113+
```bash
114+
yarn audit --json 2>/dev/null
115+
```
116+
117+
Yarn v1 does not have an automatic fix command; fix by upgrading specific packages in `package.json`.
118+
119+
### JavaScript ÔÇö Yarn Berry (v2+)
120+
121+
```bash
122+
yarn npm audit --json 2>/dev/null
123+
```
124+
125+
### JavaScript ÔÇö pnpm
126+
127+
```bash
128+
pnpm audit --json 2>/dev/null
129+
```
130+
131+
To fix:
132+
133+
```bash
134+
pnpm audit --fix
135+
```
136+
137+
To scan production dependencies only:
138+
139+
```bash
140+
pnpm audit --json --prod 2>/dev/null
141+
```
142+
143+
### Python ÔÇö pip-audit
144+
145+
```bash
146+
pip-audit -f json 2>/dev/null
147+
```
148+
149+
If `pip-audit` is not installed, inform the user:
150+
151+
> `pip-audit` is not installed. Install it with: `pip install pip-audit`
152+
153+
To scan a specific requirements file:
154+
155+
```bash
156+
pip-audit -f json -r requirements.txt 2>/dev/null
157+
```
158+
159+
### Rust ÔÇö cargo audit
160+
161+
```bash
162+
cargo audit --json 2>/dev/null
163+
```
164+
165+
If `cargo audit` is not installed, inform the user:
166+
167+
> `cargo audit` is not installed. Install it with: `cargo install cargo-audit`
168+
169+
To fix (updates `Cargo.toml` where possible):
170+
171+
```bash
172+
cargo audit fix
173+
```
174+
175+
### Ruby ÔÇö bundler-audit
176+
177+
First update the advisory database, then scan:
178+
179+
```bash
180+
bundler-audit update && bundler-audit check --format json 2>/dev/null
181+
```
182+
183+
If `bundler-audit` is not installed, inform the user:
184+
185+
> `bundler-audit` is not installed. Install it with: `gem install bundler-audit`
186+
187+
### Go ÔÇö govulncheck
188+
189+
```bash
190+
govulncheck -json ./... 2>/dev/null
191+
```
192+
193+
If `govulncheck` is not installed, inform the user:
194+
195+
> `govulncheck` is not installed. Install it with: `go install golang.org/x/vuln/cmd/govulncheck@latest`
196+
197+
### .NET ÔÇö dotnet list package
198+
199+
```bash
200+
dotnet list package --vulnerable 2>/dev/null
201+
```
202+
203+
For JSON output (.NET SDK  8):
204+
205+
```bash
206+
dotnet list package --vulnerable --format json 2>/dev/null
207+
```
208+
209+
---
210+
211+
## Presenting Results
212+
213+
Structure your report clearly. Lead with a summary, then detail each finding.
214+
215+
### Summary line (always show)
216+
217+
```
218+
­ƒöì Dependency scan complete ÔÇö X vulnerabilities found (A critical, B high, C moderate, D low)
219+
```
220+
221+
If nothing is found:
222+
223+
```
224+
 No known vulnerabilities found in your dependencies.
225+
```
226+
227+
### Per-finding format
228+
229+
For each vulnerability, show:
230+
231+
```
232+
[SEVERITY] package-name@affected-version
233+
CVE: CVE-YYYY-NNNNN (or advisory ID)
234+
Description: <one-line summary>
235+
Fix: Upgrade to package-name@fixed-version
236+
Advisory: <URL if available>
237+
```
238+
239+
### Severity ordering
240+
241+
Always present findings in this order: **Critical  High  Moderate  Low  Informational**
242+
243+
### Example output (npm)
244+
245+
```
246+
­ƒöì Dependency scan complete ÔÇö 3 vulnerabilities found (1 critical, 1 high, 1 moderate)
247+
248+
[CRITICAL] lodash@4.17.15
249+
CVE: CVE-2021-23337
250+
Description: Command injection via template
251+
Fix: npm audit fix (upgrades to lodash@4.17.21)
252+
Advisory: https://github.com/advisories/GHSA-35jh-r3h4-6jhm
253+
254+
[HIGH] axios@0.21.0
255+
CVE: CVE-2021-3749
256+
Description: Inefficient regular expression complexity
257+
Fix: npm audit fix (upgrades to axios@0.21.2)
258+
Advisory: https://github.com/advisories/GHSA-cph5-m8f7-6c5x
259+
260+
[MODERATE] glob-parent@3.1.0
261+
CVE: CVE-2020-28469
262+
Description: Regular expression denial of service
263+
Fix: npm audit fix (upgrades to glob-parent@5.1.2)
264+
Advisory: https://github.com/advisories/GHSA-ww39-953v-wcq6
265+
266+
­ƒÆí Run `npm audit fix` to automatically resolve all 3 issues.
267+
```
268+
269+
### Example output (no vulnerabilities)
270+
271+
```
272+
 No known vulnerabilities found in your npm dependencies.
273+
Scanned: 312 packages (189 direct, 123 transitive)
274+
```
275+
276+
---
277+
278+
## Handling Errors and Edge Cases
279+
280+
| Situation | What to do |
281+
| ------------------------------------------------------ | ------------------------------------------------------------------------------------------------ |
282+
| Audit tool not installed | Inform the user and provide the install command. Do not silently skip. |
283+
| No lock file found | Inform the user: "No lock file detected. Run the package manager install command first." |
284+
| `npm audit` returns exit code 1 (vulnerabilities exist)| This is expected ÔÇö parse the JSON output normally. |
285+
| Network error / registry unreachable | Report the error and suggest retrying or checking connectivity. |
286+
| Production-only scan requested | Use `--production` / `--prod` flags where supported; note in the report which scope was scanned. |
287+
| `yarn audit` exits non-zero even with no issues | Check the JSON output; a non-zero exit alone is not sufficient to indicate vulnerabilities. |
288+
| `govulncheck` output references only stdlib | Mention that no third-party vulnerabilities were found but stdlib entries exist. |
289+
290+
---
291+
292+
## Remediation Guidance
293+
294+
After reporting findings, always include the appropriate fix command(s):
295+
296+
| Ecosystem | Fix command |
297+
| ---------------- | ------------------------------------------------------------------------- |
298+
| npm | `npm audit fix` (or `npm audit fix --force` for breaking changes) |
299+
| Yarn Classic | Manually update `package.json` and re-run `yarn install` |
300+
| Yarn Berry | `yarn up <package>` |
301+
| pnpm | `pnpm audit --fix` or `pnpm update <package>` |
302+
| Python | `pip install --upgrade <package>` |
303+
| Rust | `cargo update <package>` or `cargo audit fix` |
304+
| Ruby | `bundle update <gem>` |
305+
| Go | `go get <module>@<fixed-version>` + `go mod tidy` |
306+
| .NET | `dotnet add package <package> --version <fixed-version>` |
307+
308+
If a fix is not yet available (no patched version released), clearly state:
309+
310+
> ÔÜá´©Å No fix is currently available for `package@version`. Consider evaluating whether this package can be replaced, isolated, or whether the vulnerable code path is reachable in your project.
311+
312+
---
313+
314+
## Scope and Limitations
315+
316+
- This skill runs **locally** using the audit tools available in the development environment. It does not require GitHub credentials or network access to GitHub (though some tools query external advisory databases).
317+
- Results reflect the **advisory databases** used by each tool at the time of the scan. Keep audit tools and their databases up to date for best coverage.
318+
- This skill does **not** modify any files automatically unless the user explicitly asks for a fix. Always confirm before running a destructive fix command.
319+
- **Dev dependencies**: By default, scan all dependencies including dev. If the user only wants production scope, pass the appropriate flag and note it in the report.
320+
321+
## Learn More
322+
323+
- [npm audit docs](https://docs.npmjs.com/cli/commands/npm-audit)
324+
- [pnpm audit docs](https://pnpm.io/cli/audit)
325+
- [pip-audit on PyPI](https://pypi.org/project/pip-audit/)
326+
- [cargo-audit on crates.io](https://crates.io/crates/cargo-audit)
327+
- [bundler-audit on GitHub](https://github.com/rubysec/bundler-audit)
328+
- [govulncheck docs](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck)
329+
- [GitHub Advisory Database](https://github.com/advisories)
330+
- [National Vulnerability Database (NVD)](https://nvd.nist.gov/)
331+
- [OSV ÔÇö Open Source Vulnerabilities](https://osv.dev/)

0 commit comments

Comments
 (0)