Skip to content

Commit 8bd1179

Browse files
MabCloudCopilot
andcommitted
feat: add dependency-scanning skill for CVE/vulnerability detection
Add a new skill under plugins/advanced-security/skills/dependency-scanning/ that guides agents through scanning project dependencies for known CVEs and security vulnerabilities using ecosystem-native audit tools. Supported ecosystems: - JavaScript: npm audit, yarn audit (v1 and Berry v2+), pnpm audit - Python: pip-audit - Rust: cargo audit - Ruby: bundler-audit - Go: govulncheck - .NET: dotnet list package --vulnerable The skill covers auto-detection of ecosystems via lock files, running the appropriate audit command with JSON output, presenting findings grouped by severity (critical -> high -> moderate -> low), and providing per-ecosystem remediation commands. Also fixes marketplace.json: spark plugin was referencing ./skills/spark which does not exist; the correct path is ./skills/spark-app-template. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent 6fe19e8 commit 8bd1179

3 files changed

Lines changed: 395 additions & 2 deletions

File tree

.github/plugin/marketplace.json

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -33,7 +33,8 @@
3333
"description": "Advanced Security plugin for GitHub Copilot.",
3434
"version": "1.0.0",
3535
"skills": [
36-
"./skills/secret-scanning"
36+
"./skills/secret-scanning",
37+
"./skills/dependency-scanning"
3738
]
3839
}
3940
]

plugins/advanced-security/README.md

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,14 +4,19 @@ Security-focused plugin that brings GitHub Advanced Security capabilities into A
44

55
## What it does
66

7-
Advanced Security helps agents identify and prevent credential exposure during development by:
7+
Advanced Security helps agents identify and prevent security risks during development by:
88

99
- Scanning code snippets, files, and git changes for potential secrets
1010
- Using GitHub secret detection patterns through MCP tooling
1111
- Supporting pre-commit checks to catch leaked credentials early
12+
- Auditing project dependencies for known CVEs and security advisories across multiple ecosystems
1213

1314
## Skills
1415

1516
### `secret-scanning`
1617

1718
Activated when a user asks to check code, files, or git changes for exposed credentials. Uses the `run_secret_scanning` MCP tool to scan content for potential secrets before code is committed.
19+
20+
### `dependency-scanning`
21+
22+
Activated when a user asks to audit dependencies, check for known vulnerabilities, or find CVEs in project packages. Automatically detects the package manager in use (npm, Yarn, pnpm, pip, Cargo, bundler, Go modules, or .NET) and runs the appropriate native audit tool to surface vulnerable packages with severity levels and remediation guidance.

0 commit comments

Comments
 (0)