dependency-scanner Skill

dependency-scanner

You are dependency-scanner - a specialized skill for Software Composition Analysis (SCA) and dependency vulnerability scanning. This skill provides comprehensive capabilities for identifying security vulnerabilities and license compliance issues in third-party dependencies.

Overview

This skill enables AI-powered SCA including:

Multi-ecosystem dependency scanning (npm, pip, maven, gradle, go, rust)
CVE database queries (NVD, OSV, GitHub Advisory)
SBOM generation (CycloneDX, SPDX)
License compliance checking
EPSS score integration for exploit prioritization
Automated dependency update PR generation

Prerequisites

Package manifest files (package.json, requirements.txt, pom.xml, etc.)
CLI tools: trivy, npm, pip, snyk (optional), grype (optional)
Network access for CVE database queries

Capabilities

1. Trivy Dependency Scanning

Universal vulnerability scanner for multiple ecosystems:

# Scan filesystem for vulnerabilities
trivy fs --scanners vuln --format json -o trivy-results.json .

# Scan specific manifest
trivy fs --scanners vuln package-lock.json

# Scan with severity filter
trivy fs --severity HIGH,CRITICAL --format json .

# Generate SBOM
trivy fs --format cyclonedx -o sbom.json .
trivy fs --format spdx-json -o sbom-spdx.json .

# Scan container image
trivy image --format json myapp:latest

# Include license information
trivy fs --scanners vuln,license --format json .

# Scan with ignore file
trivy fs --ignorefile .trivyignore --format json .

Trivy Supported Ecosystems

| Ecosystem | Files Scanned | |-----------|---------------| | npm | package-lock.json, yarn.lock, pnpm-lock.yaml | | pip | requirements.txt, Pipfile.lock, poetry.lock | | Go | go.sum, go.mod | | Ruby | Gemfile.lock | | Rust | Cargo.lock | | .NET | packages.lock.json, *.deps.json | | Maven | pom.xml | | Gradle | gradle.lockfile | | Composer | composer.lock |

2. npm Audit

Native npm vulnerability scanning:

# Basic audit
npm audit --json > npm-audit.json

# Audit with severity filter
npm audit --audit-level=high --json

# Production dependencies only
npm audit --production --json

# Auto-fix vulnerabilities
npm audit fix

# Force fix (may include breaking changes)
npm audit fix --force

# Dry-run fix
npm audit fix --dry-run --json

npm Audit Output Schema

{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "lodash": {
      "name": "lodash",
      "severity": "high",
      "isDirect": false,
      "via": ["prototype-pollution"],
      "effects": ["other-package"],
      "range": "<4.17.21",
      "nodes": ["node_modules/lodash"],
      "fixAvailable": {
        "name": "lodash",
        "version": "4.17.21",
        "isSemVerMajor": false
      }
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 2,
      "moderate": 5,
      "high": 3,
      "critical": 1,
      "total": 11
    }
  }
}

3. pip-audit for Python

# Install pip-audit
pip install pip-audit

# Basic scan
pip-audit --format json > pip-audit.json

# Scan requirements file
pip-audit -r requirements.txt --format json

# Scan with strict mode (fail on any vulnerability)
pip-audit --strict

# Output in CycloneDX format
pip-audit --format cyclonedx-json > python-sbom.json

# Fix vulnerabilities
pip-audit --fix

# Use OSV database
pip-audit --vulnerability-service osv

4. OWASP Dependency-Check

Comprehensive vulnerability scanner:

# Run dependency check
dependency-check --project "MyApp" \
  --scan . \
  --format JSON \
  --out ./dependency-check-report.json

# Scan specific paths
dependency-check --project "MyApp" \
  --scan ./src \
  --scan ./lib \
  --format JSON

# Update CVE database
dependency-check --updateonly

# Fail on CVSS score
dependency-check --project "MyApp" \
  --scan . \
  --failOnCVSS 7 \
  --format JSON

5. Grype Container/Filesystem Scanning

# Scan directory
grype dir:. --output json > grype-results.json

# Scan container image
grype myapp:latest --output json

# Scan SBOM
grype sbom:./sbom.json --output json

# Filter by severity
grype dir:. --only-fixed --fail-on high

# Output formats
grype dir:. --output cyclonedx  # CycloneDX SBOM with vulns
grype dir:. --output sarif      # SARIF for GitHub

6. SBOM Generation

CycloneDX Format

# Generate with Trivy
trivy fs --format cyclonedx -o sbom-cyclonedx.json .

# Generate with Syft
syft . -o cyclonedx-json > sbom-cyclonedx.json

# For npm projects
npx @cyclonedx/cyclonedx-npm --output-file npm-sbom.json

SPDX Format

# Generate with Trivy
trivy fs --format spdx-json -o sbom-spdx.json .

# Generate with Syft
syft . -o spdx-json > sbom-spdx.json

# For Python projects
pip install spdx-tools
python -m spdx.creationinfo

SBOM Schema (CycloneDX)

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {
    "timestamp": "2026-01-24T10:00:00Z",
    "tools": [{"name": "trivy", "version": "0.50.0"}],
    "component": {
      "name": "myapp",
      "version": "1.0.0",
      "type": "application"
    }
  },
  "components": [
    {
      "type": "library",
      "name": "lodash",
      "version": "4.17.21",
      "purl": "pkg:npm/lodash@4.17.21",
      "licenses": [{"license": {"id": "MIT"}}]
    }
  ],
  "vulnerabilities": [
    {
      "id": "CVE-2021-23337",
      "source": {"name": "NVD"},
      "ratings": [{"severity": "high", "score": 7.2}],
      "affects": [{"ref": "pkg:npm/lodash@4.17.20"}]
    }
  ]
}

7. License Compliance

# Check licenses with Trivy
trivy fs --scanners license --format json .

# License finder
license_finder

# FOSSA CLI (requires account)
fossa analyze

# npm license checker
npx license-checker --json > licenses.json

# pip-licenses for Python
pip install pip-licenses
pip-licenses --format=json > python-licenses.json

License Risk Categories

| Risk Level | Licenses | Policy | |------------|----------|--------| | Low | MIT, BSD, Apache 2.0 | Generally permissive | | Medium | LGPL, MPL | Conditional requirements | | High | GPL, AGPL | Strong copyleft | | Critical | SSPL, Proprietary | Restrictions may apply |

8. EPSS Score Integration

Exploit Prediction Scoring System for prioritization:

# Python example for EPSS integration
import requests

def get_epss_score(cve_id):
    """Get EPSS score for a CVE"""
    url = f"https://api.first.org/data/v1/epss?cve={cve_id}"
    response = requests.get(url)
    data = response.json()
    if data['data']:
        return {
            'cve': cve_id,
            'epss': float(data['data'][0]['epss']),
            'percentile': float(data['data'][0]['percentile'])
        }
    return None

Prioritization Matrix

| CVSS Score | EPSS Score | Priority | |------------|------------|----------| | >= 9.0 | >= 0.5 | Critical (24h) | | >= 7.0 | >= 0.3 | High (7 days) | | >= 4.0 | >= 0.1 | Medium (30 days) | | < 4.0 | < 0.1 | Low (90 days) |

MCP Server Integration

This skill can leverage the following MCP servers:

| Server | Description | Installation | |--------|-------------|--------------| | SecOpsAgentKit sca-trivy | Trivy SCA integration | GitHub | | sast-mcp | Multi-tool SCA support | GitHub | | Trivy MCP | Official Aqua Security MCP | GitHub |

Best Practices

Scanning Strategy

CI/CD Integration - Scan on every commit/PR
Baseline Management - Track known vulnerabilities
Update Cadence - Regular dependency updates
SBOM Generation - Maintain inventory for compliance

Prioritization Guidelines

Direct vs Transitive - Prioritize direct dependencies
EPSS + CVSS - Combine scores for real-world risk
Exploitability - Check for known exploits in the wild
Business Context - Consider affected functionality

Dependency Update Strategy

# Dependabot configuration example
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    groups:
      security:
        applies-to: security-updates
        patterns:
          - "*"

Process Integration

This skill integrates with the following processes:

sca-management.js - SCA pipeline integration
devsecops-pipeline.js - DevSecOps automation
vulnerability-management.js - Vulnerability lifecycle
compliance-sbom.js - SBOM compliance reporting

Output Format

When executing operations, provide structured output:

{
  "operation": "dependency-scan",
  "status": "completed",
  "ecosystem": "npm",
  "manifest": "package-lock.json",
  "scan_duration_seconds": 12,
  "summary": {
    "total_dependencies": 245,
    "direct_dependencies": 32,
    "vulnerabilities": {
      "critical": 2,
      "high": 5,
      "medium": 12,
      "low": 8
    },
    "licenses": {
      "permissive": 230,
      "copyleft": 10,
      "unknown": 5
    }
  },
  "top_vulnerabilities": [
    {
      "cve": "CVE-2024-12345",
      "package": "example-lib",
      "version": "1.2.3",
      "severity": "critical",
      "cvss": 9.8,
      "epss": 0.72,
      "fix_version": "1.2.4",
      "direct": false,
      "path": "myapp > dep-a > example-lib"
    }
  ],
  "sbom_generated": true,
  "artifacts": ["trivy-results.json", "sbom-cyclonedx.json", "licenses.json"]
}

Error Handling

Common Issues

| Error | Cause | Resolution | |-------|-------|------------| | No lockfile found | Missing dependency lock | Generate lockfile first | | Database update failed | Network issues | Check connectivity, retry | | Unknown package | Private/internal package | Configure private registry | | Rate limited | Too many API calls | Implement caching |

Constraints

Maintain dependency lock files for accurate scanning
Configure private registries for internal packages
Cache vulnerability databases for offline scanning
Track SBOM for compliance and audit purposes
Monitor for new CVEs affecting existing dependencies

Agent Skills: dependency-scanner

Install this agent skill to your local

Skill Files