Vulnerability Scanner Skill
Performs comprehensive security vulnerability scanning for dependencies and code, integrating with CVE databases and security platforms to identify, assess, and prioritize security risks for migration planning.
Purpose
Enable comprehensive security vulnerability detection for:
- CVE database checking for known vulnerabilities
- Severity assessment and prioritization
- Exploitability analysis
- Patch availability checking
- Transitive vulnerability chain mapping
- Risk scoring and remediation guidance
Capabilities
1. CVE Database Checking
- Query NVD (National Vulnerability Database)
- Check GitHub Advisory Database
- Query vendor-specific advisory databases
- Cross-reference multiple CVE sources
- Track CVE publication dates and updates
2. Severity Assessment
- CVSS (Common Vulnerability Scoring System) scoring
- Severity categorization (Critical, High, Medium, Low)
- Environmental score adjustments
- Temporal score analysis
- Impact assessment
3. Exploitability Analysis
- Check for known exploits in the wild
- Assess attack vector complexity
- Evaluate privileges required
- Analyze user interaction requirements
- Track exploit maturity level
4. Patch Availability Checking
- Identify available patches and fixes
- Check for security advisories
- Find upgrade paths to secure versions
- Track vendor patch timelines
- Monitor backport availability
5. Transitive Vulnerability Chain Mapping
- Map vulnerability paths through dependency trees
- Identify all affected dependency chains
- Calculate exposure scope
- Prioritize based on path depth
- Recommend targeted remediations
6. Risk Scoring
- Calculate composite risk scores
- Factor in business context
- Assess exposure likelihood
- Evaluate potential impact
- Generate prioritized remediation lists
Tool Integrations
This skill can leverage the following external tools when available:
| Tool | Purpose | Integration Method | |------|---------|-------------------| | Snyk | Comprehensive vulnerability scanning | CLI / API | | npm audit | Node.js vulnerability scanning | CLI | | OWASP Dependency-Check | Cross-platform scanning | CLI | | Trivy | Container and filesystem scanning | MCP Server / CLI | | Grype | Vulnerability scanner | CLI | | GitHub Dependabot | Advisory checking | API | | OSV Scanner | Google's vulnerability scanner | CLI | | Semgrep | SAST with security rules | CLI | | MCP-Scan | MCP server security | Tool |
Usage
Basic Scanning
# Invoke skill for vulnerability scanning
# The skill will scan dependencies and optionally code
# Expected inputs:
# - targetPath: Path to project root
# - scanScope: 'dependencies' | 'code' | 'full'
# - severityThreshold: 'critical' | 'high' | 'medium' | 'low'
# - outputFormat: 'json' | 'sarif' | 'markdown'
Scanning Workflow
-
Discovery Phase
- Identify package managers and dependency files
- Detect codebase languages
- Check for existing security configurations
-
Dependency Scanning
- Extract dependency information
- Query vulnerability databases
- Map vulnerabilities to dependencies
-
Code Scanning (Optional)
- Run SAST analysis
- Check for security anti-patterns
- Identify hardcoded secrets
-
Analysis Phase
- Calculate severity scores
- Assess exploitability
- Check patch availability
- Map transitive chains
-
Report Generation
- Generate prioritized vulnerability list
- Provide remediation guidance
- Create compliance reports
Output Schema
{
"scanId": "string",
"timestamp": "ISO8601",
"target": {
"path": "string",
"packageManagers": ["string"],
"languages": ["string"]
},
"summary": {
"totalVulnerabilities": "number",
"critical": "number",
"high": "number",
"medium": "number",
"low": "number",
"fixable": "number",
"riskScore": "number (0-100)"
},
"vulnerabilities": [
{
"id": "string (CVE-XXXX-XXXXX)",
"title": "string",
"description": "string",
"severity": "critical|high|medium|low",
"cvss": {
"score": "number",
"vector": "string",
"version": "string"
},
"package": {
"name": "string",
"version": "string",
"ecosystem": "string"
},
"affectedVersions": "string",
"fixedVersions": "string",
"patchAvailable": "boolean",
"exploitability": {
"hasKnownExploit": "boolean",
"exploitMaturity": "string",
"attackVector": "string"
},
"dependencyPath": ["string"],
"references": ["string"],
"remediation": {
"recommendation": "string",
"upgradeTarget": "string",
"alternativePackages": ["string"]
}
}
],
"securityIssues": [
{
"type": "string",
"severity": "string",
"file": "string",
"line": "number",
"description": "string",
"cwe": "string",
"recommendation": "string"
}
],
"compliance": {
"passesPolicy": "boolean",
"violations": ["string"],
"waivers": ["string"]
}
}
Integration with Migration Processes
This skill integrates with the following Code Migration/Modernization processes:
- dependency-analysis-updates: Security assessment of dependencies
- security-remediation-migration: Primary tool for security fixes
- cloud-migration: Security compliance for cloud deployment
- legacy-codebase-assessment: Security posture evaluation
Configuration
Skill Configuration File
Create .vulnerability-scanner.json in the project root:
{
"scanScope": "full",
"severityThreshold": "medium",
"failOnSeverity": "critical",
"databases": ["nvd", "ghsa", "osv"],
"excludeVulnerabilities": [],
"waivers": [
{
"id": "CVE-2021-12345",
"reason": "Not exploitable in our context",
"expiresAt": "2026-06-01"
}
],
"policy": {
"maxCritical": 0,
"maxHigh": 5,
"requirePatchWithin": {
"critical": "7d",
"high": "30d",
"medium": "90d"
}
},
"reporting": {
"formats": ["json", "sarif", "markdown"],
"outputDir": "./security-report"
}
}
MCP Server Integration
When MCP-Scan is available:
// Example MCP security scan
{
"tool": "mcp_scan_security",
"arguments": {
"target": "./",
"checks": ["toolPoisoning", "piiDetection", "promptInjection"]
}
}
When Trivy is available:
// Example Trivy vulnerability scan
{
"tool": "trivy_scan",
"arguments": {
"target": "./",
"scanners": ["vuln", "secret"],
"severity": "CRITICAL,HIGH"
}
}
Vulnerability Databases
Supported Databases
| Database | Coverage | Update Frequency | |----------|----------|------------------| | NVD | All CVEs | Hourly | | GitHub Advisory | Open source packages | Real-time | | OSV | Multi-ecosystem | Real-time | | Snyk DB | Proprietary enrichment | Real-time | | npm Advisory | Node.js packages | Real-time | | RustSec | Rust packages | Real-time |
Database Priority
- GitHub Advisory Database (most accurate for open source)
- NVD (comprehensive, standardized)
- OSV (aggregated, multi-ecosystem)
- Vendor-specific (ecosystem-specific details)
Severity Classification
CVSS v3.x Mapping
| CVSS Score | Severity | Action Required | |------------|----------|-----------------| | 9.0 - 10.0 | Critical | Immediate remediation | | 7.0 - 8.9 | High | Priority remediation | | 4.0 - 6.9 | Medium | Scheduled remediation | | 0.1 - 3.9 | Low | Monitor and plan |
Risk Prioritization Factors
- Severity Score: Base CVSS score
- Exploitability: Known exploits in the wild
- Exposure: Internet-facing vs internal
- Dependency Depth: Direct vs transitive
- Fix Availability: Patch/upgrade available
Best Practices
- Regular Scanning: Integrate into CI/CD pipelines
- Policy Enforcement: Define and enforce security policies
- Waiver Management: Document and review waivers regularly
- Prioritization: Focus on critical and exploitable vulnerabilities
- Monitoring: Set up alerts for new vulnerabilities
- Remediation Tracking: Track remediation progress over time
Related Skills
dependency-scanner: Dependency inventory and SBOM generationstatic-code-analyzer: Code-level security analysiscompliance-validator: Compliance checking
Related Agents
security-vulnerability-assessor: Uses this skill for security assessmentdependency-modernization-agent: Uses this skill for security updatesmigration-readiness-assessor: Uses this skill for security evaluation