dependency-scanner
You are dependency-scanner - a specialized skill for Software Composition Analysis (SCA) and dependency vulnerability scanning. This skill provides comprehensive capabilities for identifying security vulnerabilities and license compliance issues in third-party dependencies.
Overview
This skill enables AI-powered SCA including:
- Multi-ecosystem dependency scanning (npm, pip, maven, gradle, go, rust)
- CVE database queries (NVD, OSV, GitHub Advisory)
- SBOM generation (CycloneDX, SPDX)
- License compliance checking
- EPSS score integration for exploit prioritization
- Automated dependency update PR generation
Prerequisites
- Package manifest files and, wherever possible, their lockfiles (package-lock.json, requirements.txt, pom.xml, etc.)
- CLI tools: trivy, npm, pip-audit; optionally grype, syft, dependency-check, snyk
- Network access for CVE database queries (or a pre-cached vulnerability database for offline runs)
Capabilities
1. Trivy Dependency Scanning
Universal vulnerability scanner for multiple ecosystems. Note that trivy exits 0 even when it finds vulnerabilities unless --exit-code 1 is given, so a CI gate needs that flag together with --severity:

```bash
# Scan filesystem for vulnerabilities
trivy fs --scanners vuln --format json -o trivy-results.json .

# Scan specific manifest
trivy fs --scanners vuln package-lock.json

# Scan with severity filter
trivy fs --severity HIGH,CRITICAL --format json .

# Generate SBOM
trivy fs --format cyclonedx -o sbom.json .
trivy fs --format spdx-json -o sbom-spdx.json .

# Scan container image
trivy image --format json myapp:latest

# Include license information
trivy fs --scanners vuln,license --format json .

# Scan with ignore file
trivy fs --ignorefile .trivyignore --format json .
```
Trivy Supported Ecosystems
| Ecosystem | Files Scanned |
|---|---|
| npm | package-lock.json, yarn.lock, pnpm-lock.yaml |
| pip | requirements.txt, Pipfile.lock, poetry.lock |
| Go | go.sum, go.mod |
| Ruby | Gemfile.lock |
| Rust | Cargo.lock |
| .NET | packages.lock.json, *.deps.json |
| Maven | pom.xml |
| Gradle | gradle.lockfile |
| Composer | composer.lock |
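Turning the JSON above into a CI decision is where most teams get the details wrong, so here is an added example (not part of this skill or of Trivy) that reads Trivy's v2 JSON schema (Results[].Vulnerabilities[]), applies a severity gate equivalent to --severity HIGH,CRITICAL with --exit-code 1, optionally skips unfixable findings the way --ignore-unfixed does, and honours an ignore list whose entries carry an expiry date so suppressions are re-reviewed instead of living forever. The ignore-file syntax (ID, optional exp:YYYY-MM-DD, # reason) and the helper names are assumptions, and the scan output is constructed; it reuses this page's CVE-2024-12345 placeholder for the finding that has no fix yet.

```python
"""CI gate over Trivy JSON with an expiring ignore list (added example, not Trivy's code)."""
import json
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in Trivy's v2 JSON shape (`trivy fs --format json .`).
# CVE-2021-23337 / CVE-2020-28500 are real lodash advisories fixed in 4.17.21;
# CVE-2024-12345 is the placeholder used elsewhere on this page, here with no fix.
TRIVY_JSON = json.dumps({
    "SchemaVersion": 2, "ArtifactName": ".", "ArtifactType": "filesystem",
    "Results": [
        {"Target": "package-lock.json", "Class": "lang-pkgs", "Type": "npm",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2021-23337", "PkgName": "lodash",
              "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21",
              "Severity": "HIGH", "CVSS": {"nvd": {"V3Score": 7.2}}},
             {"VulnerabilityID": "CVE-2020-28500", "PkgName": "lodash",
              "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21",
              "Severity": "MEDIUM", "CVSS": {"nvd": {"V3Score": 5.3}}},
             {"VulnerabilityID": "CVE-2024-12345", "PkgName": "example-lib",
              "InstalledVersion": "1.2.3", "Severity": "CRITICAL"}]},
        {"Target": "requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": []},
    ],
})

# Constructed ignore file. Hypothetical syntax: ID [exp:YYYY-MM-DD] [# reason]
IGNORE_FILE = """
# accepted risk, tracked in a ticket; expiry forces a re-review
CVE-2021-23337 exp:2030-01-01 # _.template() not used, upgrade blocked by dep-a
CVE-2020-28500 exp:2020-01-01 # expired entry: must not suppress anything
"""
TODAY = date(2026, 1, 24)  # pinned so the example is reproducible


def parse_ignore_file(text, today):
    """Return ({id: reason} for live entries, [ids whose expiry has passed])."""
    active, expired = {}, []
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        fields = body.split()
        if not fields:
            continue  # blank or comment-only line
        vuln_id, expiry = fields[0], None
        for field in fields[1:]:
            if field.startswith("exp:"):
                expiry = date.fromisoformat(field[4:])
        if expiry is not None and expiry < today:
            expired.append(vuln_id)  # report it rather than silently honour it
            continue
        active[vuln_id] = comment.strip()
    return active, expired


def iter_findings(trivy_doc):
    """Flatten Results[].Vulnerabilities[] into (target, ecosystem, vuln) tuples."""
    for result in trivy_doc.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield result["Target"], result.get("Type", ""), vuln


def evaluate_gate(trivy_json, ignore_text, fail_on="HIGH", only_fixed=True, today=TODAY):
    """Fail when any non-ignored finding is at or above `fail_on`.

    only_fixed=True mirrors `trivy --ignore-unfixed`: findings without a fixed
    version are reported separately but do not block, since nobody can act yet.
    """
    doc = json.loads(trivy_json)
    ignored, expired = parse_ignore_file(ignore_text, today)
    threshold = SEVERITY_RANK[fail_on]
    blocking, suppressed, unfixed = [], [], []
    for target, ecosystem, v in iter_findings(doc):
        entry = {"id": v["VulnerabilityID"], "package": v["PkgName"],
                 "installed": v["InstalledVersion"], "fixed": v.get("FixedVersion"),
                 "severity": v["Severity"], "target": target, "ecosystem": ecosystem}
        if entry["id"] in ignored:
            suppressed.append(entry)
        elif SEVERITY_RANK.get(v["Severity"], 0) < threshold:
            continue
        elif only_fixed and not v.get("FixedVersion"):
            unfixed.append(entry)
        else:
            blocking.append(entry)
    return {"pass": not blocking, "blocking": blocking, "suppressed": suppressed,
            "unfixed": unfixed, "expired_ignores": expired}


def run_example():
    """Strict run (unfixed findings count) versus the --ignore-unfixed style run."""
    return (evaluate_gate(TRIVY_JSON, IGNORE_FILE, only_fixed=False),
            evaluate_gate(TRIVY_JSON, IGNORE_FILE, only_fixed=True))


if __name__ == "__main__":
    strict, lenient = run_example()
    print(json.dumps({"strict_pass": strict["pass"], "lenient_pass": lenient["pass"],
                      "expired_ignores": strict["expired_ignores"]}, indent=2))
```

The expired entry for CVE-2020-28500 is surfaced in `expired_ignores` rather than dropped quietly; in a pipeline that list is worth failing on by itself, because an expired suppression means the accepted-risk decision was never revisited.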
2. npm Audit
Native npm vulnerability scanning:
```bash
# Basic audit
npm audit --json > npm-audit.json

# Exit non-zero only for findings at or above the given severity
npm audit --audit-level=high --json

# Production dependencies only (older npm releases use --production)
npm audit --omit=dev --json

# Apply fixes that stay within the existing semver ranges
npm audit fix

# Force fix (may install semver-major versions, i.e. breaking changes)
npm audit fix --force

# Dry-run fix: show what would change without touching the tree
npm audit fix --dry-run --json
```
npm Audit Output Schema
```json
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "lodash": {
      "name": "lodash",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "name": "lodash",
          "dependency": "lodash",
          "title": "Command Injection in lodash",
          "severity": "high",
          "range": "<4.17.21"
        }
      ],
      "effects": ["other-package"],
      "range": "<4.17.21",
      "nodes": ["node_modules/lodash"],
      "fixAvailable": {
        "name": "lodash",
        "version": "4.17.21",
        "isSemVerMajor": false
      }
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 2,
      "moderate": 5,
      "high": 3,
      "critical": 1,
      "total": 11
    }
  }
}
```

In this schema `via` holds advisory objects when the package itself is vulnerable (the real objects also carry source, url, cwe and cvss fields, omitted here) and plain package names when it is only affected through a dependency; `effects` lists the packages that depend on it; `fixAvailable` is false, true, or an object like the one above, and `isSemVerMajor: true` means `npm audit fix` will not apply the fix without --force.
3. pip-audit for Python
```bash
# Install pip-audit
pip install pip-audit

# Audit the current environment
pip-audit --format json > pip-audit.json

# Audit a requirements file instead of the environment
pip-audit -r requirements.txt --format json

# Strict mode: also fail when a dependency could not be audited (skipped or
# unresolvable); vulnerable findings already produce a non-zero exit without it
pip-audit --strict

# Output in CycloneDX format
pip-audit --format cyclonedx-json > python-sbom.json

# Upgrade vulnerable packages to the nearest fixed version
pip-audit --fix

# Query OSV instead of the default PyPI advisory service
pip-audit --vulnerability-service osv
```
4. OWASP Dependency-Check
Comprehensive vulnerability scanner, strongest for Java/Maven and .NET artifacts. It mirrors the NVD feed locally, so supply an NVD API key (--nvdApiKey) or database updates are heavily rate-limited:

```bash
# Run dependency check
dependency-check --project "MyApp" \
  --scan . \
  --format JSON \
  --out ./dependency-check-report.json

# Scan specific paths
dependency-check --project "MyApp" \
  --scan ./src \
  --scan ./lib \
  --format JSON

# Update CVE database only (no scan)
dependency-check --updateonly

# Fail the build at or above a CVSS score
dependency-check --project "MyApp" \
  --scan . \
  --failOnCVSS 7 \
  --format JSON
```
5. Grype Container/Filesystem Scanning
```bash
# Scan directory
grype dir:. --output json > grype-results.json

# Scan container image
grype myapp:latest --output json

# Scan an existing SBOM instead of re-cataloguing the tree
grype sbom:./sbom.json --output json

# Drop findings with no fix yet, and exit non-zero at HIGH or above
grype dir:. --only-fixed --fail-on high

# Output formats
grype dir:. --output cyclonedx-json   # CycloneDX SBOM with embedded vulnerabilities (plain "cyclonedx" is the XML form)
grype dir:. --output sarif            # SARIF for GitHub code scanning
```
6. SBOM Generation
CycloneDX Format
```bash
# Generate with Trivy
trivy fs --format cyclonedx -o sbom-cyclonedx.json .

# Generate with Syft
syft . -o cyclonedx-json > sbom-cyclonedx.json

# For npm projects
npx @cyclonedx/cyclonedx-npm --output-file npm-sbom.json
```
SPDX Format
```bash
# Generate with Trivy
trivy fs --format spdx-json -o sbom-spdx.json .

# Generate with Syft (also covers Python lockfiles and installed site-packages)
syft . -o spdx-json > sbom-spdx.json

# For Python projects use the Trivy/Syft commands above; the pip "spdx-tools"
# package parses and validates SPDX documents, it does not generate them
```
SBOM Schema (CycloneDX)
{
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"version": 1,
"metadata": {
"timestamp": "2026-01-24T10:00:00Z",
"tools": [{"name": "trivy", "version": "0.50.0"}],
"component": {
"name": "myapp",
"version": "1.0.0",
"type": "application"
}
},
"components": [
{
"type": "library",
"name": "lodash",
"version": "4.17.21",
"purl": "pkg:npm/lodash@4.17.21",
"licenses": [{"license": {"id": "MIT"}}]
}
],
"vulnerabilities": [
{
"id": "CVE-2021-23337",
"source": {"name": "NVD"},
"ratings": [{"severity": "high", "score": 7.2}],
"affects": [{"ref": "pkg:npm/lodash@4.17.20"}]
}
]
}
7. License Compliance
```bash
# Check licenses with Trivy
trivy fs --scanners license --format json .

# License finder (Ruby gem, supports many ecosystems)
license_finder

# FOSSA CLI (requires account)
fossa analyze

# npm license checker
npx license-checker --json > licenses.json

# pip-licenses for Python (reports the current environment)
pip install pip-licenses
pip-licenses --format=json > python-licenses.json
```
License Risk Categories
| Risk Level | Licenses | Policy |
|---|---|---|
| Low | MIT, BSD, Apache 2.0 | Generally permissive; keep attribution and notice files |
| Medium | LGPL, MPL | Weak/file-level copyleft: changes to the library itself must be shared, linking is fine |
| High | GPL, AGPL | Strong copyleft; AGPL also triggers on network use, not only distribution |
| Critical | SSPL, Proprietary, unknown | Blocked pending legal review; an unidentified license is treated as the worst case |
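Applying that table to an SBOM is a policy check over the CycloneDX `licenses` field shown in the schema above. The following added example (not this skill's own code) maps SPDX identifiers to the four risk levels, evaluates SPDX expressions (AND takes the most restrictive term, OR lets you pick the least restrictive, and `WITH` exceptions are judged on their base license) and separately flags components whose license is missing or not an SPDX id, because "unknown" is where problems hide. The component names other than lodash, the sample SBOM and the policy threshold are constructed.

```python
"""License policy check over a CycloneDX SBOM (added example, not the skill's code)."""
import json
import re

# Risk levels from the table above, keyed by SPDX identifier. Anything absent is "unknown".
LICENSE_RISK = {
    "MIT": "low", "ISC": "low", "BSD-2-Clause": "low", "BSD-3-Clause": "low", "Apache-2.0": "low",
    "LGPL-2.1-only": "medium", "LGPL-2.1-or-later": "medium",
    "LGPL-3.0-only": "medium", "LGPL-3.0-or-later": "medium", "MPL-2.0": "medium",
    "GPL-2.0-only": "high", "GPL-2.0-or-later": "high",
    "GPL-3.0-only": "high", "GPL-3.0-or-later": "high", "AGPL-3.0-only": "high",
    "SSPL-1.0": "critical",
}
RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3, "unknown": 4}

# Constructed CycloneDX 1.5 fragment; only lodash is a real package/license pairing.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "dual-lib", "version": "2.0.0",
         "licenses": [{"expression": "MIT OR GPL-3.0-only"}]},
        {"type": "library", "name": "copyleft-lib", "version": "1.4.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "weak-copyleft-lib", "version": "0.9.1",
         "licenses": [{"license": {"id": "LGPL-2.1-or-later"}}]},
        {"type": "library", "name": "excepted-lib", "version": "3.1.0",
         "licenses": [{"expression": "GPL-2.0-only WITH Classpath-exception-2.0"}]},
        {"type": "library", "name": "vendor-sdk", "version": "5.0.0",
         "licenses": [{"license": {"name": "Vendor EULA"}}]},
        {"type": "library", "name": "mystery-lib", "version": "0.1.0"},
    ],
})


def term_risk(term):
    """Risk of a single SPDX term; 'X WITH exception' is judged on X."""
    base = term.strip().strip("()").split(" WITH ")[0].strip()
    return LICENSE_RISK.get(base, "unknown")


def expression_risk(expr):
    """SPDX precedence: AND binds tighter than OR. A conjunction is as
    restrictive as its worst term; a disjunction lets us choose the best."""
    options = []
    for conj in re.split(r"\s+OR\s+", expr.strip()):
        terms = [term_risk(t) for t in re.split(r"\s+AND\s+", conj)]
        options.append(max(terms, key=RANK.__getitem__))
    return min(options, key=RANK.__getitem__)


def component_risk(component):
    """Worst risk across a component's license entries (no entry => unknown)."""
    risks = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            risks.append(expression_risk(entry["expression"]))
        else:
            lic = entry.get("license", {})
            # a free-text `name` with no SPDX `id` cannot be mapped reliably
            risks.append(LICENSE_RISK.get(lic.get("id", ""), "unknown"))
    return max(risks, key=RANK.__getitem__) if risks else "unknown"


def audit_sbom(sbom_json, max_allowed="medium"):
    """Return counts per risk level plus the components that breach policy."""
    sbom = json.loads(sbom_json)
    counts = {level: 0 for level in RANK}
    violations, unknown = [], []
    for comp in sbom.get("components", []):
        risk = component_risk(comp)
        counts[risk] += 1
        ref = f"{comp['name']}@{comp.get('version', '?')}"
        if risk == "unknown":
            unknown.append(ref)  # needs a human decision, never an automatic pass
        elif RANK[risk] > RANK[max_allowed]:
            violations.append({"component": ref, "risk": risk})
    return {"counts": counts, "violations": violations, "unknown": unknown,
            "pass": not violations and not unknown}


if __name__ == "__main__":
    print(json.dumps(audit_sbom(SBOM_JSON), indent=2))
```

Note that `GPL-2.0-only WITH Classpath-exception-2.0` is still reported as high: the exception relaxes the terms for code that links against the library, but whether that relaxation covers your use is a legal call, so the check keeps it visible rather than downgrading it automatically.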
8. EPSS Score Integration
Exploit Prediction Scoring System for prioritization. EPSS gives the estimated probability that a CVE will be exploited in the wild within the next 30 days, together with its percentile among all scored CVEs; scores are recomputed daily, so cache them with their date and refresh on each scan:
```python
# Python example for EPSS integration
import requests

EPSS_URL = "https://api.first.org/data/v1/epss"


def get_epss_score(cve_id, timeout=10):
    """Get the EPSS probability and percentile for a single CVE.

    Returns None when the ID has no score (unknown, reserved or rejected CVE);
    callers should treat that as "unscored", not as zero risk.
    """
    response = requests.get(EPSS_URL, params={"cve": cve_id}, timeout=timeout)
    response.raise_for_status()
    data = response.json()
    if not data.get("data"):
        return None
    row = data["data"][0]
    return {
        "cve": cve_id,
        "epss": float(row["epss"]),
        "percentile": float(row["percentile"]),
        "date": row["date"],  # score date, for cache invalidation
    }
```
Prioritization Matrix
Read the table top-down and assign the first row whose CVSS or EPSS threshold is met, so a finding with a modest CVSS but a high EPSS still lands in a high tier; a finding with evidence of exploitation in the wild is Critical regardless of either score. EPSS is predictive, not proof that the bug is reachable in your deployment, so it orders the work rather than deciding whether a fix is required.

| CVSS Score | EPSS Score | Priority (SLA) |
|---|---|---|
| >= 9.0 | >= 0.5 | Critical (24h) |
| >= 7.0 | >= 0.3 | High (7 days) |
| >= 4.0 | >= 0.1 | Medium (30 days) |
| < 4.0 | < 0.1 | Low (90 days) |
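The following added example (not this skill's own code) wires the EPSS lookup and the matrix together: a batched live fetch (the api.first.org endpoint accepts comma-separated IDs, so one request covers many CVEs; the chunk size is an assumption, not a documented limit), a classifier that applies the "either threshold" rule with an override for known-exploited IDs, and a sorter that puts the work in order. The demo runs offline on constructed data: the CVSS values for the two lodash CVEs are their NVD v3 base scores, but the EPSS numbers are made up for the demo, CVE-2024-12345 is this page's placeholder, and the "known exploited" set is hypothetical.

```python
"""EPSS + CVSS prioritisation (added example, not the skill's own code)."""
import json
import urllib.parse
import urllib.request

EPSS_URL = "https://api.first.org/data/v1/epss"

# (min CVSS, min EPSS, tier, SLA days) from the matrix above; the first matching row wins.
PRIORITY_MATRIX = [
    (9.0, 0.5, "critical", 1),
    (7.0, 0.3, "high", 7),
    (4.0, 0.1, "medium", 30),
]
LOWEST = ("low", 90)


def fetch_epss(cve_ids, batch_size=100):
    """Live lookup: batch IDs into one request each instead of one call per CVE.
    batch_size is an assumed safe chunk. Not called by the offline demo below."""
    scores = {}
    ids = sorted(set(cve_ids))
    for i in range(0, len(ids), batch_size):
        query = urllib.parse.urlencode({"cve": ",".join(ids[i:i + batch_size])})
        with urllib.request.urlopen(f"{EPSS_URL}?{query}", timeout=15) as resp:
            for row in json.load(resp).get("data", []):
                scores[row["cve"]] = float(row["epss"])
    return scores


def classify(cvss, epss, known_exploited=False):
    """Tier from the matrix: meeting either threshold on a row is enough, and
    in-the-wild exploitation overrides both. Returns (tier, sla_days, reason)."""
    if known_exploited:
        return "critical", 1, "known exploited"
    for min_cvss, min_epss, tier, sla in PRIORITY_MATRIX:
        if cvss is not None and cvss >= min_cvss:
            return tier, sla, f"cvss>={min_cvss}"
        if epss is not None and epss >= min_epss:
            return tier, sla, f"epss>={min_epss}"
    return LOWEST[0], LOWEST[1], "below all thresholds"


def prioritize(findings, epss_scores, known_exploited=frozenset()):
    """Annotate findings and order them: tier, then exploited-in-the-wild, then EPSS, then CVSS.
    A CVE with no EPSS row (e.g. published today) is kept and flagged so it gets rescored."""
    out = []
    for f in findings:
        epss = epss_scores.get(f["cve"])
        tier, sla, reason = classify(f.get("cvss"), epss, f["cve"] in known_exploited)
        out.append({**f, "epss": epss, "epss_missing": epss is None,
                    "priority": tier, "sla_days": sla, "reason": reason})
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    out.sort(key=lambda r: (order[r["priority"]], r["reason"] != "known exploited",
                            -(r["epss"] or 0.0), -(r["cvss"] or 0.0)))
    return out


# Constructed findings: lodash CVSS values are the NVD v3 base scores,
# CVE-2024-12345 is this page's placeholder.
FINDINGS = [
    {"cve": "CVE-2021-23337", "package": "lodash", "cvss": 7.2},
    {"cve": "CVE-2020-28500", "package": "lodash", "cvss": 5.3},
    {"cve": "CVE-2024-12345", "package": "example-lib", "cvss": 9.8},
]


def run_example():
    """Offline demo: constructed EPSS values (not real scores); CVE-2020-28500 is
    deliberately absent to show the missing-score path."""
    epss = {"CVE-2021-23337": 0.55, "CVE-2024-12345": 0.72}
    baseline = prioritize(FINDINGS, epss)
    # hypothetical: the same data if CVE-2020-28500 appeared on a known-exploited list
    with_kev = prioritize(FINDINGS, epss, known_exploited={"CVE-2020-28500"})
    return baseline, with_kev


if __name__ == "__main__":
    for row in run_example()[0]:
        print(f'{row["cve"]:15} {row["priority"]:8} {row["sla_days"]:>3}d  {row["reason"]}')
```

In the baseline run CVE-2021-23337 is promoted from High to Critical purely by its (constructed) EPSS of 0.55, which is exactly the case the matrix exists to catch: CVSS alone would have given it a seven-day SLA.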
MCP Server Integration
This skill can leverage the following MCP servers:
| Server | Description | Installation |
|---|---|---|
| SecOpsAgentKit sca-trivy | Trivy SCA integration | GitHub |
| sast-mcp | Multi-tool SCA support | GitHub |
| Trivy MCP | Official Aqua Security MCP | GitHub |
Best Practices
Scanning Strategy
- CI/CD Integration - Scan on every commit/PR, and fail the job on the agreed severity threshold rather than only reporting
- Baseline Management - Track accepted findings in an ignore file with an owner, reason and expiry, and re-review them when they expire
- Update Cadence - Regular dependency updates with lockfile regeneration, so what is scanned matches what is deployed
- SBOM Generation - Maintain an inventory per release for compliance and for answering "are we affected?" when a new CVE lands
Prioritization Guidelines
- Direct vs Transitive - Prioritize direct dependencies: you control their version, whereas a transitive one may need an override or an upstream fix
- EPSS + CVSS - Combine scores for real-world risk; CVSS measures impact, EPSS measures likelihood of exploitation
- Exploitability - Check for known exploits in the wild (for example CISA's Known Exploited Vulnerabilities catalog); those jump the queue regardless of score
- Business Context - Consider whether the affected functionality is reachable in your deployment (a vulnerable function that is never called is lower priority, but still worth fixing on the normal cadence)
Dependency Update Strategy
```yaml
# Dependabot configuration example (.github/dependabot.yml)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    groups:
      security:
        applies-to: security-updates
        patterns:
          - "*"
```
Process Integration
This skill integrates with the following processes:
- sca-management.js - SCA pipeline integration
- devsecops-pipeline.js - DevSecOps automation
- vulnerability-management.js - Vulnerability lifecycle
- compliance-sbom.js - SBOM compliance reporting
Output Format
When executing operations, provide structured output:
{
"operation": "dependency-scan",
"status": "completed",
"ecosystem": "npm",
"manifest": "package-lock.json",
"scan_duration_seconds": 12,
"summary": {
"total_dependencies": 245,
"direct_dependencies": 32,
"vulnerabilities": {
"critical": 2,
"high": 5,
"medium": 12,
"low": 8
},
"licenses": {
"permissive": 230,
"copyleft": 10,
"unknown": 5
}
},
"top_vulnerabilities": [
{
"cve": "CVE-2024-12345",
"package": "example-lib",
"version": "1.2.3",
"severity": "critical",
"cvss": 9.8,
"epss": 0.72,
"fix_version": "1.2.4",
"direct": false,
"path": "myapp > dep-a > example-lib"
}
],
"sbom_generated": true,
"artifacts": ["trivy-results.json", "sbom-cyclonedx.json", "licenses.json"]
}
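The `direct` and `path` fields in that output are not something Trivy reports; they come from the lockfile. The following added example (not this skill's own code) derives them from a package-lock.json in the lockfileVersion 2/3 layout (a flat `packages` map keyed by install path, with the root project under ""), resolves each dependency the way Node does (nested node_modules first, then each parent level up to the hoisted root), walks the logical graph breadth-first so every package gets its shortest path from the root, and joins the result onto Trivy findings to produce the schema above. The lockfile, the Trivy output and the dep-a/example-lib names are constructed; CVE-2021-23337 is real and CVE-2024-12345 is this page's placeholder.

```python
"""Enrich Trivy npm findings with direct/transitive status and the dependency path,
then emit the skill's output schema (added example, not the skill's own code)."""
import json
from collections import deque

# Constructed package-lock.json (lockfileVersion 3), mirroring the sample output above.
LOCK_JSON = json.dumps({
    "name": "myapp", "version": "1.0.0", "lockfileVersion": 3,
    "packages": {
        "": {"name": "myapp", "version": "1.0.0",
             "dependencies": {"dep-a": "^1.0.0", "lodash": "^4.17.20"}},
        "node_modules/dep-a": {"version": "1.0.0", "dependencies": {"example-lib": "^1.2.0"}},
        "node_modules/example-lib": {"version": "1.2.3"},
        "node_modules/lodash": {"version": "4.17.20"},
    },
})

# Constructed Trivy v2 JSON for the same tree.
TRIVY_JSON = json.dumps({
    "SchemaVersion": 2, "ArtifactName": ".", "ArtifactType": "filesystem",
    "Results": [{"Target": "package-lock.json", "Class": "lang-pkgs", "Type": "npm",
                 "Vulnerabilities": [
                     {"VulnerabilityID": "CVE-2021-23337", "PkgName": "lodash",
                      "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21",
                      "Severity": "HIGH", "CVSS": {"nvd": {"V3Score": 7.2}}},
                     {"VulnerabilityID": "CVE-2024-12345", "PkgName": "example-lib",
                      "InstalledVersion": "1.2.3", "FixedVersion": "1.2.4",
                      "Severity": "CRITICAL", "CVSS": {"nvd": {"V3Score": 9.8}}}]}],
})


def resolve(packages, from_key, name):
    """Node resolution order: node_modules nested under the requiring package first,
    then each parent level up to the hoisted root. Returns the lockfile key or None."""
    base = from_key
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        idx = base.rfind("/node_modules/")
        base = base[:idx] if idx != -1 else ""  # move up one level


def dependency_paths(lock, root_name):
    """BFS from the root so each installed package gets its shortest logical path."""
    packages = lock["packages"]
    paths, queue = {"": [root_name]}, deque([""])
    while queue:
        key = queue.popleft()
        entry = packages[key]
        deps = dict(entry.get("dependencies", {}))
        if key == "":  # devDependencies are only installed for the root project
            deps.update(entry.get("devDependencies", {}))
        for name in deps:
            target = resolve(packages, key, name)
            if target is None or target in paths:
                continue  # not installed (optional/peer) or already reached by a shorter path
            paths[target] = paths[key] + [name]
            queue.append(target)
    return paths


def enrich(trivy_json, lock_json, root_name="myapp"):
    """Join Trivy npm findings with lockfile-derived direct/path data; emit the output schema."""
    doc, lock = json.loads(trivy_json), json.loads(lock_json)
    packages = lock["packages"]
    paths = dependency_paths(lock, root_name)
    root = packages[""]
    direct = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    by_pkg = {}
    for key, path in paths.items():
        if key:  # keys end in node_modules/<name>; scoped names keep their "@scope/" prefix
            name = key.rsplit("node_modules/", 1)[1]
            by_pkg.setdefault((name, packages[key].get("version")), path)
    findings, counts = [], {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for result in doc.get("Results", []):
        if result.get("Type") != "npm":
            continue
        for v in result.get("Vulnerabilities") or []:
            sev = v["Severity"].lower()
            counts[sev] = counts.get(sev, 0) + 1
            path = by_pkg.get((v["PkgName"], v["InstalledVersion"]))
            findings.append({
                "cve": v["VulnerabilityID"], "package": v["PkgName"],
                "version": v["InstalledVersion"], "severity": sev,
                "cvss": v.get("CVSS", {}).get("nvd", {}).get("V3Score"),
                "fix_version": v.get("FixedVersion"),
                "direct": v["PkgName"] in direct,
                "path": " > ".join(path) if path else None,  # None: not reachable from the root
            })
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings.sort(key=lambda f: (order.get(f["severity"], 9), not f["direct"]))
    return {
        "operation": "dependency-scan", "status": "completed", "ecosystem": "npm",
        "manifest": "package-lock.json",
        "summary": {"total_dependencies": len(packages) - 1,
                    "direct_dependencies": len(direct), "vulnerabilities": counts},
        "top_vulnerabilities": findings,
    }


if __name__ == "__main__":
    print(json.dumps(enrich(TRIVY_JSON, LOCK_JSON), indent=2))
```

A `path` of None is itself a signal: the package is present in node_modules but nothing in the lockfile graph depends on it, which usually means a stale install or a lockfile that needs regenerating before the scan result can be trusted.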
Error Handling
Common Issues
| Error | Cause | Resolution |
|---|---|---|
| No lockfile found | Missing dependency lock | Generate lockfile first |
| Database update failed | Network issues | Check connectivity, retry |
| Unknown package | Private/internal package | Configure private registry |
| Rate limited | Too many API calls | Implement caching |
Constraints
- Maintain dependency lock files for accurate scanning; manifests alone give version ranges, not the versions actually installed
- Configure private registries for internal packages
- Cache vulnerability databases for offline scanning, and record the database date with each result
- Track SBOMs for compliance and audit purposes
- Monitor for new CVEs affecting existing dependencies; a clean scan is only valid as of the database it ran against