AgentSkillsCN

cve-scan

Scan all project dependencies for known CVEs and security vulnerabilities.

SKILL.md
---
name: cve-scan
description: Scan all project dependencies for known CVEs and security vulnerabilities
---

CVE Vulnerability Scanner

Scan project dependencies for known CVEs.

Discovery

First, find all dependency manifests. requirements.txt is included because the Python steps below scan it; the grep drops vendored copies under node_modules, which are audited through their parent package.json anyway:

bash
find . -name "package.json" -o -name "pyproject.toml" -o -name "requirements.txt" -o -name "Cargo.toml" -o -name "go.mod" | grep -v node_modules

Scanning

Node.js (package.json)

Ensure npm is available (install via pixi in /tmp if needed). npm audit reads the lockfile, not package.json, and refuses to run (error ENOLOCK) in a directory without package-lock.json; generate one first with npm i --package-lock-only --prefix <dir> where it is missing. Then for each directory with package.json:

bash
npm audit --prefix <dir>

npm audit exits with a non-zero status when it finds vulnerabilities, so in a script treat that exit code as a finding, not as a tool failure.

Python (pyproject.toml with pixi)

pip-audit audits the environment it runs in, so install and invoke it through pixi run so that it sees the project's environment rather than the system interpreter:

bash
cd <dir> && pixi run pip install pip-audit -q && pixi run pip-audit

Python (requirements.txt or pyproject.toml without pixi)

bash
pip-audit -r requirements.txt
# or, to audit the packages installed in the active environment
pip-audit

Rust (Cargo.toml) and Go (go.mod)

Discovery also finds these manifests; scan them with their ecosystem tools: cargo audit (from the cargo-audit crate; reads Cargo.lock) and govulncheck ./... (from golang.org/x/vuln; reports only vulnerabilities in functions the module's code actually reaches). Like the tools above, both exit non-zero when they report findings.

Output

Report findings as a table with one row per affected package:

| Package | Severity | Advisory | Fix |
|---|---|---|---|

If security/cve-scan.md exists, append timestamped results.
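The discovery, scanning and reporting steps above, combined into one script. This is an added example and not the cve-scan skill's own code. It assumes npm and pip-audit are on PATH and recognises a pixi project by a pixi.lock next to pyproject.toml (both assumptions). The embedded JSON samples are constructed placeholders that mirror the shape of npm audit --json (auditReportVersion 2) and pip-audit -f json output; the advisory identifiers in them are deliberately not real ones.

```python
"""Added example, not the cve-scan skill's own code: discover manifests, run the audits
the skill describes, and emit the Package/Severity/Advisory/Fix table. Assumes npm and
pip-audit are on PATH and that a pixi project has a pixi.lock next to pyproject.toml."""
import json
import os
import subprocess
from datetime import datetime, timezone

MANIFESTS = ("package.json", "pyproject.toml", "requirements.txt")
SKIP_DIRS = {"node_modules", ".git", ".pixi", ".venv"}  # assumption: prune env and VCS dirs too

# Constructed placeholders mirroring the shape of `npm audit --json` (auditReportVersion 2)
# and `pip-audit -f json`; the advisory identifiers are deliberately not real ones.
SAMPLE_NPM = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "examplelib": {"severity": "high", "via": [{"title": "placeholder finding",
                   "url": "https://github.com/advisories/GHSA-placeholder", "severity": "high"}],
                   "fixAvailable": {"name": "examplelib", "version": "2.0.0", "isSemVerMajor": True}},
    "wrapperlib": {"severity": "high", "via": ["examplelib"], "fixAvailable": True}}})
SAMPLE_PIP = json.dumps({"dependencies": [
    {"name": "examplepkg", "version": "1.0.0", "vulns": [
        {"id": "PYSEC-placeholder", "fix_versions": ["1.0.1"], "aliases": ["CVE-0000-00000"]}]},
    {"name": "cleanpkg", "version": "3.1.0", "vulns": []}], "fixes": []})


def discover(root="."):
    """Manifest paths under root, pruning node_modules like the skill's grep -v."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        found += [os.path.join(dirpath, f) for f in filenames if f in MANIFESTS]
    return sorted(found)


def run_tool(cmd, cwd):
    """stdout of an audit tool. npm audit and pip-audit both exit 1 when they find
    vulnerabilities, so the exit status is deliberately not treated as a failure."""
    try:
        return subprocess.run(cmd, cwd=cwd, capture_output=True, text=True).stdout or "{}"
    except FileNotFoundError:  # tool not installed: report nothing rather than crash
        return "{}"


def scan(manifest):
    """Run the scanner the skill prescribes for one manifest and return table rows."""
    d, name = os.path.dirname(manifest) or ".", os.path.basename(manifest)
    if name == "package.json":
        return parse_npm_audit(run_tool(["npm", "audit", "--json"], d))
    if name == "requirements.txt":
        return parse_pip_audit(run_tool(["pip-audit", "-f", "json", "-r", name], d))
    prefix = ["pixi", "run"] if os.path.exists(os.path.join(d, "pixi.lock")) else []
    if prefix:  # pip-audit audits the environment it runs in, so install it inside pixi
        subprocess.run(prefix + ["pip", "install", "pip-audit", "-q"], cwd=d)
    return parse_pip_audit(run_tool(prefix + ["pip-audit", "-f", "json"], d))


def parse_npm_audit(text):
    rows = []
    for name, v in json.loads(text).get("vulnerabilities", {}).items():
        direct = [x for x in v.get("via", []) if isinstance(x, dict)]  # strings = transitive cause
        urls = [x.get("url") or x.get("title", "?") for x in direct]
        advisory = ", ".join(urls) or "via " + ", ".join(x for x in v.get("via", []) if isinstance(x, str))
        fix = v.get("fixAvailable")
        if isinstance(fix, dict):  # fix exists but may be a semver-major bump (npm audit fix --force)
            fix = f"{fix['name']}@{fix['version']}" + (" (semver-major)" if fix.get("isSemVerMajor") else "")
        else:
            fix = "npm audit fix" if fix else "none"
        rows.append((name, v.get("severity", "unknown"), advisory, fix))
    return rows


def parse_pip_audit(text):
    rows = []  # pip-audit reports no severity, hence "n/a" in that column
    for dep in json.loads(text).get("dependencies", []):
        for v in dep.get("vulns", []):
            cve = [a for a in v.get("aliases", []) if a.startswith("CVE-")]
            fixes = v.get("fix_versions") or []
            rows.append((dep["name"], "n/a", cve[0] if cve else v.get("id", "?"),
                         f"{dep['name']}>={fixes[0]}" if fixes else "none"))
    return rows


def format_table(rows):
    head = ["| Package | Severity | Advisory | Fix |", "|---|---|---|---|"]
    return "\n".join(head + [f"| {p} | {s} | {a} | {f} |" for p, s, a, f in rows])


def append_report(rows, path="security/cve-scan.md", now=None):
    """Append a timestamped section, but only if the report file already exists (as the skill says)."""
    if not os.path.exists(path):
        return False
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(f"\n## cve-scan {stamp}\n\n{format_table(rows)}\n")
    return True


if __name__ == "__main__":
    rows = [r for m in discover(".") for r in scan(m)]
    print(format_table(rows))
    append_report(rows) or print("security/cve-scan.md not present; results not appended")
```

Run it from the repository root; the parsers also work on saved tool output (for example npm audit --json > audit.json) if the scan is done on another machine. The UTC timestamp keeps report sections from different hosts in order.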

Fixing

  • Node.js: npm audit fix applies only semver-compatible upgrades; npm audit fix --force also takes semver-major upgrades, which can break the app, so use --force only if the user approves
  • Python/pixi: pixi update moves to the newest versions the existing constraints allow; if the fixed version lies outside the current constraint, raise the constraint in pyproject.toml (e.g. package >= the fixed version) and then run pixi update
  • Rust/Go: cargo update -p <crate> or go get <module>@<fixed version>, then re-run the scanner to confirm the finding is gone

Verification

After applying fixes, verify the app still works. curl -sf is used below so that an HTTP error response (for example a 500 from a broken upgrade) makes the step fail instead of printing an error page that looks like output:

  1. Start the app: docker compose up -d
  2. Wait for healthy status: docker compose ps (re-run until no service is still starting; only services that define a healthcheck ever show healthy, the rest just show running)
  3. Test frontend: curl -sf http://localhost:5173/ | head -5
  4. Test API: curl -sf "http://localhost:5173/api/connectivity?depth=05m&time_range=00d-07d&start_id=100" | head -c 200

Only commit fixes after verification passes. Update security/cve-scan.md with verification status.