Vulnerability Scanner Skill

Performs comprehensive security vulnerability scanning for dependencies and code, integrating with CVE databases and security platforms to identify, assess, and prioritize security risks for migration planning.

Purpose

Enable comprehensive security vulnerability detection for:

• CVE database checking for known vulnerabilities
• Severity assessment and prioritization
• Exploitability analysis
• Patch availability checking
• Transitive vulnerability chain mapping
• Risk scoring and remediation guidance

Capabilities

1. CVE Database Checking

• Query NVD (National Vulnerability Database)
• Check GitHub Advisory Database
• Query vendor-specific advisory databases
• Cross-reference multiple CVE sources
• Track CVE publication dates and updates

2. Severity Assessment

• CVSS (Common Vulnerability Scoring System) scoring
• Severity categorization (Critical, High, Medium, Low)
• Environmental score adjustments
• Temporal score analysis
• Impact assessment

3. Exploitability Analysis

• Check for known exploits in the wild
• Assess attack vector complexity
• Evaluate privileges required
• Analyze user interaction requirements
• Track exploit maturity level

4. Patch Availability Checking

• Identify available patches and fixes
• Check for security advisories
• Find upgrade paths to secure versions
• Track vendor patch timelines
• Monitor backport availability

5. Transitive Vulnerability Chain Mapping

• Map vulnerability paths through dependency trees
• Identify all affected dependency chains
• Calculate exposure scope
• Prioritize based on path depth
• Recommend targeted remediations

6. Risk Scoring

• Calculate composite risk scores
• Factor in business context
• Assess exposure likelihood
• Evaluate potential impact
• Generate prioritized remediation lists

Tool Integrations

This skill can leverage the following external tools when available:

Tool	Purpose	Integration Method
Snyk	Comprehensive vulnerability scanning	CLI / API
npm audit	Node.js vulnerability scanning	CLI
OWASP Dependency-Check	Cross-platform scanning	CLI
Trivy	Container and filesystem scanning	MCP Server / CLI
Grype	Vulnerability scanner	CLI
GitHub Dependabot	Advisory checking	API
OSV Scanner	Google's vulnerability scanner	CLI
Semgrep	SAST with security rules	CLI
MCP-Scan	MCP server security	Tool

Usage

Basic Scanning

# Invoke skill for vulnerability scanning
# The skill will scan dependencies and optionally code

# Expected inputs:
# - targetPath: Path to project root
# - scanScope: 'dependencies' | 'code' | 'full'
# - severityThreshold: 'critical' | 'high' | 'medium' | 'low'
# - outputFormat: 'json' | 'sarif' | 'markdown'

Scanning Workflow

1. Discovery Phase

   • Identify package managers and dependency files
   • Detect codebase languages
   • Check for existing security configurations

2. Dependency Scanning

   • Extract dependency information
   • Query vulnerability databases
   • Map vulnerabilities to dependencies

3. Code Scanning (Optional)

   • Run SAST analysis
   • Check for security anti-patterns
   • Identify hardcoded secrets

4. Analysis Phase

   • Calculate severity scores
   • Assess exploitability
   • Check patch availability
   • Map transitive chains

5. Report Generation

   • Generate prioritized vulnerability list
   • Provide remediation guidance
   • Create compliance reports

Output Schema

{
  "scanId": "string",
  "timestamp": "ISO8601",
  "target": {
    "path": "string",
    "packageManagers": ["string"],
    "languages": ["string"]
  },
  "summary": {
    "totalVulnerabilities": "number",
    "critical": "number",
    "high": "number",
    "medium": "number",
    "low": "number",
    "fixable": "number",
    "riskScore": "number (0-100)"
  },
  "vulnerabilities": [
    {
      "id": "string (CVE-XXXX-XXXXX)",
      "title": "string",
      "description": "string",
      "severity": "critical|high|medium|low",
      "cvss": {
        "score": "number",
        "vector": "string",
        "version": "string"
      },
      "package": {
        "name": "string",
        "version": "string",
        "ecosystem": "string"
      },
      "affectedVersions": "string",
      "fixedVersions": "string",
      "patchAvailable": "boolean",
      "exploitability": {
        "hasKnownExploit": "boolean",
        "exploitMaturity": "string",
        "attackVector": "string"
      },
      "dependencyPath": ["string"],
      "references": ["string"],
      "remediation": {
        "recommendation": "string",
        "upgradeTarget": "string",
        "alternativePackages": ["string"]
      }
    }
  ],
  "securityIssues": [
    {
      "type": "string",
      "severity": "string",
      "file": "string",
      "line": "number",
      "description": "string",
      "cwe": "string",
      "recommendation": "string"
    }
  ],
  "compliance": {
    "passesPolicy": "boolean",
    "violations": ["string"],
    "waivers": ["string"]
  }
}

Integration with Migration Processes

This skill integrates with the following Code Migration/Modernization processes:

• dependency-analysis-updates: Security assessment of dependencies
• security-remediation-migration: Primary tool for security fixes
• cloud-migration: Security compliance for cloud deployment
• legacy-codebase-assessment: Security posture evaluation

Configuration

Skill Configuration File

Create .vulnerability-scanner.json in the project root:

{
  "scanScope": "full",
  "severityThreshold": "medium",
  "failOnSeverity": "critical",
  "databases": ["nvd", "ghsa", "osv"],
  "excludeVulnerabilities": [],
  "waivers": [
    {
      "id": "CVE-2021-12345",
      "reason": "Not exploitable in our context",
      "expiresAt": "2026-06-01"
    }
  ],
  "policy": {
    "maxCritical": 0,
    "maxHigh": 5,
    "requirePatchWithin": {
      "critical": "7d",
      "high": "30d",
      "medium": "90d"
    }
  },
  "reporting": {
    "formats": ["json", "sarif", "markdown"],
    "outputDir": "./security-report"
  }
}

MCP Server Integration

When MCP-Scan is available:

// Example MCP security scan
{
  "tool": "mcp_scan_security",
  "arguments": {
    "target": "./",
    "checks": ["toolPoisoning", "piiDetection", "promptInjection"]
  }
}

When Trivy is available:

// Example Trivy vulnerability scan
{
  "tool": "trivy_scan",
  "arguments": {
    "target": "./",
    "scanners": ["vuln", "secret"],
    "severity": "CRITICAL,HIGH"
  }
}

Vulnerability Databases

Supported Databases

Database	Coverage	Update Frequency
NVD	All CVEs	Hourly
GitHub Advisory	Open source packages	Real-time
OSV	Multi-ecosystem	Real-time
Snyk DB	Proprietary enrichment	Real-time
npm Advisory	Node.js packages	Real-time
RustSec	Rust packages	Real-time

Database Priority

1. GitHub Advisory Database (most accurate for open source)
2. NVD (comprehensive, standardized)
3. OSV (aggregated, multi-ecosystem)
4. Vendor-specific (ecosystem-specific details)

Severity Classification

CVSS v3.x Mapping

CVSS Score	Severity	Action Required
9.0 - 10.0	Critical	Immediate remediation
7.0 - 8.9	High	Priority remediation
4.0 - 6.9	Medium	Scheduled remediation
0.1 - 3.9	Low	Monitor and plan

Risk Prioritization Factors

1. Severity Score: Base CVSS score
2. Exploitability: Known exploits in the wild
3. Exposure: Internet-facing vs internal
4. Dependency Depth: Direct vs transitive
5. Fix Availability: Patch/upgrade available

Best Practices

1. Regular Scanning: Integrate into CI/CD pipelines
2. Policy Enforcement: Define and enforce security policies
3. Waiver Management: Document and review waivers regularly
4. Prioritization: Focus on critical and exploitable vulnerabilities
5. Monitoring: Set up alerts for new vulnerabilities
6. Remediation Tracking: Track remediation progress over time

Related Skills

• dependency-scanner: Dependency inventory and SBOM generation
• static-code-analyzer: Code-level security analysis
• compliance-validator: Compliance checking

Related Agents

• security-vulnerability-assessor: Uses this skill for security assessment
• dependency-modernization-agent: Uses this skill for security updates
• migration-readiness-assessor: Uses this skill for security evaluation

References

• MCP-Scan
• Trivy
• Snyk
• OWASP Dependency-Check
• OSV Scanner
• NVD
• GitHub Advisory Database