From ai-security-skills
Scans project dependencies for known CVEs across Node.js, Python, Go, Java, Ruby, Rust, .NET, PHP ecosystems using osv-scanner, npm audit, etc. For reviewing manifests, triaging alerts, pre-deployment checks.
npx claudepluginhub cmaenner/agent-security-playbook

This skill uses the workspace's default tool permissions.
Scan dependencies for known CVEs by following the full procedure in `plays/tier1-code-analysis/sca-audit.md`.
Scans project dependencies for known CVEs across npm, pip, cargo, Go, and Java ecosystems. Reports vulnerable packages with severity, affected versions, and fixes.
Scans project dependencies for CVEs and vulnerabilities across npm, pip, .NET, and Rust ecosystems using npm audit, pip-audit, dotnet list, and cargo audit. Generates reports with severity tables, CVE details, and remediation plans.
Audits dependencies for vulnerabilities, outdated versions, transitive issues, and licenses in Node.js, Python, PHP, Ruby, Go, and Rust projects using npm audit, pip-audit, and equivalents.
Identify Dependency Manifests — Scan for all dependency files and lockfiles across ecosystems (Node.js, Python, Go, Java, Ruby, Rust, .NET, PHP). Prefer lockfiles for exact resolved versions.
Run Vulnerability Scan — Use available tools in preference order:
- `osv-scanner --lockfile=<path> --format=json` (recommended, multi-ecosystem; install with `brew install osv-scanner` if missing)
- `npm audit --json` (Node.js)
- `pip-audit -r requirements.txt --format=json` (Python)
- `govulncheck ./...` (Go)
- `trivy fs --format json --scanners vuln <path>` (multi-ecosystem)

Manual analysis is not viable — even small projects have 50+ dependencies. For individual package triage, point the user to OSV.dev.

Analyze Results — For each vulnerability: determine reachability (is the vulnerable code path used?), check exploitability context (deployment matters), and identify fix availability (patch vs major version bump).
Dependency Health — Beyond CVEs, flag unmaintained packages (2+ years inactive), typosquatting risks, license concerns, and version pinning issues.
Scan summary (ecosystems, dependency count, scanner used), findings sorted by severity using templates/finding.md, condensed table for medium/low, dependency health flags, and exact remediation commands.
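As an added example (not part of the skill or its playbook), here is the "Analyze Results" step for the `osv-scanner` JSON path: it flattens a constructed scanner report into findings sorted by severity and classifies each available fix as a patch or a major version bump. The JSON field layout and the placeholder advisory ids are assumptions, not real data.

```python
import json

# Constructed sample shaped like `osv-scanner --format=json` output. The field
# layout is an assumption about the scanner's schema; ids are placeholders.
SAMPLE_REPORT = """{"results": [{"source": {"path": "package-lock.json"}, "packages": [
 {"package": {"name": "example-lib", "version": "1.4.2", "ecosystem": "npm"},
  "vulnerabilities": [{"id": "GHSA-PLACEHOLDER-1", "aliases": ["CVE-0000-00001"],
   "database_specific": {"severity": "HIGH"},
   "affected": [{"ranges": [{"type": "SEMVER",
    "events": [{"introduced": "0"}, {"fixed": "1.4.3"}]}]}]}]},
 {"package": {"name": "other-lib", "version": "2.0.0", "ecosystem": "npm"},
  "vulnerabilities": [{"id": "GHSA-PLACEHOLDER-2", "aliases": ["CVE-0000-00002"],
   "database_specific": {"severity": "MODERATE"},
   "affected": [{"ranges": [{"type": "SEMVER",
    "events": [{"introduced": "0"}, {"fixed": "3.1.0"}]}]}]}]}]}]}"""

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MODERATE": 2, "MEDIUM": 2, "LOW": 3}

def major(version):
    """Leading numeric component of a version string ('v3.1.0' -> 3)."""
    head = version.lstrip("v").split(".")[0]
    return int(head) if head.isdigit() else -1

def fix_kind(installed, fixed):
    """Classify remediation: patch within the same major, or a major bump."""
    if fixed is None:
        return "no fix available"
    return "patch" if major(fixed) == major(installed) else "major version bump"

def triage(report_json):
    """Flatten scanner output into findings sorted by severity, worst first."""
    findings = []
    for result in json.loads(report_json)["results"]:
        for entry in result["packages"]:
            pkg = entry["package"]
            for vuln in entry.get("vulnerabilities", []):
                fixed = [ev["fixed"] for aff in vuln.get("affected", [])
                         for rng in aff.get("ranges", [])
                         for ev in rng.get("events", []) if "fixed" in ev]
                first_fix = fixed[0] if fixed else None
                sev = vuln.get("database_specific", {}).get("severity", "UNKNOWN").upper()
                findings.append({
                    "package": f'{pkg["ecosystem"]}/{pkg["name"]}@{pkg["version"]}',
                    "id": vuln["id"], "aliases": vuln.get("aliases", []),
                    "severity": sev, "fixed_in": first_fix,
                    "remediation": fix_kind(pkg["version"], first_fix)})
    return sorted(findings, key=lambda f: (SEVERITY_RANK.get(f["severity"], 9), f["package"]))

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

Reachability and deployment context still need a human (or a call-graph tool such as `govulncheck`); this only supplies the severity ordering and the fix classification the report template asks for.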