name: dependency-scan
description: Scans project dependencies for known vulnerabilities, outdated packages, and license compliance issues. Supports vulnerability scanning (CVE detection), SBOM generation, license compliance checking, and supply chain security analysis across multiple ecosystems (npm, pip, cargo, go, maven, etc.). Trigger keywords: dependency scan, vulnerability, CVE, Snyk, Dependabot, Renovate, npm audit, cargo audit, pip-audit, safety, outdated packages, SBOM, software bill of materials, license compliance, supply chain, security advisory, transitive dependency, lock file.
allowed-tools: Read, Grep, Glob, Bash

Dependency Scan

Overview

This skill focuses on identifying security vulnerabilities, outdated packages, and license compliance issues in project dependencies. It covers multiple package ecosystems (JavaScript/Node.js, Python, Rust, Go, Ruby, Java, .NET, PHP) and provides remediation guidance, SBOM generation, and supply chain security analysis.

When to Use

• Scanning dependencies for CVEs and security advisories
• Checking for outdated or unmaintained packages
• Generating Software Bill of Materials (SBOM)
• Verifying license compliance and compatibility
• Analyzing supply chain risks and transitive dependencies
• Setting up automated dependency updates (Dependabot, Renovate, Snyk)
• Investigating security alerts from GitHub/GitLab
• Auditing dependencies before production deployment

Instructions

1. Identify Dependencies

• Parse manifest files (package.json, requirements.txt, etc.)
• Build complete dependency tree
• Identify direct vs transitive dependencies
• Check for phantom dependencies

2. Vulnerability Scanning

• Check against CVE databases
• Identify severity levels
• Find affected versions
• Check for available patches

3. Assess Risks

• Evaluate exploitability
• Check for active exploitation
• Assess impact on application
• Prioritize remediations

4. Report and Remediate

• Document all findings
• Provide upgrade paths
• Suggest alternatives
• Create remediation plan

5. Language-Specific Scanning

JavaScript/Node.js:
- Use npm audit or yarn audit for vulnerability scanning
- Check package-lock.json or yarn.lock for reproducibility
- Consider npm-check-updates for upgrade analysis
- Use license-checker for license compliance

Python:
- Use pip-audit or safety for CVE scanning
- Check requirements.txt and Pipfile.lock
- Use pip-compile with --generate-hashes for integrity
- Consider pipdeptree for dependency visualization

Rust:
- Use cargo audit for RustSec advisories
- Check Cargo.lock for reproducible builds
- Use cargo outdated for version analysis
- Consider cargo deny for policy enforcement

Go:
- Use govulncheck for vulnerability scanning
- Check go.sum for module integrity
- Use go list -m all to enumerate dependencies
- Consider nancy for OSS Index checking

6. SBOM Generation

Generate Software Bill of Materials for supply chain transparency:

CycloneDX:
- npm install -g @cyclonedx/cyclonedx-npm && cyclonedx-npm --output-file sbom.json
- cargo install cargo-cyclonedx && cargo cyclonedx
- pip install cyclonedx-bom && cyclonedx-py

SPDX:
- Use syft (universal tool): syft . -o spdx-json > sbom.spdx.json
- Use trivy for container images: trivy image --format spdx-json myimage:tag

Purpose: Track all components for vulnerability management, license compliance, and incident response.

7. License Compliance Checking

Ensure all dependencies have compatible licenses:

Automated Tools:
- Node.js: npx license-checker --onlyAllow 'MIT;Apache-2.0;BSD-2-Clause;BSD-3-Clause;ISC'
- Rust: cargo deny check licenses
- Python: pip-licenses
- Universal: fossology, scancode-toolkit

License Categories:
- Permissive: MIT, Apache-2.0, BSD (generally safe)
- Weak Copyleft: MPL, LGPL (check linking requirements)
- Strong Copyleft: GPL, AGPL (may require source disclosure)
- Unknown/Missing: Investigate before use

Best Practices

1. Regular Scanning: Automate daily/weekly scans
2. Lock Files: Use lockfiles for reproducibility
3. Minimal Dependencies: Only include what's needed
4. Verify Sources: Use trusted registries
5. Review Updates: Don't blindly update
6. License Compliance: Ensure compatible licenses
7. SBOM: Maintain software bill of materials

Examples

Example 1: Scanning Commands by Ecosystem

# JavaScript/Node.js
npm audit
npm audit --json > audit-report.json
npm outdated
npx npm-check-updates

# Python
pip-audit
safety check
pip list --outdated
pip-compile --generate-hashes

# Rust
cargo audit
cargo outdated
cargo deny check

# Go
go list -m all | nancy sleuth
govulncheck ./...

# Ruby
bundle audit
bundle outdated

# Java/Maven
mvn dependency-check:check
mvn versions:display-dependency-updates

# .NET
dotnet list package --vulnerable
dotnet list package --outdated

# PHP
composer audit
composer outdated

Example 2: GitHub Actions Dependency Scanning

name: Dependency Scanning

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 6 * * *" # Daily at 6 AM

jobs:
  dependency-scan:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: "fs"
          scan-ref: "."
          format: "sarif"
          output: "trivy-results.sarif"
          severity: "CRITICAL,HIGH"

      - name: Upload Trivy scan results
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: "trivy-results.sarif"

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"

      - name: Run npm audit
        run: |
          npm ci
          npm audit --audit-level=high

      - name: Check for outdated packages
        run: npm outdated || true

      - name: License check
        run: npx license-checker --onlyAllow 'MIT;Apache-2.0;BSD-2-Clause;BSD-3-Clause;ISC'

  snyk-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

Example 3: Dependency Analysis Report Template

# Dependency Security Report

**Generated:** 2024-01-15
**Project:** my-application
**Total Dependencies:** 245 (42 direct, 203 transitive)

## Summary

| Severity | Count | Status             |
| -------- | ----- | ------------------ |
| Critical | 2     | Action Required    |
| High     | 5     | Action Required    |
| Medium   | 12    | Review Recommended |
| Low      | 8     | Monitor            |

## Critical Vulnerabilities

### CVE-2024-1234 - Remote Code Execution in lodash

- **Package:** [email protected]
- **Severity:** Critical (CVSS 9.8)
- **Affected Versions:** < 4.17.21
- **Fixed Version:** 4.17.21
- **Path:** my-app > express > lodash
- **Description:** Prototype pollution vulnerability allowing RCE
- **Remediation:** `npm update lodash`

### CVE-2024-5678 - SQL Injection in sequelize

- **Package:** [email protected]
- **Severity:** Critical (CVSS 9.1)
- **Affected Versions:** < 6.29.0
- **Fixed Version:** 6.29.0
- **Path:** my-app > sequelize
- **Description:** SQL injection via raw query methods
- **Remediation:** `npm update sequelize`

## License Compliance

| License      | Count | Compliance           |
| ------------ | ----- | -------------------- |
| MIT          | 180   | Approved             |
| Apache-2.0   | 45    | Approved             |
| BSD-3-Clause | 15    | Approved             |
| GPL-3.0      | 3     | Review Required      |
| Unknown      | 2     | Investigation Needed |

## Recommendations

1. **Immediate:** Update lodash and sequelize to fix critical vulnerabilities
2. **Short-term:** Review GPL-licensed dependencies for compatibility
3. **Ongoing:** Enable Dependabot/Renovate for automated updates

Example 4: Renovate Configuration

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:base", ":semanticCommits", ":preserveSemverRanges"],
  "schedule": ["before 6am on Monday"],
  "vulnerabilityAlerts": {
    "enabled": true,
    "labels": ["security"]
  },
  "packageRules": [
    {
      "matchUpdateTypes": ["major"],
      "labels": ["major-update"],
      "automerge": false
    },
    {
      "matchUpdateTypes": ["minor", "patch"],
      "matchCurrentVersion": "!/^0/",
      "automerge": true,
      "automergeType": "pr",
      "platformAutomerge": true
    },
    {
      "matchPackagePatterns": ["^@types/"],
      "automerge": true,
      "groupName": "type definitions"
    },
    {
      "matchDepTypes": ["devDependencies"],
      "automerge": true,
      "groupName": "dev dependencies"
    }
  ],
  "prConcurrentLimit": 5,
  "prHourlyLimit": 2
}