sca-security
Software Composition Analysis (SCA)
Router skill for dependency security: SBOM generation, multi-source vuln correlation, license compliance, supply chain review, and reachability-driven triage. Optimized for polyglot repositories and PR-time lockfile review. Load the relevant workflow + ecosystem reference on demand — do not read the whole skill up front.
When to Use
- Scanning project dependencies for known vulnerabilities (CVE / GHSA / OSV)
- Generating an SBOM (CycloneDX or SPDX) for a repo, container, or binary
- Reviewing a PR's lockfile delta for newly introduced vulnerabilities, license changes, and suspicious or malicious packages
- Reachability analysis to prioritize the small fraction of findings (roughly 5-15%) whose vulnerable code is actually reachable from the application, and therefore exploitable in practice
- License compliance against an allow/deny policy
- Supply chain review: typosquatting, dependency confusion, malicious package triage
- Ecosystem-specific audits: npm, yarn, pnpm, pip, poetry, Maven, Gradle, Go, Cargo, Ruby, Composer
- CI/CD integration for continuous dependency scanning
Trigger Phrases
- "scan dependencies", "check package vulnerabilities", "run npm audit"
- "generate SBOM", "CycloneDX", "SPDX"
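The PR-time lockfile review and supply chain checks listed above, as an added worked example that is not part of this skill or of the ai-security-arsenal repository. It diffs two npm lockfiles (v2/v3 "packages" map), then runs only the added or version-bumped packages through four checks: a semver range match against an advisory record, a license deny list, an edit-distance typosquat heuristic against a short list of popular packages, and a dependency-confusion check (an internal-scope package resolved from a host other than the private registry). Everything here is constructed: the two lockfiles, the `demo-app` project, the `widget-parser`, `lodahs` and `@acme/internal-auth` packages, the `@acme` scope, the `npm.acme.internal` registry host, and the `EXAMPLE-0001` advisory are all hypothetical, not real packages or vulnerabilities.

```python
"""PR-time lockfile delta review for npm lockfile v2/v3 ("packages" map), fully offline."""
import json
import re
from urllib.parse import urlparse

# Constructed sample lockfiles for a hypothetical project: base branch vs the PR branch.
BASE_LOCK = json.dumps({"name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/lodash": {"version": "4.17.21", "license": "MIT"},
    "node_modules/widget-parser": {"version": "1.1.0", "license": "MIT"},
}})
PR_LOCK = json.dumps({"name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/lodash": {"version": "4.17.21", "license": "MIT"},
    "node_modules/widget-parser": {"version": "1.2.5", "license": "AGPL-3.0-only"},
    "node_modules/lodahs": {"version": "0.0.1", "license": "MIT"},
    "node_modules/@acme/internal-auth": {"version": "9.9.9", "license": "MIT",
        "resolved": "https://registry.npmjs.org/@acme/internal-auth/-/internal-auth-9.9.9.tgz"},
}})

# Hypothetical policy. The advisory is a constructed OSV-style record, not a real one;
# @acme / npm.acme.internal stand in for an org's private scope and registry host.
POLICY = {
    "deny_licenses": {"AGPL-3.0-only", "AGPL-3.0-or-later", "SSPL-1.0"},
    "popular": ["lodash", "express", "react", "axios", "chalk", "minimist"],
    "internal_scopes": {"@acme"},
    "internal_registry": "npm.acme.internal",
    "advisories": [{"id": "EXAMPLE-0001", "package": "widget-parser", "introduced": "1.2.0", "fixed": "1.2.6"}],
}
SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

def semver_key(version):
    """'1.2.5' or 'v1.2.5-beta.1' -> (1, 2, 5); unparseable -> None."""
    m = SEMVER.match(version)
    return tuple(int(x) for x in m.groups()) if m else None

def parse_lock(text):
    """Flatten the 'packages' map to {name: {version, license, resolved}}. Keyed by name, so a
    nested duplicate (node_modules/a/node_modules/b) overwrites the hoisted copy of b."""
    deps = {}
    for path, meta in json.loads(text).get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        deps[path.rsplit("node_modules/", 1)[-1]] = {
            "version": meta.get("version", ""), "license": meta.get("license", "UNKNOWN"),
            "resolved": meta.get("resolved", "")}
    return deps

def diff_locks(base, pr):
    """Packages the PR adds, removes, or bumps to another version."""
    added = {n: pr[n] for n in pr.keys() - base.keys()}
    removed = sorted(base.keys() - pr.keys())
    changed = {n: pr[n] for n in pr.keys() & base.keys() if pr[n]["version"] != base[n]["version"]}
    return added, removed, changed

def edit_distance(a, b):
    """Levenshtein distance; insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_of(name, popular, max_dist=2):
    """Popular package this name sits within max_dist edits of, or None (short names skipped)."""
    if name in popular or len(name) < 5:
        return None
    return next((p for p in popular if edit_distance(name, p) <= max_dist), None)

def is_affected(version, adv):
    """True when version falls inside the advisory's [introduced, fixed) range."""
    v = semver_key(version)
    return v is not None and semver_key(adv["introduced"]) <= v < semver_key(adv["fixed"])

def review(base_text, pr_text, policy):
    """Return (findings, removed); only packages the PR adds or bumps are examined."""
    base, pr = parse_lock(base_text), parse_lock(pr_text)
    added, removed, changed = diff_locks(base, pr)
    findings = []  # (package, rule, detail)
    for name, meta in sorted({**added, **changed}.items()):
        ver, lic, host = meta["version"], meta["license"], urlparse(meta["resolved"]).hostname
        for adv in policy["advisories"]:
            if adv["package"] == name and is_affected(ver, adv):
                findings.append((name, "vuln", f"{ver} in [{adv['introduced']}, {adv['fixed']}) per {adv['id']}"))
        if lic in policy["deny_licenses"]:
            was = f" (was {base[name]['license']})" if name in base else ""
            findings.append((name, "license", f"{lic} is on the deny list{was}"))
        squat = typosquat_of(name, policy["popular"])
        if squat:
            findings.append((name, "typosquat", f"within 2 edits of '{squat}'"))
        # An internal-scope package fetched from a public registry is the dependency-confusion signature.
        if name.startswith("@") and name.split("/")[0] in policy["internal_scopes"] and host != policy["internal_registry"]:
            findings.append((name, "dependency-confusion", f"internal scope resolved from {host or 'unknown'}"))
    return findings, removed

if __name__ == "__main__":
    for pkg, rule, detail in review(BASE_LOCK, PR_LOCK, POLICY)[0]:
        print(f"[{rule}] {pkg}: {detail}")
```

On the constructed input the review reports four findings: `widget-parser` is both inside the advisory's affected range and switched to a denied license on the bump, `lodahs` is two edits from `lodash`, and `@acme/internal-auth` was resolved from `registry.npmjs.org` instead of the private registry. Unchanged `lodash` is never re-examined, which is what keeps a PR-time check fast; a full scan of the whole lockfile belongs in the scheduled CI job, not the PR gate. For real use, replace the inline advisory list with records pulled from OSV or GHSA, and note that the `[introduced, fixed)` matching ignores prerelease tags and multi-range advisories.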