dependency-scanning
Dependency Scanning
This skill enables the agent to analyze a project's direct and transitive dependencies for known security vulnerabilities, outdated packages, and license compliance issues. The agent parses manifest and lock files, queries vulnerability databases (NVD, GitHub Advisory, OSV), produces structured reports with CVE identifiers and remediation guidance, and can generate a Software Bill of Materials (SBOM) in standard formats.
Workflow
- Detect Package Ecosystem and Manifest Files — Identify the project's language ecosystem by locating dependency manifests such as package.json and package-lock.json (Node.js), requirements.txt and Pipfile.lock (Python), pom.xml or build.gradle (Java), go.mod and go.sum (Go), or Gemfile.lock (Ruby). Detect monorepo structures with multiple manifests.
- Resolve the Full Dependency Tree — Parse lock files to build the complete dependency graph, including transitive dependencies. Identify dependency depth, shared sub-dependencies, and version constraints. Flag phantom dependencies that are imported in code but missing from the manifest.
- Scan Against Vulnerability Databases — Query the National Vulnerability Database (NVD), GitHub Advisory Database, and OSV for each resolved package and version. Match results by identifier: CPE for NVD, Package URL (PURL) for OSV and GitHub Advisory. Record CVE IDs, CVSS scores, severity levels, affected version ranges, and fixed versions where available.
- Assess License Compliance — Extract the declared license for each dependency and compare it against the project's license policy. Flag copyleft licenses (GPL, AGPL) in proprietary projects, identify packages with no declared license, and detect license conflicts between direct and transitive dependencies.
- Generate SBOM and Vulnerability Report — Produce a Software Bill of Materials in CycloneDX or SPDX format. Generate a vulnerability report sorted by severity, including CVE identifiers, affected dependency paths, available fix versions, and whether the vulnerable code path is reachable.
- Recommend and Apply Fixes — Suggest the minimum version upgrades required to resolve vulnerabilities without breaking changes. Where possible, generate updated manifest and lock files automatically. Flag cases where no fix is available and suggest alternative packages or workarounds.
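The workflow above carried through end to end for the Node.js case, as an added example that is not the skill's own code nor part of the seb1n/awesome-ai-agent-skills repository. It parses a constructed lockfileVersion 3 package-lock.json, builds the transitive graph with dependency paths, constructs the PURL-keyed body for OSV's querybatch endpoint without sending it, matches the resolved versions against a constructed advisory in OSV's half-open range shape (EXAMPLE-0001 is a placeholder, not a real CVE or GHSA identifier), flags copyleft and undeclared licenses, and emits a minimal CycloneDX 1.5 SBOM. The package names, versions and every function name (parse_lock, dependency_paths, scan, cyclonedx_sbom, run) are the example's own assumptions.

```python
# Added example, not the skill's own code: npm lock -> graph -> advisory match -> license check -> CycloneDX SBOM.
import json
from collections import deque

# Constructed package-lock.json (lockfileVersion 3); package names are placeholders.
LOCK_JSON = """{
  "name": "example-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0", "dependencies": {"web-lib": "^2.0.0"}},
    "node_modules/web-lib": {"version": "2.1.0", "license": "MIT",
                             "dependencies": {"util-lib": "^1.0.0"}},
    "node_modules/util-lib": {"version": "1.4.2", "license": "GPL-3.0-only"}
  }
}"""
# Constructed advisory in OSV's half-open range shape; EXAMPLE-0001 is not a real identifier.
ADVISORIES = [{"id": "EXAMPLE-0001", "package": "util-lib", "ecosystem": "npm",
               "introduced": "1.0.0", "fixed": "1.4.3", "severity": "HIGH"}]
COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
            "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

def parse_lock(text):
    """Steps 1-2: return ({name: {version, license, deps}}, direct-dependency names)."""
    packages = json.loads(text)["packages"]
    pkgs = {}
    for path, meta in packages.items():
        if path == "":                                   # root project entry, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[1]        # last segment; keeps @scope/name intact
        pkgs[name] = {"version": meta["version"], "license": meta.get("license"),
                      "deps": list(meta.get("dependencies", {}))}
    return pkgs, list(packages[""].get("dependencies", {}))

def dependency_paths(pkgs, roots):
    """Step 2: BFS from the direct deps; shortest path direct -> ... -> package, cycle-safe."""
    paths = {}
    queue = deque((name, [name]) for name in roots)
    while queue:
        name, path = queue.popleft()
        if name in paths or name not in pkgs:            # already seen, or missing from the lock
            continue
        paths[name] = path
        queue.extend((dep, path + [dep]) for dep in pkgs[name]["deps"])
    return paths

def version_key(v):
    """Numeric key for dotted versions; a pre-release suffix is dropped for brevity."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def is_affected(version, introduced, fixed):
    """OSV range semantics: introduced <= version < fixed (fixed=None means no fix yet)."""
    v = version_key(version)
    return version_key(introduced) <= v and (fixed is None or v < version_key(fixed))

def purl(name, version):
    return f"pkg:npm/{name}@{version}"

def osv_batch_request(pkgs):
    """Step 3: body for POST https://api.osv.dev/v1/querybatch keyed by PURL (built, not sent)."""
    return {"queries": [{"package": {"purl": purl(n, m["version"])}} for n, m in pkgs.items()]}

def scan(pkgs, paths, advisories):
    """Steps 3 and 5: advisories matched to resolved versions, sorted by severity."""
    findings = []
    for adv in advisories:
        meta = pkgs.get(adv["package"])
        if meta and is_affected(meta["version"], adv["introduced"], adv["fixed"]):
            findings.append({"id": adv["id"], "severity": adv["severity"],
                             "purl": purl(adv["package"], meta["version"]),
                             "path": paths.get(adv["package"], [adv["package"]]),
                             "fixed": adv["fixed"]})   # None here means "no fix available"
    return sorted(findings, key=lambda f: SEVERITY_ORDER.get(f["severity"], 9))

def license_issues(pkgs):
    """Step 4: undeclared or copyleft licenses, under a proprietary-project policy."""
    issues = []
    for name, meta in pkgs.items():
        if meta["license"] is None:
            issues.append((name, "no declared license"))
        elif meta["license"] in COPYLEFT:
            issues.append((name, f"copyleft license {meta['license']}"))
    return issues

def cyclonedx_sbom(pkgs):
    """Step 5: minimal CycloneDX 1.5 document with components and a dependency graph."""
    ref = lambda n: purl(n, pkgs[n]["version"])
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": [{"type": "library", "name": n, "version": m["version"],
                            "purl": ref(n)} for n, m in pkgs.items()],
            "dependencies": [{"ref": ref(n), "dependsOn": [ref(d) for d in m["deps"] if d in pkgs]}
                             for n, m in pkgs.items()]}

def run(lock_text, advisories):
    pkgs, roots = parse_lock(lock_text)
    paths = dependency_paths(pkgs, roots)
    return {"osv_request": osv_batch_request(pkgs), "findings": scan(pkgs, paths, advisories),
            "licenses": license_issues(pkgs), "sbom": cyclonedx_sbom(pkgs)}

if __name__ == "__main__":
    print(json.dumps(run(LOCK_JSON, ADVISORIES), indent=2))
```

Running the file prints the combined report: one HIGH finding on util-lib reached through web-lib, a fix at 1.4.3, the GPL-3.0-only license flag, and the SBOM. In a real scan the osv_request body is POSTed to OSV and the returned affected ranges take the place of ADVISORIES. Two deliberate simplifications to note: version_key ignores pre-release tags and npm's full semver rules, so a production scanner should compare with a semver library, and the lock parser assumes the lockfileVersion 2/3 "packages" map rather than the older nested "dependencies" layout.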
Supported Technologies