Agent skill

dependency-scanner

Software Composition Analysis (SCA) and dependency vulnerability scanning. Scan npm, pip, maven, gradle dependencies. Check CVE databases, generate SBOM (CycloneDX, SPDX), identify license compliance issues, and track EPSS scores for prioritization.

View SKILL.md on GitHub Repository
Stars 514
Forks 31

Install this agent skill to your Project

npx add-skill https://github.com/a5c-ai/babysitter/tree/main/library/specializations/security-compliance/skills/dependency-scanner

Metadata

Additional technical details for this skill

author
babysitter-sdk
version
1.0.0
category
security-testing
backlog id
SK-SEC-004

SKILL.md

dependency-scanner

You are dependency-scanner - a specialized skill for Software Composition Analysis (SCA) and dependency vulnerability scanning. This skill provides comprehensive capabilities for identifying security vulnerabilities and license compliance issues in third-party dependencies.

Overview

This skill enables AI-powered SCA including:

  • Multi-ecosystem dependency scanning (npm, pip, maven, gradle, go, rust)
  • CVE database queries (NVD, OSV, GitHub Advisory)
  • SBOM generation (CycloneDX, SPDX)
  • License compliance checking
  • EPSS score integration for exploit prioritization
  • Automated dependency update PR generation

Prerequisites

  • Package manifest files (package.json, requirements.txt, pom.xml, etc.)
  • CLI tools: trivy, npm, pip, snyk (optional), grype (optional)
  • Network access for CVE database queries

Capabilities

1. Trivy Dependency Scanning

Universal vulnerability scanner for multiple ecosystems:

bash
# Scan filesystem for vulnerabilities
trivy fs --scanners vuln --format json -o trivy-results.json .

# Scan specific manifest
trivy fs --scanners vuln package-lock.json

# Scan with severity filter
trivy fs --severity HIGH,CRITICAL --format json .

# Generate SBOM
trivy fs --format cyclonedx -o sbom.json .
trivy fs --format spdx-json -o sbom-spdx.json .

# Scan container image
trivy image --format json myapp:latest

# Include license information
trivy fs --scanners vuln,license --format json .

# Scan with ignore file
trivy fs --ignorefile .trivyignore --format json .

Trivy Supported Ecosystems

Ecosystem Files Scanned
npm package-lock.json, yarn.lock, pnpm-lock.yaml
pip requirements.txt, Pipfile.lock, poetry.lock
Go go.sum, go.mod
Ruby Gemfile.lock
Rust Cargo.lock
.NET packages.lock.json, *.deps.json
Maven pom.xml
Gradle gradle.lockfile
Composer composer.lock

2. npm Audit

Native npm vulnerability scanning:

bash
# Basic audit
npm audit --json > npm-audit.json

# Audit with severity filter
npm audit --audit-level=high --json

# Production dependencies only
npm audit --production --json

# Auto-fix vulnerabilities
npm audit fix

# Force fix (may include breaking changes)
npm audit fix --force

# Dry-run fix
npm audit fix --dry-run --json

npm Audit Output Schema

json
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "lodash": {
      "name": "lodash",
      "severity": "high",
      "isDirect": false,
      "via": ["prototype-pollution"],
      "effects": ["other-package"],
      "range": "<4.17.21",
      "nodes": ["node_modules/lodash"],
      "fixAvailable": {
        "name": "lodash",
        "version": "4.17.21",
        "isSemVerMajor": false
      }
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 2,
      "moderate": 5,
      "high": 3,
      "critical": 1,
      "total": 11
    }
  }
}

3. pip-audit for Python

bash
# Install pip-audit
pip install pip-audit

# Basic scan
pip-audit --format json > pip-audit.json

# Scan requirements file
pip-audit -r requirements.txt --format json

# Scan with strict mode (fail on any vulnerability)
pip-audit --strict

# Output in CycloneDX format
pip-audit --format cyclonedx-json > python-sbom.json

# Fix vulnerabilities
pip-audit --fix

# Use OSV database
pip-audit --vulnerability-service osv

4. OWASP Dependency-Check

Comprehensive vulnerability scanner:

bash
# Run dependency check
dependency-check --project "MyApp" \
  --scan . \
  --format JSON \
  --out ./dependency-check-report.json

# Scan specific paths
dependency-check --project "MyApp" \
  --scan ./src \
  --scan ./lib \
  --format JSON

# Update CVE database
dependency-check --updateonly

# Fail on CVSS score
dependency-check --project "MyApp" \
  --scan . \
  --failOnCVSS 7 \
  --format JSON

5. Grype Container/Filesystem Scanning

bash
# Scan directory
grype dir:. --output json > grype-results.json

# Scan container image
grype myapp:latest --output json

# Scan SBOM
grype sbom:./sbom.json --output json

# Filter by severity
grype dir:. --only-fixed --fail-on high

# Output formats
grype dir:. --output cyclonedx  # CycloneDX SBOM with vulns
grype dir:. --output sarif      # SARIF for GitHub

6. SBOM Generation

CycloneDX Format

bash
# Generate with Trivy
trivy fs --format cyclonedx -o sbom-cyclonedx.json .

# Generate with Syft
syft . -o cyclonedx-json > sbom-cyclonedx.json

# For npm projects
npx @cyclonedx/cyclonedx-npm --output-file npm-sbom.json

SPDX Format

bash
# Generate with Trivy
trivy fs --format spdx-json -o sbom-spdx.json .

# Generate with Syft
syft . -o spdx-json > sbom-spdx.json

# For Python projects
pip install spdx-tools
python -m spdx.creationinfo

SBOM Schema (CycloneDX)

json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {
    "timestamp": "2026-01-24T10:00:00Z",
    "tools": [{"name": "trivy", "version": "0.50.0"}],
    "component": {
      "name": "myapp",
      "version": "1.0.0",
      "type": "application"
    }
  },
  "components": [
    {
      "type": "library",
      "name": "lodash",
      "version": "4.17.21",
      "purl": "pkg:npm/lodash@4.17.21",
      "licenses": [{"license": {"id": "MIT"}}]
    }
  ],
  "vulnerabilities": [
    {
      "id": "CVE-2021-23337",
      "source": {"name": "NVD"},
      "ratings": [{"severity": "high", "score": 7.2}],
      "affects": [{"ref": "pkg:npm/lodash@4.17.20"}]
    }
  ]
}

7. License Compliance

bash
# Check licenses with Trivy
trivy fs --scanners license --format json .

# License finder
license_finder

# FOSSA CLI (requires account)
fossa analyze

# npm license checker
npx license-checker --json > licenses.json

# pip-licenses for Python
pip install pip-licenses
pip-licenses --format=json > python-licenses.json

License Risk Categories

Risk Level Licenses Policy
Low MIT, BSD, Apache 2.0 Generally permissive
Medium LGPL, MPL Conditional requirements
High GPL, AGPL Strong copyleft
Critical SSPL, Proprietary Restrictions may apply

8. EPSS Score Integration

Exploit Prediction Scoring System for prioritization:

python
# Python example for EPSS integration
import requests

def get_epss_score(cve_id):
    """Get EPSS score for a CVE"""
    url = f"https://api.first.org/data/v1/epss?cve={cve_id}"
    response = requests.get(url)
    data = response.json()
    if data['data']:
        return {
            'cve': cve_id,
            'epss': float(data['data'][0]['epss']),
            'percentile': float(data['data'][0]['percentile'])
        }
    return None

Prioritization Matrix

CVSS Score EPSS Score Priority
>= 9.0 >= 0.5 Critical (24h)
>= 7.0 >= 0.3 High (7 days)
>= 4.0 >= 0.1 Medium (30 days)
< 4.0 < 0.1 Low (90 days)

MCP Server Integration

This skill can leverage the following MCP servers:

Server Description Installation
SecOpsAgentKit sca-trivy Trivy SCA integration GitHub
sast-mcp Multi-tool SCA support GitHub
Trivy MCP Official Aqua Security MCP GitHub

Best Practices

Scanning Strategy

  1. CI/CD Integration - Scan on every commit/PR
  2. Baseline Management - Track known vulnerabilities
  3. Update Cadence - Regular dependency updates
  4. SBOM Generation - Maintain inventory for compliance

Prioritization Guidelines

  1. Direct vs Transitive - Prioritize direct dependencies
  2. EPSS + CVSS - Combine scores for real-world risk
  3. Exploitability - Check for known exploits in the wild
  4. Business Context - Consider affected functionality

Dependency Update Strategy

yaml
# Dependabot configuration example
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    groups:
      security:
        applies-to: security-updates
        patterns:
          - "*"

Process Integration

This skill integrates with the following processes:

  • sca-management.js - SCA pipeline integration
  • devsecops-pipeline.js - DevSecOps automation
  • vulnerability-management.js - Vulnerability lifecycle
  • compliance-sbom.js - SBOM compliance reporting

Output Format

When executing operations, provide structured output:

json
{
  "operation": "dependency-scan",
  "status": "completed",
  "ecosystem": "npm",
  "manifest": "package-lock.json",
  "scan_duration_seconds": 12,
  "summary": {
    "total_dependencies": 245,
    "direct_dependencies": 32,
    "vulnerabilities": {
      "critical": 2,
      "high": 5,
      "medium": 12,
      "low": 8
    },
    "licenses": {
      "permissive": 230,
      "copyleft": 10,
      "unknown": 5
    }
  },
  "top_vulnerabilities": [
    {
      "cve": "CVE-2024-12345",
      "package": "example-lib",
      "version": "1.2.3",
      "severity": "critical",
      "cvss": 9.8,
      "epss": 0.72,
      "fix_version": "1.2.4",
      "direct": false,
      "path": "myapp > dep-a > example-lib"
    }
  ],
  "sbom_generated": true,
  "artifacts": ["trivy-results.json", "sbom-cyclonedx.json", "licenses.json"]
}

Error Handling

Common Issues

Error Cause Resolution
No lockfile found Missing dependency lock Generate lockfile first
Database update failed Network issues Check connectivity, retry
Unknown package Private/internal package Configure private registry
Rate limited Too many API calls Implement caching

Constraints

  • Maintain dependency lock files for accurate scanning
  • Configure private registries for internal packages
  • Cache vulnerability databases for offline scanning
  • Track SBOM for compliance and audit purposes
  • Monitor for new CVEs affecting existing dependencies

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

a5c-ai/babysitter

gsd-tools

Central utility skill for GSD operations. Provides config parsing, slug generation, timestamps, path operations, and orchestrates calls to other specialized skills. Acts as the unified entry point that the original gsd-tools.cjs provided via its lib/ modules (commands, config, core, init).

514 31
Explore
a5c-ai/babysitter

model-profile-resolution

Resolve model profile (quality/balanced/budget) at orchestration start and map agents to specific models. Enables cost/quality tradeoffs by selecting appropriate AI models for each agent role.

514 31
Explore
a5c-ai/babysitter

verification-suite

Plan structure validation, phase completeness checks, reference integrity verification, and artifact existence confirmation. Provides the structured verification layer ensuring GSD artifacts are well-formed and complete.

514 31
Explore
a5c-ai/babysitter

state-management

STATE.md reading, writing, and field-level updates. Provides cross-session state persistence via .planning/STATE.md with structured fields for current task, completed phases, blockers, decisions, and quick tasks.

514 31
Explore
a5c-ai/babysitter

git-integration

Git commit patterns, formats, and conventions for GSD methodology. Provides atomic commits per task, structured commit messages, planning file commits, branch management, and milestone tag operations.

514 31
Explore
a5c-ai/babysitter

frontmatter-parsing

YAML frontmatter parsing and manipulation for .planning/ documents. Provides read, write, update, query, and validation operations on frontmatter blocks in GSD markdown artifacts.

514 31
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results