Agent skill

dependency-scanner

Comprehensive dependency scanning, inventory generation, and SBOM creation for migration readiness assessment

View SKILL.md on GitHub Repository
Stars 514
Forks 31

Install this agent skill to your Project

npx add-skill https://github.com/a5c-ai/babysitter/tree/main/library/specializations/code-migration-modernization/skills/dependency-scanner

SKILL.md

Dependency Scanner Skill

Performs comprehensive dependency scanning and inventory generation for codebases, supporting migration planning and security assessments through SBOM (Software Bill of Materials) generation.

Purpose

Enable comprehensive dependency management for:

  • Direct and transitive dependency extraction
  • Dependency tree visualization
  • Version conflict detection
  • Circular dependency identification
  • License extraction and compliance
  • SBOM generation (CycloneDX, SPDX formats)

Capabilities

1. Direct/Transitive Dependency Extraction

  • Parse package manifests (package.json, pom.xml, requirements.txt, etc.)
  • Resolve full dependency trees including transitive dependencies
  • Identify version constraints and resolution results
  • Track dependency sources and registries

2. Dependency Tree Visualization

  • Generate hierarchical dependency graphs
  • Export to DOT, JSON, or Mermaid formats
  • Highlight problematic paths
  • Calculate tree depth and breadth metrics

3. Version Conflict Detection

  • Identify version conflicts in dependency trees
  • Detect peer dependency violations
  • Find incompatible version ranges
  • Suggest resolution strategies

4. Circular Dependency Identification

  • Detect circular dependency chains
  • Map dependency cycles
  • Assess impact of circular dependencies
  • Recommend breaking strategies

5. License Extraction

  • Extract license information from dependencies
  • Identify license types (MIT, Apache, GPL, etc.)
  • Flag copyleft licenses
  • Track dual-licensed packages

6. SBOM Generation

  • Generate CycloneDX format SBOMs
  • Generate SPDX format SBOMs
  • Include vulnerability references
  • Support machine-readable and human-readable outputs

Tool Integrations

This skill can leverage the following external tools when available:

Tool Purpose Integration Method
npm/yarn/pnpm Node.js dependencies CLI
Maven Java dependencies CLI
Gradle Java/Kotlin dependencies CLI
pip/pipenv/poetry Python dependencies CLI
Bundler Ruby dependencies CLI
Cargo Rust dependencies CLI
Go Modules Go dependencies CLI
Snyk Security scanning CLI / API
OWASP Dependency-Check Vulnerability scanning CLI
Trivy SBOM generation MCP Server / CLI
Syft SBOM generation CLI

Usage

Basic Scanning

bash
# Invoke skill for dependency scanning
# The skill will auto-detect package managers and scan accordingly

# Expected inputs:
# - targetPath: Path to project root
# - scanDepth: 'direct' | 'transitive' | 'full'
# - outputFormat: 'json' | 'tree' | 'sbom-cyclonedx' | 'sbom-spdx'
# - includeLicenses: boolean

Scanning Workflow

  1. Detection Phase

    • Identify package managers in use
    • Locate manifest files
    • Check for lock files

  2. Extraction Phase

    • Parse manifest files
    • Resolve dependency trees
    • Extract version information

  3. Analysis Phase

    • Detect conflicts
    • Identify circular dependencies
    • Extract licenses

  4. Output Generation

    • Generate inventory reports
    • Create SBOMs if requested
    • Produce visualization artifacts

Output Schema

json
{
  "scanId": "string",
  "timestamp": "ISO8601",
  "target": {
    "path": "string",
    "packageManagers": ["string"],
    "manifestFiles": ["string"]
  },
  "summary": {
    "totalDependencies": "number",
    "directDependencies": "number",
    "transitiveDependencies": "number",
    "uniquePackages": "number",
    "treeDepth": "number"
  },
  "dependencies": [
    {
      "name": "string",
      "version": "string",
      "type": "direct|transitive",
      "parent": "string|null",
      "license": "string",
      "repository": "string",
      "depth": "number"
    }
  ],
  "conflicts": [
    {
      "package": "string",
      "versions": ["string"],
      "sources": ["string"],
      "recommendation": "string"
    }
  ],
  "circularDependencies": [
    {
      "chain": ["string"],
      "severity": "high|medium|low"
    }
  ],
  "licenses": {
    "summary": {
      "MIT": "number",
      "Apache-2.0": "number",
      "GPL-3.0": "number"
    },
    "copyleft": ["string"],
    "unknown": ["string"]
  },
  "sbom": {
    "format": "cyclonedx|spdx",
    "version": "string",
    "path": "string"
  }
}

Integration with Migration Processes

This skill integrates with the following Code Migration/Modernization processes:

  • dependency-analysis-updates: Primary tool for dependency assessment
  • legacy-codebase-assessment: Dependency inventory for legacy systems
  • framework-upgrade: Compatibility analysis for upgrades
  • cloud-migration: Dependency portability assessment

Configuration

Skill Configuration File

Create .dependency-scanner.json in the project root:

json
{
  "packageManagers": ["auto"],
  "excludePaths": ["node_modules", ".git"],
  "scanDepth": "full",
  "includeDev": true,
  "includeOptional": false,
  "licensePolicy": {
    "allowed": ["MIT", "Apache-2.0", "BSD-3-Clause", "ISC"],
    "flagged": ["GPL-3.0", "AGPL-3.0"],
    "blocked": []
  },
  "sbomConfig": {
    "format": "cyclonedx",
    "version": "1.5",
    "includeVulnerabilities": true
  }
}

MCP Server Integration

When Trivy SBOM Generator MCP Server is available:

javascript
// Example MCP tool invocation
{
  "tool": "trivy_generate_sbom",
  "arguments": {
    "target": "./",
    "format": "cyclonedx",
    "output": "./sbom.json"
  }
}

When GitHub Dependabot MCP Server is available:

javascript
// Example dependency update check
{
  "tool": "dependabot_check_updates",
  "arguments": {
    "repo": "owner/repo",
    "ecosystem": "npm"
  }
}

Package Manager Support

Node.js (npm/yarn/pnpm)

bash
# Auto-detected files:
# - package.json
# - package-lock.json
# - yarn.lock
# - pnpm-lock.yaml

Java (Maven/Gradle)

bash
# Auto-detected files:
# - pom.xml
# - build.gradle
# - build.gradle.kts

Python (pip/pipenv/poetry)

bash
# Auto-detected files:
# - requirements.txt
# - Pipfile
# - pyproject.toml
# - setup.py

Ruby (Bundler)

bash
# Auto-detected files:
# - Gemfile
# - Gemfile.lock

Go (Modules)

bash
# Auto-detected files:
# - go.mod
# - go.sum

Rust (Cargo)

bash
# Auto-detected files:
# - Cargo.toml
# - Cargo.lock

Best Practices

  1. Lock File Usage: Always include lock files for reproducible scans
  2. Regular Scanning: Integrate into CI/CD for continuous monitoring
  3. SBOM Storage: Store SBOMs alongside releases for compliance
  4. License Reviews: Review license changes in dependency updates
  5. Conflict Resolution: Address version conflicts before migration

Related Skills

  • vulnerability-scanner: Security scanning of dependencies
  • license-compliance-checker: Detailed license analysis
  • dependency-updater: Automated dependency updates

Related Agents

  • dependency-modernization-agent: Uses this skill for dependency management
  • migration-readiness-assessor: Uses this skill for readiness evaluation
  • security-vulnerability-assessor: Uses this skill for dependency security

References

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

a5c-ai/babysitter

gsd-tools

Central utility skill for GSD operations. Provides config parsing, slug generation, timestamps, path operations, and orchestrates calls to other specialized skills. Acts as the unified entry point that the original gsd-tools.cjs provided via its lib/ modules (commands, config, core, init).

514 31
Explore
a5c-ai/babysitter

model-profile-resolution

Resolve model profile (quality/balanced/budget) at orchestration start and map agents to specific models. Enables cost/quality tradeoffs by selecting appropriate AI models for each agent role.

514 31
Explore
a5c-ai/babysitter

verification-suite

Plan structure validation, phase completeness checks, reference integrity verification, and artifact existence confirmation. Provides the structured verification layer ensuring GSD artifacts are well-formed and complete.

514 31
Explore
a5c-ai/babysitter

state-management

STATE.md reading, writing, and field-level updates. Provides cross-session state persistence via .planning/STATE.md with structured fields for current task, completed phases, blockers, decisions, and quick tasks.

514 31
Explore
a5c-ai/babysitter

git-integration

Git commit patterns, formats, and conventions for GSD methodology. Provides atomic commits per task, structured commit messages, planning file commits, branch management, and milestone tag operations.

514 31
Explore
a5c-ai/babysitter

frontmatter-parsing

YAML frontmatter parsing and manipulation for .planning/ documents. Provides read, write, update, query, and validation operations on frontmatter blocks in GSD markdown artifacts.

514 31
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results