ReddRadar
Agent skill
loom-dependency-scan
Stars
36
Forks
1
Install this agent skill to your Project
npx add-skill https://github.com/cosmix/loom/tree/main/skills/loom-dependency-scan
SKILL.md
Dependency Scan
Overview
This skill focuses on identifying security vulnerabilities, outdated packages, and license compliance issues in project dependencies. It covers multiple package ecosystems (JavaScript/Node.js, Python, Rust, Go, Ruby, Java, .NET, PHP) and provides remediation guidance, SBOM generation, and supply chain security analysis.
When to Use
- Scanning dependencies for CVEs and security advisories
- Checking for outdated or unmaintained packages
- Generating Software Bill of Materials (SBOM)
- Verifying license compliance and compatibility
- Analyzing supply chain risks and transitive dependencies
- Setting up automated dependency updates (Dependabot, Renovate, Snyk)
- Investigating security alerts from GitHub/GitLab
- Auditing dependencies before production deployment
Instructions
1. Identify Dependencies
- Parse manifest files (package.json, requirements.txt, etc.)
- Build complete dependency tree
- Identify direct vs transitive dependencies
- Check for phantom dependencies
2. Vulnerability Scanning
- Check against CVE databases
- Identify severity levels
- Find affected versions
- Check for available patches
3. Assess Risks
- Evaluate exploitability
- Check for active exploitation
- Assess impact on application
- Prioritize remediations
4. Report and Remediate
- Document all findings
- Provide upgrade paths
- Suggest alternatives
- Create remediation plan
5. Language-Specific Scanning
JavaScript/Node.js:
- Use
npm auditoryarn auditfor vulnerability scanning - Check
package-lock.jsonoryarn.lockfor reproducibility - Consider
npm-check-updatesfor upgrade analysis - Use
license-checkerfor license compliance
Python:
- Use
pip-auditorsafetyfor CVE scanning - Check
requirements.txtandPipfile.lock - Use
pip-compilewith--generate-hashesfor integrity - Consider
pipdeptreefor dependency visualization
Rust:
- Use
cargo auditfor RustSec advisories - Check
Cargo.lockfor reproducible builds - Use
cargo outdatedfor version analysis - Consider
cargo denyfor policy enforcement
Go:
- Use
govulncheckfor vulnerability scanning - Check
go.sumfor module integrity - Use
go list -m allto enumerate dependencies - Consider
nancyfor OSS Index checking
6. SBOM Generation
Generate Software Bill of Materials for supply chain transparency:
CycloneDX:
npm install -g @cyclonedx/cyclonedx-npm && cyclonedx-npm --output-file sbom.jsoncargo install cargo-cyclonedx && cargo cyclonedxpip install cyclonedx-bom && cyclonedx-py
SPDX:
- Use
syft(universal tool):syft . -o spdx-json > sbom.spdx.json - Use
trivyfor container images:trivy image --format spdx-json myimage:tag
Purpose: Track all components for vulnerability management, license compliance, and incident response.
7. License Compliance Checking
Ensure all dependencies have compatible licenses:
Automated Tools:
- Node.js:
npx license-checker --onlyAllow 'MIT;Apache-2.0;BSD-2-Clause;BSD-3-Clause;ISC' - Rust:
cargo deny check licenses - Python:
pip-licenses - Universal:
fossology,scancode-toolkit
License Categories:
- Permissive: MIT, Apache-2.0, BSD (generally safe)
- Weak Copyleft: MPL, LGPL (check linking requirements)
- Strong Copyleft: GPL, AGPL (may require source disclosure)
- Unknown/Missing: Investigate before use
Best Practices
- Regular Scanning: Automate daily/weekly scans
- Lock Files: Use lockfiles for reproducibility
- Minimal Dependencies: Only include what's needed
- Verify Sources: Use trusted registries
- Review Updates: Don't blindly update
- License Compliance: Ensure compatible licenses
- SBOM: Maintain software bill of materials
Examples
Example 1: Scanning Commands by Ecosystem
bash
# JavaScript/Node.js
npm audit
npm audit --json > audit-report.json
npm outdated
npx npm-check-updates
# Python
pip-audit
safety check
pip list --outdated
pip-compile --generate-hashes
# Rust
cargo audit
cargo outdated
cargo deny check
# Go
go list -m all | nancy sleuth
govulncheck ./...
# Ruby
bundle audit
bundle outdated
# Java/Maven
mvn dependency-check:check
mvn versions:display-dependency-updates
# .NET
dotnet list package --vulnerable
dotnet list package --outdated
# PHP
composer audit
composer outdated
Example 2: GitHub Actions Dependency Scanning
yaml
name: Dependency Scanning
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: "0 6 * * *" # Daily at 6 AM
jobs:
dependency-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: "fs"
scan-ref: "."
format: "sarif"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH"
- name: Upload Trivy scan results
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: "trivy-results.sarif"
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: "20"
- name: Run npm audit
run: |
npm ci
npm audit --audit-level=high
- name: Check for outdated packages
run: npm outdated || true
- name: License check
run: npx license-checker --onlyAllow 'MIT;Apache-2.0;BSD-2-Clause;BSD-3-Clause;ISC'
snyk-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/node@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --severity-threshold=high
Example 3: Dependency Analysis Report Template
markdown
# Dependency Security Report
**Generated:** 2024-01-15
**Project:** my-application
**Total Dependencies:** 245 (42 direct, 203 transitive)
## Summary
| Severity | Count | Status |
| -------- | ----- | ------------------ |
| Critical | 2 | Action Required |
| High | 5 | Action Required |
| Medium | 12 | Review Recommended |
| Low | 8 | Monitor |
## Critical Vulnerabilities
### CVE-2024-1234 - Remote Code Execution in lodash
- **Package:** lodash@4.17.20
- **Severity:** Critical (CVSS 9.8)
- **Affected Versions:** < 4.17.21
- **Fixed Version:** 4.17.21
- **Path:** my-app > express > lodash
- **Description:** Prototype pollution vulnerability allowing RCE
- **Remediation:** `npm update lodash`
### CVE-2024-5678 - SQL Injection in sequelize
- **Package:** sequelize@6.28.0
- **Severity:** Critical (CVSS 9.1)
- **Affected Versions:** < 6.29.0
- **Fixed Version:** 6.29.0
- **Path:** my-app > sequelize
- **Description:** SQL injection via raw query methods
- **Remediation:** `npm update sequelize`
## License Compliance
| License | Count | Compliance |
| ------------ | ----- | -------------------- |
| MIT | 180 | Approved |
| Apache-2.0 | 45 | Approved |
| BSD-3-Clause | 15 | Approved |
| GPL-3.0 | 3 | Review Required |
| Unknown | 2 | Investigation Needed |
## Recommendations
1. **Immediate:** Update lodash and sequelize to fix critical vulnerabilities
2. **Short-term:** Review GPL-licensed dependencies for compatibility
3. **Ongoing:** Enable Dependabot/Renovate for automated updates
Example 4: Renovate Configuration
json
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:base", ":semanticCommits", ":preserveSemverRanges"],
"schedule": ["before 6am on Monday"],
"vulnerabilityAlerts": {
"enabled": true,
"labels": ["security"]
},
"packageRules": [
{
"matchUpdateTypes": ["major"],
"labels": ["major-update"],
"automerge": false
},
{
"matchUpdateTypes": ["minor", "patch"],
"matchCurrentVersion": "!/^0/",
"automerge": true,
"automergeType": "pr",
"platformAutomerge": true
},
{
"matchPackagePatterns": ["^@types/"],
"automerge": true,
"groupName": "type definitions"
},
{
"matchDepTypes": ["devDependencies"],
"automerge": true,
"groupName": "dev dependencies"
}
],
"prConcurrentLimit": 5,
"prHourlyLimit": 2
}
Didn't find tool you were looking for?