Marketplace
dependency-vulnerability-scanner
Scans dependencies for known vulnerabilities (npm audit, pip-audit, etc.), generates reports, and suggests fixes. Use when user asks to "check vulnerabilities", "security scan", "audit dependencies", "check CVEs", or "vulnerable packages".
allowed_tools: Read, Write, Bash, Glob
$ 安裝
git clone https://github.com/Dexploarer/claudius-skills /tmp/claudius-skills && cp -r /tmp/claudius-skills/examples/intermediate/security-skills/dependency-scanner ~/.claude/skills/claudius-skills// tip: Run this command in your terminal to install the skill
SKILL.md
name: dependency-vulnerability-scanner description: Scans dependencies for known vulnerabilities (npm audit, pip-audit, etc.), generates reports, and suggests fixes. Use when user asks to "check vulnerabilities", "security scan", "audit dependencies", "check CVEs", or "vulnerable packages". allowed-tools: [Read, Write, Bash, Glob]
Dependency Vulnerability Scanner
Scans project dependencies for known security vulnerabilities and provides remediation guidance.
When to Use
- "Check for vulnerable dependencies"
- "Security audit my dependencies"
- "Scan for CVEs"
- "Check npm/pip vulnerabilities"
- "Update vulnerable packages"
Instructions
1. Detect Package Manager
# Node.js
[ -f "package.json" ] && echo "npm/yarn"
# Python
[ -f "requirements.txt" ] && echo "pip"
# Ruby
[ -f "Gemfile" ] && echo "bundler"
# Go
[ -f "go.mod" ] && echo "go modules"
# Rust
[ -f "Cargo.toml" ] && echo "cargo"
2. Run Security Audit
npm (Node.js)
Basic audit:
npm audit
# Output:
# found 3 vulnerabilities (2 moderate, 1 high)
# run `npm audit fix` to fix them
Detailed report:
npm audit --json > audit-report.json
npm audit --production # Only production dependencies
Auto-fix:
npm audit fix # Safe fixes
npm audit fix --force # May introduce breaking changes
Yarn
yarn audit
# Fix vulnerabilities
yarn upgrade-interactive
# Generate report
yarn audit --json > audit-report.json
pip (Python)
# Install pip-audit
pip install pip-audit
# Run audit
pip-audit
# With fix suggestions
pip-audit --fix
# Check requirements file
pip-audit --requirement requirements.txt
# Output JSON
pip-audit --format json > audit-report.json
Safety (Python alternative)
pip install safety
# Check installed packages
safety check
# Check requirements
safety check --file requirements.txt
# Full report
safety check --full-report
Bundle Audit (Ruby)
gem install bundler-audit
# Update vulnerability database
bundle audit update
# Run audit
bundle audit check
# Auto-update
bundle audit check --update
Snyk (Multi-language)
# Install
npm install -g snyk
# Authenticate
snyk auth
# Test project
snyk test
# Monitor continuously
snyk monitor
# Fix vulnerabilities
snyk fix
OWASP Dependency-Check
# Download
wget https://github.com/jeremylong/DependencyCheck/releases/download/v8.0.0/dependency-check-8.0.0-release.zip
unzip dependency-check-8.0.0-release.zip
# Run scan
./dependency-check/bin/dependency-check.sh \
--project "My Project" \
--scan ./
# Generate HTML report
--format HTML --out ./reports
3. Parse and Categorize Results
Severity levels:
- Critical: Immediate action required
- High: Fix ASAP
- Moderate: Plan to fix
- Low: Monitor and assess
Example output analysis:
{
"vulnerabilities": [
{
"name": "lodash",
"severity": "high",
"via": ["prototype-pollution"],
"fixAvailable": {
"name": "lodash",
"version": "4.17.21"
}
}
]
}
4. Generate Security Report
# Dependency Vulnerability Report
**Date:** 2024-01-15
**Project:** my-app
**Total Dependencies:** 250
**Vulnerabilities Found:** 12
## Summary
- Critical: 1
- High: 3
- Moderate: 5
- Low: 3
## Critical Vulnerabilities
### 1. Prototype Pollution in lodash (CVE-2020-8203)
**Severity:** Critical
**Package:** lodash@4.17.15
**Fixed in:** lodash@4.17.21
**CVSS Score:** 9.8
**Description:**
Prototype pollution vulnerability allows attackers to modify object prototypes.
**Impact:**
Remote code execution possible if attacker controls input to vulnerable functions.
**Remediation:**
```bash
npm install lodash@4.17.21
Priority: Immediate (deploy within 24 hours)
High Vulnerabilities
2. Regular Expression Denial of Service in trim (CVE-2020-7753)
Severity: High Package: trim@0.0.1 Fixed in: trim@1.0.1 CVSS Score: 7.5
Description: ReDoS vulnerability in input parsing.
Remediation:
npm install trim@1.0.1
Priority: High (fix this week)
[... more vulnerabilities ...]
Recommendations
-
Immediate Actions (Critical)
- Update lodash to 4.17.21
- Test thoroughly
- Deploy to production
-
Short-term (High)
- Update trim, axios, express
- Review indirect dependencies
- Run integration tests
-
Long-term (Moderate/Low)
- Schedule updates for moderate issues
- Monitor low severity issues
- Consider alternative packages
Prevention
- Enable Dependabot/Renovate
- Run audits in CI/CD
- Review dependencies before adding
- Keep dependencies up to date
### 5. Automated Scanning in CI/CD
**GitHub Actions:**
```yaml
name: Security Audit
on:
schedule:
- cron: '0 0 * * 1' # Weekly
pull_request:
push:
branches: [main]
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: '20'
- name: Run npm audit
run: |
npm audit --audit-level=moderate
npm audit --json > audit-report.json
- name: Upload audit report
uses: actions/upload-artifact@v3
with:
name: audit-report
path: audit-report.json
- name: Fail on high vulnerabilities
run: npm audit --audit-level=high
With Snyk:
- name: Run Snyk
uses: snyk/actions/node@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --severity-threshold=high
6. Dependabot Configuration
.github/dependabot.yml:
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
reviewers:
- "security-team"
labels:
- "dependencies"
- "security"
commit-message:
prefix: "chore"
include: "scope"
# Security updates only
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "daily"
open-pull-requests-limit: 5
allow:
- dependency-type: "direct"
versioning-strategy: increase-if-necessary
7. License Compliance
Check licenses:
# Install license-checker
npm install -g license-checker
# Check all licenses
license-checker
# Generate report
license-checker --json > licenses.json
# Check for problematic licenses
license-checker --onlyAllow 'MIT;Apache-2.0;BSD-3-Clause'
Python:
pip install pip-licenses
pip-licenses
# Format as table
pip-licenses --format=markdown
# Check compatibility
pip-licenses --fail-on 'GPL'
8. Supply Chain Security
Verify package integrity:
# npm
npm audit signatures
# Check for suspicious packages
npx socket npm i lodash
Monitor for typosquatting:
# Install confused
npm install -g confused
# Check for dependency confusion
confused -l package.json
9. Continuous Monitoring
Setup alerts:
// In package.json
{
"scripts": {
"audit": "npm audit",
"audit:fix": "npm audit fix",
"audit:report": "npm audit --json > reports/audit-$(date +%Y%m%d).json",
"precommit": "npm audit --audit-level=high"
}
}
Husky hook:
{
"husky": {
"hooks": {
"pre-commit": "npm audit --audit-level=high"
}
}
}
10. Best Practices
DO:
- Run audits regularly (weekly minimum)
- Fix critical/high vulnerabilities immediately
- Review audit reports before releases
- Use automated tools (Dependabot, Renovate)
- Monitor security advisories
- Document exceptions/accepted risks
- Test fixes in staging first
DON'T:
- Ignore audit warnings
- Use --force without understanding impact
- Skip security updates
- Add packages without review
- Disable audit checks
- Use outdated dependencies unnecessarily
Common Vulnerability Types
1. Prototype Pollution
// Vulnerable code
function merge(target, source) {
for (let key in source) {
target[key] = source[key]
}
}
// Attack
merge({}, JSON.parse('{"__proto__":{"isAdmin":true}}'))
// Fix: Use Object.create(null) or hasOwnProperty
2. Regular Expression DoS (ReDoS)
// Vulnerable regex
/^(a+)+$/
// Attack: Long string of 'a's causes catastrophic backtracking
// Fix: Avoid nested quantifiers, use atomic groups
3. SQL Injection
// Vulnerable
db.query(`SELECT * FROM users WHERE id = ${userId}`)
// Fix: Use parameterized queries
db.query('SELECT * FROM users WHERE id = ?', [userId])
4. Cross-Site Scripting (XSS)
// Vulnerable
element.innerHTML = userInput
// Fix: Use textContent or sanitize
element.textContent = userInput
// or
element.innerHTML = DOMPurify.sanitize(userInput)
Remediation Priority Matrix
| Severity | Exploitability | Priority | Timeline |
|---|---|---|---|
| Critical | High | P0 | 24 hours |
| Critical | Medium | P1 | 1 week |
| High | High | P1 | 1 week |
| High | Medium | P2 | 2 weeks |
| Moderate | High | P2 | 2 weeks |
| Moderate | Medium | P3 | 1 month |
| Low | Any | P4 | Next cycle |
Compliance Requirements
SOC 2:
- Regular vulnerability scanning
- Documented remediation process
- Evidence of timely fixes
PCI DSS:
- Monthly vulnerability scans
- Fix critical vulnerabilities within 30 days
- Patch management process
HIPAA:
- Regular security assessments
- Document risk analysis
- Timely vulnerability remediation
Tools Comparison
| Tool | Languages | Cost | Features |
|---|---|---|---|
| npm audit | Node.js | Free | Basic, fast |
| Snyk | Multi | Free tier | Advanced, auto-fix |
| Dependabot | Multi | Free | Auto PRs |
| WhiteSource | Multi | Paid | Enterprise features |
| Sonatype | Multi | Paid | Policy enforcement |
Repository
Dexploarer
Author
Dexploarer/claudius-skills/examples/intermediate/security-skills/dependency-scanner
1
Stars
1
Forks
Updated1h ago
Added6d ago