a5c-ai/dependency-scanner

Dependency Scanner Skill

Performs comprehensive dependency scanning and inventory generation for codebases, supporting migration planning and security assessments through SBOM (Software Bill of Materials) generation.

Purpose

Enable comprehensive dependency management for:

• Direct and transitive dependency extraction
• Dependency tree visualization
• Version conflict detection
• Circular dependency identification
• License extraction and compliance
• SBOM generation (CycloneDX, SPDX formats)

Capabilities

1. Direct/Transitive Dependency Extraction

• Parse package manifests (package.json, pom.xml, requirements.txt, etc.)
• Resolve full dependency trees including transitive dependencies
• Identify version constraints and resolution results
• Track dependency sources and registries

2. Dependency Tree Visualization

• Generate hierarchical dependency graphs
• Export to DOT, JSON, or Mermaid formats
• Highlight problematic paths
• Calculate tree depth and breadth metrics

3. Version Conflict Detection

• Identify version conflicts in dependency trees
• Detect peer dependency violations
• Find incompatible version ranges
• Suggest resolution strategies

4. Circular Dependency Identification

• Detect circular dependency chains
• Map dependency cycles
• Assess impact of circular dependencies
• Recommend breaking strategies

5. License Extraction

• Extract license information from dependencies
• Identify license types (MIT, Apache, GPL, etc.)
• Flag copyleft licenses
• Track dual-licensed packages

6. SBOM Generation

• Generate CycloneDX format SBOMs
• Generate SPDX format SBOMs
• Include vulnerability references
• Support machine-readable and human-readable outputs

Tool Integrations

This skill can leverage the following external tools when available:

| Tool | Purpose | Integration Method | |------|---------|-------------------| | npm/yarn/pnpm | Node.js dependencies | CLI | | Maven | Java dependencies | CLI | | Gradle | Java/Kotlin dependencies | CLI | | pip/pipenv/poetry | Python dependencies | CLI | | Bundler | Ruby dependencies | CLI | | Cargo | Rust dependencies | CLI | | Go Modules | Go dependencies | CLI | | Snyk | Security scanning | CLI / API | | OWASP Dependency-Check | Vulnerability scanning | CLI | | Trivy | SBOM generation | MCP Server / CLI | | Syft | SBOM generation | CLI |

Usage

Basic Scanning

# Invoke skill for dependency scanning
# The skill will auto-detect package managers and scan accordingly

# Expected inputs:
# - targetPath: Path to project root
# - scanDepth: 'direct' | 'transitive' | 'full'
# - outputFormat: 'json' | 'tree' | 'sbom-cyclonedx' | 'sbom-spdx'
# - includeLicenses: boolean

Scanning Workflow

1. Detection Phase

   • Identify package managers in use
   • Locate manifest files
   • Check for lock files

2. Extraction Phase

   • Parse manifest files
   • Resolve dependency trees
   • Extract version information

3. Analysis Phase

   • Detect conflicts
   • Identify circular dependencies
   • Extract licenses

4. Output Generation

   • Generate inventory reports
   • Create SBOMs if requested
   • Produce visualization artifacts

Output Schema

{
  "scanId": "string",
  "timestamp": "ISO8601",
  "target": {
    "path": "string",
    "packageManagers": ["string"],
    "manifestFiles": ["string"]
  },
  "summary": {
    "totalDependencies": "number",
    "directDependencies": "number",
    "transitiveDependencies": "number",
    "uniquePackages": "number",
    "treeDepth": "number"
  },
  "dependencies": [
    {
      "name": "string",
      "version": "string",
      "type": "direct|transitive",
      "parent": "string|null",
      "license": "string",
      "repository": "string",
      "depth": "number"
    }
  ],
  "conflicts": [
    {
      "package": "string",
      "versions": ["string"],
      "sources": ["string"],
      "recommendation": "string"
    }
  ],
  "circularDependencies": [
    {
      "chain": ["string"],
      "severity": "high|medium|low"
    }
  ],
  "licenses": {
    "summary": {
      "MIT": "number",
      "Apache-2.0": "number",
      "GPL-3.0": "number"
    },
    "copyleft": ["string"],
    "unknown": ["string"]
  },
  "sbom": {
    "format": "cyclonedx|spdx",
    "version": "string",
    "path": "string"
  }
}

Integration with Migration Processes

This skill integrates with the following Code Migration/Modernization processes:

• dependency-analysis-updates: Primary tool for dependency assessment
• legacy-codebase-assessment: Dependency inventory for legacy systems
• framework-upgrade: Compatibility analysis for upgrades
• cloud-migration: Dependency portability assessment

Configuration

Skill Configuration File

Create .dependency-scanner.json in the project root:

{
  "packageManagers": ["auto"],
  "excludePaths": ["node_modules", ".git"],
  "scanDepth": "full",
  "includeDev": true,
  "includeOptional": false,
  "licensePolicy": {
    "allowed": ["MIT", "Apache-2.0", "BSD-3-Clause", "ISC"],
    "flagged": ["GPL-3.0", "AGPL-3.0"],
    "blocked": []
  },
  "sbomConfig": {
    "format": "cyclonedx",
    "version": "1.5",
    "includeVulnerabilities": true
  }
}

MCP Server Integration

When Trivy SBOM Generator MCP Server is available:

// Example MCP tool invocation
{
  "tool": "trivy_generate_sbom",
  "arguments": {
    "target": "./",
    "format": "cyclonedx",
    "output": "./sbom.json"
  }
}

When GitHub Dependabot MCP Server is available:

// Example dependency update check
{
  "tool": "dependabot_check_updates",
  "arguments": {
    "repo": "owner/repo",
    "ecosystem": "npm"
  }
}

Package Manager Support

Node.js (npm/yarn/pnpm)

# Auto-detected files:
# - package.json
# - package-lock.json
# - yarn.lock
# - pnpm-lock.yaml

Java (Maven/Gradle)

# Auto-detected files:
# - pom.xml
# - build.gradle
# - build.gradle.kts

Python (pip/pipenv/poetry)

# Auto-detected files:
# - requirements.txt
# - Pipfile
# - pyproject.toml
# - setup.py

Ruby (Bundler)

# Auto-detected files:
# - Gemfile
# - Gemfile.lock

Go (Modules)

# Auto-detected files:
# - go.mod
# - go.sum

Rust (Cargo)

# Auto-detected files:
# - Cargo.toml
# - Cargo.lock

Best Practices

1. Lock File Usage: Always include lock files for reproducible scans
2. Regular Scanning: Integrate into CI/CD for continuous monitoring
3. SBOM Storage: Store SBOMs alongside releases for compliance
4. License Reviews: Review license changes in dependency updates
5. Conflict Resolution: Address version conflicts before migration

Related Skills

• vulnerability-scanner: Security scanning of dependencies
• license-compliance-checker: Detailed license analysis
• dependency-updater: Automated dependency updates

Related Agents

• dependency-modernization-agent: Uses this skill for dependency management
• migration-readiness-assessor: Uses this skill for readiness evaluation
• security-vulnerability-assessor: Uses this skill for dependency security

References

• SBOM Generator MCP Server (Trivy)
• GitHub Dependabot MCP Server
• Renovate
• OWASP Dependency-Check
• CycloneDX Specification
• SPDX Specification