a5c-ai/vulnerability-scanner
library/specializations/code-migration-modernization/skills/vulnerability-scanner/SKILL.md
Security vulnerability scanning for dependencies and code, with CVE database checking and risk assessment
$ install --global
skillsauthnpx skillsauth add a5c-ai/babysitter vulnerability-scannerInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 28, 2026, 4:40 PM189.8s2 files scanned
SKILL.md
- name:
- vulnerability-scanner
- description:
- Security vulnerability scanning for dependencies and code, with CVE database checking and risk assessment
- allowed-tools:
- ["Bash", "Read", "Write", "Grep", "Glob", "Edit"]
Vulnerability Scanner Skill
Performs comprehensive security vulnerability scanning for dependencies and code, integrating with CVE databases and security platforms to identify, assess, and prioritize security risks for migration planning.
Purpose
Enable comprehensive security vulnerability detection for:
- CVE database checking for known vulnerabilities
- Severity assessment and prioritization
- Exploitability analysis
- Patch availability checking
- Transitive vulnerability chain mapping
- Risk scoring and remediation guidance
Capabilities
1. CVE Database Checking
- Query NVD (National Vulnerability Database)
- Check GitHub Advisory Database
- Query vendor-specific advisory databases
- Cross-reference multiple CVE sources
- Track CVE publication dates and updates
2. Severity Assessment
- CVSS (Common Vulnerability Scoring System) scoring
- Severity categorization (Critical, High, Medium, Low)
- Environmental score adjustments
- Temporal score analysis
- Impact assessment
3. Exploitability Analysis
- Check for known exploits in the wild
- Assess attack vector complexity
- Evaluate privileges required
- Analyze user interaction requirements
- Track exploit maturity level
4. Patch Availability Checking
- Identify available patches and fixes
- Check for security advisories
- Find upgrade paths to secure versions
- Track vendor patch timelines
- Monitor backport availability
5. Transitive Vulnerability Chain Mapping
- Map vulnerability paths through dependency trees
- Identify all affected dependency chains
- Calculate exposure scope
- Prioritize based on path depth
- Recommend targeted remediations
6. Risk Scoring
- Calculate composite risk scores
- Factor in business context
- Assess exposure likelihood
- Evaluate potential impact
- Generate prioritized remediation lists
Tool Integrations
This skill can leverage the following external tools when available:
| Tool | Purpose | Integration Method | |------|---------|-------------------| | Snyk | Comprehensive vulnerability scanning | CLI / API | | npm audit | Node.js vulnerability scanning | CLI | | OWASP Dependency-Check | Cross-platform scanning | CLI | | Trivy | Container and filesystem scanning | MCP Server / CLI | | Grype | Vulnerability scanner | CLI | | GitHub Dependabot | Advisory checking | API | | OSV Scanner | Google's vulnerability scanner | CLI | | Semgrep | SAST with security rules | CLI | | MCP-Scan | MCP server security | Tool |
Usage
Basic Scanning
# Invoke skill for vulnerability scanning
# The skill will scan dependencies and optionally code
# Expected inputs:
# - targetPath: Path to project root
# - scanScope: 'dependencies' | 'code' | 'full'
# - severityThreshold: 'critical' | 'high' | 'medium' | 'low'
# - outputFormat: 'json' | 'sarif' | 'markdown'
Scanning Workflow
-
Discovery Phase
- Identify package managers and dependency files
- Detect codebase languages
- Check for existing security configurations
-
Dependency Scanning
- Extract dependency information
- Query vulnerability databases
- Map vulnerabilities to dependencies
-
Code Scanning (Optional)
- Run SAST analysis
- Check for security anti-patterns
- Identify hardcoded secrets
-
Analysis Phase
- Calculate severity scores
- Assess exploitability
- Check patch availability
- Map transitive chains
-
Report Generation
- Generate prioritized vulnerability list
- Provide remediation guidance
- Create compliance reports
Output Schema
{
"scanId": "string",
"timestamp": "ISO8601",
"target": {
"path": "string",
"packageManagers": ["string"],
"languages": ["string"]
},
"summary": {
"totalVulnerabilities": "number",
"critical": "number",
"high": "number",
"medium": "number",
"low": "number",
"fixable": "number",
"riskScore": "number (0-100)"
},
"vulnerabilities": [
{
"id": "string (CVE-XXXX-XXXXX)",
"title": "string",
"description": "string",
"severity": "critical|high|medium|low",
"cvss": {
"score": "number",
"vector": "string",
"version": "string"
},
"package": {
"name": "string",
"version": "string",
"ecosystem": "string"
},
"affectedVersions": "string",
"fixedVersions": "string",
"patchAvailable": "boolean",
"exploitability": {
"hasKnownExploit": "boolean",
"exploitMaturity": "string",
"attackVector": "string"
},
"dependencyPath": ["string"],
"references": ["string"],
"remediation": {
"recommendation": "string",
"upgradeTarget": "string",
"alternativePackages": ["string"]
}
}
],
"securityIssues": [
{
"type": "string",
"severity": "string",
"file": "string",
"line": "number",
"description": "string",
"cwe": "string",
"recommendation": "string"
}
],
"compliance": {
"passesPolicy": "boolean",
"violations": ["string"],
"waivers": ["string"]
}
}
Integration with Migration Processes
This skill integrates with the following Code Migration/Modernization processes:
- dependency-analysis-updates: Security assessment of dependencies
- security-remediation-migration: Primary tool for security fixes
- cloud-migration: Security compliance for cloud deployment
- legacy-codebase-assessment: Security posture evaluation
Configuration
Skill Configuration File
Create .vulnerability-scanner.json in the project root:
{
"scanScope": "full",
"severityThreshold": "medium",
"failOnSeverity": "critical",
"databases": ["nvd", "ghsa", "osv"],
"excludeVulnerabilities": [],
"waivers": [
{
"id": "CVE-2021-12345",
"reason": "Not exploitable in our context",
"expiresAt": "2026-06-01"
}
],
"policy": {
"maxCritical": 0,
"maxHigh": 5,
"requirePatchWithin": {
"critical": "7d",
"high": "30d",
"medium": "90d"
}
},
"reporting": {
"formats": ["json", "sarif", "markdown"],
"outputDir": "./security-report"
}
}
MCP Server Integration
When MCP-Scan is available:
// Example MCP security scan
{
"tool": "mcp_scan_security",
"arguments": {
"target": "./",
"checks": ["toolPoisoning", "piiDetection", "promptInjection"]
}
}
When Trivy is available:
// Example Trivy vulnerability scan
{
"tool": "trivy_scan",
"arguments": {
"target": "./",
"scanners": ["vuln", "secret"],
"severity": "CRITICAL,HIGH"
}
}
Vulnerability Databases
Supported Databases
| Database | Coverage | Update Frequency | |----------|----------|------------------| | NVD | All CVEs | Hourly | | GitHub Advisory | Open source packages | Real-time | | OSV | Multi-ecosystem | Real-time | | Snyk DB | Proprietary enrichment | Real-time | | npm Advisory | Node.js packages | Real-time | | RustSec | Rust packages | Real-time |
Database Priority
- GitHub Advisory Database (most accurate for open source)
- NVD (comprehensive, standardized)
- OSV (aggregated, multi-ecosystem)
- Vendor-specific (ecosystem-specific details)
Severity Classification
CVSS v3.x Mapping
| CVSS Score | Severity | Action Required | |------------|----------|-----------------| | 9.0 - 10.0 | Critical | Immediate remediation | | 7.0 - 8.9 | High | Priority remediation | | 4.0 - 6.9 | Medium | Scheduled remediation | | 0.1 - 3.9 | Low | Monitor and plan |
Risk Prioritization Factors
- Severity Score: Base CVSS score
- Exploitability: Known exploits in the wild
- Exposure: Internet-facing vs internal
- Dependency Depth: Direct vs transitive
- Fix Availability: Patch/upgrade available
Best Practices
- Regular Scanning: Integrate into CI/CD pipelines
- Policy Enforcement: Define and enforce security policies
- Waiver Management: Document and review waivers regularly
- Prioritization: Focus on critical and exploitable vulnerabilities
- Monitoring: Set up alerts for new vulnerabilities
- Remediation Tracking: Track remediation progress over time
Related Skills
dependency-scanner: Dependency inventory and SBOM generationstatic-code-analyzer: Code-level security analysiscompliance-validator: Compliance checking
Related Agents
security-vulnerability-assessor: Uses this skill for security assessmentdependency-modernization-agent: Uses this skill for security updatesmigration-readiness-assessor: Uses this skill for security evaluation
References
- MCP-Scan
- Trivy
- Snyk
- OWASP Dependency-Check
- OSV Scanner
- NVD
- GitHub Advisory Database
Related Skills
a5c-ai/model-card-generator
development
VerifiedTrustedCommunity
Model documentation skill for generating model cards following Google's model card framework.
680SKILL.mdUpdated Apr 28, 2026
a5c-ai/mlflow-experiment-tracker
development
VerifiedTrustedCommunity
MLflow integration skill for experiment tracking, model registry, and artifact management. Enables LLMs to log experiments, compare runs, manage model lifecycle, and retrieve artifacts through the MLflow API.
680SKILL.mdUpdated Apr 28, 2026
a5c-ai/lime-explainer
data-ai
VerifiedTrustedCommunity
LIME-based local explanation skill for individual predictions across tabular, text, and image data.
680SKILL.mdUpdated Apr 28, 2026
a5c-ai/kubeflow-pipeline-executor
devops
VerifiedTrustedCommunity
Kubeflow Pipelines skill for ML workflow orchestration, component management, and Kubernetes-native ML.
680SKILL.mdUpdated Apr 28, 2026