agentsecops/sca-blackduck
skills/appsec/sca-blackduck/SKILL.md
Software Composition Analysis (SCA) using Synopsys Black Duck for identifying open source vulnerabilities, license compliance risks, and supply chain security threats with CVE, CWE, and OWASP framework mapping. Use when: (1) Scanning dependencies for known vulnerabilities and security risks, (2) Analyzing open source license compliance and legal risks, (3) Identifying outdated or unmaintained dependencies, (4) Integrating SCA into CI/CD pipelines for continuous dependency monitoring, (5) Providing remediation guidance for vulnerable dependencies with CVE and CWE mappings, (6) Assessing supply chain security risks and third-party component threats.
$ install --global
skillsauthnpx skillsauth add agentsecops/secopsagentkit sca-blackduckInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 30, 2026, 4:58 PM54.4s13 files scanned
SKILL.md
- name:
- sca-blackduck
- description:
- >
- CWE, and OWASP framework mapping. Use when:
- (1) Scanning dependencies for known
- version:
- 0.1.0
- maintainer:
- SirAppSec
- category:
- appsec
- tags:
- [sca, blackduck, dependency-scanning, vulnerability-management, license-compliance, supply-chain, cve, owasp]
- frameworks:
- [OWASP, CWE, NIST, SOC2, PCI-DSS]
- tools:
- [docker, git, detect]
- access:
- [blackduck-url, api-token]
- - https:
- //www.cisa.gov/sbom
Software Composition Analysis with Black Duck
Overview
Perform comprehensive Software Composition Analysis (SCA) using Synopsys Black Duck to identify security vulnerabilities, license compliance risks, and supply chain threats in open source dependencies. This skill provides automated dependency scanning, vulnerability detection with CVE mapping, license risk analysis, and remediation guidance aligned with OWASP and NIST standards.
Quick Start
Scan a project for dependency vulnerabilities:
# Using Black Duck Detect (recommended)
bash <(curl -s -L https://detect.synopsys.com/detect.sh) \
--blackduck.url=$BLACKDUCK_URL \
--blackduck.api.token=$BLACKDUCK_TOKEN \
--detect.project.name="MyProject" \
--detect.project.version.name="1.0.0"
Scan with policy violation enforcement:
# Fail build on policy violations
bash <(curl -s -L https://detect.synopsys.com/detect.sh) \
--blackduck.url=$BLACKDUCK_URL \
--blackduck.api.token=$BLACKDUCK_TOKEN \
--detect.policy.check.fail.on.severities=BLOCKER,CRITICAL
Core Workflows
Workflow 1: Initial Dependency Security Assessment
Progress:
[ ] 1. Identify package managers and dependency manifests in codebase
[ ] 2. Run scripts/blackduck_scan.py with project detection
[ ] 3. Analyze vulnerability findings categorized by severity (CRITICAL, HIGH, MEDIUM, LOW)
[ ] 4. Map CVE findings to CWE and OWASP Top 10 categories
[ ] 5. Review license compliance risks and policy violations
[ ] 6. Generate prioritized remediation report with upgrade recommendations
Work through each step systematically. Check off completed items.
Workflow 2: Vulnerability Remediation
- Review scan results and identify critical/high severity vulnerabilities
- For each vulnerability:
- Check if fixed version is available
- Review breaking changes in upgrade path
- Consult
references/remediation_strategies.mdfor vulnerability-specific guidance
- Apply dependency updates using package manager
- Re-scan to validate fixes
- Document any vulnerabilities accepted as risk with justification
Workflow 3: License Compliance Analysis
- Run Black Duck scan with license risk detection enabled
- Review components flagged with license compliance issues
- Categorize by risk level:
- High Risk: GPL, AGPL (copyleft licenses)
- Medium Risk: LGPL, MPL (weak copyleft)
- Low Risk: Apache, MIT, BSD (permissive)
- Consult legal team for high-risk license violations
- Document license decisions and create policy exceptions if approved
Workflow 4: CI/CD Integration
- Add Black Duck Detect to CI/CD pipeline using
assets/ci_integration/ - Configure environment variables for Black Duck URL and API token
- Set policy thresholds (fail on CRITICAL/HIGH vulnerabilities)
- Enable SBOM generation for supply chain transparency
- Configure alerts for new vulnerabilities in production dependencies
Workflow 5: Supply Chain Risk Assessment
- Identify direct and transitive dependencies
- Analyze component quality metrics:
- Maintenance activity (last update, commit frequency)
- Community health (contributors, issue resolution)
- Security track record (historical CVEs)
- Flag high-risk components (unmaintained, few maintainers, security issues)
- Review alternative components with better security posture
- Document supply chain risks and mitigation strategies
Security Considerations
-
Sensitive Data Handling: Black Duck scans require API tokens with read/write access. Store credentials securely in secrets management (Vault, AWS Secrets Manager). Never commit tokens to version control.
-
Access Control: Limit Black Duck access to authorized security and development teams. Use role-based access control (RBAC) for scan result visibility and policy management.
-
Audit Logging: Log all scan executions with timestamps, user, project version, and findings count for compliance auditing. Enable Black Duck's built-in audit trail.
-
Compliance: SCA scanning supports SOC2, PCI-DSS, GDPR, and HIPAA compliance by tracking third-party component risks. Generate SBOM for regulatory requirements.
-
Safe Defaults: Configure policies to fail builds on CRITICAL and HIGH severity vulnerabilities. Use allowlists sparingly with documented business justification.
Supported Package Managers
Black Duck Detect automatically identifies and scans:
- JavaScript/Node: npm, yarn, pnpm
- Python: pip, pipenv, poetry
- Java: Maven, Gradle
- Ruby: Bundler, gem
- .NET: NuGet
- Go: go modules
- PHP: Composer
- Rust: Cargo
- C/C++: Conan, vcpkg
- Docker: Container image layers
Bundled Resources
Scripts
scripts/blackduck_scan.py- Full-featured scanning with CVE/CWE mapping and reportingscripts/analyze_results.py- Parse Black Duck results and generate remediation reportscripts/sbom_generator.sh- Generate SBOM (CycloneDX/SPDX) from scan resultsscripts/policy_checker.py- Validate compliance with organizational security policies
References
references/cve_cwe_owasp_mapping.md- CVE to CWE and OWASP Top 10 mappingreferences/remediation_strategies.md- Vulnerability remediation patterns and upgrade strategiesreferences/license_risk_guide.md- License compliance risk assessment and legal guidancereferences/supply_chain_threats.md- Common supply chain attack patterns and mitigations
Assets
assets/ci_integration/github_actions.yml- GitHub Actions workflow for Black Duck scanningassets/ci_integration/gitlab_ci.yml- GitLab CI configuration for SCAassets/ci_integration/jenkins_pipeline.groovy- Jenkins pipeline with Black Duck integrationassets/policy_templates/- Pre-configured security and compliance policiesassets/blackduck_config.yml- Recommended Black Duck Detect configuration
Common Patterns
Pattern 1: Daily Dependency Security Baseline
# Run comprehensive scan and generate SBOM
scripts/blackduck_scan.py \
--project "MyApp" \
--version "1.0.0" \
--output results.json \
--generate-sbom \
--severity CRITICAL HIGH
Pattern 2: Pull Request Dependency Gate
# Scan PR changes, fail on new high-severity vulnerabilities
bash <(curl -s -L https://detect.synopsys.com/detect.sh) \
--blackduck.url=$BLACKDUCK_URL \
--blackduck.api.token=$BLACKDUCK_TOKEN \
--detect.policy.check.fail.on.severities=CRITICAL,HIGH \
--detect.wait.for.results=true
Pattern 3: License Compliance Audit
# Generate license compliance report
scripts/blackduck_scan.py \
--project "MyApp" \
--version "1.0.0" \
--report-type license \
--output license-report.pdf
Pattern 4: Vulnerability Research and Triage
# Extract CVE details and remediation guidance
scripts/analyze_results.py \
--input scan-results.json \
--filter-severity CRITICAL HIGH \
--include-remediation \
--output vulnerability-report.md
Pattern 5: SBOM Generation for Compliance
# Generate Software Bill of Materials (CycloneDX format)
scripts/sbom_generator.sh \
--project "MyApp" \
--version "1.0.0" \
--format cyclonedx \
--output sbom.json
Integration Points
CI/CD Integration
- GitHub Actions: Use
synopsys-sig/detect-action@v1with policy enforcement - GitLab CI: Run as security scanning job with dependency scanning template
- Jenkins: Execute Detect as pipeline step with quality gates
- Azure DevOps: Integrate using Black Duck extension from marketplace
See assets/ci_integration/ for ready-to-use pipeline configurations.
Security Tool Integration
- SIEM/SOAR: Export findings in JSON/CSV for ingestion into Splunk, ELK
- Vulnerability Management: Integrate with Jira, ServiceNow, DefectDojo
- Secret Scanning: Combine with Gitleaks, TruffleHog for comprehensive security
- SAST Tools: Use alongside Semgrep, Bandit for defense-in-depth
SDLC Integration
- Requirements Phase: Define acceptable license and vulnerability policies
- Development: IDE plugins provide real-time dependency security feedback
- Code Review: Automated dependency review in PR workflow
- Testing: Validate security of third-party components
- Deployment: Final dependency gate before production release
- Operations: Continuous monitoring for new vulnerabilities in production
Severity Classification
Black Duck classifies vulnerabilities by CVSS score and severity:
- CRITICAL (CVSS 9.0-10.0): Remotely exploitable with severe impact (RCE, SQLi)
- HIGH (CVSS 7.0-8.9): Significant security risks requiring immediate attention
- MEDIUM (CVSS 4.0-6.9): Moderate security weaknesses needing remediation
- LOW (CVSS 0.1-3.9): Minor security issues or defense-in-depth improvements
- NONE (CVSS 0.0): Informational findings
Policy Management
Creating Security Policies
- Define organizational risk thresholds (e.g., fail on CVSS >= 7.0)
- Configure license compliance rules using
assets/policy_templates/ - Set component usage policies (blocklists for known malicious packages)
- Enable operational risk policies (unmaintained dependencies, age thresholds)
- Document policy exceptions with business justification and expiration dates
Policy Enforcement
# Enforce custom policy during scan
bash <(curl -s -L https://detect.synopsys.com/detect.sh) \
--blackduck.url=$BLACKDUCK_URL \
--blackduck.api.token=$BLACKDUCK_TOKEN \
--detect.policy.check.fail.on.severities=BLOCKER,CRITICAL \
--detect.wait.for.results=true
Performance Optimization
For large projects with many dependencies:
# Use intelligent scan mode (incremental)
bash <(curl -s -L https://detect.synopsys.com/detect.sh) \
--detect.detector.search.depth=3 \
--detect.blackduck.signature.scanner.snippet.matching=SNIPPET_MATCHING \
--detect.parallel.processors=4
# Exclude test and development dependencies
bash <(curl -s -L https://detect.synopsys.com/detect.sh) \
--detect.excluded.detector.types=PIP,NPM_PACKAGE_LOCK \
--detect.npm.include.dev.dependencies=false
Troubleshooting
Issue: Too Many False Positives
Solution:
- Review vulnerability applicability (is vulnerable code path used?)
- Use vulnerability suppression with documented justification
- Configure component matching precision in Black Duck settings
- Verify component identification accuracy (check for misidentified packages)
Issue: License Compliance Violations
Solution:
- Review component licenses in Black Duck dashboard
- Consult
references/license_risk_guide.mdfor risk assessment - Replace high-risk licensed components with permissive alternatives
- Obtain legal approval and document policy exceptions
Issue: Scan Not Detecting Dependencies
Solution:
- Verify package manager files are present (package.json, requirements.txt, pom.xml)
- Check Black Duck Detect logs for detector failures
- Ensure dependencies are installed before scanning (run npm install, pip install)
- Use
--detect.detector.search.depthto increase search depth
Issue: Slow Scan Performance
Solution:
- Use snippet matching instead of full file matching
- Increase
--detect.parallel.processorsfor multi-core systems - Exclude test directories and development dependencies
- Use intelligent/rapid scan mode for faster feedback
Advanced Usage
Vulnerability Analysis
For detailed vulnerability research, consult references/remediation_strategies.md.
Key remediation strategies:
- Upgrade: Update to fixed version (preferred)
- Patch: Apply security patch if upgrade not feasible
- Replace: Switch to alternative component without vulnerability
- Mitigate: Implement workarounds or compensating controls
- Accept: Document risk acceptance with business justification
Supply Chain Security
See references/supply_chain_threats.md for comprehensive coverage of:
- Dependency confusion attacks
- Typosquatting and malicious packages
- Compromised maintainer accounts
- Backdoored dependencies
- Unmaintained and abandoned projects
SBOM Generation and Management
Black Duck supports standard SBOM formats:
- CycloneDX: Modern, machine-readable format for vulnerability management
- SPDX: ISO/IEC standard for software package data exchange
Use SBOMs for:
- Supply chain transparency
- Regulatory compliance (Executive Order 14028)
- Incident response (rapid vulnerability identification)
- M&A due diligence
Best Practices
- Shift Left: Integrate SCA early in development lifecycle
- Policy-Driven: Define clear policies for vulnerabilities and licenses
- Continuous Monitoring: Run scans on every commit and nightly for production
- Remediation Prioritization: Focus on exploitable vulnerabilities first
- SBOM Management: Maintain up-to-date SBOM for all production applications
- Supply Chain Hygiene: Regularly review dependency health and maintainability
- License Compliance: Establish license approval process before adoption
- Defense in Depth: Combine SCA with SAST, DAST, and security testing
References
- Black Duck Documentation
- Black Duck Detect
- OWASP Dependency-Check
- National Vulnerability Database
- SBOM Standards (CISA)
- CycloneDX SBOM Standard
- SPDX License List
Related Skills
agentsecops/privesc-linpeas
testing
VerifiedTrustedCommunity
Linux privilege escalation enumeration and attack surface analysis using LinPEAS (Linux Privilege Escalation Awesome Script). Automates post-exploitation discovery of escalation vectors, misconfigurations, and credential exposure on Linux targets. Use when: (1) Enumerating privilege escalation vectors after initial access on a Linux system, (2) Identifying SUID/SGID binaries, sudo misconfigurations, and capability abuses, (3) Hunting for credentials in config files, history, and logs, (4) Detecting container breakout opportunities and writable service files, (5) Mapping kernel exploits and CVE exposure for a target system, (6) Conducting authorized CTF, red team, or penetration test post-exploitation phases.
110SKILL.mdUpdated Apr 16, 2026
agentsecops/ot-security-assessment
development
VerifiedTrustedCommunity
Operational Technology (OT) security assessment using a two-stage methodology: (1) Identification/Discovery of OT devices and protocols, and (2) Vulnerability Assessment using online sources and Metasploit. Use when: (1) Conducting authorized OT/ICS security assessments, (2) Identifying and enumerating OT protocols (Modbus, S7, IEC 104, DNP3, BACnet, EtherNet/IP), (3) Discovering industrial control devices and PLCs, (4) Assessing OT protocol vulnerabilities and security weaknesses, (5) Performing compliance scanning aligned with IEC 62443 standards, (6) Validating network segmentation and access controls in OT environments.
110SKILL.mdUpdated Apr 16, 2026
agentsecops/vuln-defectdojo
tools
VerifiedTrustedCommunity
Vulnerability management and findings aggregation using DefectDojo. Centralizes security findings from all SecOpsAgentKit scanners (Semgrep, Bandit, ZAP, Trivy, Grype, Gitleaks, Nuclei, Checkov, Horusec) into a unified platform with automatic deduplication, SLA tracking, risk-based prioritization, and compliance reporting. Use when: (1) Aggregating findings from multiple scanners across products and pipelines, (2) Tracking remediation status and SLA compliance against policy thresholds, (3) Deduplicating overlapping findings across security tools, (4) Generating vulnerability reports for compliance audits (SOC2, PCI-DSS, GDPR), (5) Managing security debt and vulnerability backlog across teams and applications.
110SKILL.mdUpdated Apr 16, 2026
agentsecops/pytm
tools
VerifiedTrustedCommunity
Python-based threat modeling using pytm library for programmatic STRIDE analysis, data flow diagram generation, and automated security threat identification. Use when: (1) Creating threat models programmatically using Python code, (2) Generating data flow diagrams (DFDs) with automatic STRIDE threat identification, (3) Integrating threat modeling into CI/CD pipelines and shift-left security practices, (4) Analyzing system architecture for security threats across trust boundaries, (5) Producing threat reports with STRIDE categories and mitigation recommendations, (6) Maintaining threat models as code for version control and automation.
82SKILL.mdUpdated Mar 27, 2026