latestaiagents/dependency-vulnerability
plugins/security-guardian/skills/common/dependency-vulnerability/SKILL.md
OWASP A09 - Using Components with Known Vulnerabilities. Use this skill when auditing dependencies, updating packages, or reviewing security advisories. Activate when: npm audit, dependency check, vulnerable package, CVE, security advisory, outdated packages, supply chain, package vulnerability, Dependabot, Snyk.
$ install --global
skillsauthnpx skillsauth add latestaiagents/agent-skills dependency-vulnerabilityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 24, 2026, 2:55 AM8.1s1 file scanned
SKILL.md
- name:
- dependency-vulnerability
- description:
- |
Dependency Vulnerability Management (OWASP A09)
Identify and remediate known vulnerabilities in third-party dependencies.
When to Use
- Running security audits on projects
- Updating dependencies
- Reviewing Dependabot/Snyk alerts
- Setting up CI/CD security checks
- Evaluating new packages
- Responding to CVE announcements
Vulnerability Sources
| Source | Coverage | Updates | |--------|----------|---------| | NPM Advisory Database | JavaScript | Real-time | | GitHub Advisory Database | Multi-language | Real-time | | NVD (NIST) | All | Daily | | Snyk Vulnerability DB | Multi-language | Real-time | | OSV (Open Source Vulnerabilities) | Multi-language | Real-time |
Audit Commands by Ecosystem
Node.js / npm
# Run security audit
npm audit
# Get JSON output for CI
npm audit --json
# Auto-fix where possible
npm audit fix
# Force fixes (may include breaking changes)
npm audit fix --force
# Check specific severity
npm audit --audit-level=high
Node.js / Yarn
# Yarn v1
yarn audit
# Yarn v2+
yarn npm audit
# With specific severity
yarn audit --level high
Python / pip
# Using pip-audit (recommended)
pip install pip-audit
pip-audit
# Using safety
pip install safety
safety check
# Check requirements file
safety check -r requirements.txt
pip-audit -r requirements.txt
Ruby / Bundler
# Using bundler-audit
gem install bundler-audit
bundle-audit check --update
# Using bundler
bundle audit
Java / Maven
# OWASP Dependency-Check plugin
mvn org.owasp:dependency-check-maven:check
# Or add to pom.xml
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>8.4.0</version>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
Go
# Using govulncheck (official)
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
# Using nancy
go list -json -deps ./... | nancy sleuth
PHP / Composer
# Local Checker
composer audit
# Using Symfony CLI
symfony check:security
# Using Roave Security Advisories
composer require --dev roave/security-advisories:dev-latest
.NET
# Using dotnet CLI
dotnet list package --vulnerable
# Include transitive dependencies
dotnet list package --vulnerable --include-transitive
CI/CD Integration
GitHub Actions
name: Security Audit
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: '0 0 * * *' # Daily
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
- name: Install dependencies
run: npm ci
- name: Run security audit
run: npm audit --audit-level=high
- name: Run Snyk
uses: snyk/actions/node@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
GitLab CI
security_audit:
stage: test
script:
- npm ci
- npm audit --audit-level=high
allow_failure: false
only:
- merge_requests
- main
Dependabot Configuration
# .github/dependabot.yml
version: 2
updates:
# JavaScript dependencies
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
groups:
production-dependencies:
dependency-type: "production"
development-dependencies:
dependency-type: "development"
update-types:
- "minor"
- "patch"
# Python dependencies
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "weekly"
# Docker base images
- package-ecosystem: "docker"
directory: "/"
schedule:
interval: "weekly"
# GitHub Actions
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
Snyk Integration
# Install Snyk CLI
npm install -g snyk
# Authenticate
snyk auth
# Test project
snyk test
# Monitor project (for continuous monitoring)
snyk monitor
# Test with severity threshold
snyk test --severity-threshold=high
# Generate SBOM
snyk sbom --format=cyclonedx1.4+json
Lock File Best Practices
package-lock.json / yarn.lock
# Always commit lock files
git add package-lock.json
# Use ci instead of install in CI
npm ci # Respects lock file exactly
# Verify integrity
npm ci --ignore-scripts # Safer for initial audit
Requirements.txt with hashes
# Generate with hashes
pip-compile --generate-hashes requirements.in
# Or use pip-tools
pip install pip-tools
pip-compile --generate-hashes
# requirements.txt with hashes
certifi==2024.2.2 \
--hash=sha256:dc383c07b76109f368f6106eee2b593b04a011ea4d55f652c6ca24a754d1cdd1
Vulnerability Response Workflow
// 1. Assess the vulnerability
const assessVulnerability = {
severity: 'HIGH', // From CVE
exploitability: 'PROOF_OF_CONCEPT',
affectedVersions: '<1.2.3',
currentVersion: '1.2.0',
// Is it exploitable in your context?
inProductionPath: true,
exposedToUntrustedInput: true,
// Priority calculation
priority: 'P1' // Fix immediately
};
// 2. Determine fix approach
const fixApproaches = [
'Upgrade to patched version',
'Apply security patch',
'Use alternative package',
'Implement workaround',
'Accept risk (document)'
];
// 3. Test the fix
// 4. Deploy to production
// 5. Document the remediation
Package Evaluation Checklist
Before adding a new dependency:
# Check download stats and maintenance
npm view <package>
# Check for known vulnerabilities
npm audit <package>
snyk test <package>
# Review on npm/GitHub
# - Last publish date
# - Number of maintainers
# - Open issues/PRs
# - Security policy
# - License
// Evaluation criteria
const packageEvaluation = {
// Maintenance
lastPublish: '< 6 months ago',
maintainers: '>= 2',
openIssues: 'reasonable response time',
// Popularity (indicates community review)
weeklyDownloads: '> 10,000',
dependents: '> 100',
// Security
knownVulnerabilities: 0,
securityPolicy: true,
// Quality
tests: true,
typeDefinitions: true,
documentation: true
};
Software Bill of Materials (SBOM)
# Generate SBOM with CycloneDX
npm install -g @cyclonedx/cyclonedx-npm
cyclonedx-npm --output-file sbom.json
# Generate with Syft
syft . -o cyclonedx-json > sbom.json
# Scan SBOM for vulnerabilities
grype sbom:./sbom.json
Code Review Checklist
- [ ] npm/yarn audit passes with no high/critical issues
- [ ] Dependabot or similar enabled
- [ ] Lock files committed and up to date
- [ ] No packages with known vulnerabilities
- [ ] Security audit runs in CI/CD
- [ ] New dependencies evaluated before adding
- [ ] Unused dependencies removed
- [ ] SBOM generated for releases
Best Practices
- Automate Scanning: Run audits in CI/CD pipeline
- Update Regularly: Schedule dependency updates
- Monitor Continuously: Use Snyk/Dependabot alerts
- Minimize Dependencies: Fewer deps = smaller attack surface
- Review New Packages: Evaluate before adding
- Use Lock Files: Pin exact versions
- Generate SBOMs: Track what you ship
- Have a Response Plan: Know how to respond to CVEs
Related Skills
latestaiagents/skill-testing
development
VerifiedTrustedCommunity
Test skills for correct activation, content quality, and regression — both automated checks (frontmatter validity, lint) and manual verification (query-suite activation testing). Covers CI integration and how to catch skill regressions before users do. Use this skill when adding skills to a repo, setting up CI for a skill library, or debugging "the skill exists but doesn't work". Activate when: test skills, validate skills, skill CI, skill linting, skill activation test, skill regression.
2SKILL.mdUpdated Apr 23, 2026
latestaiagents/skill-frontmatter
documentation
VerifiedTrustedCommunity
Write the YAML frontmatter for a SKILL.md file so it activates reliably — name, description, and activation keywords that the model matches against. Covers length, tone, and the most common frontmatter mistakes. Use this skill when authoring a new skill, fixing a skill that isn't auto-activating, or reviewing skills for publication. Activate when: SKILL.md frontmatter, skill description, skill activation, skill YAML, write a skill, author a skill.
2SKILL.mdUpdated Apr 23, 2026
latestaiagents/skill-activation-patterns
development
VerifiedTrustedCommunity
Design skills that fire at the right moment — neither over-eager (noise) nor under-eager (silent). Covers activation specificity, trigger phrases, disambiguation between overlapping skills, and debugging activation. Use this skill when multiple skills could fire on the same query, a skill never fires, or a skill fires too often. Activate when: skill won't activate, skill over-activates, overlapping skills, skill triggers, skill selection, skill disambiguation.
2SKILL.mdUpdated Apr 23, 2026
latestaiagents/progressive-disclosure
development
VerifiedTrustedCommunity
Structure SKILL.md content so the model reads just enough — concise summary up front, progressively deeper detail, examples on demand. Covers section ordering, length budgets, when to split into multiple skills. Use this skill when writing or refactoring a skill body, one skill has grown too long, or a skill is wordy but not useful. Activate when: SKILL.md structure, skill content, skill too long, split skill, progressive disclosure, skill body.
2SKILL.mdUpdated Apr 23, 2026