renatocaliari/cali-ops-package-audit
skills/local/cali-ops-package-audit/SKILL.md
Run supply chain security scans before installing packages or before releases. Triggers when: user installs a package (npm, pip, go get, brew), user asks to 'scan dependencies', 'check vulnerabilities', 'supply chain', 'security audit', 'run trivy', 'run socket', or before any release/deployment. Also triggers on mentions of: socket.dev, trivy, OSV-scanner, dotenvx, CVE, dependency audit. Covers all four tools with concrete commands.
$ install --global
skillsauthnpx skillsauth add renatocaliari/agent-sync-public-skills cali-ops-package-auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 30, 2026, 4:45 AM181.4s3 files scanned
SKILL.md
- name:
- cali-ops-package-audit
- description:
- Run supply chain security scans before installing packages or before releases. Triggers when: user installs a package (npm, pip, go get, brew), user asks to 'scan dependencies', 'check vulnerabilities', 'supply chain', 'security audit', 'run trivy', 'run socket', or before any release/deployment. Also triggers on mentions of: socket.dev, trivy, OSV-scanner, dotenvx, CVE, dependency audit. Covers all four tools with concrete commands.
- frequency:
- weekly
- category:
- infra
- context-cost:
- low
Supply Chain Security
Run before installing any package. Run again before every release.
Tool Selection
| Tool | Purpose | When |
|------|---------|------|
| Socket.dev | Behavioral malware scanning | Before npm install, pip install |
| Trivy | CVE + IaC + secrets | Before releases, full audits |
| OSV-Scanner | Precision CVE (commit-hash) | When Trivy has false positives |
| dotenvx | Encrypted env vars | When managing .env files |
1. Socket.dev — Malware Detection
Detects obfuscated code, network access in install scripts, typosquatting.
# Session setup (run once per session)
socket wrapper on
# CI gate — blocks on malicious packages
socket ci
# Manual scan with report
socket scan create --report
When to run:
- Before
npm installorpip installin any project - When adding new dependencies
- In CI pipelines as a gate
2. Trivy — CVE + IaC + Secrets
Scans dependencies, infrastructure-as-code, secrets, containers. No account needed.
# Quick scan — high and critical only
trivy fs --severity HIGH,CRITICAL --exit-code 1 .
# Full scan with all detectors
trivy fs --scanners vuln,secret,config --severity HIGH,CRITICAL .
# Scan specific path
trivy fs --severity HIGH,CRITICAL ./package.json
When to run:
- Before every release
- On CI for every PR
- When user asks "any vulnerabilities?"
3. OSV-Scanner — Precision CVE
Google scanner — commit-hash matching for fewer false positives than Trivy.
# Scan project
osv-scanner scan -r .
# Guided remediation
osv-scanner fix -M package.json -L package-lock.json
When to run:
- When Trivy reports a CVE but you suspect false positive
- When user wants precise commit-level matching
4. dotenvx — Encrypted Environment Variables
# Inject envs from .env into command
dotenvx run -- <command>
# Set a value
dotenvx set KEY value
# Encrypt .env file (for safe commit)
dotenvx encrypt
# Decrypt .env file
dotenvx decrypt
When to run:
- When project has
.envwith secrets - Before committing code that references env vars
Workflow
- Identify context: What is the user doing? Installing? Releasing? Auditing?
- Select tool(s): Match tool to context using table above
- Run with user confirmation: Show command before executing
- Report results: Summarize findings, suggest fixes
Examples
Example 1: Scan before npm install
Input: "I'm about to install stripe as a dependency"
Steps:
- Run:
socket wrapper on - Run:
npm install stripe - Socket automatically blocks malicious packages
Output: "Socket scanned stripe — 0 issues found. Safe to use."
Example 2: Pre-release audit
Input: "We're about to release v0.3.0, run security checks"
Steps:
- Run:
trivy fs --severity HIGH,CRITICAL --exit-code 1 . - If CVEs found:
osv-scanner scan -r .to verify - Report results
Output: "Trivy found 0 HIGH/CRITICAL CVEs. Release is safe."
Example 3: False positive investigation
Input: "Trivy flagged a CVE in lodash but I think it's a false positive"
Steps:
- Run:
osv-scanner scan -r .for commit-hash precision - Compare results
Output: "OSV-Scanner confirms false positive — your lodash version is not affected."
Edge Cases
Tool not installed
- Check:
which socket/which trivy/which osv-scanner - If missing: offer to install via
brew install <tool>or skip with user consent - Never silently skip a scan
Multiple tools report different results
- Trivy says vulnerable, OSV-Scanner says safe → trust OSV-Scanner (commit-hash precision)
- Socket says malicious, but you're sure it's safe → document accepted risk, add to
.socketrc.jsonignore list
No lock file present
- Trivy/OSV need lock files to scan accurately
- If no lock file: run
npm install(or equivalent) first, then scan - Warn user that scanning without lock file may miss transitive dependencies
Test Cases
Should activate
- "Scan my dependencies before install"
- "Run trivy on the project"
- "Check for vulnerabilities"
- "We're about to release, run security audit"
- "Install socket and scan"
Should NOT activate
- "Install lodash" (just installing, no security request)
- "What is trivy?" (general question, not a scan request)
- "Fix the failing test" (unrelated task)
References
references/socket-setup.md— Socket.dev detailed setup and CI integrationreferences/trivy-recipes.md— Trivy scan recipes for different stacks
Related Skills
renatocaliari/cali-lat-md-seed
tools
VerifiedTrustedCommunity
Auto-initialize structured documentation for any project using lat.md (knowledge graph of markdown files with [[wiki links]], // @lat: code refs, and semantic search). Detects cali-product-workflow artifacts (spec-product.md, spec-tech.md, critiques) and uses them as seed material. Falls back to extracting business rules, architecture, and design decisions directly from the codebase. Use when a project lacks structured documentation or when lat.md/ is missing. After seeding, lat.md extension hooks keep documentation alive automatically.
1SKILL.mdUpdated Jun 2, 2026
renatocaliari/cali-ops-server-security
testing
VerifiedTrustedCommunity
[Cali] Server security audit and hardening for private servers behind Tailscale. Use when: auditing server security, hardening SSH/firewall/Docker, checking for vulnerabilities, setting up fail2ban, reviewing port exposure, or responding to security alerts. Covers 6 layers: CloudFlare, UFW, Tailscale, SSH, Docker, Application. Triggers: "server security", "security audit", "harden server", "SSH hardening", "firewall rules", "UFW config", "fail2ban", "port security", "Docker security", "vulnerability check", "security review".
1SKILL.mdUpdated May 30, 2026
renatocaliari/cali-ops-github-releases
tools
VerifiedTrustedCommunity
Create GitHub releases following project conventions. Triggers when: user says 'release', 'create release', 'push release', 'deploy to main', 'merge to main', user merges a PR to main, or when git push to main is detected. Also triggers on mentions of: gh release, semver, version bump, changelog, release-please. Covers: config-driven (read .release.yml and execute) and fallback (gh CLI) release flows, versioning rules, tag management, and the mandatory release-on-merge convention.
1SKILL.mdUpdated May 30, 2026
renatocaliari/cali-ops-docker-server-dashboard
tools
VerifiedTrustedCommunity
[Cali] - INTERACTIVE SKILL: Discover servers from ~/.ssh/config, auto-detect hosts (filtering out non-server entries like github.com), prompt user to pick one via question tool, then SSH into the chosen server and render a real-time ASCII dashboard with Docker containers, images, volumes, routes, cron, orphaned resources, and cleanup suggestions. REQUIRES question tool, SSH config parsing, and shell execution.
1SKILL.mdUpdated May 30, 2026