sawrus/areas/software/security/skills/dependency-audit
areas/software/security/skills/dependency-audit/SKILL.md
# Skill: Dependency Audit ## When to load When adding/updating dependencies, handling security findings, preparing releases, or reviewing supply-chain risk in PRs. ## Objective Produce a dependency risk decision based on exploitability and business impact, not scanner output alone. ## Audit Workflow 1. **Inventory** - Identify direct and transitive dependencies changed in PR/release. - Record package source (registry), maintainer trust indicators, and version deltas. 2. **Scan**
$ install --global
skillsauthnpx skillsauth add sawrus/agent-guides areas/software/security/skills/dependency-auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 18, 2026, 4:34 AM53.4s1 file scanned
SKILL.md
Skill: Dependency Audit
When to load
When adding/updating dependencies, handling security findings, preparing releases, or reviewing supply-chain risk in PRs.
Objective
Produce a dependency risk decision based on exploitability and business impact, not scanner output alone.
Audit Workflow
-
Inventory
- Identify direct and transitive dependencies changed in PR/release.
- Record package source (registry), maintainer trust indicators, and version deltas.
-
Scan
- Run ecosystem-native audit tools + repository policy checks.
- Capture High/Critical findings with package path and affected components.
-
Exploitability Triage
- Determine runtime reachability (is vulnerable code path invoked?).
- Evaluate exposure (public endpoint, privileged process, internal-only).
- Assess mitigations (WAF, sandbox, feature flags, auth boundaries).
-
Classify each finding
exploitable-now→ block release, fix immediately.not-reachable→ document evidence and add VEX status.accepted-risk→ temporary exception with owner + expiry.
-
Remediation Plan
- Prefer upgrade to patched version.
- If upgrade is breaking: isolate vulnerability, add compensating controls, schedule upgrade milestone.
Supply-Chain Red Flags
- Maintainer transfer shortly before suspicious release.
- Sudden dependency graph expansion unrelated to package purpose.
- install/postinstall scripts performing unexpected network activity.
- Obfuscated source in runtime package.
- Package source not in approved registries.
Output Template (required)
- Dependency name and version delta
- Severity and advisory source
- Reachability evidence
- Classification (
exploitable-now/not-reachable/accepted-risk) - Decision and next action
- Owner and deadline
Related Skills
sawrus/qa_expert
testing
VerifiedTrustedCommunity
QA Expert for writing E2E tests, test scenarios, test plans, and ensuring test coverage quality.
12SKILL.mdUpdated Apr 18, 2026
sawrus/design_expert
development
VerifiedTrustedCommunity
Expert UI/UX design intelligence for creating distinctive, high-craft, and mobile-first interfaces. Focuses on premium aesthetics, touch-first ergonomics, and Flutter performance.
12SKILL.mdUpdated Apr 18, 2026
sawrus/code_review_expert
development
VerifiedTrustedCommunity
Code Review Expert for static analysis, security auditing, architecture review, and ensuring code quality standards.
12SKILL.mdUpdated Apr 18, 2026
sawrus/babysit-pr
development
VerifiedTrustedCommunity
Babysit a GitHub pull request after creation by continuously polling review comments, CI checks/workflow runs, and mergeability state until the PR is merged/closed or user help is required. Diagnose failures, retry likely flaky failures up to 3 times, auto-fix/push branch-related issues when appropriate, and keep watching open PRs so fresh review feedback is surfaced promptly. Use when the user asks Codex to monitor a PR, watch CI, handle review comments, or keep an eye on failures and feedback on an open PR.
12SKILL.mdUpdated Apr 18, 2026