/dependency-audit Command
Execute comprehensive dependency vulnerability auditing with CVE reporting, upgrade paths, and license compliance analysis across all package managers.
System Prompt
⚠️ EXECUTION DIRECTIVE: When the user invokes this command, you MUST:
- IMMEDIATELY execute - no questions, no explanations first
- ALWAYS show full output from script/tool execution
- ALWAYS provide a summary after execution completes
DO NOT:
- Say "I don't need to take action" - you ALWAYS execute when invoked
- Ask for confirmation unless `requires_confirmation: true` is set in the command's frontmatter
- Skip execution even if it seems redundant - run it anyway
The user invoking the command IS the confirmation.
Usage
/dependency-audit [options]
Options:
--scope <path> Path to audit (default: current directory)
--type <managers> Package managers: npm,pip,cargo,go (default: auto-detect)
--severity <level> Minimum severity: critical,high,medium,low (default: medium)
--output <format> Output: terminal,json,markdown,sarif,renovate (default: terminal)
--fix Apply safe automatic fixes (patch updates and semver-compatible minor updates; see Auto-Fix)
--licenses Include license compliance check
--outdated Include outdated (non-vulnerable) packages
--ci CI-friendly output; exit code is non-zero when any finding meets the --severity threshold
Package Manager Support
npm/yarn/pnpm
/dependency-audit --type npm
# Uses: npm audit, yarn audit, pnpm audit (chosen by the lock file present)
# Checks: package.json, package-lock.json, yarn.lock, pnpm-lock.yaml
# CVE sources: GitHub Advisory Database, npm Security Advisories
pip/poetry/pipenv
/dependency-audit --type pip
# Uses: pip-audit, safety
# Checks: requirements.txt, Pipfile/Pipfile.lock, pyproject.toml/poetry.lock
# Note: audit the lock file where one exists; a requirements.txt with version ranges does not pin what is actually installed
# CVE sources: PyPI Advisory Database, OSV
cargo (Rust)
/dependency-audit --type cargo
# Uses: cargo-audit
# Checks: Cargo.toml, Cargo.lock
# CVE sources: RustSec Advisory Database
go modules
/dependency-audit --type go
# Uses: govulncheck
# Checks: go.mod, go.sum
# Note: run against source, govulncheck reports only vulnerabilities in functions reachable from your code, so its counts are lower than a plain go.sum match
# CVE sources: Go Vulnerability Database
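The auto-detect step described in this section, as an added example (not the command's own implementation): it maps the manifest and lock files found in a tree to the ecosystem they belong to and to the real audit invocation for that ecosystem. The skip list, the preference order among npm clients, and the `plan()` helper are this example's choices; the CLI flags (`npm audit --json`, `pip-audit -f json -r`, `cargo audit --json`, `govulncheck -json ./...`) are the tools' documented ones.

```python
"""Map manifest/lock files found in a tree to the audit tool for each ecosystem."""
import os
from typing import Dict, Iterable, List, Tuple

# Manifest and lock files that identify each ecosystem (mirrors the support matrix above).
MANIFESTS: Dict[str, Tuple[str, ...]] = {
    "npm":   ("package.json", "package-lock.json", "yarn.lock", "pnpm-lock.yaml"),
    "pip":   ("requirements.txt", "Pipfile", "Pipfile.lock", "pyproject.toml", "poetry.lock"),
    "cargo": ("Cargo.toml", "Cargo.lock"),
    "go":    ("go.mod", "go.sum"),
}

# Directories holding vendored or installed copies rather than the project's own manifests
# (this example's choice of exclusions).
SKIP_DIRS = {"node_modules", ".git", "vendor", "target", ".venv", "venv", "__pycache__"}


def detect_managers(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Return {manager: [matching paths]} for the manifest files in `paths` (pure, no I/O)."""
    found: Dict[str, List[str]] = {}
    for path in paths:
        name = os.path.basename(path)
        for manager, names in MANIFESTS.items():
            if name in names:
                found.setdefault(manager, []).append(path)
    return found


def walk_manifests(root: str) -> List[str]:
    """List candidate file paths under `root`, pruning vendored/installed trees."""
    out: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for f in filenames:
            out.append(os.path.relpath(os.path.join(dirpath, f), root))
    return out


def audit_command(manager: str, manifests: List[str]) -> List[str]:
    """Audit invocation (JSON output) per ecosystem; the npm client follows the lock file."""
    names = {os.path.basename(m) for m in manifests}
    if manager == "npm":
        if "pnpm-lock.yaml" in names:
            return ["pnpm", "audit", "--json"]
        if "yarn.lock" in names:
            return ["yarn", "audit", "--json"]
        return ["npm", "audit", "--json"]
    if manager == "pip":
        # pip-audit reads requirement files; without -r it audits the current environment.
        req = next((m for m in manifests if os.path.basename(m) == "requirements.txt"), None)
        return ["pip-audit", "-f", "json"] + (["-r", req] if req else [])
    if manager == "cargo":
        return ["cargo", "audit", "--json"]
    if manager == "go":
        return ["govulncheck", "-json", "./..."]
    raise ValueError(f"unsupported package manager: {manager}")


def plan(root: str = ".", only: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Auto-detect (or restrict to `only`, like --type) and return the command per manager."""
    found = detect_managers(walk_manifests(root))
    wanted = set(only) or set(found)
    return {m: audit_command(m, files) for m, files in found.items() if m in wanted}


if __name__ == "__main__":
    for manager, cmd in plan(".").items():
        print(f"{manager:6s} -> {' '.join(cmd)}")
```

Running the file from a project root prints one command per detected ecosystem; passing `only=["pip"]` reproduces `--type pip`.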
Examples
Full Audit
# Audit all detected package managers
/dependency-audit
# Audit with all severities
/dependency-audit --severity low
# Audit with license check
/dependency-audit --licenses
Targeted Audits
# Python project only
/dependency-audit --type pip --scope ./backend
# Node.js with fix
/dependency-audit --type npm --fix
# Rust with JSON output
/dependency-audit --type cargo --output json > audit.json
CI Integration
# Fail on high+ severity vulnerabilities
/dependency-audit --ci --severity high
# Generate SARIF for GitHub Security
/dependency-audit --output sarif > dependencies.sarif
Output Format
Terminal Output
Dependency Audit Results
========================
Scanned: npm (245 packages) | pip (67 packages) | cargo (34 packages)
CRITICAL: 0 | HIGH: 4 | MEDIUM: 8 | LOW: 12
[HIGH] lodash < 4.17.21
CVE: CVE-2021-23337
Severity: High (CVSS 7.2)
Description: Command injection via the template function
Installed: 4.17.19
Fixed: 4.17.21
Path: express > body-parser > lodash
Fix: npm update lodash
[HIGH] axios < 0.21.2
CVE: CVE-2021-3749
Severity: High (CVSS 7.5)
Description: Regular expression denial of service (ReDoS) in trim
Installed: 0.21.0
Fixed: 0.21.2
Path: direct dependency
Fix: npm update axios
Upgrade Recommendations:
- lodash: 4.17.19 → 4.17.21 (security fix)
- axios: 0.21.0 → 0.21.2 (security fix); 1.6.0 is available but is a major version bump, review manually
- express: 4.17.1 → 4.18.2 (security + performance)
JSON Output
```json
{
  "scan_date": "2025-12-08T10:30:00Z",
  "summary": {
    "critical": 0,
    "high": 4,
    "medium": 8,
    "low": 12
  },
  "vulnerabilities": [
    {
      "package": "lodash",
      "version": "4.17.19",
      "cve": "CVE-2021-23337",
      "severity": "high",
      "cvss": 7.2,
      "fixed_version": "4.17.21",
      "path": ["express", "body-parser", "lodash"]
    }
  ],
  "recommendations": [...]
}
```
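How the `--severity` threshold, the `--ci` exit code (CI Integration above) and the `--output sarif` conversion fit together on the JSON shape just shown, as an added example rather than the command's own code. It assumes one extra field per finding, `manifest`, naming the lock or requirements file the finding belongs to, because a SARIF result has to point at a file; the sample report is constructed from the two CVEs in the terminal output and is not real scan data.

```python
"""Apply the --severity threshold, derive the --ci exit code, and convert the JSON report to SARIF 2.1.0."""
import json
from typing import Any, Dict, List

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# GitHub code scanning reads `level` plus the `security-severity` rule property (CVSS as a string).
SARIF_LEVEL = {"low": "note", "medium": "warning", "high": "error", "critical": "error"}

# Constructed report in the page's JSON shape. `manifest` is an assumed extra field (see lead-in).
SAMPLE_REPORT: Dict[str, Any] = {
    "scan_date": "2025-12-08T10:30:00Z",
    "vulnerabilities": [
        {"package": "lodash", "version": "4.17.19", "cve": "CVE-2021-23337", "severity": "high",
         "cvss": 7.2, "fixed_version": "4.17.21", "path": ["express", "body-parser", "lodash"],
         "manifest": "package-lock.json"},
        {"package": "axios", "version": "0.21.0", "cve": "CVE-2021-3749", "severity": "high",
         "cvss": 7.5, "fixed_version": "0.21.2", "path": ["axios"],
         "manifest": "package-lock.json"},
    ],
}


def filter_by_severity(vulns: List[Dict[str, Any]], minimum: str = "medium") -> List[Dict[str, Any]]:
    """Keep findings at or above `minimum`; an unrecognised severity string is kept, never dropped."""
    floor = SEVERITY_RANK[minimum.lower()]
    return [v for v in vulns if SEVERITY_RANK.get(str(v.get("severity", "")).lower(), 4) >= floor]


def summary(vulns: List[Dict[str, Any]]) -> Dict[str, int]:
    """Counts per severity, in the shape of the report's `summary` object."""
    counts = {k: 0 for k in SEVERITY_RANK}
    for v in vulns:
        key = str(v["severity"]).lower()
        counts[key] = counts.get(key, 0) + 1
    return counts


def ci_exit_code(vulns: List[Dict[str, Any]], minimum: str = "medium") -> int:
    """--ci semantics: 0 when nothing meets the threshold, 1 when something does."""
    return 1 if filter_by_severity(vulns, minimum) else 0


def to_sarif(report: Dict[str, Any], minimum: str = "medium",
             tool_name: str = "dependency-audit") -> Dict[str, Any]:
    """One SARIF rule per CVE, one result per vulnerable package occurrence."""
    rules: List[Dict[str, Any]] = []
    results: List[Dict[str, Any]] = []
    seen = set()
    for v in filter_by_severity(report["vulnerabilities"], minimum):
        rule_id = v["cve"]
        if rule_id not in seen:
            seen.add(rule_id)
            rules.append({
                "id": rule_id,
                "shortDescription": {"text": f"{v['package']} < {v['fixed_version']}"},
                "helpUri": f"https://nvd.nist.gov/vuln/detail/{rule_id}",
                "properties": {"security-severity": str(v["cvss"])},
            })
        results.append({
            "ruleId": rule_id,
            "level": SARIF_LEVEL.get(str(v["severity"]).lower(), "error"),
            "message": {"text": (f"{v['package']}@{v['version']} is affected by {rule_id}; "
                                 f"upgrade to {v['fixed_version']} (path: {' > '.join(v['path'])})")},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": v["manifest"]}}}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "rules": rules}}, "results": results}],
    }


if __name__ == "__main__":
    import sys
    print(json.dumps(to_sarif(SAMPLE_REPORT, "high"), indent=2))
    sys.exit(ci_exit_code(SAMPLE_REPORT["vulnerabilities"], "high"))
```

Run stand-alone it writes the SARIF document to stdout and exits 1, which is the behaviour a CI step relies on: redirect stdout to `audit.sarif`, upload it with `if: always()`, and let the exit code fail the job.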
Markdown Report
/dependency-audit --output markdown > SECURITY-DEPENDENCIES.md
# Generates formatted report with:
# - Executive summary
# - Vulnerability details
# - Upgrade paths
# - License compliance (if --licenses)
License Compliance
/dependency-audit --licenses
# Checks:
# - GPL compatibility with your license
# - AGPL restrictions
# - Commercial license requirements
# - License attribution requirements
License Output
License Compliance Report
=========================
Allowed: MIT, Apache-2.0, BSD-3-Clause, ISC
Warning: GPL-3.0, LGPL-3.0
Blocked: AGPL-3.0
[WARNING] readline (GPL-3.0)
Impact: Copyleft; distributing a combined work may require releasing its source under GPL-3.0
Path: inquirer > readline
[BLOCKED] <agpl-package> (AGPL-3.0)
Impact: AGPL extends the source-disclosure obligation to software offered over a network
Path: direct dependency
Action: Replace with an alternative, or move to devDependencies if it is used only in tests so it is never shipped
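The allow/warn/block classification behind this report, as an added example (not the command's own policy engine). It resolves SPDX choice expressions, which the simple three-list policy above does not mention: `A OR B` lets you pick the more permissive option, `A AND B` binds you to the stricter one. The policy sets, the treatment of unknown licenses as warnings, and the downgrade of a blocked license to a warning when the package is dev-only are this example's choices; the package names other than `readline` are constructed.

```python
"""Evaluate dependency licenses against an allow/warn/block policy, resolving SPDX expressions."""
from typing import Dict, List

# Policy mirrors the report above; unlisted licenses are warnings so nothing unknown passes silently.
POLICY = {
    "allowed": {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"},
    "warning": {"GPL-2.0", "GPL-3.0", "GPL-3.0-only", "GPL-3.0-or-later",
                "LGPL-2.1", "LGPL-3.0", "LGPL-3.0-only", "LGPL-3.0-or-later", "MPL-2.0"},
    "blocked": {"AGPL-3.0", "AGPL-3.0-only", "AGPL-3.0-or-later", "SSPL-1.0"},
}
RANK = {"allowed": 0, "warning": 1, "blocked": 2}


def classify_id(spdx_id: str) -> str:
    """Single identifier -> policy level; anything unrecognised needs a human."""
    sid = spdx_id.strip()
    for level in ("blocked", "warning", "allowed"):
        if sid in POLICY[level]:
            return level
    return "warning"


def _split_top_level(expr: str, op: str) -> List[str]:
    """Split on ` OR ` / ` AND ` (case-insensitive) only outside parentheses."""
    parts, depth, start, i = [], 0, 0, 0
    while i < len(expr):
        ch = expr[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif depth == 0 and expr[i:i + len(op)].upper() == op:
            parts.append(expr[start:i])
            i += len(op)
            start = i
            continue
        i += 1
    parts.append(expr[start:])
    return parts


def _wrapped(expr: str) -> bool:
    """True when one pair of outer parentheses encloses the whole expression."""
    if not (expr.startswith("(") and expr.endswith(")")):
        return False
    depth = 0
    for i, ch in enumerate(expr):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return i == len(expr) - 1
    return False


def classify_expression(expr: str) -> str:
    """`A OR B` lets the consumer choose, so take the best level; `A AND B` binds to the worst."""
    expr = expr.strip()
    if _wrapped(expr):
        return classify_expression(expr[1:-1])
    for op, pick in ((" OR ", min), (" AND ", max)):
        parts = _split_top_level(expr, op)
        if len(parts) > 1:
            return pick((classify_expression(p) for p in parts), key=RANK.__getitem__)
    return classify_id(expr)


ACTIONS = {
    "allowed": "none",
    "warning": "review copyleft/unknown terms and attribution requirements",
    "blocked": "replace with an alternative, or move to devDependencies if only used in tests",
}


def evaluate(deps: List[Dict]) -> List[Dict]:
    """deps: [{name, license, path, dev}]. A dev-only package is not redistributed, so a blocked
    license there becomes a warning whose action is to confirm it never reaches the shipped
    artifact (this example's policy choice)."""
    findings = []
    for d in deps:
        level = classify_expression(d["license"])
        action = ACTIONS[level]
        if level == "blocked" and d.get("dev"):
            level, action = "warning", "confirm the package is excluded from production builds"
        findings.append({"name": d["name"], "license": d["license"], "level": level,
                         "path": d["path"], "action": action})
    return findings


# Constructed input in the shape a package-manager license export gives (not real scan data).
SAMPLE_DEPS = [
    {"name": "express", "license": "MIT", "path": "direct", "dev": False},
    {"name": "readline", "license": "GPL-3.0", "path": "inquirer > readline", "dev": False},
    {"name": "dual-lib", "license": "(MIT OR GPL-3.0)", "path": "direct", "dev": False},
    {"name": "mixed-lib", "license": "MIT AND AGPL-3.0-only", "path": "direct", "dev": False},
    {"name": "test-server", "license": "AGPL-3.0", "path": "direct dev dependency", "dev": True},
    {"name": "mystery", "license": "SEE LICENSE IN LICENSE", "path": "direct", "dev": False},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_DEPS):
        print(f"[{f['level'].upper()}] {f['name']} ({f['license']}) {f['path']}: {f['action']}")
```

Note the `AND` case: a package that is "MIT AND AGPL-3.0-only" is blocked even though half of it is permissive, because you cannot satisfy the expression without accepting the AGPL terms.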
Auto-Fix
/dependency-audit --fix
# Safe fixes applied:
# - Patch version updates (1.2.3 → 1.2.4)
# - Minor updates when semver-safe (1.2.3 → 1.3.0); not for 0.x versions, where a minor bump may be breaking
# Manual review needed:
# - Major version updates (including 0.x minor bumps)
# - Breaking change dependencies
# - License changes
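The decision rule above, worked through as an added example (not the command's own `--fix` implementation): classify the jump from installed to fixed version and route it to automatic application or manual review. Pre-release targets and 0.x minor bumps go to manual review, and a `license_changed` flag (an assumed input field) forces manual review even for a patch bump. The sample findings are constructed from the upgrade recommendations in the terminal output.

```python
"""Decide which upgrades --fix may apply automatically and which must go to manual review."""
import re
from typing import Dict, List, Tuple

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")


def parse(version: str) -> Tuple[int, int, int, int]:
    """(major, minor, patch, is_release) so that a release sorts after its own pre-releases."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semver version: {version!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), 0 if pre else 1


def classify_upgrade(installed: str, fixed: str) -> str:
    """'none' (already fixed) | 'prerelease' | 'patch' | 'minor' | 'major'.
    A 0.x minor bump is reported as 'major': under caret ranges it may break callers."""
    cur, new = parse(installed), parse(fixed)
    if new[3] == 0:
        return "prerelease"
    if new <= cur:
        return "none"
    if new[0] != cur[0]:
        return "major"
    if new[1] != cur[1]:
        return "major" if cur[0] == 0 else "minor"
    return "patch"


def plan_fixes(findings: List[Dict[str, object]]) -> Dict[str, List[Dict[str, object]]]:
    """Split into 'auto' (patch, or minor at major >= 1) and 'manual' (major, pre-release,
    or any finding flagged `license_changed`, which needs a human even for a patch bump)."""
    plan: Dict[str, List[Dict[str, object]]] = {"auto": [], "manual": []}
    for f in findings:
        change = classify_upgrade(str(f["installed"]), str(f["fixed"]))
        if change == "none":
            continue
        entry = dict(f, change=change)
        auto = change in ("patch", "minor") and not f.get("license_changed", False)
        plan["auto" if auto else "manual"].append(entry)
    return plan


# Constructed findings matching the upgrade recommendations in the terminal output above.
SAMPLE_FINDINGS = [
    {"package": "lodash", "installed": "4.17.19", "fixed": "4.17.21"},
    {"package": "axios", "installed": "0.21.0", "fixed": "0.21.2"},
    {"package": "express", "installed": "4.17.1", "fixed": "4.18.2"},
    {"package": "axios", "installed": "0.21.0", "fixed": "1.6.0"},
]

if __name__ == "__main__":
    for bucket, entries in plan_fixes(SAMPLE_FINDINGS).items():
        for e in entries:
            print(f"{bucket:6s} {e['package']}: {e['installed']} -> {e['fixed']} ({e['change']})")
```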
Remediation Workflow
- Initial Audit:
  /dependency-audit --output markdown > AUDIT.md
- Apply Safe Fixes:
  /dependency-audit --fix
- Review Manual Fixes: Check major version updates
- Test: Run test suite after updates
- Re-Audit: Verify vulnerabilities resolved
- Document: Update SECURITY.md with audit date
Integration
GitHub Actions
```yaml
name: Dependency Audit
on:
  schedule:
    - cron: '0 0 * * *'  # Daily
  pull_request:
    paths:
      - '**/package*.json'
      - '**/yarn.lock'
      - '**/pnpm-lock.yaml'
      - '**/requirements*.txt'
      - '**/Pipfile*'
      - '**/pyproject.toml'
      - '**/Cargo.*'
      - '**/go.*'
permissions:
  contents: read
  security-events: write  # required by upload-sarif
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Dependency Audit
        run: /dependency-audit --ci --severity high --output sarif > audit.sarif
      - name: Upload SARIF
        if: always()  # --ci exits non-zero on findings; upload them anyway
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: audit.sarif
```
Pre-Commit Hook
```yaml
- repo: local
  hooks:
    - id: dependency-audit
      name: Dependency audit
      entry: /dependency-audit --ci --severity critical
      language: system
      files: (package.*\.json|yarn\.lock|pnpm-lock\.yaml|requirements.*\.txt|Pipfile(\.lock)?|pyproject\.toml|Cargo\.(toml|lock)|go\.(mod|sum))$
      pass_filenames: false
```
Renovate/Dependabot Integration
# Generate config from audit
/dependency-audit --output renovate > renovate.json
Related Components
- dependency-security-skill - Detailed dependency security patterns
- security-audit-skill - Comprehensive security analysis
- /security-scan - Full security scanning (includes deps)
- compliance-checker-agent - License and compliance analysis
Success Output
When audit completes:
✅ COMMAND COMPLETE: /dependency-audit
Packages: N scanned
Vulnerabilities: Critical: X, High: Y
Licenses: <compliant|N issues>
Fixes: M applied (if --fix)
Completion Checklist
Before marking complete:
- All package managers scanned
- CVEs identified with severity
- Upgrade paths provided
- Report generated
- Licenses checked (if --licenses)
Failure Indicators
This command has FAILED if:
- ❌ No package files found
- ❌ Audit tool unavailable
- ❌ CVE database unreachable
- ❌ No report generated
When NOT to Use
Do NOT use when:
- No dependencies exist
- Need full security scan (use /security-scan)
- Just checking one package (use package manager)
Anti-Patterns (Avoid)
| Anti-Pattern | Problem | Solution |
|---|---|---|
| Ignore critical CVEs | Known-exploitable code ships and stays in production | Fix immediately; let --ci block the release |
| Skip license check | Copyleft or blocked licenses reach shipped artifacts | Include --licenses in every audit |
| No CI integration | New vulnerable versions arrive between manual audits | Add the scheduled and pull_request workflow to the pipeline |
Principles
This command embodies:
- #3 Complete Execution - All package managers
- #9 Based on Facts - CVE-based findings
- #4 Separation of Concerns - Categorized by severity
Full Standard: CODITECT-STANDARD-AUTOMATION.md