Dependency Security Skill

Dependency Security Skill

How to Use This Skill

1. Review the patterns and examples below
2. Apply the relevant patterns to your implementation
3. Follow the best practices outlined in this skill

Production-ready dependency vulnerability scanning skill for identifying and remediating vulnerable packages across multiple ecosystems. Generates Software Bill of Materials (SBOM) for compliance and supply chain security.

When to Use This Skill

Use dependency-security when:

• Auditing project dependencies before release
• Setting up automated vulnerability scanning in CI/CD
• Responding to new CVE announcements
• Generating SBOM for compliance (Executive Order 14028)
• Evaluating third-party libraries for adoption
• Performing supply chain security assessments

Don't use dependency-security when:

• Scanning source code for vulnerabilities (use security-audit skill)
• Detecting hardcoded secrets (use secrets-detection skill)
• License compliance only (use dedicated license scanner)
• Runtime dependency analysis (use runtime SCA tools)

Vulnerability Database Coverage

Database	Coverage	Update Frequency
NVD (National Vulnerability Database)	All ecosystems	Daily
GitHub Advisory Database	npm, PyPI, RubyGems, Go	Real-time
OSV (Open Source Vulnerabilities)	Multi-ecosystem	Real-time
RustSec Advisory Database	crates.io	Daily
Snyk Vulnerability DB	All major ecosystems	Hourly

Instructions

Phase 1: Environment Analysis

Objective: Identify package managers and dependency files.

1. Scan for dependency manifests:

   # Find all dependency files
   find . -name "package.json" -o -name "package-lock.json" \
          -o -name "requirements.txt" -o -name "Pipfile.lock" \
          -o -name "Cargo.lock" -o -name "go.sum" \
          -o -name "pom.xml" -o -name "build.gradle" \
          2>/dev/null | grep -v node_modules

2. Identify ecosystems:

   • Node.js: package.json, package-lock.json, yarn.lock
   • Python: requirements.txt, Pipfile.lock, poetry.lock
   • Rust: Cargo.lock
   • Go: go.sum
   • Java: pom.xml, build.gradle

3. Check tool availability:

   # Verify scanning tools
   npm audit --version 2>/dev/null && echo "npm audit: available"
   pip-audit --version 2>/dev/null && echo "pip-audit: available"
   cargo audit --version 2>/dev/null && echo "cargo audit: available"
   trivy --version 2>/dev/null && echo "trivy: available"

Phase 2: Vulnerability Scanning

Objective: Run ecosystem-specific vulnerability scans.

1. Node.js (npm/yarn):

   # npm audit
   npm audit --json > npm-audit.json
   
   # npm audit with severity filter
   npm audit --audit-level=high
   
   # yarn audit
   yarn audit --json > yarn-audit.json

2. Python (pip):

   # Install pip-audit
   pip install pip-audit
   
   # Scan requirements.txt
   pip-audit -r requirements.txt --format json > pip-audit.json
   
   # Scan installed packages
   pip-audit --format json > pip-audit.json

3. Rust (Cargo):

   # Install cargo-audit
   cargo install cargo-audit
   
   # Run audit
   cargo audit --json > cargo-audit.json
   
   # With fix suggestions
   cargo audit fix --dry-run

4. Multi-ecosystem (Trivy):

   # Scan filesystem
   trivy fs --format json --output trivy-report.json .
   
   # Scan specific lockfile
   trivy fs --scanners vuln package-lock.json
   
   # Scan container image
   trivy image --format json myapp:latest

Phase 3: Vulnerability Analysis

Objective: Prioritize and classify findings.

1. Severity classification:

   Severity	CVSS Score	Action
   Critical	9.0 - 10.0	Immediate fix, block deployment
   High	7.0 - 8.9	Fix within 24 hours
   Medium	4.0 - 6.9	Fix within sprint
   Low	0.1 - 3.9	Track in backlog

2. Exploitability assessment:

   Key Questions:
   - Is the vulnerable function actually used in our code?
   - Is the vulnerability reachable from user input?
   - Are there existing mitigations (WAF, input validation)?
   - Is there a known exploit in the wild?

3. Generate vulnerability report:

   # Aggregate all findings
   cat npm-audit.json pip-audit.json cargo-audit.json | \
     jq -s 'flatten | group_by(.severity) |
            map({severity: .[0].severity, count: length,
                 packages: [.[].package] | unique})'

Phase 4: Remediation

Objective: Upgrade vulnerable packages safely.

1. Automated fixes (when safe):

   # npm - auto-fix compatible updates
   npm audit fix
   
   # npm - force major version updates (review breaking changes!)
   npm audit fix --force
   
   # pip - upgrade specific package
   pip install --upgrade vulnerable-package
   
   # cargo - update with audit fix
   cargo audit fix

2. Manual remediation process:

   ## Remediation Checklist
   
   ### Package: lodash (npm)
   - [ ] Current version: 4.17.15
   - [ ] Fixed version: 4.17.21
   - [ ] Breaking changes: None
   - [ ] Test suite passes: ✓
   - [ ] PR created: #123
   
   ### Package: requests (Python)
   - [ ] Current version: 2.25.0
   - [ ] Fixed version: 2.31.0
   - [ ] Breaking changes: Dropped Python 3.6 support
   - [ ] Test suite passes: ✓
   - [ ] PR created: #124

3. Dependency pinning strategy:

   // package.json - Recommended
   {
     "dependencies": {
       "express": "^4.18.2",  // Allow patch updates
       "lodash": "4.17.21"    // Pin critical packages
     }
   }

Phase 5: SBOM Generation

Objective: Generate Software Bill of Materials for compliance.

1. CycloneDX format:

   # Node.js
   npx @cyclonedx/cyclonedx-npm --output-format json > sbom-npm.json
   
   # Python
   pip install cyclonedx-bom
   cyclonedx-py --format json --output sbom-python.json
   
   # Rust
   cargo install cargo-cyclonedx
   cargo cyclonedx --format json > sbom-rust.json
   
   # Multi-ecosystem (Trivy)
   trivy fs --format cyclonedx --output sbom.json .

2. SPDX format:

   # Using Syft
   syft . -o spdx-json > sbom-spdx.json
   
   # Validate SBOM
   spdx-sbom-generator validate sbom-spdx.json

Examples

Example 1: Critical npm Vulnerability

Context: Express.js application with vulnerable dependency

Scan Output:

{
  "vulnerabilities": {
    "qs": {
      "severity": "critical",
      "via": ["prototype pollution"],
      "range": "<6.9.7",
      "nodes": ["node_modules/express/node_modules/qs"],
      "fixAvailable": {
        "name": "qs",
        "version": "6.11.2"
      }
    }
  },
  "metadata": {
    "vulnerabilities": {
      "critical": 1,
      "high": 0,
      "moderate": 0,
      "low": 0
    }
  }
}

Remediation:

# Option 1: Auto-fix (if compatible)
npm audit fix

# Option 2: Override nested dependency
# package.json
{
  "overrides": {
    "qs": "6.11.2"
  }
}

# Option 3: Update parent package
npm update express

# Verify fix
npm audit

Example 2: Python Supply Chain Attack Detection

Context: Typosquatting package detection

Scan Command:

pip-audit -r requirements.txt --desc

Finding:

Found 1 known vulnerability in 1 package

Name    Version  ID             Fix Available  Description
------  -------  -------------  -------------  -----------
python-dateutil  2.8.1  PYSEC-2021-123  2.8.2  ...

Additional Checks:

# Check package integrity
pip hash --algorithm sha256 python-dateutil

# Verify package source
pip show python-dateutil | grep -E "Home-page|Author"

# Compare with PyPI metadata
curl https://pypi.org/pypi/python-dateutil/json | jq '.info.author'

Example 3: Rust Advisory with No Fix Available

Context: Cargo dependency with known vulnerability but no patch

Scan Output:

Crate:     chrono
Version:   0.4.19
Title:     Potential segfault in localtime_r invocations
Date:      2022-06-17
ID:        RUSTSEC-2020-0159
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0159
Severity:  medium

Advisory has no fix available!

Recommendation: Consider using `time` crate as alternative

Remediation Options:

# Option 1: Accept risk with documentation
# Cargo.toml
[dependencies]
chrono = "0.4.19"  # RUSTSEC-2020-0159: Accepted - not using affected function

# Option 2: Use alternative crate
# Cargo.toml
[dependencies]
time = "0.3"

# Option 3: Fork and patch (last resort)
[dependencies]
chrono = { git = "https://github.com/your-org/chrono-patched" }

CI/CD Integration

GitHub Actions

name: Dependency Security Scan

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: '0 6 * * *'  # Daily at 6 AM

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: npm audit
        run: npm audit --audit-level=high
        continue-on-error: true

      - name: pip-audit
        run: |
          pip install pip-audit
          pip-audit -r requirements.txt
        continue-on-error: true

      - name: Trivy scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          severity: 'CRITICAL,HIGH'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'

Dependabot Configuration

# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    groups:
      development-dependencies:
        dependency-type: "development"

  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"

  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"

Integration

Related Components

• Skill: security-audit - Source code vulnerability scanning
• Skill: secrets-detection - Credential exposure prevention
• Hook: pre-push-hook - Block pushes with critical vulnerabilities
• Agent: security-specialist - Security review orchestration

Vulnerability Management Workflow

1. Scan → Identify vulnerable dependencies
2. Triage → Classify by severity and exploitability
3. Remediate → Upgrade, patch, or accept risk
4. Verify → Confirm fix, run tests
5. Document → Update SBOM, create audit trail
6. Monitor → Continuous scanning for new CVEs

Troubleshooting

Issue	Solution
npm audit hangs	Use --json flag, increase timeout
pip-audit no output	Ensure virtual environment activated
cargo audit fails	Run cargo generate-lockfile first
Trivy slow scan	Use --skip-dirs node_modules
False positives	Configure ignore rules in tool config

Performance Guidelines

• Scan time: < 60 seconds for typical project
• Memory usage: < 1GB for large monorepos
• Network: Caches vulnerability databases locally
• CI impact: Add 1-2 minutes to pipeline

Compliance Mapping

Requirement	Control
EO 14028	SBOM generation with CycloneDX/SPDX
SOC 2 CC7.1	Automated vulnerability scanning
PCI-DSS 6.2	Security patch management
NIST 800-53	Software composition analysis
FedRAMP	Continuous monitoring of dependencies

Success Output

When successful, this skill MUST output:

✅ SKILL COMPLETE: dependency-security

Completed:
- [x] Vulnerability scans completed across all ecosystems (npm, pip, cargo)
- [x] Findings classified by severity (Critical: 0, High: 2, Medium: 5, Low: 3)
- [x] High/Critical vulnerabilities remediated or accepted with justification
- [x] SBOM generated in CycloneDX 1.4 format
- [x] CI/CD integration configured with security gates

Outputs:
- security/npm-audit.json (Node.js vulnerability report)
- security/pip-audit.json (Python vulnerability report)
- security/cargo-audit.json (Rust vulnerability report)
- security/trivy-report.json (multi-ecosystem scan results)
- security/sbom-cyclonedx.json (Software Bill of Materials)
- security/remediation-plan.md (prioritized fix roadmap)
- .github/workflows/dependency-scan.yml (CI/CD automation)

Metrics:
- Total dependencies scanned: 247
- Vulnerabilities found: 10 (0 critical, 2 high, 5 medium, 3 low)
- Vulnerabilities fixed: 7 (all high + 5 medium)
- Accepted risks: 3 (documented in remediation-plan.md)
- SBOM components: 247 packages with licenses and versions

Completion Checklist

Before marking this skill as complete, verify:

• All package managers scanned (npm, pip, cargo, or applicable subset)
• No critical vulnerabilities remaining unfixed
• High-severity vulnerabilities fixed or documented as accepted risk
• SBOM generated and validates against CycloneDX schema
• Dependency pinning strategy documented in README
• CI/CD workflow triggers on dependency changes
• Dependabot configured for automated updates
• Security policy documented (SECURITY.md)
• Remediation plan includes timelines and owners

Failure Indicators

This skill has FAILED if:

• ❌ Critical vulnerabilities remain unfixed without documented exception
• ❌ Scan tools not installed or fail to execute
• ❌ SBOM generation fails or produces invalid format
• ❌ CI/CD pipeline doesn't block on high/critical findings
• ❌ Vulnerabilities found but no remediation plan created
• ❌ Dependency lock files (package-lock.json, Pipfile.lock) not committed
• ❌ False positives not documented in exclusion list
• ❌ Scan results not archived for compliance audit trail

When NOT to Use

Do NOT use dependency-security when:

• Scanning application source code for vulnerabilities (use security-audit skill)
• Detecting hardcoded secrets in code (use secrets-detection skill)
• License compliance primary concern without security focus (use license scanners)
• Runtime dependency analysis needed (use runtime SCA tools like Snyk Monitor)
• Only checking single dependency manually (use package registry web UI)
• Infrastructure-as-Code scanning (use terraform-security or cloudformation-security)
• Container image scanning without dependency context (use container-specific tools)

Anti-Patterns (Avoid)

Anti-Pattern	Problem	Solution
Ignoring low-severity findings	Accumulate to create attack surface	Triage all findings, batch-fix lows quarterly
Auto-updating without testing	Breaking changes, production incidents	Test updates in staging, use semantic versioning
No dependency pinning	Unreproducible builds, surprise breakage	Pin dependencies, use lock files
Dismissing false positives without docs	Noise, repeated triage effort	Document exclusions in tool config files
Running scans only pre-release	Miss newly disclosed CVEs	Implement continuous scanning (daily/weekly)
Not updating scan databases	Miss latest vulnerabilities	Ensure tools auto-update databases (npm audit, trivy)
Treating all severities equally	Misallocate remediation effort	Prioritize by CVSS + exploitability + reachability

Principles

This skill embodies:

• #5 Eliminate Ambiguity - Clear severity classification and remediation requirements
• #6 Clear, Understandable, Explainable - SBOM provides transparency into all dependencies
• #8 No Assumptions - Verify vulnerability reachability before accepting risk
• #9 Quality Over Speed - Proper remediation testing prevents introducing new issues
• #14 Trust & Transparency - Document accepted risks and rationale for audit trail

Full Principles: CODITECT-STANDARD-AUTOMATION.md

References

• npm audit Documentation
• pip-audit Documentation
• cargo-audit Documentation
• Trivy Documentation
• CycloneDX Specification
• SPDX Specification

---

Status: Production-ready Ecosystem Coverage: npm, PyPI, crates.io, Go, Maven SBOM Compliance: EO 14028, CycloneDX 1.4, SPDX 2.3 Integration: CI/CD pipelines, Dependabot, security-specialist agent