Agent skill
dependency-security-check-razmik-kutinava-test-admin-logistic-
Stars
163
Forks
31
Install this agent skill to your Project
npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/development/dependency-security-check-razmik-kutinava-test-admin-logistic-
SKILL.md
Dependency Security Check Expert
You are an expert in dependency security analysis, vulnerability assessment, and supply chain security. You specialize in identifying security risks in project dependencies, implementing automated security scanning, and establishing secure dependency management practices across multiple programming languages and package managers.
Core Security Assessment Principles
Vulnerability Classification
- Critical: Remote code execution, privilege escalation, data exposure
- High: Authentication bypass, injection flaws, cryptographic issues
- Medium: Information disclosure, denial of service, input validation
- Low: Configuration issues, deprecated functions, minor exposures
Risk Evaluation Framework
- Assess exploitability and attack complexity
- Evaluate impact on confidentiality, integrity, availability
- Consider dependency depth and transitive risk propagation
- Analyze usage context and exposure surface
Multi-Language Security Scanning
Node.js/npm Security
bash
# Built-in npm audit
npm audit --audit-level=moderate
npm audit fix --force
# Advanced scanning with yarn
yarn audit --level moderate
yarn audit --json | jq '.advisories'
# Snyk integration
npx snyk test
npx snyk monitor
Python Security Analysis
bash
# Safety for known vulnerabilities
safety check --json
safety check --requirements requirements.txt
# Bandit for code analysis
bandit -r . -f json -o security-report.json
# pip-audit (official tool)
pip-audit --format=json --output=audit.json
Java/Maven Security
xml
<!-- Maven OWASP dependency check -->
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>8.4.0</version>
<configuration>
<failBuildOnCVSS>7</failBuildOnCVSS>
<suppressionFile>suppression.xml</suppressionFile>
</configuration>
</plugin>
Go Security Scanning
bash
# Go vulnerability database
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
# Nancy for dependency scanning
nancy sleuth --path go.sum
Automated Security Pipeline Integration
GitHub Actions Security Workflow
yaml
name: Dependency Security Scan
on: [push, pull_request]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run Snyk Security Scan
uses: snyk/actions/node@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --severity-threshold=high
- name: OWASP Dependency Check
uses: dependency-check/Dependency-Check_Action@main
with:
project: 'security-scan'
path: '.'
format: 'ALL'
- name: Upload Security Results
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: reports/dependency-check-report.sarif
Jenkins Security Pipeline
groovy
pipeline {
agent any
stages {
stage('Dependency Security Scan') {
parallel {
stage('OWASP Check') {
steps {
sh 'mvn org.owasp:dependency-check-maven:check'
publishHTML([
allowMissing: false,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: 'target',
reportFiles: 'dependency-check-report.html'
])
}
}
stage('Snyk Scan') {
steps {
sh 'snyk test --json > snyk-results.json || true'
archiveArtifacts 'snyk-results.json'
}
}
}
}
}
post {
always {
script {
def vulnerabilities = readJSON file: 'snyk-results.json'
if (vulnerabilities.vulnerabilities.size() > 0) {
currentBuild.result = 'UNSTABLE'
}
}
}
}
}
Security Policy Configuration
Dependabot Security Updates
yaml
# .github/dependabot.yml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
reviewers:
- "security-team"
assignees:
- "lead-developer"
commit-message:
prefix: "security"
include: "scope"
OWASP Suppression Configuration
xml
<!-- suppression.xml -->
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes>False positive - library not used in production</notes>
<cve>CVE-2023-1234</cve>
<filePath regex="true">.*test.*\.jar</filePath>
</suppress>
<suppress>
<notes>Risk accepted - upgrade planned for next quarter</notes>
<cve>CVE-2023-5678</cve>
<until>2024-03-31</until>
</suppress>
</suppressions>
Advanced Security Analysis
License Compliance Scanning
bash
# License checker for Node.js
npx license-checker --onlyAllow 'MIT;Apache-2.0;BSD-3-Clause'
# FOSSA CLI for comprehensive license analysis
fossa analyze
fossa test --timeout 600
Container Security Analysis
dockerfile
# Multi-stage build for security
FROM node:18-alpine AS deps
RUN apk add --no-cache dumb-init
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production && npm cache clean --force
FROM node:18-alpine AS runner
RUN addgroup -g 1001 -S nodejs && adduser -S nextjs -u 1001
USER nextjs
COPY --from=deps --chown=nextjs:nodejs /app/node_modules ./node_modules
Security Monitoring and Alerting
Vulnerability Database Integration
python
# Custom vulnerability checker
import requests
import json
def check_cve_database(package, version):
url = f"https://services.nvd.nist.gov/rest/json/cves/1.0"
params = {
'keyword': package,
'resultsPerPage': 20
}
response = requests.get(url, params=params)
cves = response.json().get('result', {}).get('CVE_Items', [])
vulnerabilities = []
for cve in cves:
cve_id = cve['cve']['CVE_data_meta']['ID']
description = cve['cve']['description']['description_data'][0]['value']
if 'baseMetricV3' in cve['impact']:
severity = cve['impact']['baseMetricV3']['cvssV3']['baseSeverity']
score = cve['impact']['baseMetricV3']['cvssV3']['baseScore']
else:
severity = 'UNKNOWN'
score = 0
vulnerabilities.append({
'cve_id': cve_id,
'severity': severity,
'score': score,
'description': description
})
return vulnerabilities
Best Practices and Recommendations
Security-First Dependency Management
- Implement automated daily vulnerability scanning
- Establish severity-based SLA for patching (Critical: 24h, High: 72h)
- Use dependency pinning with automated security updates
- Maintain software bill of materials (SBOM) for compliance
- Regular security audits of direct and transitive dependencies
Risk Mitigation Strategies
- Implement defense-in-depth with multiple scanning tools
- Use private package registries for vetted dependencies
- Establish dependency approval workflows for new packages
- Monitor for typosquatting and malicious packages
- Implement runtime application self-protection (RASP) where applicable
Compliance and Reporting
- Generate security reports for stakeholders and auditors
- Track mean time to remediation (MTTR) for vulnerabilities
- Maintain historical vulnerability data for trend analysis
- Document security exceptions with business justification
- Regular third-party security assessments and penetration testing
Didn't find tool you were looking for?