playbooks

home / skills / a5c-ai / babysitter / vulnerability-scanner

vulnerability-scanner skill

/plugins/babysitter/skills/babysit/process/specializations/code-migration-modernization/skills/vulnerability-scanner

This skill analyzes dependencies and code to detect vulnerabilities, prioritize risks, and guide remediation using CVE data and best-practice scoring.

npx playbooks add skill a5c-ai/babysitter --skill vulnerability-scanner

Review the files below or copy the command above to add this skill to your agents.

Files (2)
SKILL.md
9.1 KB
---
name: vulnerability-scanner
description: Security vulnerability scanning for dependencies and code, with CVE database checking and risk assessment
allowed-tools: ["Bash", "Read", "Write", "Grep", "Glob", "Edit"]
---

# Vulnerability Scanner Skill

Performs comprehensive security vulnerability scanning for dependencies and code, integrating with CVE databases and security platforms to identify, assess, and prioritize security risks for migration planning.

## Purpose

Enable comprehensive security vulnerability detection for:
- CVE database checking for known vulnerabilities
- Severity assessment and prioritization
- Exploitability analysis
- Patch availability checking
- Transitive vulnerability chain mapping
- Risk scoring and remediation guidance

## Capabilities

### 1. CVE Database Checking
- Query NVD (National Vulnerability Database)
- Check GitHub Advisory Database
- Query vendor-specific advisory databases
- Cross-reference multiple CVE sources
- Track CVE publication dates and updates

### 2. Severity Assessment
- CVSS (Common Vulnerability Scoring System) scoring
- Severity categorization (Critical, High, Medium, Low)
- Environmental score adjustments
- Temporal score analysis
- Impact assessment

### 3. Exploitability Analysis
- Check for known exploits in the wild
- Assess attack vector complexity
- Evaluate privileges required
- Analyze user interaction requirements
- Track exploit maturity level

### 4. Patch Availability Checking
- Identify available patches and fixes
- Check for security advisories
- Find upgrade paths to secure versions
- Track vendor patch timelines
- Monitor backport availability

### 5. Transitive Vulnerability Chain Mapping
- Map vulnerability paths through dependency trees
- Identify all affected dependency chains
- Calculate exposure scope
- Prioritize based on path depth
- Recommend targeted remediations

### 6. Risk Scoring
- Calculate composite risk scores
- Factor in business context
- Assess exposure likelihood
- Evaluate potential impact
- Generate prioritized remediation lists

## Tool Integrations

This skill can leverage the following external tools when available:

| Tool | Purpose | Integration Method |
|------|---------|-------------------|
| Snyk | Comprehensive vulnerability scanning | CLI / API |
| npm audit | Node.js vulnerability scanning | CLI |
| OWASP Dependency-Check | Cross-platform scanning | CLI |
| Trivy | Container and filesystem scanning | MCP Server / CLI |
| Grype | Vulnerability scanner | CLI |
| GitHub Dependabot | Advisory checking | API |
| OSV Scanner | Google's vulnerability scanner | CLI |
| Semgrep | SAST with security rules | CLI |
| MCP-Scan | MCP server security | Tool |

## Usage

### Basic Scanning

```bash
# Invoke skill for vulnerability scanning
# The skill will scan dependencies and optionally code

# Expected inputs:
# - targetPath: Path to project root
# - scanScope: 'dependencies' | 'code' | 'full'
# - severityThreshold: 'critical' | 'high' | 'medium' | 'low'
# - outputFormat: 'json' | 'sarif' | 'markdown'
```

### Scanning Workflow

1. **Discovery Phase**
   - Identify package managers and dependency files
   - Detect codebase languages
   - Check for existing security configurations

2. **Dependency Scanning**
   - Extract dependency information
   - Query vulnerability databases
   - Map vulnerabilities to dependencies

3. **Code Scanning (Optional)**
   - Run SAST analysis
   - Check for security anti-patterns
   - Identify hardcoded secrets

4. **Analysis Phase**
   - Calculate severity scores
   - Assess exploitability
   - Check patch availability
   - Map transitive chains

5. **Report Generation**
   - Generate prioritized vulnerability list
   - Provide remediation guidance
   - Create compliance reports

## Output Schema

```json
{
  "scanId": "string",
  "timestamp": "ISO8601",
  "target": {
    "path": "string",
    "packageManagers": ["string"],
    "languages": ["string"]
  },
  "summary": {
    "totalVulnerabilities": "number",
    "critical": "number",
    "high": "number",
    "medium": "number",
    "low": "number",
    "fixable": "number",
    "riskScore": "number (0-100)"
  },
  "vulnerabilities": [
    {
      "id": "string (CVE-XXXX-XXXXX)",
      "title": "string",
      "description": "string",
      "severity": "critical|high|medium|low",
      "cvss": {
        "score": "number",
        "vector": "string",
        "version": "string"
      },
      "package": {
        "name": "string",
        "version": "string",
        "ecosystem": "string"
      },
      "affectedVersions": "string",
      "fixedVersions": "string",
      "patchAvailable": "boolean",
      "exploitability": {
        "hasKnownExploit": "boolean",
        "exploitMaturity": "string",
        "attackVector": "string"
      },
      "dependencyPath": ["string"],
      "references": ["string"],
      "remediation": {
        "recommendation": "string",
        "upgradeTarget": "string",
        "alternativePackages": ["string"]
      }
    }
  ],
  "securityIssues": [
    {
      "type": "string",
      "severity": "string",
      "file": "string",
      "line": "number",
      "description": "string",
      "cwe": "string",
      "recommendation": "string"
    }
  ],
  "compliance": {
    "passesPolicy": "boolean",
    "violations": ["string"],
    "waivers": ["string"]
  }
}
```

## Integration with Migration Processes

This skill integrates with the following Code Migration/Modernization processes:

- **dependency-analysis-updates**: Security assessment of dependencies
- **security-remediation-migration**: Primary tool for security fixes
- **cloud-migration**: Security compliance for cloud deployment
- **legacy-codebase-assessment**: Security posture evaluation

## Configuration

### Skill Configuration File

Create `.vulnerability-scanner.json` in the project root:

```json
{
  "scanScope": "full",
  "severityThreshold": "medium",
  "failOnSeverity": "critical",
  "databases": ["nvd", "ghsa", "osv"],
  "excludeVulnerabilities": [],
  "waivers": [
    {
      "id": "CVE-2021-12345",
      "reason": "Not exploitable in our context",
      "expiresAt": "2026-06-01"
    }
  ],
  "policy": {
    "maxCritical": 0,
    "maxHigh": 5,
    "requirePatchWithin": {
      "critical": "7d",
      "high": "30d",
      "medium": "90d"
    }
  },
  "reporting": {
    "formats": ["json", "sarif", "markdown"],
    "outputDir": "./security-report"
  }
}
```

## MCP Server Integration

When MCP-Scan is available:

```javascript
// Example MCP security scan
{
  "tool": "mcp_scan_security",
  "arguments": {
    "target": "./",
    "checks": ["toolPoisoning", "piiDetection", "promptInjection"]
  }
}
```

When Trivy is available:

```javascript
// Example Trivy vulnerability scan
{
  "tool": "trivy_scan",
  "arguments": {
    "target": "./",
    "scanners": ["vuln", "secret"],
    "severity": "CRITICAL,HIGH"
  }
}
```

## Vulnerability Databases

### Supported Databases

| Database | Coverage | Update Frequency |
|----------|----------|------------------|
| NVD | All CVEs | Hourly |
| GitHub Advisory | Open source packages | Real-time |
| OSV | Multi-ecosystem | Real-time |
| Snyk DB | Proprietary enrichment | Real-time |
| npm Advisory | Node.js packages | Real-time |
| RustSec | Rust packages | Real-time |

### Database Priority

1. GitHub Advisory Database (most accurate for open source)
2. NVD (comprehensive, standardized)
3. OSV (aggregated, multi-ecosystem)
4. Vendor-specific (ecosystem-specific details)

## Severity Classification

### CVSS v3.x Mapping

| CVSS Score | Severity | Action Required |
|------------|----------|-----------------|
| 9.0 - 10.0 | Critical | Immediate remediation |
| 7.0 - 8.9 | High | Priority remediation |
| 4.0 - 6.9 | Medium | Scheduled remediation |
| 0.1 - 3.9 | Low | Monitor and plan |

### Risk Prioritization Factors

1. **Severity Score**: Base CVSS score
2. **Exploitability**: Known exploits in the wild
3. **Exposure**: Internet-facing vs internal
4. **Dependency Depth**: Direct vs transitive
5. **Fix Availability**: Patch/upgrade available

## Best Practices

1. **Regular Scanning**: Integrate into CI/CD pipelines
2. **Policy Enforcement**: Define and enforce security policies
3. **Waiver Management**: Document and review waivers regularly
4. **Prioritization**: Focus on critical and exploitable vulnerabilities
5. **Monitoring**: Set up alerts for new vulnerabilities
6. **Remediation Tracking**: Track remediation progress over time

## Related Skills

- `dependency-scanner`: Dependency inventory and SBOM generation
- `static-code-analyzer`: Code-level security analysis
- `compliance-validator`: Compliance checking

## Related Agents

- `security-vulnerability-assessor`: Uses this skill for security assessment
- `dependency-modernization-agent`: Uses this skill for security updates
- `migration-readiness-assessor`: Uses this skill for security evaluation

## References

- [MCP-Scan](https://github.com/invariantlabs-ai/mcp-scan)
- [Trivy](https://aquasecurity.github.io/trivy/)
- [Snyk](https://snyk.io/)
- [OWASP Dependency-Check](https://owasp.org/www-project-dependency-check/)
- [OSV Scanner](https://google.github.io/osv-scanner/)
- [NVD](https://nvd.nist.gov/)
- [GitHub Advisory Database](https://github.com/advisories)

Overview

This skill performs comprehensive security vulnerability scanning for project code and dependencies, integrating CVE databases and multiple scanners to identify and prioritize risks. It produces actionable, prioritized reports with fix recommendations, transitive dependency mapping, and risk scoring to guide remediation and migration planning. The skill is optimized for integration into CI/CD pipelines and migration workflows.

How this skill works

It discovers package managers and language files, extracts dependency graphs, and queries NVD, GitHub Advisory, OSV and vendor databases to cross-reference CVEs. It runs optional SAST checks (e.g., Semgrep) and CLI-based scanners (Trivy, Grype, Snyk) when available, calculates CVSS-based severity and exploitability, maps transitive vulnerability chains, and outputs structured reports (JSON, SARIF, Markdown). Configuration files allow policy enforcement, waiver handling, and reporting options.

When to use it

  • Before or during migration to assess dependency risk and cloud readiness
  • Integrate into CI/CD to catch regressions and new vulnerabilities early
  • Perform periodic audits of legacy codebases to prioritize modernization work
  • Validate security posture before major releases or container builds
  • Generate compliance evidence for audits and security reviews

Best practices

  • Run scans regularly and gate critical findings in CI/CD
  • Prioritize remediation by composite risk score (severity, exploitability, exposure)
  • Maintain and review waivers with expiration metadata
  • Cross-reference multiple databases (GitHub, NVD, OSV) for accuracy
  • Track remediation progress and enforce policy thresholds via configuration

Example use cases

  • Scan a Node.js monorepo to map transitive vulnerabilities and recommend upgrade targets
  • Run full project scans during migration to cloud to ensure no high-risk internet-facing dependencies
  • Combine SAST and dependency scans to detect both code issues and vulnerable packages
  • Generate SARIF output for developer toolchains and IDE integration
  • Automate periodic scans and alerting for new CVE publications affecting your stack

FAQ

What outputs does the skill produce?

It produces structured reports including JSON, SARIF, and Markdown summarizing vulnerabilities, risk scores, remediation recommendations, and compliance status.

Which vulnerability databases and tools are used?

It cross-references GitHub Advisory, NVD, OSV and can integrate tools like Snyk, Trivy, Grype, npm audit, Semgrep, and MCP-Scan when available.

How are transitive vulnerabilities handled?

The skill maps dependency paths, calculates exposure scope and path depth, and prioritizes fixes for direct and high-impact transitive chains.