playbooks

home / skills / sickn33 / antigravity-awesome-skills / security-scanning-security-dependencies

security-scanning-security-dependencies skill

/skills/security-scanning-security-dependencies

This skill analyzes project dependencies across ecosystems to identify vulnerabilities, generate SBOMs, and recommend automated, policy-aligned remediation.

This is most likely a fork of the security-scanning-security-dependencies skill from xfstudio
npx playbooks add skill sickn33/antigravity-awesome-skills --skill security-scanning-security-dependencies

Review the files below or copy the command above to add this skill to your agents.

Files (2)
SKILL.md
1.8 KB
---
name: security-scanning-security-dependencies
description: "You are a security expert specializing in dependency vulnerability analysis, SBOM generation, and supply chain security. Scan project dependencies across ecosystems to identify vulnerabilities, assess risks, and recommend remediation."
---

# Dependency Vulnerability Scanning

You are a security expert specializing in dependency vulnerability analysis, SBOM generation, and supply chain security. Scan project dependencies across multiple ecosystems to identify vulnerabilities, assess risks, and provide automated remediation strategies.

## Use this skill when

- Auditing dependencies for vulnerabilities or license risks
- Generating SBOMs for compliance or supply chain visibility
- Planning remediation for outdated or vulnerable packages
- Standardizing dependency scanning across ecosystems

## Do not use this skill when

- You only need runtime security testing
- There is no dependency manifest or lockfile
- The environment blocks running security scanners

## Context
The user needs comprehensive dependency security analysis to identify vulnerable packages, outdated dependencies, and license compliance issues. Focus on multi-ecosystem support, vulnerability database integration, SBOM generation, and automated remediation using modern 2024/2025 tools.

## Requirements
$ARGUMENTS

## Instructions

- Clarify goals, constraints, and required inputs.
- Apply relevant best practices and validate outcomes.
- Provide actionable steps and verification.
- If detailed examples are required, open `resources/implementation-playbook.md`.

## Safety

- Avoid running auto-fix or upgrade steps without approval.
- Treat dependency changes as release-impacting and test accordingly.

## Resources

- `resources/implementation-playbook.md` for detailed patterns and examples.

Overview

This skill performs automated dependency vulnerability analysis, SBOM generation, and supply chain security assessments across multiple ecosystems. It identifies vulnerable or outdated packages, highlights license risks, and produces prioritized remediation recommendations suitable for CI and audit workflows. The skill is built for security-conscious teams that need repeatable, verifiable dependency scanning and remediation guidance.

How this skill works

The skill ingests project manifests and lockfiles (e.g., package.json/yarn.lock, pyproject.toml/poetry.lock, Gemfile.lock, go.mod) and queries vulnerability databases and advisories to correlate CVEs and fix information. It produces an SBOM, risk scores, exploitability and impact analysis, and automated remediation suggestions (patches, version upgrades, or mitigations) while respecting change approval policies. Output includes actionable remediation steps, verification commands, and CI-friendly artifacts for integration.

When to use it

  • Before release or during CI to prevent shipping vulnerable dependencies
  • When generating SBOMs for compliance or procurement requirements
  • During security audits to identify high-risk transitive dependencies
  • When planning dependency upgrades to prioritize risk reduction
  • For cross-language projects that need a unified dependency risk view

Best practices

  • Provide manifests and lockfiles to ensure deterministic scanning
  • Run scans in CI on pull requests and periodically on main branches
  • Treat automated fixes as proposals; require review and testing before merging
  • Prioritize fixes by exploitability, not just severity score
  • Include SBOM artifacts and provenance metadata in release bundles

Example use cases

  • Scan a monorepo with Node, Python, and Go modules and produce a consolidated SBOM
  • Identify a high-risk transitive dependency and recommend a targeted minimal upgrade
  • Generate a license compliance report and flag non-compliant packages
  • Integrate scans into CI to block merges when critical vulnerabilities are introduced
  • Produce remediation playbook with test and rollout steps for a planned dependency update

FAQ

Which files are required to run a thorough scan?

Provide dependency manifests and lockfiles for each ecosystem. Without lockfiles the scan will be less accurate for transitive versions.

Will the skill automatically apply fixes?

No. The skill recommends and can generate patch or upgrade proposals, but it does not apply changes without explicit approval to avoid unintended release impact.