1
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill xfstudio/skills --skill security-scanning-security-dependencies- SKILL.md1.8 KB
Overview
This skill performs dependency vulnerability analysis, SBOM generation, and supply chain security reviews across multiple ecosystems. It identifies vulnerable packages, assesses risk, and produces prioritized remediation guidance while preserving change control and testing requirements.
How this skill works
The skill parses dependency manifests and lockfiles for supported ecosystems, queries vulnerability databases and advisory feeds, and correlates results to produce risk-scored findings and an SBOM. It annotates each issue with exploitability, fix availability, and recommended remediation steps while avoiding automatic changes unless explicitly approved.
When to use it
- Before a release to validate that dependencies have no high-risk vulnerabilities
- When generating SBOMs for compliance, procurement, or third-party risk management
- During security audits or red-team exercises to surface supply chain risks
- When onboarding a new project or integrating cross-repo dependency policies
- To plan coordinated upgrades for transitive dependencies across ecosystems
Best practices
- Provide manifests and lockfiles for all ecosystems and the CI environment to reproduce scans
- Treat recommendations as release-impacting: schedule, test, and peer-review fixes
- Prioritize fixes by exploitability and business impact, not only CVSS score
- Keep vulnerability feeds and SBOM schema versions up to date for accurate results
- Avoid automatic in-place upgrades without approval; use PRs and CI validation
Example use cases
- Scan a Node/Python/Java repo to produce a consolidated vulnerability report and SBOM for compliance
- Assess transitive dependency risk when adding a new third-party library
- Generate an SBOM for a release candidate and attach it to the release pipeline
- Create a prioritized backlog of dependency upgrades for the next sprint
- Validate license compatibility across dependencies before a commercial distribution
FAQ
Common ecosystems like npm, PyPI, Maven, and others are supported when manifests or lockfiles are provided; coverage depends on available scanners and feeds.
Will the skill automatically upgrade vulnerable packages?
No. The skill recommends fixes and creates patch or upgrade guidance. Automatic changes are avoided unless you explicitly approve them.