---
name: security-check
description: Check dependency security vulnerabilities
---
# Security Vulnerability Check Skill

## Overview

Check project dependencies for known security vulnerabilities, supporting multiple languages and package managers:

- CVE Database: detect known vulnerabilities
- Severity Scoring: CVSS scoring system
- Fix Recommendations: suggest secure versions
- Real-time Updates: latest vulnerability data
## Prerequisites

| Language/Tool | Check Tool | Installation |
|---|---|---|
| Python | pip-audit, Safety | pip install pip-audit safety |
| JavaScript | npm audit | Built into npm |
| Java | OWASP Dependency-Check | Download CLI |
| .NET | dotnet list package --vulnerable | Built into .NET SDK |
| Ruby | bundler-audit | gem install bundler-audit |
| Go | govulncheck | go install golang.org/x/vuln/cmd/govulncheck@latest |
## Usage

### Method 1: Use AI Assistant

- "Check project security vulnerabilities"
- "Scan dependencies for CVEs"
- "Run security audit"

### Method 2: Run Commands Manually

Python:

```bash
# Using pip-audit (recommended)
pip-audit                      # Scan current environment
pip-audit -r requirements.txt  # Scan specific file

# Using Safety
safety check                   # Scan current environment
safety check --json            # JSON output
```

JavaScript/Node.js:

```bash
npm audit               # Scan and show vulnerabilities
npm audit fix           # Auto-fix (minor versions)
npm audit fix --force   # Force fix (may break compatibility)
npm audit --json        # JSON output
```

Yarn:

```bash
yarn audit               # Scan vulnerabilities
yarn audit --level high  # Show high severity only
```

pnpm:

```bash
pnpm audit        # Scan vulnerabilities
pnpm audit --fix  # Auto-fix
```

Java (Maven):

```bash
# Using OWASP Dependency-Check
mvn org.owasp:dependency-check-maven:check

# Using Snyk
snyk test
```

.NET:

```bash
dotnet list package --vulnerable                       # List vulnerabilities
dotnet list package --vulnerable --include-transitive  # Include transitive deps
```

Ruby:

```bash
bundle audit check   # Check Gemfile.lock
bundle audit update  # Update vulnerability database
```

Go:

```bash
govulncheck ./...        # Scan all packages
govulncheck -json ./...  # JSON output
```
## What It Checks

### Vulnerability Detection

- Known CVE IDs
- CVSS scores (severity)
- Affected version ranges
- Vulnerability descriptions and links

### Dependency Analysis

- Direct dependencies
- Transitive dependencies
- Development dependencies (optional)
- License checks (some tools)

### Fix Recommendations

- Recommended secure versions
- Fix PRs (some tools)
- Workarounds (if upgrade not possible)
- Alternative package recommendations
## Output Examples

npm audit output:

```text
found 3 vulnerabilities (1 moderate, 2 high) in 856 scanned packages
  run `npm audit fix` to fix 2 of them.
  1 vulnerability requires manual review. See the full report for details.

  High           Regular Expression Denial of Service in lodash
  Package        lodash
  Patched in     >=4.17.21
  Dependency of  express
  Path           express > lodash
  More info      https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
```

pip-audit output:

```text
Found 2 known vulnerabilities in 1 package
Name    Version ID             Fix Versions
------- ------- -------------- ------------
urllib3 1.26.5  PYSEC-2021-108 1.26.5
                PYSEC-2021-59  1.26.4
```
## Configuration

`.npmrc` (npm audit):

```ini
audit-level=high  # Only report high and above
audit=true        # Auto-check on install
```

`.safety-policy.yml` (Python Safety):

```yaml
security:
  ignore-vulnerabilities:
    # Temporarily ignore a specific vulnerability ID (the reason must be recorded)
    12345:
      reason: "Verified not affecting our use case"
      expires: "2026-12-31"
  continue-on-vulnerability-error: false
```
## CI/CD Integration

### GitHub Actions

```yaml
name: Security Audit
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run npm audit
        run: npm audit --audit-level=high
        continue-on-error: true
      - name: Run Snyk
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
```

### GitLab CI

```yaml
security_scan:
  stage: test
  image: python:3.11
  script:
    - pip install pip-audit
    - pip-audit -r requirements.txt
  allow_failure: true
```
## FAQ

**Q: What to do after finding vulnerabilities?**

A:
- Assess severity (CVSS score)
- Check if it affects your use case
- Upgrade to the fixed version
- If upgrade is not possible, find alternatives or mitigations
**Q: What if `npm audit fix` breaks compatibility?**

A:
- First run `npm audit` to see details
- Manually upgrade specific packages: `npm update package-name`
- Use `npm audit fix --dry-run` to preview
- Test before committing
**Q: How to ignore specific vulnerabilities?**

A:
- npm: Use `npm audit fix --force` or `.auditrc`
- Python: Add exceptions in `.safety-policy.yml`
- Note: Must have a valid reason and be reviewed regularly
**Q: CI/CD security check failures causing build failures?**

A:
- Set a severity threshold (e.g., only high/critical fail)
- Use `continue-on-error: true` to downgrade the check to a warning
- Fix vulnerabilities regularly; don't let them accumulate
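The three answers above (expiring exceptions in `.safety-policy.yml`, an ignore list that needs a reason and regular review, and a severity threshold for CI) can be combined in one gating script. The following is an added example, not part of this skill's tooling or of pip-audit or npm: it flattens `pip-audit --format json` and `npm audit --json` (npm 7+) output into a common finding list, applies a policy map that mirrors the `.safety-policy.yml` layout, and returns a non-zero exit code only for findings that are at or above the threshold and not covered by a current, justified exception. The JSON shapes are assumptions about the two tools' output, and the sample documents and policy are constructed; the vulnerability IDs reuse those from the output examples above.

```python
"""Gate a CI job on dependency-audit JSON with a severity threshold and an
expiring ignore list. Added example, not part of the skill's own tooling.
Assumed JSON shapes: `pip-audit --format json` and `npm audit --json` (npm 7+);
the sample documents and policy below are constructed for the example."""
import json
import sys
from dataclasses import dataclass
from datetime import date

# npm reports a level per advisory; pip-audit reports none, so "unknown" is
# ranked with critical: an unscored finding must never slip under the bar.
SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4, "unknown": 4}


@dataclass(frozen=True)
class Finding:
    ecosystem: str
    package: str
    affected: str   # installed version (pip-audit) or vulnerable range (npm)
    vuln_id: str
    severity: str
    fix: str


def parse_pip_audit(doc):
    """Flatten pip-audit's JSON (assumed shape) into Findings."""
    findings = []
    for dep in doc.get("dependencies", []):
        for vuln in dep.get("vulns", []):
            fix = ", ".join(vuln.get("fix_versions", [])) or "none"
            findings.append(Finding("pypi", dep["name"], dep["version"],
                                    vuln["id"], "unknown", fix))
    return findings


def parse_npm_audit(doc):
    """Flatten npm audit's JSON (assumed shape) into Findings.

    Each entry's "via" list mixes advisory objects (this package is the root
    cause) with plain strings (this package merely depends on a vulnerable
    one). Only advisory objects become findings; strings would double-count.
    """
    findings = []
    for name, entry in doc.get("vulnerabilities", {}).items():
        for via in entry.get("via", []):
            if not isinstance(via, dict):
                continue
            url = via.get("url", "")
            vuln_id = url.rsplit("/", 1)[-1] if url else str(via.get("source", "?"))
            findings.append(Finding("npm", name, via.get("range", "?"), vuln_id,
                                    via.get("severity", "unknown"),
                                    "available" if entry.get("fixAvailable") else "none"))
    return findings


def evaluate(findings, policy, today, min_severity="high"):
    """Sort findings into blocking / ignored / expired / below_threshold.

    policy maps a vulnerability id to {"reason": str, "expires": "YYYY-MM-DD"},
    mirroring .safety-policy.yml. An exception is honoured only while it has a
    reason and has not expired; otherwise the finding is judged on severity.
    """
    result = {"blocking": [], "ignored": [], "expired": [], "below_threshold": []}
    for f in findings:
        entry = policy.get(f.vuln_id)
        if entry is not None and entry.get("reason"):
            if date.fromisoformat(entry["expires"]) >= today:
                result["ignored"].append(f)
                continue
            result["expired"].append(f)  # lapsed: treated as if no exception existed
        if SEVERITY_RANK.get(f.severity, 4) >= SEVERITY_RANK[min_severity]:
            result["blocking"].append(f)
        else:
            result["below_threshold"].append(f)
    return result


def exit_code(result):
    """1 fails the pipeline; anything in the blocking bucket is enough."""
    return 1 if result["blocking"] else 0


def report(result):
    return "\n".join(f"{bucket:16}{f.ecosystem}:{f.package} {f.affected} {f.vuln_id} "
                     f"severity={f.severity} fix={f.fix}"
                     for bucket, items in result.items() for f in items)


# Constructed sample documents; IDs taken from the output examples in this file.
PIP_AUDIT_SAMPLE = {"dependencies": [{"name": "urllib3", "version": "1.26.5", "vulns": [
    {"id": "PYSEC-2021-108", "fix_versions": ["1.26.5"], "aliases": [], "description": "..."},
    {"id": "PYSEC-2021-59", "fix_versions": ["1.26.4"], "aliases": [], "description": "..."}]}]}
NPM_AUDIT_SAMPLE = {"vulnerabilities": {
    "lodash": {"name": "lodash", "severity": "high", "range": "<4.17.21", "fixAvailable": True,
               "via": [{"name": "lodash", "severity": "high", "range": "<4.17.21",
                        "title": "Regular Expression Denial of Service",
                        "url": "https://github.com/advisories/GHSA-x5rq-j2xg-h7qm"}]},
    "express": {"name": "express", "severity": "high", "range": "*", "fixAvailable": True,
                "via": ["lodash"]}}}
POLICY_SAMPLE = {  # constructed; the second exception has lapsed on purpose
    "PYSEC-2021-59": {"reason": "Only reachable via proxies, which we do not use",
                      "expires": "2026-12-31"},
    "GHSA-x5rq-j2xg-h7qm": {"reason": "Input is not user controlled", "expires": "2024-01-01"},
}


def main(argv):
    if len(argv) == 3:  # usage: gate.py pip-audit.json npm-audit.json
        with open(argv[1]) as f1, open(argv[2]) as f2:
            findings = parse_pip_audit(json.load(f1)) + parse_npm_audit(json.load(f2))
    else:
        findings = parse_pip_audit(PIP_AUDIT_SAMPLE) + parse_npm_audit(NPM_AUDIT_SAMPLE)
    result = evaluate(findings, POLICY_SAMPLE, date.today())
    print(report(result))
    return exit_code(result)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two design choices matter for a gate like this: an exception without a `reason` or past its `expires` date is simply not applied, so a forgotten entry re-surfaces as a failing build instead of silently suppressing the finding forever; and findings with no severity (pip-audit does not score) are ranked with critical, so the threshold can only relax the check for advisories that actually carry a score.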
**Q: How to prevent introducing vulnerabilities?**

A:
- Pre-commit hook running security checks
- Auto-run audit in PRs
- Use tools like Snyk/Dependabot for automatic fix PRs
- Regularly update dependencies