vuln-scan


Multi-language dependency security scan - Use Safety CLI and OSV-Scanner to quickly detect dependency vulnerabilities in Python/JS/Java projects

By y1feng200156, updated 2/10/2026


Vulnerability Scanner Skill

📋 Overview

Provides two lightweight vulnerability scanning tools:

  • Safety CLI: Python/JS/Java smart scanning (AI enhanced)
  • OSV-Scanner: Google open source, supports multiple ecosystems

🔧 Prerequisites

Tool Installation (All Platforms)

  • Safety CLI: pip install safety
  • OSV-Scanner: Download (prebuilt binary, or go install as in the CI/CD Integration section)

🚀 Usage

Safety CLI Scan:

# Windows
.\.agent\skills\vuln-scan\scripts\safety-scan.ps1

# Linux/Mac
./.agent/skills/vuln-scan/scripts/safety-scan.sh

OSV-Scanner Scan:

# Windows
.\.agent\skills\vuln-scan\scripts\osv-scan.ps1

# Linux/Mac
./.agent/skills/vuln-scan/scripts/osv-scan.sh

CI/CD Mode:

.\.agent\skills\vuln-scan\scripts\safety-scan.ps1 -CI
# Returns a non-zero exit code when vulnerabilities are found, so the pipeline step fails

🎯 Scan Coverage

Safety CLI Support

  • ✅ Python (requirements.txt, Pipfile, pyproject.toml)
  • ✅ JavaScript/TypeScript (package.json, package-lock.json)
  • ✅ Java (pom.xml, build.gradle)

OSV-Scanner Support

  • ✅ Python, JavaScript, TypeScript
  • ✅ Java, Go, Rust
  • ✅ Ruby, PHP, C/C++
  • ✅ And 20+ other ecosystems

📊 Output Example

๐Ÿ” Vulnerability Scan - Safety CLI

โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”
๐Ÿ“ฆ Scanning: requirements.txt (23 dependencies)
โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”

โ•ญโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ
โ”‚ โŒ VULNERABILITY FOUND                 โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚ Package: urllib3                       โ”‚
โ”‚ Installed: 1.26.5                      โ”‚
โ”‚ Affected: <1.26.18                     โ”‚
โ”‚ ID: 51499                              โ”‚
โ”‚                                        โ”‚
โ”‚ OWASP Top 10: A05:2021 - Security      โ”‚
โ”‚ Misconfiguration                       โ”‚
โ”‚                                        โ”‚
โ”‚ Description:                           โ”‚
โ”‚ urllib3's request body can leak from   โ”‚
โ”‚ URLError exceptions                    โ”‚
โ”‚                                        โ”‚
โ”‚ Fix: Upgrade to urllib3>=1.26.18       โ”‚
โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ

โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”
๐Ÿ“Š Scan Results:
   ๐Ÿ”ด Critical: 0
   ๐ŸŸ  High: 1
   ๐ŸŸก Medium: 2
   ๐ŸŸข Low: 0

๐Ÿ’ก Fix Suggestion:
   pip install --upgrade urllib3>=1.26.18

โš™๏ธ Configuration

Safety CLI (.safety-policy.yml)

# Security policy config
security:
  # Ignore specific vulnerability IDs
  ignore-vulnerabilities:
    51499:
      reason: "False positive - not using affected functionality"
      expires: "2026-12-31"
  
  # Ignore specific packages
  ignore-packages:
    - package: test-utils
      reason: "Dev dependency only"
  
  # Set CVSS threshold
  continue-on-vulnerability-error: false
  fail-security-check-threshold: 7.0

# Monitoring config
alert:
  # Optional: Integrate Slack/Email alerts
  on-vulnerability: slack
  webhook: ${SAFETY_WEBHOOK_URL}

OSV-Scanner (osv-scanner.toml)

[[IgnoredVulns]]
id = "GHSA-xxxx-yyyy-zzzz"
reason = "Not applicable to our use case"

[[PackageOverrides]]
name = "example"
version = "1.0.0"
ecosystem = "npm"
ignore = true
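The CI/CD mode above stops the pipeline through the exit code, and both configuration files suppress findings by id with a recorded reason (Safety's policy also carries an expiry and a CVSS threshold). The following Python is an added example of my own, not part of the skill or of either scanner: it reads scanner JSON output, applies a small policy with the same ignore and threshold ideas, and returns the exit code a CI step would propagate. The JSON layout is a constructed approximation of `osv-scanner --format json` (results, packages, vulnerabilities); the numeric `cvss_score` under `database_specific`, the `GHSA-EXAMPLE-*` ids and the function names are assumptions for this example, not documented scanner fields.

```python
"""CI gate over dependency-scanner JSON output (added example, not the skill's code)."""
import json
import sys
from datetime import date

# Constructed sample in the shape of `osv-scanner --format json`
# (results -> packages -> package / vulnerabilities). The numeric
# "cvss_score" under database_specific is an assumption for this example,
# not a field the page or the scanner documents.
SAMPLE_SCAN = json.dumps({
    "results": [{
        "source": {"path": "requirements.txt", "type": "lockfile"},
        "packages": [
            {"package": {"name": "urllib3", "version": "1.26.5", "ecosystem": "PyPI"},
             "vulnerabilities": [
                 {"id": "GHSA-EXAMPLE-0001", "summary": "constructed high-severity finding",
                  "database_specific": {"cvss_score": 7.5}},
                 {"id": "GHSA-EXAMPLE-0002", "summary": "constructed medium-severity finding",
                  "database_specific": {"cvss_score": 5.3}},
             ]},
            {"package": {"name": "test-utils", "version": "0.1.0", "ecosystem": "PyPI"},
             "vulnerabilities": [
                 {"id": "GHSA-EXAMPLE-0003", "summary": "constructed finding in a dev-only package",
                  "database_specific": {"cvss_score": 9.8}},
             ]},
        ],
    }]
})

# Policy mirroring the .safety-policy.yml ideas: a CVSS gate, suppressions by
# vulnerability id with a reason and an expiry, and suppressions by package.
POLICY = {
    "threshold": 7.0,
    "ignore_vulnerabilities": {
        "GHSA-EXAMPLE-0002": {"reason": "False positive - not using affected functionality",
                              "expires": "2026-12-31"},
    },
    "ignore_packages": {"test-utils": "Dev dependency only"},
}


def findings(scan_json):
    """Flatten scanner output into (package, version, vuln_id, score) tuples."""
    rows = []
    for result in json.loads(scan_json)["results"]:
        for entry in result["packages"]:
            pkg = entry["package"]
            for vuln in entry.get("vulnerabilities", []):
                score = float(vuln.get("database_specific", {}).get("cvss_score", 0.0))
                rows.append((pkg["name"], pkg["version"], vuln["id"], score))
    return rows


def is_suppressed(package, vuln_id, policy, today):
    """Package-level ignores always apply; id-level ignores stop applying once expired."""
    if package in policy["ignore_packages"]:
        return True
    rule = policy["ignore_vulnerabilities"].get(vuln_id)
    if rule is None:
        return False
    return date.fromisoformat(rule["expires"]) >= today


def gate(scan_json, policy, today_iso):
    """Return (exit_code, blocking_findings); exit 1 when any unsuppressed score meets the threshold."""
    today = date.fromisoformat(today_iso)
    blocking = [row for row in findings(scan_json)
                if not is_suppressed(row[0], row[2], policy, today)
                and row[3] >= policy["threshold"]]
    return (1 if blocking else 0), blocking


if __name__ == "__main__":
    exit_code, blocking = gate(SAMPLE_SCAN, POLICY, date.today().isoformat())
    for package, version, vuln_id, score in blocking:
        print(f"BLOCKING {vuln_id}: {package}=={version} (CVSS {score})")
    sys.exit(exit_code)  # a non-zero code here is what fails the CI step
```

Expired suppressions deliberately fall back to blocking: a dated `expires` on every ignore rule is what keeps the "false positive" list from silently growing into a permanent allow-list.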

🔄 Auto-fix

Safety CLI Auto-upgrade:

# Generate fix commands
safety check --json | safety generate fixes

# Or apply fixes directly (use with caution)
safety check --apply-fixes

Manual Fix Examples:

# Python (quote the specifier: an unquoted >= is parsed by the shell as a redirection)
pip install --upgrade "package-name>=safe-version"

# JavaScript (npm install pins the package to the given version)
npm install package-name@safe-version

# Java (Maven)
# Modify the dependency's <version> in pom.xml
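The Python line above upgrades the package in the current environment, but the pin in requirements.txt that the next `pip install -r` re-installs also has to change, or the next scan reports the same finding. The following is an added example of mine, not the skill's script, that rewrites the requirements.txt lines for one package to a `>=` lower bound at the fixed version. Requirement-line parsing is simplified on purpose (plain dotted versions, `==`/`>=` pins, optional extras), the sample file is constructed, and `bump_requirement` and its helpers are names of my own.

```python
"""Rewrite a vulnerable pin in requirements.txt (added example, not the skill's code)."""
import re

# Constructed sample file: one vulnerable pin, one safe pin of the same package
# under a different spelling, and lines the rewrite must leave alone.
SAMPLE_REQUIREMENTS = [
    "# constructed sample requirements",
    "requests==2.31.0",
    "urllib3[socks]==1.26.5",
    "Urllib3>=2.0.0",
    "-r dev-requirements.txt",
]

# name, optional extras, then whatever version specifier follows
REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"
    r"(?P<extras>\[[^\]]*\])?\s*(?P<spec>.*)$"
)
# the two pin styles this example understands; anything else is treated as unsafe
PIN_RE = re.compile(r"^(==|>=)\s*([0-9]+(?:\.[0-9]+)*)\s*$")


def normalize(name):
    """PEP 503 normalisation so Urllib3, urllib_3 and urllib-3 compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_tuple(version):
    """Numeric comparison of dotted versions (1.26.18 > 1.26.5); pre-release tags are out of scope."""
    return tuple(int(part) for part in version.split("."))


def bump_requirement(lines, package, min_version):
    """Return new lines with `package` required at >= min_version.

    Comments, blank lines, -r includes and other packages pass through unchanged.
    A pin already at or above min_version is kept. Anything else (bare name, an
    older == or >= pin, or a range this example does not parse) becomes a >=
    lower bound, with the old line recorded in a trailing comment for review.
    """
    target = normalize(package)
    out = []
    for line in lines:
        body = line.partition("#")[0].strip()
        m = REQ_RE.match(body)
        if not m or normalize(m.group("name")) != target:
            out.append(line)
            continue
        pin = PIN_RE.match(m.group("spec"))
        if pin and version_tuple(pin.group(2)) >= version_tuple(min_version):
            out.append(line)
            continue
        out.append(f"{m.group('name')}{m.group('extras') or ''}>={min_version}  # bumped from '{body}'")
    return out


if __name__ == "__main__":
    for line in bump_requirement(SAMPLE_REQUIREMENTS, "urllib3", "1.26.18"):
        print(line)
```

The trailing comment is intentional: an automated bump that drops an upper bound or changes an exact pin is a change a reviewer should see in the diff, not one that disappears into the file.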

🔗 CI/CD Integration

GitHub Actions (Safety CLI)

name: Security Scan
on: [push, pull_request]

jobs:
  safety-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      
      - name: Install Safety
        run: pip install safety
      
      - name: Run Safety Check
        run: safety check --json
        env:
          SAFETY_API_KEY: ${{ secrets.SAFETY_API_KEY }}

GitLab CI (OSV-Scanner)

osv-scan:
  image: golang:latest
  script:
    - go install github.com/google/osv-scanner/cmd/osv-scanner@latest
    - osv-scanner --lockfile=package-lock.json

🆘 FAQ

Q: Does Safety CLI require an API Key?
A: The free version has limits; applying for a free API key at safety.com is recommended.

Q: OSV-Scanner vs Safety CLI?
A:

  • OSV-Scanner: Wider language support, community-driven
  • Safety CLI: Stronger Python ecosystem, AI-enhanced detection

Q: How to use in offline environments?
A: Safety CLI can download its vulnerability database for offline use; OSV-Scanner supports a local cache.

Q: Too many false positives?
A: Suppress known false positives in the config files above, and record a reason for each suppression.

🔗 Related Resources

Install via CLI:

npx skills add https://github.com/y1feng200156/ham-study --skill vuln-scan

Repository: https://github.com/y1feng200156/ham-study (branch main, path SKILL.md)