dependency-scanning

📁 bagelhole/devops-security-agent-skills 📅 9 days ago
Total installs: 1
Weekly installs: 1
Site-wide rank: #54653
Install command
npx skills add https://github.com/bagelhole/devops-security-agent-skills --skill dependency-scanning

Agent install distribution

opencode 1
codex 1
claude-code 1

Skill documentation

Dependency Scanning

Identify vulnerabilities in third-party dependencies and libraries.

When to Use This Skill

Use this skill when:

  • Managing third-party dependencies
  • Implementing software composition analysis
  • Meeting compliance requirements
  • Securing the software supply chain
  • Automating vulnerability detection

Prerequisites

  • Package manifest files (package.json, requirements.txt, etc.)
  • CI/CD pipeline access
  • Dependency scanning tool

Tool Comparison

Tool            | Type            | Languages | Best For
----------------|-----------------|-----------|------------------
Snyk            | Commercial/Free | Many      | Comprehensive SCA
Dependabot      | Free (GitHub)   | Many      | Automated PRs
OWASP Dep-Check | OSS             | Many      | Free scanning
npm audit       | Built-in        | Node.js   | Quick checks
pip-audit       | OSS             | Python    | Python projects
Trivy           | OSS             | Many      | Container deps

Snyk

CLI Usage

# Install
npm install -g snyk

# Authenticate
snyk auth

# Test project
snyk test

# Monitor project (track over time)
snyk monitor

# Test specific manifest
snyk test --file=package.json
snyk test --file=requirements.txt

# Output formats
snyk test --json > snyk-results.json
snyk test --sarif > snyk-results.sarif

# Fix vulnerabilities
snyk fix

# Ignore vulnerability
snyk ignore --id=SNYK-JS-LODASH-567746 --expiry=2024-12-31 --reason="No exploit path"

CI Integration

# .github/workflows/snyk.yml
name: Snyk Security

on:
  push:
    branches: [main]
  pull_request:

jobs:
  snyk:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          # --sarif-file-output writes the file the upload step below expects
          args: --severity-threshold=high --sarif-file-output=snyk.sarif

      - name: Upload results to GitHub
        # snyk test exits non-zero when it finds issues; still upload the SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk.sarif

Policy File

# .snyk
version: v1.25.0
ignore:
  SNYK-JS-LODASH-567746:
    - '*':
        reason: No user input reaches this function
        expires: 2024-12-31
        created: 2024-01-15

  'snyk:lic:npm:gpl-3.0':
    - '*':
        reason: Internal use only
        
patch: {}

GitHub Dependabot

Configuration

# .github/dependabot.yml
version: 2
updates:
  # JavaScript/Node.js
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 10
    reviewers:
      - "security-team"
    labels:
      - "dependencies"
      - "security"
    ignore:
      - dependency-name: "aws-sdk"
        update-types: ["version-update:semver-major"]
    groups:
      development-dependencies:
        dependency-type: "development"
        update-types:
          - "minor"
          - "patch"

  # Python
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "daily"
    
  # Docker
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
    
  # GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

Security Alerts

# Automated security updates
# Enable in repository Settings > Security > Dependabot

# Dependabot will automatically:
# - Create PRs for vulnerable dependencies
# - Update to patched versions
# - Provide CVE details in PR description

OWASP Dependency-Check

Installation

# Download
wget https://github.com/jeremylong/DependencyCheck/releases/download/v9.0.0/dependency-check-9.0.0-release.zip
unzip dependency-check-9.0.0-release.zip

# Or via Homebrew
brew install dependency-check

Usage

# Scan project
dependency-check --project "MyProject" \
  --scan /path/to/project \
  --out /path/to/reports \
  --format HTML \
  --format JSON

# With specific analyzers
dependency-check --project "MyProject" \
  --scan . \
  --enableExperimental \
  --disableRetireJS

# CI configuration
dependency-check --project "MyProject" \
  --scan . \
  --format JSON \
  --failOnCVSS 7 \
  --suppression suppression.xml

Suppression File

<?xml version="1.0" encoding="UTF-8"?>
<!-- suppression.xml: the XML declaration must come first, before any comment -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>False positive - not using vulnerable function</notes>
    <packageUrl regex="true">^pkg:npm/lodash@.*$</packageUrl>
    <cve>CVE-2021-23337</cve>
  </suppress>

  <suppress until="2024-12-31">
    <notes>Risk accepted - mitigated by WAF</notes>
    <cpe>cpe:/a:apache:struts:2.5.0</cpe>
    <vulnerabilityName>CVE-2023-12345</vulnerabilityName>
  </suppress>
</suppressions>

Maven Integration

<!-- pom.xml -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>9.0.0</version>
  <configuration>
    <failBuildOnCVSS>7</failBuildOnCVSS>
    <suppressionFiles>
      <suppressionFile>suppression.xml</suppressionFile>
    </suppressionFiles>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>

Language-Specific Tools

Node.js (npm audit)

# Run audit
npm audit

# JSON output
npm audit --json

# Fix automatically
npm audit fix

# Fix with breaking changes
npm audit fix --force

# Production dependencies only (npm 8+; older npm versions used --production)
npm audit --omit=dev

Python (pip-audit)

# Install
pip install pip-audit

# Scan installed packages
pip-audit

# Scan requirements file
pip-audit -r requirements.txt

# Output formats
pip-audit --format json
pip-audit --format cyclonedx-json

# Fix vulnerabilities
pip-audit --fix

Go (govulncheck)

# Install
go install golang.org/x/vuln/cmd/govulncheck@latest

# Scan project
govulncheck ./...

# JSON output
govulncheck -json ./...

Ruby (bundler-audit)

# Install
gem install bundler-audit

# Update database
bundle-audit update

# Run audit
bundle-audit check

# Output format
bundle-audit check --format json

SBOM Generation

CycloneDX

# Node.js
npx @cyclonedx/cyclonedx-npm --output-file sbom.json

# Python (cyclonedx-bom 4+ requires a subcommand: environment, requirements, pipenv or poetry)
pip install cyclonedx-bom
cyclonedx-py environment -o sbom.json

# Go
go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest
cyclonedx-gomod mod -json > sbom.json

Syft

# Install
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s

# Generate SBOM
syft dir:/path/to/project -o cyclonedx-json > sbom.json
syft dir:/path/to/project -o spdx-json > sbom-spdx.json

# From container
syft myimage:latest -o cyclonedx-json > sbom.json
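Tracking SBOMs means comparing the one from this build against the last known-good one. The following script is an added example (not part of the original skill or any of the tools above) that diffs two CycloneDX JSON SBOMs by Package URL and reports added, removed and version-changed components; the two SBOMs are constructed inline rather than generated by cyclonedx-npm or Syft.

```python
"""Compare two CycloneDX JSON SBOMs (e.g. last release vs. this build) and report
added, removed and version-changed components, keyed by Package URL (purl)."""
import json


def purl_key(purl):
    """Split 'pkg:type/namespace/name@version?qualifiers#subpath' into (base, version).
    Scoped npm names encode '@' as '%40', so rpartition on the last '@' is safe."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    name, sep, version = base.rpartition("@")
    return (name, version) if sep else (base, "")


def components(sbom_json):
    """Map purl-without-version -> version for every component that carries a purl."""
    bom = json.loads(sbom_json)
    out = {}
    for comp in bom.get("components", []):
        if "purl" in comp:
            name, version = purl_key(comp["purl"])
            out[name] = version
    return out


def diff_sboms(old_json, new_json):
    """Return {"added": {name: ver}, "removed": {name: ver}, "changed": {name: (old, new)}}."""
    old, new = components(old_json), components(new_json)
    return {
        "added": {n: v for n, v in new.items() if n not in old},
        "removed": {n: v for n, v in old.items() if n not in new},
        "changed": {n: (old[n], new[n]) for n in old.keys() & new.keys() if old[n] != new[n]},
    }


# Constructed sample SBOMs (not produced by any tool); minimal CycloneDX 1.5 shape.
def _bom(purls):
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                       "components": [{"type": "library", "purl": p} for p in purls]})


OLD_SBOM = _bom(["pkg:npm/lodash@4.17.20", "pkg:npm/%40babel/core@7.22.0",
                 "pkg:npm/left-pad@1.3.0"])
NEW_SBOM = _bom(["pkg:npm/lodash@4.17.21", "pkg:npm/%40babel/core@7.22.0",
                 "pkg:npm/new-dep@1.0.0?arch=x64"])  # new-dep is a made-up package name
```

An unexpected entry in "added" (a dependency nobody intentionally introduced) is the signal worth reviewing before the build is promoted.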

CI/CD Pipeline

# Comprehensive dependency scanning
name: Dependency Security

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: '0 8 * * *'

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # npm audit reads package-lock.json, but snyk test and cyclonedx-npm
      # need an installed node_modules tree
      - name: Install dependencies
        run: npm ci

      - name: npm audit
        run: npm audit --audit-level=high

      - name: Snyk scan
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high
          
      - name: Generate SBOM
        run: npx @cyclonedx/cyclonedx-npm --output-file sbom.json

      - name: Upload SBOM
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.json

Common Issues

Issue: Too Many Alerts

Problem: Overwhelmed by vulnerability count
Solution: Prioritize by exploitability, filter by severity

Issue: No Fix Available

Problem: Vulnerable dependency has no patch
Solution: Consider alternatives, implement compensating controls

Issue: Breaking Updates

Problem: Security fix breaks functionality
Solution: Review changelogs, test thoroughly, use lockfiles
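The three issues above map directly onto fields in the `npm audit --json` report (npm 7+): severity for the alert flood, `fixAvailable: false` for "no fix", and `fixAvailable.isSemVerMajor` for fixes that are breaking. The script below is an added example, not part of the original skill, that triages a report into those buckets and reproduces the `--audit-level` gate; the report it parses is a constructed sample, not real npm output.

```python
"""Triage an `npm audit --json` report (npm 7+, auditReportVersion 2) the way the
Common Issues above suggest: filter by severity, split fixable / breaking / no-fix."""
import json

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample report, not real npm output; keys follow the npm 7+ JSON schema.
SAMPLE_REPORT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "lodash": {"name": "lodash", "severity": "high", "isDirect": True,
               "range": "<4.17.21", "fixAvailable": True},
    "minimist": {"name": "minimist", "severity": "critical", "isDirect": False,
                 "range": "<1.2.6", "fixAvailable": {"name": "mocha", "version": "10.0.0",
                                                     "isSemVerMajor": True}},
    "legacy-lib": {"name": "legacy-lib", "severity": "moderate", "isDirect": True,
                   "range": "*", "fixAvailable": False},
    "debug": {"name": "debug", "severity": "low", "isDirect": False,
              "range": "<2.6.9", "fixAvailable": True},
}})


def triage(report_json, min_severity="moderate"):
    """Return {"fixable", "breaking", "no_fix"} -> package names, most severe first.
    Findings below min_severity are dropped (the "Too Many Alerts" filter)."""
    report = json.loads(report_json)
    floor = SEVERITY_RANK[min_severity]
    buckets = {"fixable": [], "breaking": [], "no_fix": []}
    for name, vuln in report.get("vulnerabilities", {}).items():
        rank = SEVERITY_RANK.get(vuln.get("severity", "info"), 0)
        if rank < floor:
            continue
        fix = vuln.get("fixAvailable", False)
        if fix is False:
            key = "no_fix"      # "No Fix Available": alternative or compensating control
        elif isinstance(fix, dict) and fix.get("isSemVerMajor"):
            key = "breaking"    # "Breaking Updates": needs `npm audit fix --force` plus testing
        else:
            key = "fixable"     # plain `npm audit fix` handles these
        buckets[key].append((rank, name))
    # sorted() is stable, so equal severities keep report order
    return {k: [n for _, n in sorted(v, key=lambda t: -t[0])] for k, v in buckets.items()}


def exceeds_threshold(report_json, audit_level="high"):
    """Mirror `npm audit --audit-level=<level>`: True when any finding is at or above it."""
    floor = SEVERITY_RANK[audit_level]
    vulns = json.loads(report_json).get("vulnerabilities", {}).values()
    return any(SEVERITY_RANK.get(v.get("severity", "info"), 0) >= floor for v in vulns)
```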

Best Practices

  • Scan on every build
  • Use lockfiles for reproducibility
  • Set severity thresholds
  • Generate and track SBOMs
  • Document exceptions properly
  • Update dependencies regularly
  • Monitor for new vulnerabilities
  • Automate PR creation for updates

Related Skills