Add dependency-scanning skill to advanced-security plugin #33
Open
MabCloud wants to merge 2 commits into github:main from
1db9331 to 558d976
Add a new skill under plugins/advanced-security/skills/dependency-scanning/ that guides agents through scanning project dependencies for known CVEs and security vulnerabilities using ecosystem-native audit tools.

Supported ecosystems:
- JavaScript: npm audit, yarn audit (v1 and Berry v2+), pnpm audit
- Python: pip-audit
- Rust: cargo audit
- Ruby: bundler-audit
- Go: govulncheck
- .NET: dotnet list package --vulnerable

The skill covers auto-detection of ecosystems via lock files, running the appropriate audit command with JSON output, presenting findings grouped by severity (critical -> high -> moderate -> low), and providing per-ecosystem remediation commands.

Also fixes marketplace.json: spark plugin was referencing ./skills/spark which does not exist; the correct path is ./skills/spark-app-template.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
558d976 to 8bd1179
Introduce a new skill that scans project dependencies for known CVEs and security vulnerabilities using the native audit tool for each detected package manager.

Supported ecosystems:
- JavaScript: npm audit, yarn audit (v1 and Berry v2+), pnpm audit
- Python: pip-audit
- Rust: cargo audit
- Ruby: bundler-audit
- Go: govulncheck
- .NET: dotnet list package --vulnerable

The skill auto-detects ecosystems from lock files, runs the audit with JSON output, reports findings by severity (critical, high, moderate, low) with CVE IDs and fix commands, and optionally cross-references open Dependabot alerts via gh api or the REST API.

Also registers the skill in marketplace.json and updates the advanced-security plugin README.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
A new dependency-scanning skill for the advanced-security plugin. Think of it as the sibling of the existing secret-scanning skill, but instead of looking for leaked credentials, it looks for known CVEs and security vulnerabilities in your project's dependencies.
How it works
When you ask something like "are there any vulnerabilities in my dependencies?" or "check my packages for CVEs", the agent will:
Supported ecosystems
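To make the detect / audit / group flow concrete, here is an added Python example (it is not the skill's own code and is not part of this PR) that maps lock files to JSON-emitting audit commands, flattens the report that `npm audit --json` (auditReportVersion 2) produces into findings, and buckets them critical -> high -> moderate -> low with a per-finding remediation hint. The lock-file-to-command table, the `example.invalid` advisory URLs, the package names and the sample report are constructed for illustration; only the npm parser is shown because the other tools each emit a different JSON shape.

```python
import json
from pathlib import Path

# Lock file -> (ecosystem, audit command that emits JSON). Follows the ecosystems
# the PR lists; the exact flags are assumptions for illustration, not the skill's
# own command table.
LOCKFILE_TO_AUDIT = {
    "package-lock.json": ("npm", "npm audit --json"),
    "yarn.lock": ("yarn", "yarn audit --json"),
    "pnpm-lock.yaml": ("pnpm", "pnpm audit --json"),
    "Cargo.lock": ("cargo", "cargo audit --json"),
    "Gemfile.lock": ("bundler", "bundle-audit check --format json"),
    "go.sum": ("go", "govulncheck -json ./..."),
}

SEVERITY_ORDER = ("critical", "high", "moderate", "low")


def detect_ecosystems(project_dir):
    """Return (ecosystem, audit command) pairs for every lock file present."""
    root = Path(project_dir)
    return [(eco, cmd) for lockfile, (eco, cmd) in LOCKFILE_TO_AUDIT.items()
            if (root / lockfile).is_file()]


def parse_npm_audit(report_json):
    """Flatten `npm audit --json` (auditReportVersion 2) into a list of findings.

    Each package entry carries a 'via' list: dict entries are advisories, string
    entries only point at another vulnerable package and carry no advisory.
    """
    data = json.loads(report_json)
    findings = []
    for pkg, entry in data.get("vulnerabilities", {}).items():
        for via in entry.get("via", []):
            if not isinstance(via, dict):
                continue
            findings.append({
                "package": pkg,
                "severity": via.get("severity", entry.get("severity", "low")).lower(),
                "title": via.get("title", ""),
                "advisory": via.get("url", ""),
                "fix_available": bool(entry.get("fixAvailable")),
            })
    return findings


def group_by_severity(findings):
    """Bucket findings critical -> high -> moderate -> low; unknown labels go last."""
    grouped = {sev: [] for sev in SEVERITY_ORDER}
    for finding in findings:
        grouped.setdefault(finding["severity"], []).append(finding)
    return {sev: items for sev, items in grouped.items() if items}


def render_report(grouped):
    """Render grouped findings as text, one remediation hint per finding."""
    lines = []
    for sev, items in grouped.items():
        lines.append(f"== {sev.upper()} ({len(items)}) ==")
        for f in items:
            fix = "npm audit fix" if f["fix_available"] else "no automatic fix; upgrade manually"
            lines.append(f"  {f['package']}: {f['title']} [{f['advisory']}] -> {fix}")
    return "\n".join(lines)


# Constructed sample in the npm audit v2 JSON shape (not output of a real audit run).
SAMPLE_NPM_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "lodash-example": {
            "name": "lodash-example", "severity": "high",
            "via": [{"source": 1001, "name": "lodash-example",
                     "title": "Prototype pollution (constructed)",
                     "url": "https://example.invalid/advisories/PLACEHOLDER-1",
                     "severity": "high"}],
            "fixAvailable": True,
        },
        "widget-example": {
            "name": "widget-example", "severity": "critical",
            "via": [{"source": 1002, "name": "widget-example",
                     "title": "Template injection (constructed)",
                     "url": "https://example.invalid/advisories/PLACEHOLDER-2",
                     "severity": "critical"},
                    "lodash-example"],  # transitive reference, no advisory of its own
            "fixAvailable": False,
        },
    },
})

if __name__ == "__main__":
    for eco, cmd in detect_ecosystems("."):
        print(f"detected {eco}: run `{cmd}`")
    print(render_report(group_by_severity(parse_npm_audit(SAMPLE_NPM_AUDIT))))
```

The string entry in `widget-example`'s `via` list is deliberately skipped: counting it would double-report the lodash advisory. Unknown severity labels (some tools emit none at all) land in their own bucket after `low` rather than being silently dropped, which is the behaviour you want when normalising several ecosystems into one report.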