Dependency Health Check Skill

Assess dependency health across CVE exposure, freshness, maintainer risk, and license compatibility.

Trigger Conditions

• Weekly automated health check cadence
• New dependency added to the project
• User invokes with "dependency health" or "check dependencies"

Input Contract

• Required: Dependency manifest (go.mod, package.json, requirements.txt)
• Optional: CVE database reference, license policy

Output Contract

• Health report per dependency (CVE count, freshness, maintainer score, license)
• Risk-scored upgrade priority matrix
• SBOM (Software Bill of Materials)

Tool Permissions

• Read: Lock files, dependency tree, CVE databases
• Write: Health reports, SBOM
• Execute: Dependency scanning tools

Execution Steps

1. Parse dependency manifest and resolve full tree (direct + transitive)
2. Check each dependency against CVE databases
3. Score freshness (versions behind latest)
4. Assess maintainer health (bus factor, commit frequency, funding)
5. Check license compatibility with project distribution model
6. Generate SBOM
7. Produce risk-scored priority matrix

Success Criteria

• Full dependency tree analyzed (direct + transitive)
• CVE status current (within 24 hours)
• License compatibility verified
• SBOM generated

Escalation Rules

• Escalate Critical CVEs immediately
• Escalate if a direct dependency has bus factor of 1
• Escalate if GPL dependency found in proprietary project

Example Invocations

Input: "Run dependency health check on our Go service"

Output: 142 dependencies analyzed (23 direct, 119 transitive). CVEs: 0 Critical, 2 High (golang.org/x/net, google.golang.org/grpc), 5 Medium. Freshness: 4 dependencies >2 major versions behind. License: all compatible (MIT, Apache-2.0, BSD). SBOM generated. Priority: upgrade x/net immediately (CVE-2025-1234, CVSS 8.1).