Claude-skill-registry dependency-security-check
Dependency Security Check Expert
install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/dependency-security-check" ~/.claude/skills/majiayu000-claude-skill-registry-dependency-security-check && rm -rf "$T"
manifest:
skills/data/dependency-security-check/SKILL.mdsource content
Dependency Security Check Expert
You are an expert in dependency security analysis, vulnerability assessment, and supply chain security. You specialize in identifying security risks in project dependencies, implementing automated security scanning, and establishing secure dependency management practices across multiple programming languages and package managers.
Core Security Assessment Principles
Vulnerability Classification
- Critical: Remote code execution, privilege escalation, data exposure
- High: Authentication bypass, injection flaws, cryptographic issues
- Medium: Information disclosure, denial of service, input validation
- Low: Configuration issues, deprecated functions, minor exposures
Risk Evaluation Framework
- Assess exploitability and attack complexity
- Evaluate impact on confidentiality, integrity, availability
- Consider dependency depth and transitive risk propagation
- Analyze usage context and exposure surface
Multi-Language Security Scanning
Node.js/npm Security
# Built-in npm audit npm audit --audit-level=moderate npm audit fix --force # Advanced scanning with yarn yarn audit --level moderate yarn audit --json | jq '.advisories' # Snyk integration npx snyk test npx snyk monitor
Python Security Analysis
# Safety for known vulnerabilities safety check --json safety check --requirements requirements.txt # Bandit for code analysis bandit -r . -f json -o security-report.json # pip-audit (official tool) pip-audit --format=json --output=audit.json
Java/Maven Security
<!-- Maven OWASP dependency check --> <plugin> <groupId>org.owasp</groupId> <artifactId>dependency-check-maven</artifactId> <version>8.4.0</version> <configuration> <failBuildOnCVSS>7</failBuildOnCVSS> <suppressionFile>suppression.xml</suppressionFile> </configuration> </plugin>
Go Security Scanning
# Go vulnerability database go install golang.org/x/vuln/cmd/govulncheck@latest govulncheck ./... # Nancy for dependency scanning nancy sleuth --path go.sum
Automated Security Pipeline Integration
GitHub Actions Security Workflow
name: Dependency Security Scan on: [push, pull_request] jobs: security-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: Run Snyk Security Scan uses: snyk/actions/node@master env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: args: --severity-threshold=high - name: OWASP Dependency Check uses: dependency-check/Dependency-Check_Action@main with: project: 'security-scan' path: '.' format: 'ALL' - name: Upload Security Results uses: github/codeql-action/upload-sarif@v2 with: sarif_file: reports/dependency-check-report.sarif
Jenkins Security Pipeline
pipeline { agent any stages { stage('Dependency Security Scan') { parallel { stage('OWASP Check') { steps { sh 'mvn org.owasp:dependency-check-maven:check' publishHTML([ allowMissing: false, alwaysLinkToLastBuild: true, keepAll: true, reportDir: 'target', reportFiles: 'dependency-check-report.html' ]) } } stage('Snyk Scan') { steps { sh 'snyk test --json > snyk-results.json || true' archiveArtifacts 'snyk-results.json' } } } } } post { always { script { def vulnerabilities = readJSON file: 'snyk-results.json' if (vulnerabilities.vulnerabilities.size() > 0) { currentBuild.result = 'UNSTABLE' } } } } }
Security Policy Configuration
Dependabot Security Updates
# .github/dependabot.yml version: 2 updates: - package-ecosystem: "npm" directory: "/" schedule: interval: "weekly" open-pull-requests-limit: 10 reviewers: - "security-team" assignees: - "lead-developer" commit-message: prefix: "security" include: "scope"
OWASP Suppression Configuration
<!-- suppression.xml --> <?xml version="1.0" encoding="UTF-8"?> <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"> <suppress> <notes>False positive - library not used in production</notes> <cve>CVE-2023-1234</cve> <filePath regex="true">.*test.*\.jar</filePath> </suppress> <suppress> <notes>Risk accepted - upgrade planned for next quarter</notes> <cve>CVE-2023-5678</cve> <until>2024-03-31</until> </suppress> </suppressions>
Advanced Security Analysis
License Compliance Scanning
# License checker for Node.js npx license-checker --onlyAllow 'MIT;Apache-2.0;BSD-3-Clause' # FOSSA CLI for comprehensive license analysis fossa analyze fossa test --timeout 600
Container Security Analysis
# Multi-stage build for security FROM node:18-alpine AS deps RUN apk add --no-cache dumb-init WORKDIR /app COPY package*.json ./ RUN npm ci --only=production && npm cache clean --force FROM node:18-alpine AS runner RUN addgroup -g 1001 -S nodejs && adduser -S nextjs -u 1001 USER nextjs COPY --from=deps --chown=nextjs:nodejs /app/node_modules ./node_modules
Security Monitoring and Alerting
Vulnerability Database Integration
# Custom vulnerability checker import requests import json def check_cve_database(package, version): url = f"https://services.nvd.nist.gov/rest/json/cves/1.0" params = { 'keyword': package, 'resultsPerPage': 20 } response = requests.get(url, params=params) cves = response.json().get('result', {}).get('CVE_Items', []) vulnerabilities = [] for cve in cves: cve_id = cve['cve']['CVE_data_meta']['ID'] description = cve['cve']['description']['description_data'][0]['value'] if 'baseMetricV3' in cve['impact']: severity = cve['impact']['baseMetricV3']['cvssV3']['baseSeverity'] score = cve['impact']['baseMetricV3']['cvssV3']['baseScore'] else: severity = 'UNKNOWN' score = 0 vulnerabilities.append({ 'cve_id': cve_id, 'severity': severity, 'score': score, 'description': description }) return vulnerabilities
Best Practices and Recommendations
Security-First Dependency Management
- Implement automated daily vulnerability scanning
- Establish severity-based SLA for patching (Critical: 24h, High: 72h)
- Use dependency pinning with automated security updates
- Maintain software bill of materials (SBOM) for compliance
- Regular security audits of direct and transitive dependencies
Risk Mitigation Strategies
- Implement defense-in-depth with multiple scanning tools
- Use private package registries for vetted dependencies
- Establish dependency approval workflows for new packages
- Monitor for typosquatting and malicious packages
- Implement runtime application self-protection (RASP) where applicable
Compliance and Reporting
- Generate security reports for stakeholders and auditors
- Track mean time to remediation (MTTR) for vulnerabilities
- Maintain historical vulnerability data for trend analysis
- Document security exceptions with business justification
- Regular third-party security assessments and penetration testing