vuln-scan
Multi-language dependency security scan - Use Safety CLI and OSV-Scanner to quickly detect dependency vulnerabilities in Python/JS/Java projects
Best use case
vuln-scan is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using vuln-scan should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/vuln-scan/SKILL.md` inside your project
- Restart your AI agent; it will auto-discover the skill
SKILL.md Source
# Vulnerability Scanner Skill
## 📋 Overview
Provides two lightweight vulnerability scanning tools:
- **Safety CLI**: Python/JS/Java smart scanning (AI enhanced)
- **OSV-Scanner**: Google open source, supports multiple ecosystems
## 🔧 Prerequisites
| Tool | Installation (All Platforms) |
|------|------------------------------|
| Safety CLI | `pip install safety` |
| OSV-Scanner | [Download](https://github.com/google/osv-scanner/releases) |
## 🚀 Usage
**Safety CLI Scan:**
```bash
# Windows
.\.agents\skills\vuln-scan\scripts\safety-scan.ps1
# Linux/Mac
./.agents/skills/vuln-scan/scripts/safety-scan.sh
```
**OSV-Scanner Scan:**
```bash
# Windows
.\.agents\skills\vuln-scan\scripts\osv-scan.ps1
# Linux/Mac
./.agents/skills/vuln-scan/scripts/osv-scan.sh
```
**CI/CD Mode:**
```bash
.\.agents\skills\vuln-scan\scripts\safety-scan.ps1 -CI
# Sets exit code, breaks pipeline on failure
```
## 🎯 Scan Coverage
### Safety CLI Support
- ✅ Python (requirements.txt, Pipfile, pyproject.toml)
- ✅ JavaScript/TypeScript (package.json, package-lock.json)
- ✅ Java (pom.xml, build.gradle)
### OSV-Scanner Support
- ✅ Python, JavaScript, TypeScript
- ✅ Java, Go, Rust
- ✅ Ruby, PHP, C/C++
- ✅ And 20+ other ecosystems
## 📊 Output Example
```
🔍 Vulnerability Scan - Safety CLI
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📦 Scanning: requirements.txt (23 dependencies)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
╭────────────────────────────────────────╮
│ ❌ VULNERABILITY FOUND │
├────────────────────────────────────────┤
│ Package: urllib3 │
│ Installed: 1.26.5 │
│ Affected: <1.26.18 │
│ ID: 51499 │
│ │
│ OWASP Top 10: A05:2021 - Security │
│ Misconfiguration │
│ │
│ Description: │
│ urllib3's request body can leak from │
│ URLError exceptions │
│ │
│ Fix: Upgrade to urllib3>=1.26.18 │
╰────────────────────────────────────────╯
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📊 Scan Results:
🔴 Critical: 0
🟠 High: 1
🟡 Medium: 2
🟢 Low: 0
💡 Fix Suggestion:
pip install --upgrade urllib3>=1.26.18
```
## ⚙️ Configuration
### Safety CLI (`.safety-policy.yml`)
```yaml
# Security policy config
security:
  # Ignore specific vulnerability IDs
  ignore-vulnerabilities:
    51499:
      reason: "False positive - not using affected functionality"
      expires: "2026-12-31"
  # Ignore specific packages
  ignore-packages:
    - package: test-utils
      reason: "Dev dependency only"
  # Set CVSS threshold
  continue-on-vulnerability-error: false
  fail-security-check-threshold: 7.0

# Monitoring config
alert:
  # Optional: Integrate Slack/Email alerts
  on-vulnerability: slack
  webhook: ${SAFETY_WEBHOOK_URL}
```
### OSV-Scanner (osv-scanner.toml)
```toml
[[IgnoredVulns]]
id = "GHSA-xxxx-yyyy-zzzz"
reason = "Not applicable to our use case"

[[PackageOverrides]]
name = "example"
version = "1.0.0"
ecosystem = "npm"
ignore = true
```
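As an added example (not part of the skill or of either tool), the following Python policy gate applies the suppression rules from the configuration section to a constructed set of findings and derives the exit code that CI/CD mode uses to break the pipeline. The policy keys follow the `.safety-policy.yml` above; the flattened finding records, the advisory ids other than 51499, and the package versions are constructed.

```python
from datetime import date

# Policy mirroring the .safety-policy.yml keys above; values are constructed.
POLICY = {
    "ignore-vulnerabilities": {
        "51499": {"reason": "Not using affected functionality", "expires": "2026-12-31"},
        "12345": {"reason": "Mitigated at the proxy", "expires": "2024-01-31"},  # expired
    },
    "ignore-packages": [{"package": "test-utils", "reason": "Dev dependency only"}],
    "fail-security-check-threshold": 7.0,
}

# Constructed findings, flattened to package / version / advisory id / CVSS score.
FINDINGS = [
    {"package": "urllib3", "version": "1.26.5", "id": "51499", "cvss": 7.5},
    {"package": "requests", "version": "2.25.0", "id": "12345", "cvss": 8.1},
    {"package": "test-utils", "version": "0.1.0", "id": "77777", "cvss": 9.8},
    {"package": "jinja2", "version": "2.11.0", "id": "88888", "cvss": 5.4},
]

def suppression_reason(finding, policy, today):
    """Return the documented reason that suppresses this finding, or None.
    A package-level ignore wins outright; a vulnerability-level ignore must
    carry a reason, and one whose expiry date has passed counts as absent.
    """
    for rule in policy.get("ignore-packages", []):
        if rule["package"] == finding["package"]:
            return rule["reason"]
    entry = policy.get("ignore-vulnerabilities", {}).get(finding["id"])
    if entry is None:
        return None
    if not entry.get("reason"):
        raise ValueError(f"ignore entry for {finding['id']} has no reason")
    if date.fromisoformat(entry["expires"]) < date.fromisoformat(today):
        return None  # expired suppression: the finding resurfaces
    return entry["reason"]

def evaluate(findings, policy, today):
    """Apply the policy and derive the CI exit code (1 breaks the pipeline)."""
    threshold = policy["fail-security-check-threshold"]
    report = {"suppressed": [], "open": [], "exit_code": 0}
    for finding in findings:
        reason = suppression_reason(finding, policy, today)
        if reason:
            report["suppressed"].append((finding["id"], reason))
            continue
        report["open"].append(finding["id"])
        if finding["cvss"] >= threshold:  # open finding at/above threshold fails
            report["exit_code"] = 1
    return report
```

Run `evaluate(FINDINGS, POLICY, "2025-06-01")` to see the expired entry for 12345 resurface and push the exit code to 1, while the still-valid entry for 51499 and the package-level rule keep their findings suppressed.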
## 🔄 Auto-fix
**Safety CLI Auto-upgrade:**
```bash
# Generate fix commands
safety check --json | safety generate fixes
# Or apply fixes directly (use with caution)
safety check --apply-fixes
```
**Manual Fix Examples:**
```bash
# Python (quote the spec so the shell does not treat ">=" as a redirect)
pip install --upgrade "package-name>=safe-version"
# JavaScript (npm install accepts an explicit version; npm update ignores the spec)
npm install package-name@safe-version
# Java (Maven)
# Modify the dependency version in pom.xml
```
## 🔗 CI/CD Integration
### GitHub Actions (Safety CLI)
```yaml
name: Security Scan
on: [push, pull_request]
jobs:
  safety-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - name: Install Safety
        run: pip install safety
      - name: Run Safety Check
        run: safety check --json
        env:
          SAFETY_API_KEY: ${{ secrets.SAFETY_API_KEY }}
```
### GitLab CI (OSV-Scanner)
```yaml
osv-scan:
  image: golang:latest
  script:
    - go install github.com/google/osv-scanner/cmd/osv-scanner@latest
    - osv-scanner --lockfile=package-lock.json
```
## 🆘 FAQ
**Q: Does Safety CLI require an API Key?**
A: The free version has limits; applying for a free API key at [safetycli.com](https://safetycli.com/) is recommended.
**Q: OSV-Scanner vs Safety CLI?**
A:
- **OSV-Scanner**: Wider language support, community-driven
- **Safety CLI**: Stronger Python ecosystem, AI-enhanced detection
**Q: How to use in offline environments?**
A: Safety CLI can download an offline database; OSV-Scanner supports local caching.
**Q: Too many false positives?**
A: Use the config files to suppress known false positives, and record a reason for each suppressed entry.
## 🔗 Related Resources
- [Safety CLI Documentation](https://docs.safetycli.com/)
- [OSV-Scanner GitHub](https://github.com/google/osv-scanner)
- [OSV Vulnerability Database](https://osv.dev/)