How are security vulnerabilities classified?

Vulnerabilities are mapped to the Common Vulnerability Scoring System (CVSS): Critical (9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), and Low (0.1-3.9).

Does it automatically apply fixes to my project?

It provides specific fix recommendations and commands. While it identifies safe patches, it strictly follows a rule to never auto-fix major versions to prevent breaking changes in your code.

Which programming ecosystems are supported?

This skill supports a wide range of ecosystems including Node.js (npm), .NET (NuGet), Python (pip, Pipfile, pyproject.toml), Go modules, Ruby (Bundler), Rust (Cargo), and PHP (Composer).

What happens if an audit tool is missing on my system?

The skill performs an availability check for each ecosystem. If a specific tool is missing, it logs a warning and skips that ecosystem rather than failing the entire process.

Can this skill be used for CI/CD automation?

Yes, it is designed to work within delivery workflows and can be integrated into CI/CD pipelines to serve as a quality gate for security compliance.

Dependency Security Audit

Name: Dependency Security Audit
Author: levnikolaevich

bylevnikolaevich

•

보안 및 테스팅

Audits project dependencies for security vulnerabilities across multiple programming ecosystems using CVSS-based classification.

소개

The Dependency Security Audit skill is a comprehensive security tool for Claude Code that automatically identifies vulnerabilities in third-party libraries across npm, NuGet, pip, Go, and more. It goes beyond simple scanning by normalizing findings into a CVSS-based severity report, recommending safe patches, and distinguishing between minor updates and potentially breaking major version changes. This skill is essential for project bootstrapping, pre-release validation, and maintaining a secure software supply chain through automated, actionable intelligence.

주요 기능

Multi-ecosystem support including npm, .NET, Python, Go, Ruby, and Rust
Automated fix recommendations with safe vs. manual update labeling
Integrity verification for project lock files
38 GitHub stars
Normalized reporting compatible with parent orchestrators
Standardized CVSS-based severity classification from Low to Critical

사용 사례

Pre-release security validation to identify and fix vulnerabilities before shipping
Initial project security setup to establish a clean dependency baseline
Automated security auditing during CI/CD pipeline execution

소개

주요 기능

Multi-ecosystem support including npm, .NET, Python, Go, Ruby, and Rust
Automated fix recommendations with safe vs. manual update labeling
Integrity verification for project lock files
38 GitHub stars
Normalized reporting compatible with parent orchestrators
Standardized CVSS-based severity classification from Low to Critical

사용 사례

Pre-release security validation to identify and fix vulnerabilities before shipping
Initial project security setup to establish a clean dependency baseline
Automated security auditing during CI/CD pipeline execution