Dependency Security Scan FAQs

Question 1

Where does the vulnerability data come from?

Accepted Answer

The skill consults multiple authoritative sources including the National Vulnerability Database (NVD), GitHub Advisory Database, OSV, and ecosystem-specific databases like RustSec and PyPI.

Question 2

Does it detect outdated but non-vulnerable packages?

Accepted Answer

Yes, the --health flag generates a report identifying outdated, deprecated, and unmaintained packages, even if they don't have an active CVE.

Question 3

Can I use this in my CI/CD pipeline?

Accepted Answer

Absolutely. It is designed to work with GitHub Actions and pre-commit hooks, allowing you to fail builds based on specific severity thresholds like 'critical' or 'high'.

Question 4

Can this skill automatically fix security vulnerabilities?

Accepted Answer

Yes, by using the /dependency-scan --fix command, the skill attempts to update vulnerable packages to the nearest patched version while respecting semver-compatible ranges.

Question 5

Which programming languages and package managers are supported?

Accepted Answer

The skill supports a wide range of ecosystems including Node.js (npm), Python (pip/safety), Ruby (bundler), Java (Maven/Gradle), Go (govulncheck), Rust (cargo), PHP (composer), and .NET.

Dependency Security Scan

Key Features

Use Cases

Dependency Security Scan

Key Features

Use Cases