What tools does SCA Runner use for scanning?

SCA Runner wraps npm audit for Node.js projects and Trivy for comprehensive multi-language support including Python, Go, and Rust.

What do the exit codes indicate?

An exit code of 0 means no vulnerabilities were found, 1 indicates vulnerabilities were detected, and 2 indicates a tool error or missing dependency.

How are vulnerability severities categorized?

The tool categorizes findings into Critical, High, Medium, and Low levels based on standard CVSS scores and provides details on the fixed version if available.

Can I scan a specific lockfile?

Yes, you can specify a direct path to a package file, such as ./package-lock.json, when running the scanner command.

Does it support languages other than JavaScript?

Yes, through the Trivy scanner, it supports Node.js, Python, Go, Ruby, Rust, Java, and .NET.

SCA Runner

Name: SCA Runner
Author: naporin0624

bynaporin0624

•

Security & Testing

Runs Software Composition Analysis (SCA) to identify and mitigate vulnerabilities in project dependencies across multiple languages.

About

SCA Runner is a specialized security skill designed to audit project dependencies for known vulnerabilities. By integrating industry-standard tools like npm audit and Trivy, it provides deep visibility into your software supply chain, identifying critical CVEs, prototype pollution, and other security risks. This skill is essential for developers maintaining high security standards, allowing for automated vulnerability checks and clear remediation paths within the Claude environment, supporting a wide range of ecosystems including Node.js, Python, Go, and Rust.

Key Features

Multi-scanner support using npm audit and Trivy
Standardized JSON output for automated security reporting
Summary reports categorizing findings by severity levels from Low to Critical
Support for multiple languages including Node.js, Python, Go, Ruby, and Rust
Automatic detection of vulnerable packages and recommended fixed versions
2 GitHub stars

Use Cases

Identifying and updating dependencies affected by prototype pollution or DoS vulnerabilities
Auditing a repository for known CVEs before a production deployment
Standardizing security scanning workflows across polyglot codebases

About

Key Features

Multi-scanner support using npm audit and Trivy
Standardized JSON output for automated security reporting
Summary reports categorizing findings by severity levels from Low to Critical
Support for multiple languages including Node.js, Python, Go, Ruby, and Rust
Automatic detection of vulnerable packages and recommended fixed versions
2 GitHub stars

Use Cases

Identifying and updating dependencies affected by prototype pollution or DoS vulnerabilities
Auditing a repository for known CVEs before a production deployment
Standardizing security scanning workflows across polyglot codebases