# Dependency Scanning

Identify vulnerabilities in third-party dependencies and libraries.

## When to Use This Skill

Use this skill when:

- Managing third-party dependencies
- Implementing software composition analysis (SCA)
- Meeting compliance requirements
- Securing the software supply chain
- Automating vulnerability detection

## Prerequisites

- Package manifest files (package.json, requirements.txt, etc.)
- CI/CD pipeline access
- Dependency scanning tool

## Tool Comparison

| Tool | Type | Languages | Best For |
|------|------|-----------|----------|
| Snyk | Commercial/Free | Many | Comprehensive SCA |
| Dependabot | Free (GitHub) | Many | Automated PRs |
| OWASP Dep-Check | OSS | Many | Free scanning |
| npm audit | Built-in | Node.js | Quick checks |
| pip-audit | OSS | Python | Python projects |
| Trivy | OSS | Many | Container deps |
## Snyk

### CLI Usage

```bash
# Install
npm install -g snyk

# Authenticate
snyk auth

# Test project
snyk test

# Monitor project (track over time)
snyk monitor

# Test a specific manifest
snyk test --file=package.json
snyk test --file=requirements.txt

# Output formats
snyk test --json > snyk-results.json
snyk test --sarif > snyk-results.sarif

# Fix vulnerabilities
snyk fix

# Ignore a vulnerability (time-boxed, with a documented reason)
snyk ignore --id=SNYK-JS-LODASH-567746 --expiry=2024-12-31 --reason="No exploit path"
```

### CI Integration

```yaml
# .github/workflows/snyk.yml
name: Snyk Security

on:
  push:
    branches: [main]
  pull_request:

jobs:
  snyk:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        # The step fails when findings meet the threshold; continue so the
        # SARIF upload below still runs and the findings reach code scanning.
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          # --sarif-file-output writes the file the upload step expects
          args: --severity-threshold=high --sarif-file-output=snyk.sarif

      - name: Upload results to GitHub
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk.sarif
```

### Policy File

```yaml
# .snyk
version: v1.25.0
ignore:
  SNYK-JS-LODASH-567746:
    - '*':
        reason: No user input reaches this function
        expires: 2024-12-31
        created: 2024-01-15
  'snyk:lic:npm:gpl-3.0':
    - '*':
        reason: Internal use only
patch: {}
```
## GitHub Dependabot

### Configuration

```yaml
# .github/dependabot.yml
version: 2
updates:
  # JavaScript/Node.js
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 10
    reviewers:
      - "security-team"
    labels:
      - "dependencies"
      - "security"
    ignore:
      - dependency-name: "aws-sdk"
        update-types: ["version-update:semver-major"]
    groups:
      development-dependencies:
        dependency-type: "development"
        update-types:
          - "minor"
          - "patch"

  # Python
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "daily"

  # Docker
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"

  # GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

### Security Alerts

Automated security updates: enable them in the repository under Settings > Security > Dependabot.

Dependabot will automatically:

- Create PRs for vulnerable dependencies
- Update to patched versions
- Provide CVE details in the PR description
## OWASP Dependency-Check

### Installation

```bash
# Download
wget https://github.com/jeremylong/DependencyCheck/releases/download/v9.0.0/dependency-check-9.0.0-release.zip
unzip dependency-check-9.0.0-release.zip

# Or via Homebrew
brew install dependency-check
```

### Usage

```bash
# Scan project
dependency-check --project "MyProject" \
  --scan /path/to/project \
  --out /path/to/reports \
  --format HTML \
  --format JSON

# With specific analyzers
dependency-check --project "MyProject" \
  --scan . \
  --enableExperimental \
  --disableRetireJS

# CI configuration: fail the build at CVSS 7 or above, honouring documented suppressions
dependency-check --project "MyProject" \
  --scan . \
  --format JSON \
  --failOnCVSS 7 \
  --suppression suppression.xml
```

### Suppression File

The XML declaration must be the first thing in the file, so the filename comment goes after it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- suppression.xml -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>False positive - not using vulnerable function</notes>
    <packageUrl regex="true">^pkg:npm/lodash@.*$</packageUrl>
    <cve>CVE-2021-23337</cve>
  </suppress>
  <suppress until="2024-12-31">
    <notes>Risk accepted - mitigated by WAF</notes>
    <cpe>cpe:/a:apache:struts:2.5.0</cpe>
    <vulnerabilityName>CVE-2023-12345</vulnerabilityName>
  </suppress>
</suppressions>
```

### Maven Integration

```xml
<!-- pom.xml -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>9.0.0</version>
  <configuration>
    <failBuildOnCVSS>7</failBuildOnCVSS>
    <suppressionFiles>
      <suppressionFile>suppression.xml</suppressionFile>
    </suppressionFiles>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```
## Language-Specific Tools

### Node.js (npm audit)

```bash
# Run audit
npm audit

# JSON output
npm audit --json

# Fix automatically
npm audit fix

# Fix with breaking changes (semver-major bumps; review before committing)
npm audit fix --force

# Production only (newer npm also accepts --omit=dev)
npm audit --production
```
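The `--audit-level` gate in CI only tells you pass or fail. When you need to know which findings crossed the line, whether they are in direct or transitive dependencies, and whether `npm audit fix` can resolve them without a breaking bump, the JSON report carries all of that. The script below is an added example, not part of this skill or of npm itself: it reads a report in the npm 7+ `auditReportVersion: 2` shape and classifies each finding. The embedded report is constructed (package names, advisory ids and ranges are illustrative, not real findings); in practice you would pipe `npm audit --json` into it.

```python
"""Triage `npm audit --json` output (npm 7+ report format, auditReportVersion 2).

Added example. The report below is constructed in the shape npm emits; the
packages, advisory URLs and ranges are illustrative, not real findings.
"""
import json

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample: `example-parser` carries the advisory, `example-cli`
# is only vulnerable because it depends on it, `example-logger` has no fix.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-parser": {
            "name": "example-parser", "severity": "high", "isDirect": False,
            "via": [{"source": 1000001, "name": "example-parser",
                     "title": "Prototype pollution (constructed)",
                     "url": "https://github.com/advisories/GHSA-xxxx-xxxx-xxxx",
                     "severity": "high", "range": "<2.0.0"}],
            "effects": ["example-cli"], "range": "<2.0.0",
            "nodes": ["node_modules/example-parser"], "fixAvailable": True,
        },
        "example-cli": {
            "name": "example-cli", "severity": "high", "isDirect": True,
            "via": ["example-parser"], "effects": [], "range": "1.0.0 - 1.4.2",
            "nodes": ["node_modules/example-cli"],
            "fixAvailable": {"name": "example-cli", "version": "2.0.0", "isSemVerMajor": True},
        },
        "example-logger": {
            "name": "example-logger", "severity": "moderate", "isDirect": True,
            "via": [{"source": 1000002, "name": "example-logger",
                     "title": "ReDoS (constructed)",
                     "url": "https://github.com/advisories/GHSA-yyyy-yyyy-yyyy",
                     "severity": "moderate", "range": "<3.1.0"}],
            "effects": [], "range": "<3.1.0",
            "nodes": ["node_modules/example-logger"], "fixAvailable": False,
        },
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1,
                                     "high": 2, "critical": 0, "total": 3}},
})


def fix_kind(entry):
    """Classify what `npm audit fix` can do for one vulnerable package."""
    fix = entry.get("fixAvailable")
    if fix is True:
        return "auto"        # resolved within the current semver range
    if isinstance(fix, dict) and fix.get("isSemVerMajor"):
        return "breaking"    # needs `npm audit fix --force` or a manual bump
    if isinstance(fix, dict):
        return "auto"
    return "none"            # no published fix; needs a compensating control


def triage(report_json, audit_level="high"):
    """Return findings at or above audit_level, sorted worst-first.

    Mirrors the filter `npm audit --audit-level=<level>` applies, and adds
    the fix category and the advisory (or package) each finding came via.
    """
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[audit_level]
    findings = []
    for name, entry in report.get("vulnerabilities", {}).items():
        if SEVERITY_RANK.get(entry["severity"], 0) < threshold:
            continue
        # `via` holds advisory objects for the root cause and plain package
        # names for packages that are vulnerable only through a dependency.
        advisories = [v["url"] for v in entry["via"] if isinstance(v, dict)]
        through = [v for v in entry["via"] if isinstance(v, str)]
        findings.append({
            "package": name,
            "severity": entry["severity"],
            "direct": entry.get("isDirect", False),
            "fix": fix_kind(entry),
            "advisories": advisories,
            "via": through,
        })
    # Highest severity first, direct dependencies before transitive ones
    findings.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], not f["direct"], f["package"]))
    return findings


def should_fail(report_json, audit_level="high"):
    """CI gate: True means the build should fail at this audit level."""
    return len(triage(report_json, audit_level)) > 0


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT, "high"):
        print(f"{f['severity']:8} {f['package']:16} direct={f['direct']} "
              f"fix={f['fix']} via={f['via'] or f['advisories']}")
    print("fail build:", should_fail(SAMPLE_REPORT, "high"))
```

Run it as `npm audit --json | python3 triage.py` after replacing `SAMPLE_REPORT` with `sys.stdin.read()`. The `breaking` category is the one to watch: `npm audit fix` leaves it alone and `--force` applies it blindly, so those findings need a changelog review and a test run before the lockfile change is merged.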
### Python (pip-audit)

```bash
# Install
pip install pip-audit

# Scan installed packages
pip-audit

# Scan requirements file
pip-audit -r requirements.txt

# Output formats
pip-audit --format json
pip-audit --format cyclonedx-json

# Fix vulnerabilities
pip-audit --fix
```

### Go (govulncheck)

```bash
# Install
go install golang.org/x/vuln/cmd/govulncheck@latest

# Scan project
govulncheck ./...

# JSON output
govulncheck -json ./...
```

### Ruby (bundler-audit)

```bash
# Install
gem install bundler-audit

# Update database
bundle-audit update

# Run audit
bundle-audit check

# Output format
bundle-audit check --format json
```
## SBOM Generation

### CycloneDX

```bash
# Node.js
npx @cyclonedx/cyclonedx-npm --output-file sbom.json

# Python
pip install cyclonedx-bom
cyclonedx-py -o sbom.json

# Go
go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest
cyclonedx-gomod mod -json > sbom.json
```

### Syft

```bash
# Install
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s

# Generate SBOM
syft dir:/path/to/project -o cyclonedx-json > sbom.json
syft dir:/path/to/project -o spdx-json > sbom-spdx.json

# From a container image
syft myimage:latest -o cyclonedx-json > sbom.json
```
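An SBOM is only useful if something consumes it. The added example below (not part of this skill or of any CycloneDX or Syft tooling) shows the two checks a tracked SBOM typically feeds: matching each component's package URL against an advisory list, and enforcing a licence deny-list of the kind the `.snyk` policy above expresses with `snyk:lic:npm:gpl-3.0`. Both the SBOM fragment and the advisory feed are constructed; real input would be the `sbom.json` written by the commands above and advisory data from OSV, GitHub Advisories or your scanner. The version comparison is a deliberately simple numeric one, not full semver.

```python
"""Check a CycloneDX JSON SBOM against an advisory list and a licence policy.

Added example. The SBOM, the advisories and the package names are constructed,
not the output of a real tool run.
"""
import json
import re
from urllib.parse import unquote

# Constructed CycloneDX 1.5 fragment: one vulnerable component, one with a
# denied licence, one already at the fixed version.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-parser", "version": "1.4.0",
         "purl": "pkg:npm/example-parser@1.4.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "group": "@example", "name": "widgets", "version": "3.2.1",
         "purl": "pkg:npm/%40example/widgets@3.2.1",   # namespaces are %-encoded in purls
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "example-logger", "version": "3.1.0",
         "purl": "pkg:npm/example-logger@3.1.0",
         "licenses": [{"expression": "MIT OR Apache-2.0"}]},
    ],
})

# Constructed advisory feed: versions below `fixed` are affected.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "ecosystem": "npm", "name": "example-parser",
     "fixed": "2.0.0", "severity": "high"},
    {"id": "EXAMPLE-ADV-0002", "ecosystem": "npm", "name": "example-logger",
     "fixed": "3.1.0", "severity": "moderate"},
]

DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}

PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?P<path>[^@?#]+)@(?P<version>[^?#]+)")


def parse_purl(purl):
    """Split a package URL into (ecosystem, name, version), decoding namespaces."""
    m = PURL_RE.match(purl)
    if not m:
        return None
    name = "/".join(unquote(p) for p in m.group("path").split("/"))
    return m.group("type"), name, m.group("version")


def version_key(v):
    """Tuple for ordering dotted versions; non-numeric parts count as 0.

    Good enough for a gate on release versions, not a full semver comparator.
    """
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-+]", v))


def component_licenses(component):
    """Collect licence ids, names or SPDX expressions declared on a component."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ids.append(lic.get("id") or lic.get("name") or entry.get("expression", ""))
    return ids


def check_sbom(sbom_json, advisories, denied_licenses=DENIED_LICENSES):
    """Return vulnerable components and licence-policy violations in the SBOM."""
    sbom = json.loads(sbom_json)
    index = {}
    for adv in advisories:
        index.setdefault((adv["ecosystem"], adv["name"]), []).append(adv)
    vulnerable, license_violations = [], []
    for comp in sbom.get("components", []):
        parsed = parse_purl(comp.get("purl", ""))
        if parsed is None:
            continue   # components without a purl cannot be matched reliably
        eco, name, version = parsed
        for adv in index.get((eco, name), []):
            if version_key(version) < version_key(adv["fixed"]):
                vulnerable.append({"purl": comp["purl"], "advisory": adv["id"],
                                   "severity": adv["severity"], "fixed": adv["fixed"]})
        for lic in component_licenses(comp):
            if lic in denied_licenses:
                license_violations.append({"purl": comp["purl"], "license": lic})
    return {"vulnerable": vulnerable, "license_violations": license_violations}


if __name__ == "__main__":
    print(json.dumps(check_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES), indent=2))
```

Keying on the purl rather than on the bare name is what makes this work across ecosystems: `pkg:npm/lodash` and `pkg:pypi/lodash` are different packages, and a scoped npm package only matches its advisory once the `%40` namespace is decoded.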
## CI/CD Pipeline

```yaml
# Comprehensive dependency scanning
name: Dependency Security

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: '0 8 * * *'

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # cyclonedx-npm reads the installed tree, so install from the lockfile first
      - name: Install dependencies
        run: npm ci

      - name: npm audit
        run: npm audit --audit-level=high

      - name: Snyk scan
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

      - name: Generate SBOM
        run: npx @cyclonedx/cyclonedx-npm --output-file sbom.json

      - name: Upload SBOM
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.json
```
## Common Issues

### Issue: Too Many Alerts

- Problem: Overwhelmed by vulnerability count
- Solution: Prioritize by exploitability, filter by severity

### Issue: No Fix Available

- Problem: Vulnerable dependency has no patch
- Solution: Consider alternatives, implement compensating controls

### Issue: Breaking Updates

- Problem: Security fix breaks functionality
- Solution: Review changelogs, test thoroughly, use lockfiles
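"Prioritize by exploitability" and "document exceptions properly" are easy to say and tedious to do by hand across a few hundred findings. The added example below (this skill's own illustration, not Snyk's scoring or a Snyk tool) ranks findings by severity, exploit maturity, dependency depth and fix availability, then drafts time-boxed `.snyk` ignore entries for the ones that have no fix, so an accepted risk always carries a reason and an expiry. The records are constructed and use the field names of `snyk test --json` output as assumed here (`id`, `packageName`, `version`, `severity`, `cvssScore`, `exploit`, `isUpgradable`, `isPatchable`, `fixedIn`, `from`); the ids, packages and the exploit-maturity labels and weights are this example's assumptions.

```python
"""Rank findings by exploitability and fix availability; draft time-boxed
`.snyk` ignore entries for accepted, unfixable risks.

Added example. Records are constructed in the assumed shape of
`snyk test --json` vulnerabilities; weights are illustrative, not a Snyk rule.
"""
import json
from datetime import date, timedelta

SEVERITY_WEIGHT = {"critical": 40, "high": 30, "medium": 20, "low": 10}
# Exploit-maturity labels as assumed from scanner output; higher = more weaponised
EXPLOIT_WEIGHT = {"Mature": 30, "Functional": 25, "Proof of Concept": 15,
                  "Unproven": 5, "Not Defined": 0, "No Known Exploit": 0}

# Constructed findings: a direct critical with a mature exploit, a transitive
# high with a PoC, and a direct medium with no fix published.
SAMPLE_FINDINGS = [
    {"id": "EXAMPLE-JS-AAA-0001", "packageName": "example-parser", "version": "1.4.0",
     "title": "Prototype pollution (constructed)", "severity": "high", "cvssScore": 7.5,
     "exploit": "Proof of Concept", "isUpgradable": True, "isPatchable": False,
     "fixedIn": ["2.0.0"], "from": ["app@1.0.0", "example-cli@1.4.2", "example-parser@1.4.0"]},
    {"id": "EXAMPLE-JS-BBB-0002", "packageName": "example-logger", "version": "3.0.0",
     "title": "ReDoS (constructed)", "severity": "medium", "cvssScore": 5.3,
     "exploit": "Not Defined", "isUpgradable": False, "isPatchable": False,
     "fixedIn": [], "from": ["app@1.0.0", "example-logger@3.0.0"]},
    {"id": "EXAMPLE-JS-CCC-0003", "packageName": "example-crypto", "version": "0.9.1",
     "title": "Weak randomness (constructed)", "severity": "critical", "cvssScore": 9.1,
     "exploit": "Mature", "isUpgradable": True, "isPatchable": False,
     "fixedIn": ["1.0.0"], "from": ["app@1.0.0", "example-crypto@0.9.1"]},
]


def priority(finding):
    """Higher score = fix first. Weights are this example's choice."""
    score = SEVERITY_WEIGHT.get(finding["severity"], 0)
    score += EXPLOIT_WEIGHT.get(finding.get("exploit", "Not Defined"), 0)
    # A direct dependency (path app -> package) is quicker to fix and easier
    # to reason about than a deep transitive one.
    if len(finding.get("from", [])) <= 2:
        score += 5
    # Fixable findings rank above unfixable ones at equal risk: the effort is
    # small, and unfixable ones need a separate risk decision anyway.
    if finding.get("isUpgradable") or finding.get("isPatchable"):
        score += 5
    return score


def rank(findings, min_severity="medium"):
    """Filter by a severity floor, then order worst-first by priority()."""
    floor = SEVERITY_WEIGHT[min_severity]
    kept = [f for f in findings if SEVERITY_WEIGHT.get(f["severity"], 0) >= floor]
    return sorted(kept, key=lambda f: (-priority(f), f["id"]))


def draft_ignore_policy(findings, reason, days=90, today=None):
    """Build a .snyk document ignoring only findings that have no fix.

    Every entry carries a reason, an expiry and a creation date, so accepted
    risk is revisited rather than silently permanent.
    """
    start = date.fromisoformat(today) if today else date.today()
    expires = start + timedelta(days=days)
    ignore = {}
    for f in findings:
        if f.get("isUpgradable") or f.get("isPatchable") or f.get("fixedIn"):
            continue   # a fix exists: upgrade instead of ignoring
        ignore[f["id"]] = [{"*": {"reason": reason,
                                  "expires": expires.isoformat(),
                                  "created": start.isoformat()}}]
    return {"version": "v1.25.0", "ignore": ignore, "patch": {}}


if __name__ == "__main__":
    for f in rank(SAMPLE_FINDINGS):
        print(f"{priority(f):3} {f['severity']:8} exploit={f['exploit']!r:20} "
              f"{f['packageName']}@{f['version']} fixedIn={f['fixedIn']}")
    policy = draft_ignore_policy(SAMPLE_FINDINGS, "Input is trusted config, not user-controlled",
                                 today="2024-01-15")
    print(json.dumps(policy, indent=2))   # serialise as YAML for a real .snyk file
```

The ranking puts the direct, weaponised critical first and the transitive high second even though the transitive one has a fix: risk outranks convenience. The policy draft refuses to ignore anything with a `fixedIn` version, which keeps "no fix available" from becoming a catch-all excuse; the 90-day expiry forces the exception to be re-justified when it lapses.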
## Best Practices

- Scan on every build
- Use lockfiles for reproducibility
- Set severity thresholds
- Generate and track SBOMs
- Document exceptions properly
- Update dependencies regularly
- Monitor for new vulnerabilities
- Automate PR creation for updates

## Related Skills

- sast-scanning - Code vulnerabilities
- container-scanning - Container dependencies
- github-actions - CI integration