ワンクリックで
sc-dependency-audit
Supply chain and dependency security analysis across all package ecosystems
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
Supply chain and dependency security analysis across all package ecosystems
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
Comprehensive AI-powered security scanning suite with 48 skills covering OWASP Top 10, 7 language-specific deep scanners (Go, TypeScript, Python, PHP, Rust, Java, C#), supply chain analysis, infrastructure-as-code scanning, and 3000+ checklist items. Use when you need to run a security audit, find vulnerabilities, scan a PR for security issues, or perform a penetration test on a codebase.
C#/.NET-specific security deep scan
Go-specific security deep scan
Java/Kotlin-specific security deep scan
PHP-specific security deep scan
Python-specific security deep scan
| name | sc-dependency-audit |
| description | Supply chain and dependency security analysis across all package ecosystems |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
Analyzes all project dependencies for known vulnerabilities, supply chain risks, typosquatting attempts, and dangerous build-time behaviors. Covers all major package ecosystems: npm, PyPI, crates.io, Maven Central, NuGet, Packagist, and Go modules.
Runs as part of Phase 1 (Reconnaissance), immediately after sc-recon.
File: security-report/dependency-audit.md
Search for dependency manifest and lock files:
| Ecosystem | Manifest | Lock File |
|---|---|---|
| Node.js | package.json | package-lock.json, yarn.lock, pnpm-lock.yaml |
| Python | requirements.txt, pyproject.toml, Pipfile, setup.py, setup.cfg | Pipfile.lock, poetry.lock |
| Go | go.mod | go.sum |
| Rust | Cargo.toml | Cargo.lock |
| Java | pom.xml, build.gradle, build.gradle.kts | gradle.lockfile |
| C# | *.csproj, packages.config | packages.lock.json |
| PHP | composer.json | composer.lock |
| Ruby | Gemfile | Gemfile.lock |
For each detected ecosystem:
For each dependency, check for known vulnerabilities by analyzing:
Common vulnerable dependency patterns to flag:
Node.js:
lodash < 4.17.21 (prototype pollution)minimist < 1.2.6 (prototype pollution)json5 < 2.2.2 (prototype pollution)node-fetch < 2.6.7 (SSRF via redirect)express < 4.19.2 (open redirect)jsonwebtoken < 9.0.0 (algorithm confusion)eval or Function() in sourcePython:
pyyaml < 6.0 with yaml.load() usagerequests < 2.31.0 (various)urllib3 < 2.0.6 (header injection)cryptography < 41.0.0 (multiple CVEs)django version-specific CVEsflask with debug=True patternsGo:
go.sum for integrityreplace directives pointing to local paths or non-standard URLsRust:
unsafe crates with high usagebuild.rs presence in dependenciesJava:
log4j < 2.17.1 (Log4Shell — CVE-2021-44228)jackson-databind polymorphic typing versionsspring-framework < 5.3.18 (Spring4Shell)commons-collections deserialization gadgetsfastjson < 1.2.83 (deserialization RCE)C#:
System.Text.Json < 6.0.0 (various)Newtonsoft.Json TypeNameHandling patternsMicrosoft.AspNetCore version-specific CVEsFor each dependency, check for typosquatting indicators:
Common typosquatting patterns:
lodash → lodassh, 1odash@types/react → types-reactnode-fetch → node_fetchCheck for dependency confusion attack vectors:
.npmrc, pip.conf, settings.xml point to correct registriesInspect build-time scripts that execute during installation:
npm:
postinstall, preinstall, prepare scripts in package.jsonPython:
setup.py with os.system(), subprocess, or network callspyproject.toml build backend custom scriptsRust:
build.rs files in dependenciesproc-macro crates that generate code at compile timeJava:
Go:
//go:generate directivesCheck dependency licenses for:
For each flagged dependency:
The output must include a summary section:
## Dependency Audit Summary
- Total dependencies: {N} (direct: {D}, transitive: {T})
- Ecosystems scanned: {list}
- Known vulnerabilities found: {N} (Critical: {C}, High: {H}, Medium: {M}, Low: {L})
- Typosquatting risks: {N}
- Dependency confusion risks: {N}
- License concerns: {N}
- Outdated dependencies: {N}