원클릭으로
sc-dependency-audit
Supply chain and dependency security analysis across all package ecosystems
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Supply chain and dependency security analysis across all package ecosystems
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Comprehensive AI-powered security scanning suite with 48 skills covering OWASP Top 10, 7 language-specific deep scanners (Go, TypeScript, Python, PHP, Rust, Java, C#), supply chain analysis, infrastructure-as-code scanning, and 3000+ checklist items. Use when you need to run a security audit, find vulnerabilities, scan a PR for security issues, or perform a penetration test on a codebase.
C#/.NET-specific security deep scan
Go-specific security deep scan
Java/Kotlin-specific security deep scan
PHP-specific security deep scan
Python-specific security deep scan
| name | sc-dependency-audit |
| description | Supply chain and dependency security analysis across all package ecosystems |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
Analyzes all project dependencies for known vulnerabilities, supply chain risks, typosquatting attempts, and dangerous build-time behaviors. Covers all major package ecosystems: npm, PyPI, crates.io, Maven Central, NuGet, Packagist, and Go modules.
Runs as part of Phase 1 (Reconnaissance), immediately after sc-recon.
File: security-report/dependency-audit.md
Search for dependency manifest and lock files:
| Ecosystem | Manifest | Lock File |
|---|---|---|
| Node.js | package.json | package-lock.json, yarn.lock, pnpm-lock.yaml |
| Python | requirements.txt, pyproject.toml, Pipfile, setup.py, setup.cfg | Pipfile.lock, poetry.lock |
| Go | go.mod | go.sum |
| Rust | Cargo.toml | Cargo.lock |
| Java | pom.xml, build.gradle, build.gradle.kts | gradle.lockfile |
| C# | *.csproj, packages.config | packages.lock.json |
| PHP | composer.json | composer.lock |
| Ruby | Gemfile | Gemfile.lock |
For each detected ecosystem:
For each dependency, check for known vulnerabilities by analyzing:
Common vulnerable dependency patterns to flag:
Node.js:
lodash < 4.17.21 (prototype pollution)minimist < 1.2.6 (prototype pollution)json5 < 2.2.2 (prototype pollution)node-fetch < 2.6.7 (SSRF via redirect)express < 4.19.2 (open redirect)jsonwebtoken < 9.0.0 (algorithm confusion)eval or Function() in sourcePython:
pyyaml < 6.0 with yaml.load() usagerequests < 2.31.0 (various)urllib3 < 2.0.6 (header injection)cryptography < 41.0.0 (multiple CVEs)django version-specific CVEsflask with debug=True patternsGo:
go.sum for integrityreplace directives pointing to local paths or non-standard URLsRust:
unsafe crates with high usagebuild.rs presence in dependenciesJava:
log4j < 2.17.1 (Log4Shell — CVE-2021-44228)jackson-databind polymorphic typing versionsspring-framework < 5.3.18 (Spring4Shell)commons-collections deserialization gadgetsfastjson < 1.2.83 (deserialization RCE)C#:
System.Text.Json < 6.0.0 (various)Newtonsoft.Json TypeNameHandling patternsMicrosoft.AspNetCore version-specific CVEsFor each dependency, check for typosquatting indicators:
Common typosquatting patterns:
lodash → lodassh, 1odash@types/react → types-reactnode-fetch → node_fetchCheck for dependency confusion attack vectors:
.npmrc, pip.conf, settings.xml point to correct registriesInspect build-time scripts that execute during installation:
npm:
postinstall, preinstall, prepare scripts in package.jsonPython:
setup.py with os.system(), subprocess, or network callspyproject.toml build backend custom scriptsRust:
build.rs files in dependenciesproc-macro crates that generate code at compile timeJava:
Go:
//go:generate directivesCheck dependency licenses for:
For each flagged dependency:
The output must include a summary section:
## Dependency Audit Summary
- Total dependencies: {N} (direct: {D}, transitive: {T})
- Ecosystems scanned: {list}
- Known vulnerabilities found: {N} (Critical: {C}, High: {H}, Medium: {M}, Low: {L})
- Typosquatting risks: {N}
- Dependency confusion risks: {N}
- License concerns: {N}
- Outdated dependencies: {N}