Run any Skill in Manus with one click

auditing-python-dependencies

Audit a Python project's installed dependencies for known CVEs by wrapping pip-audit (PyPA's official vulnerability auditor) and emitting findings in the canonical penetration-tester schema. Detects vulnerable direct AND transitive packages, normalizes pip-audit's severity output via OSV severity bands, falls back to pip list --outdated when pip-audit isn't installed, and supports requirements.txt, pyproject.toml (PEP 621), Pipfile.lock, and poetry.lock as input sources. Use when: pre-merge gate on a Python project, post-incident sweep after a PyPI compromise (e.g. ctx, request-toolbelt typosquats, ultralytics 8.3.42 compromise), SOC2 evidence collection, or inheriting an unfamiliar Python codebase. Threshold: any HIGH or CRITICAL CVE in the resolved dependency tree. MODERATE / LOW reported informationally. Trigger with: "audit python deps", "pip vulnerability scan", "check pypi packages for CVEs", "pip-audit run".

Run Skill in Manus

Stars2,344

Forks332

UpdatedJune 8, 2026 at 01:18

Source

jeremylongshore

jeremylongshore/claude-code-plugins-plus-skills

View GitHub Repository View Creator Repositories

Install command

Download

Run Skill in Manus

File Explorer

4 files

SKILL.md

readonly

More from this repository

same repository

auditing-npm-dependencies

jeremylongshore/claude-code-plugins-plus-skills

Audit a Node.js project's installed npm dependency tree for known CVEs by wrapping the npm audit JSON output and emitting findings in the canonical penetration-tester schema. Detects direct AND transitive vulnerabilities, normalizes npm's severity scale (info/low/moderate/ high/critical) to the shared Severity enum, and parses both v1 and v2 audit output formats so the skill works against npm 6 and npm 7+ lockfiles. Use when: pre-merge gate on a Node project, post-incident sweep after a transitive package compromise (e.g. event-stream, ua-parser, node-ipc, color.js), SOC2 vendor-management evidence collection, or auditing an inherited or acquired Node codebase. Threshold: any HIGH or CRITICAL CVE in the resolved dependency tree. MODERATE / LOW reported informationally. Trigger with: "audit npm deps", "npm vulnerability scan", "check node packages for CVEs", "npm audit".

2026-06-082.3k

checking-license-compliance

jeremylongshore/claude-code-plugins-plus-skills

Audit a project's dependency licenses against an explicit policy (allow-list / deny-list / review-required) and flag incompatibilities before they ship to production. Reads SPDX license identifiers from npm package manifests, Python METADATA / PKG-INFO files, and pyproject.toml; classifies each license by family (permissive, weak-copyleft, strong-copyleft, proprietary, unknown); detects copyleft contamination and SPDX-incompatible license combinations. Use when: pre-release legal review, M&A code-audit due diligence, preparing an OSS attribution NOTICE file, or switching a project's own license. Threshold: any GPL-family license in a project declaring MIT or Apache-2.0; any UNKNOWN-license package; any metadata-vs-source license mismatch. Trigger with: "check licenses", "license compliance audit", "SPDX scan", "GPL contamination check".

2026-06-082.3k

composing-vulnerability-report

jeremylongshore/claude-code-plugins-plus-skills

Read findings JSONL files from cluster 1-4 skills, deduplicate by fingerprint, group by severity, and compose a deliverable- grade markdown vulnerability report with per-finding sections (title, severity, target, detail, remediation, evidence) and a top-level summary table. The canonical written artifact a customer receives at engagement close; precise, reproducible, machine- checkable against source findings. Use when: closing an engagement, generating an interim report, regenerating after CVE or OWASP enrichment, or producing the input for generating-executive-summary. Threshold: findings missing required fields are dropped. HIGH and CRITICAL findings highlighted in the summary section. Trigger with: "compose vuln report", "write pentest report", "generate vulnerability deliverable", "render findings to report".

2026-06-082.3k

confirming-pentest-authorization

jeremylongshore/claude-code-plugins-plus-skills

Verify that a penetration test has explicit, written, signed authorization before any scanning begins. Reads a Rules-of- Engagement (ROE) attestation file, validates required fields (authorizer, in-scope targets, time window, emergency contact, signature), checks the signer against an allowlist, and emits a CRITICAL finding if anything is missing. Designed as the first skill the orchestrator routes to. Use when: starting a new engagement, after a scope change, or before any cluster 1-4 scan skill runs. Threshold: any missing or unsigned ROE field; any time-window expiry; any in-scope target outside the authorized list. Trigger with: "confirm authorization", "verify ROE", "check pentest authz", "pre-flight authorization".

2026-06-082.3k

defining-pentest-scope

jeremylongshore/claude-code-plugins-plus-skills

Parse the ROE scope definition, enumerate every in-scope target (hostnames, IPs, CIDRs, URLs, cloud accounts, SaaS tenants), validate syntax, detect overlap with out-of-scope or known third-party SaaS ranges, and emit a normalized target list plus IP allowlist for scanning tools. Runs after confirming-pentest- authorization and before any cluster 1-4 scan. Use when: starting an engagement, expanding scope mid-engagement, validating that a target list matches the ROE, or generating an allowlist for an external scanner. Threshold: malformed syntax, in-scope overlap with out-of-scope, reserved or third-party SaaS ranges without acknowledgement. Trigger with: "define scope", "enumerate targets", "validate target list", "generate IP allowlist".

2026-06-082.3k

generating-executive-summary

jeremylongshore/claude-code-plugins-plus-skills

Compose an exec-readable summary from a unified findings JSONL plus the OWASP coverage report. Computes a single engagement risk score (0-100, severity-weighted with OWASP-breadth and governance terms), rolls up findings into headline counts, names the top-3 remediation priorities with effort + impact estimates, and produces a 1-2 page markdown document for a C-level or board audience. Elides technical detail; the vulnerability report is the deep document. Use when: closing an engagement, preparing the exec-readout meeting, packaging for board review, or producing a one-page narrative for auditor / insurer / board. Threshold: input findings missing produces CRITICAL operational finding; otherwise the deliverable is the document itself. Trigger with: "generate exec summary", "executive summary", "C-level readout", "board pentest summary".

2026-06-082.3k

name	auditing-python-dependencies
description	Audit a Python project's installed dependencies for known CVEs by wrapping pip-audit (PyPA's official vulnerability auditor) and emitting findings in the canonical penetration-tester schema. Detects vulnerable direct AND transitive packages, normalizes pip-audit's severity output via OSV severity bands, falls back to pip list --outdated when pip-audit isn't installed, and supports requirements.txt, pyproject.toml (PEP 621), Pipfile.lock, and poetry.lock as input sources. Use when: pre-merge gate on a Python project, post-incident sweep after a PyPI compromise (e.g. ctx, request-toolbelt typosquats, ultralytics 8.3.42 compromise), SOC2 evidence collection, or inheriting an unfamiliar Python codebase. Threshold: any HIGH or CRITICAL CVE in the resolved dependency tree. MODERATE / LOW reported informationally. Trigger with: "audit python deps", "pip vulnerability scan", "check pypi packages for CVEs", "pip-audit run".
allowed-tools	["Read","Bash(pip:)","Bash(pip-audit:)","Bash(python3:*)","Glob"]
disallowed-tools	["Bash(rm:)","Bash(curl:)","Bash(wget:)","Write(.env)","Edit(.env)","Bash(pip install:)","Bash(pip uninstall:*)"]
version	3.0.0-dev
author	Jeremy Longshore <jeremy@intentsolutions.io>
license	MIT
compatibility	Designed for Claude Code
tags	["security","dependency-audit","python","pypi","cve","pentest"]

Auditing Python Dependencies

Overview

PyPI hosts north of 500,000 packages, with several thousand new releases every day. The package-install model is identical to npm in the relevant ways: a pip install resolves a transitive graph, runs each package's setup.py (which executes arbitrary Python at install time), and writes the result to your site-packages. The CVE attack surface is therefore the same shape: known vulnerabilities, maintainer-account takeovers, typosquats, and protestware.

The PyPA-blessed auditor is pip-audit. It queries the Open Source Vulnerabilities (OSV) database (which mirrors PyPA's advisory feed plus aggregated CVE / GHSA records) and reports per-package vulnerable versions. pip-audit integrates with requirements.txt, pyproject.toml, Pipfile.lock, and poetry.lock, so most Python project layouts are first-class.

This skill wraps pip-audit, normalizes its severity vocabulary to the shared Severity enum, and emits Findings in the canonical penetration-tester schema. If pip-audit isn't installed on the host, the skill falls back to pip list --outdated and emits INFO-level findings recommending the operator install pip-audit for accurate vulnerability detection.

When the skill produces findings

Finding	Severity	Threshold	Affected control
Critical CVE in installed package	CRITICAL	OSV severity band corresponds to CVSS ≥ 9.0	CWE-1104
High CVE in installed package	HIGH	OSV severity band corresponds to CVSS 7.0–8.9	CWE-1104
Medium CVE in installed package	MEDIUM	OSV severity band corresponds to CVSS 4.0–6.9	CWE-1104
Low CVE in installed package	LOW	OSV severity band corresponds to CVSS 0.1–3.9	CWE-1104
Vulnerable package with no patch	HIGH	finding has no `fix_versions` and severity ≥ medium	CWE-1395
Outdated package (no CVE)	INFO	pip list --outdated reports a newer version	(operational)
pip-audit not installed	INFO	binary not on PATH; scanner fell back to pip list	(operational)
Audit DB unreachable	INFO	pip-audit network error reaching OSV	(operational)

OSV is the upstream of record. pip-audit also consults the PyPA advisory database for Python-specific records that may not yet have a CVE assigned.

Prerequisites

Python 3.9+
pip-audit installed (pip install pip-audit); skill falls back to pip list --outdated if absent
Target project containing at minimum one of: requirements.txt, pyproject.toml, Pipfile.lock, poetry.lock
Network access to OSV (api.osv.dev) and PyPI (pypi.org)

Instructions

Step 1 — Identify the scan target

Locate the project directory. The scanner auto-detects requirement files in order of preference:

poetry.lock (most precise — exact resolved tree)
Pipfile.lock
requirements.txt (and requirements-*.txt siblings)
pyproject.toml (PEP 621 dependencies)
Installed environment via pip list (last resort)

Step 2 — Run the audit

python3 ./scripts/audit_python.py /path/to/python-project

Options:

Usage: audit_python.py PATH [OPTIONS]

Options:
  --output FILE      Write findings to FILE (default: stdout)
  --format FMT       json | jsonl | markdown (default: markdown)
  --min-severity SEV (default: info)
  --requirement FILE Override auto-detection; specify a particular
                     requirements file (repeatable)
  --include-dev      Include development dependencies (default: prod
                     only when project layout allows the distinction)
  --strict           Treat pip-audit warnings as errors

Step 3 — Interpret findings

CRITICAL / HIGH = block release.

MEDIUM / LOW = track but don't block; many Python advisories report edge-case theoretical issues that don't apply to your usage.

INFO = log only; e.g. "outdated but no known CVE" is information for your release cadence, not a security action.

Step 4 — Remediation

For a vulnerable package with fix_versions:

Bump the version pin in your requirements file:
```
- requests==2.20.0
+ requests==2.31.0
```
Run pip install -r requirements.txt --upgrade (or poetry lock --no-update && poetry update <pkg>).
Run the test suite. CVE fixes occasionally include behavioral changes you didn't expect.
Commit the lock file diff alongside the requirements bump.

For a vulnerable transitive dep (one you didn't declare directly):

Find the parent: pip show <vulnerable-package> lists the parents in its "Required-by" line.
Check whether bumping the parent picks up the fix. pip index versions <parent> lists available versions.
If parent doesn't have a newer release that floors the vulnerable dep above the fix version, pin the transitive dep yourself in your requirements file. pip will use the more specific pin.

For a vulnerable package with NO fix available:

Subscribe to PyPA advisory notifications for that package.
If the vulnerability is exploitable in your usage, either replace the package or vendor + patch locally.
Document the exception in your security register with a re-evaluation date.

Examples

Example 1 — Pre-merge gate

python3 ./scripts/audit_python.py . --min-severity high --format json --output audit.json
jq -e '. == []' audit.json || { echo "High/critical Python CVE — fix before merge"; exit 1; }

Example 2 — CI scan on every push

- name: pip-audit
  run: pip install pip-audit
- name: Run audit
  run: |
    python3 plugins/security/penetration-tester/skills/auditing-python-dependencies/scripts/audit_python.py \
        . --min-severity high --format markdown --output py-audit.md

Example 3 — SOC2 evidence collection

mkdir -p evidence/CC7/
python3 ./scripts/audit_python.py . --include-dev --format json \
    --output evidence/CC7/py-audit-$(date +%Y%m%d).json

--include-dev for SOC2: include dev/test deps so auditors see the full surface, not just production.

Output

JSON / JSONL / Markdown per lib/report.py. Exit codes: 0 clean, 1 high/critical, 2 error.

Each Finding includes:

id — synthesized as pypi-audit::<cve-id> (or pypi-audit::<ghsa> / pypi-audit::<pypa-id> when no CVE)
severity — CRITICAL / HIGH / MEDIUM / LOW / INFO
category — dependency-vulnerability
summary — short CVE / GHSA title
evidence — affected package, affected version, fix versions, advisory ID
references — OSV URL, CVE URL, PyPA advisory URL

Error Handling

pip-audit not installed → falls back to pip list --outdated, emits an INFO Finding flagging the degraded scan, and proceeds.
No requirement file found → emits an INFO Finding "no Python project structure recognized" and exits 2.
OSV API unreachable → emits an INFO Finding documenting the outage and exits 0 (no actionable security finding).
pip-audit returns malformed JSON → emits an INFO Finding with the raw output truncated to 500 chars and exits 2.

Resources

references/THEORY.md — PyPI supply-chain history, OSV vs NVD vs PyPA advisory scopes, why ecosystem-specific severity matters, Python-specific install-time risks (setup.py execution, eager dependency resolution), pip-audit vs Safety vs Snyk trade-offs
references/PLAYBOOK.md — Per-toolchain remediation patterns (pip + requirements.txt, poetry, pipenv, uv, conda), monorepo / workspace scanning, override-equivalent patterns in Python ecosystem, GitHub Dependabot ecosystem mapping, SOC2 evidence retention