| name | cve-scan |
| description | Scans deps for known CVEs via native audit (npm, pip, composer, cargo, go, bundler, dart). Triggers: CVE scan, vulnerability scan, npm audit, pip audit. |
| user-invocable | true |
| effort | medium |
| argument-hint | [--ecosystem npm|pip|composer|cargo|go|ruby|dart] [--fix] [--json] |
| allowed-tools | Read, Grep, Glob, Bash |
# /cve-scan - Dependency CVE Scanner
$ARGUMENTS
Detect project ecosystems and scan dependencies for known vulnerabilities using each ecosystem's native audit tool. Zero external dependencies: the skill only drives audit tools that are already installed in the project environment, and reports (rather than installs) the ones that are missing.
## Usage

```bash
/cve-scan                  # Auto-detect all ecosystems, scan all
/cve-scan --ecosystem npm  # Force a specific ecosystem
/cve-scan --fix            # Auto-fix where possible (npm audit fix, etc.)
/cve-scan --json           # Machine-readable JSON output
```
## What This Command Does

- Detect package managers by lock/manifest files in the project
- Run the native audit command for each detected ecosystem
- Parse results into a unified severity-based report
- Report CVE IDs, affected packages, installed vs fixed versions, advisory links
- Fix automatically when `--fix` is passed (where the tool supports it)
## Ecosystem Detection & Commands

| Manifest File | Lock File | Ecosystem | Audit Command | CVE Database |
|---|---|---|---|---|
| package.json | package-lock.json / yarn.lock / pnpm-lock.yaml | npm/yarn/pnpm | `npm audit --json` / `yarn audit --json` (Yarn Berry: `yarn npm audit --json`) / `pnpm audit --json` | GitHub Advisory DB |
| requirements.txt / pyproject.toml / setup.py | requirements.txt | pip | `pip-audit --format=json` | OSV / PyPI Advisory DB |
| composer.json | composer.lock | composer | `composer audit --format=json` | Packagist / FriendsOfPHP security advisories |
| Cargo.toml | Cargo.lock | cargo | `cargo audit --json` | RustSec Advisory DB |
| go.mod | go.sum | go | `govulncheck -json ./...` | Go Vulnerability DB |
| Gemfile | Gemfile.lock | bundler | `bundle-audit check --update` | Ruby Advisory DB |
| pubspec.yaml | pubspec.lock | dart/flutter | `dart pub outdated --json` (lists newer versions only; there is no native advisory audit) | pub.dev security advisories |

Two caveats when running these: `pip-audit` with no arguments audits the active virtual environment, so pass `-r requirements.txt` to audit the file that was detected; and the Dart row reports outdated packages, not vulnerable ones, so Dart findings must be labelled "outdated" rather than presented as a clean CVE result.
## Steps

- Detect ecosystems: Glob for manifest/lock files at the project root and in common subdirectories
- Check tool availability: Verify the audit tool is installed for each detected ecosystem
- Run audit: Execute the native audit command and capture JSON output where available. `npm audit`, `pip-audit` and `cargo audit` all exit non-zero when they find vulnerabilities, so a non-zero status means "findings", not "tool failure"; parse stdout regardless of exit status
- Parse results: Extract CVE ID, package name, installed version, fixed version, severity, advisory URL. Where a tool omits a field (npm audit identifies advisories by GHSA URL rather than CVE ID; pip-audit reports no severity), record it as unknown instead of guessing
- Unified report: Merge all ecosystems into a single report sorted by severity
- Fix mode: If `--fix` is passed, run `npm audit fix`, `pip-audit --fix`, `cargo audit fix` (requires cargo-audit built with the `fix` feature), etc.
- Exit code: Non-zero if any CRITICAL or HIGH vulnerabilities are found
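The pipeline in the steps above, as an added example that is not the skill's bundled `cve_scan.py`: it covers detection by marker file (the ecosystem table), tool availability with install hints (the Handling Missing Tools section), running an audit without mistaking its non-zero exit status for a crash, parsing `npm audit --json` and `pip-audit --format=json` into one finding shape, sorting by severity and deriving the exit code. `NPM_SAMPLE`, `LOCK_SAMPLE` and `PIP_SAMPLE` are constructed inputs shaped like the real tool output (the advisory `source` number is a placeholder), `FAKE_AUDIT` stands in for an audit binary, and the `RANK`, `ECOSYSTEMS` and `INSTALL_HINT` tables are this example's own assumptions, not the skill's.

```python
# Added example, not the skill's bundled cve_scan.py: the detect/check/run/parse/
# unify/exit-code pipeline from the Steps above, for npm and pip. NPM_SAMPLE,
# LOCK_SAMPLE and PIP_SAMPLE are constructed inputs shaped like real
# `npm audit --json` (auditReportVersion 2) and `pip-audit --format=json` output.
import json
import shutil
import subprocess
import sys
from pathlib import Path

RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3, "unknown": 4}
ECOSYSTEMS = {  # marker file -> (ecosystem, binary that must be on PATH, audit argv)
    "package-lock.json": ("npm", "npm", ["npm", "audit", "--json"]),
    "requirements.txt": ("pip", "pip-audit", ["pip-audit", "--format=json"]),
}
INSTALL_HINT = {"pip-audit": "pip install pip-audit", "cargo-audit": "cargo install cargo-audit"}
# Stand-in audit tool: prints JSON and exits 1, which is what npm audit does on findings.
FAKE_AUDIT = [sys.executable, "-c", "import sys; print('{\"ok\": true}'); sys.exit(1)"]

def detect_ecosystems(root="."):
    """Step 1: glob the root and one level of subdirectories for marker files."""
    found = {}
    for marker, (eco, tool, argv) in ECOSYSTEMS.items():
        for hit in sorted(Path(root).glob(marker)) + sorted(Path(root).glob(f"*/{marker}")):
            found.setdefault(eco, {"dir": hit.parent, "tool": tool, "argv": argv})
    return found

def tool_status(tool):
    """Step 2: a missing tool is a warning plus an install hint, never a hard failure."""
    return ("installed", None) if shutil.which(tool) else ("missing", INSTALL_HINT.get(tool, f"install {tool}"))

def run_audit(argv, cwd="."):
    """Step 3: audit tools exit non-zero *because they found something*, so only a
    missing binary or empty stdout is treated as an error; stdout is always returned."""
    try:
        out = subprocess.run(argv, cwd=cwd, capture_output=True, text=True).stdout
    except FileNotFoundError:
        return None
    return out if out.strip() else None

def parse_npm_audit(report_json, lockfile_json=None):
    """Step 4 (npm): the v2 report has GHSA URL, title, severity and fix, but no CVE
    ID and no installed version; the version comes from package-lock.json."""
    lock = json.loads(lockfile_json)["packages"] if lockfile_json else {}
    findings = []
    for name, vuln in json.loads(report_json).get("vulnerabilities", {}).items():
        installed = lock.get((vuln.get("nodes") or [""])[0], {}).get("version", "?")
        fix = vuln.get("fixAvailable")  # true / false / {name, version, isSemVerMajor}
        fixed_in = fix["version"] if isinstance(fix, dict) else ("yes" if fix else "none")
        for adv in vuln.get("via", []):
            if not isinstance(adv, dict):  # bare strings are transitive parents, not advisories
                continue
            url = adv.get("url", "")
            findings.append({"ecosystem": "npm", "package": name, "installed": installed,
                             "severity": adv.get("severity", "unknown").lower(),
                             "id": url.rsplit("/", 1)[-1] or f"npm-{adv.get('source')}",
                             "title": adv.get("title", ""), "fixed_in": fixed_in, "advisory": url})
    return findings

def parse_pip_audit(report_json):
    """Step 4 (pip): OSV/PYSEC IDs, CVE aliases and fix versions, but no severity."""
    findings = []
    for dep in json.loads(report_json).get("dependencies", []):
        for v in dep.get("vulns", []):
            cve = next((a for a in v.get("aliases", []) if a.startswith("CVE-")), v["id"])
            findings.append({"ecosystem": "pip", "package": dep["name"], "installed": dep["version"],
                             "severity": "unknown", "id": cve, "title": v.get("description", ""),
                             "fixed_in": ", ".join(v.get("fix_versions", [])) or "none",
                             "advisory": f"https://osv.dev/vulnerability/{v['id']}"})
    return findings

def unified_report(*finding_lists):
    """Step 5: merge all ecosystems, sort by severity then package, count per severity."""
    merged = sorted((f for fl in finding_lists for f in fl), key=lambda f: (RANK.get(f["severity"], 4), f["package"]))
    counts = {}
    for f in merged:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return merged, counts

def exit_code(findings):
    """Step 7: non-zero only for CRITICAL or HIGH; LOW/MODERATE never fail the run."""
    return 1 if any(f["severity"] in ("critical", "high") for f in findings) else 0

NPM_SAMPLE = json.dumps({"auditReportVersion": 2, "vulnerabilities": {"lodash": {
    "name": "lodash", "severity": "high", "isDirect": True, "range": "<4.17.21", "nodes": ["node_modules/lodash"],
    "via": [{"source": 1, "name": "lodash", "title": "Command Injection in lodash", "severity": "high",
             "url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm", "range": "<4.17.21"}],
    "fixAvailable": {"name": "lodash", "version": "4.17.21", "isSemVerMajor": False}}}})
LOCK_SAMPLE = json.dumps({"packages": {"node_modules/lodash": {"version": "4.17.20"}}})
PIP_SAMPLE = json.dumps({"dependencies": [{"name": "django", "version": "3.2.0", "vulns": [{
    "id": "PYSEC-2023-100", "aliases": ["CVE-2023-36053"], "fix_versions": ["3.2.20", "4.1.10", "4.2.3"],
    "description": "Potential ReDoS in EmailValidator"}]}]})

if __name__ == "__main__":
    findings, counts = unified_report(parse_npm_audit(NPM_SAMPLE, LOCK_SAMPLE), parse_pip_audit(PIP_SAMPLE))
    for f in findings:
        print(f"[{f['severity'].upper()}] {f['package']}@{f['installed']} ({f['ecosystem']}) {f['id']} -> {f['fixed_in']}")
    sys.exit(exit_code(findings))
```

Two design points worth keeping when wiring real tools in: `run_audit` deliberately ignores the exit status and hands back stdout, because the status carries the "vulnerabilities found" signal and would otherwise be read as a crash; and `parse_pip_audit` records severity as `unknown`, so those findings sort last and never trip the CRITICAL/HIGH exit code until a severity source is added.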
## Detection Script

Run the bundled detection script to quickly identify ecosystems and tool availability:

```bash
python3 ${CLAUDE_SKILL_DIR}/scripts/cve_scan.py
```

Options:

```bash
python3 ${CLAUDE_SKILL_DIR}/scripts/cve_scan.py --json
python3 ${CLAUDE_SKILL_DIR}/scripts/cve_scan.py --fix
python3 ${CLAUDE_SKILL_DIR}/scripts/cve_scan.py --ecosystem npm
```
## Output Format

```markdown
## CVE Scan Report

### Ecosystems Detected
- npm (package-lock.json) — `npm audit` available ✓
- pip (requirements.txt) — `pip-audit` not installed ⚠️

### Summary
| Severity | Count |
|----------|-------|
| CRITICAL | 1 |
| HIGH | 3 |
| MEDIUM | 5 |
| LOW | 2 |

### Findings

#### [CRITICAL] lodash@4.17.20 (npm)
- **CVE**: CVE-2021-23337
- **Title**: Command Injection in lodash template
- **Fixed in**: 4.17.21
- **Advisory**: https://github.com/advisories/GHSA-35jh-r3h4-6jhm

#### [HIGH] django@3.2.0 (pip)
- **CVE**: CVE-2023-36053
- **Title**: Potential ReDoS in EmailValidator
- **Fixed in**: 3.2.20
- **Advisory**: https://osv.dev/vulnerability/PYSEC-2023-100

### Tool Availability
| Ecosystem | Tool | Status | Install Hint |
|-----------|------|--------|--------------|
| npm | npm audit | ✓ installed | — |
| pip | pip-audit | ✗ missing | `pip install pip-audit` |
| cargo | cargo-audit | ✗ missing | `cargo install cargo-audit` |
```
## Handling Missing Tools

When an audit tool is not installed, the skill:

- Reports it as a warning (not a failure)
- Provides the install command for the missing tool
- Continues scanning other detected ecosystems

Install hints per ecosystem:

| Tool | Install Command |
|---|---|
| pip-audit | `pip install pip-audit` |
| cargo-audit | `cargo install cargo-audit` (add `--features=fix` for `cargo audit fix` support) |
| govulncheck | `go install golang.org/x/vuln/cmd/govulncheck@latest` |
| bundle-audit | `gem install bundler-audit` |
| composer | Built-in since Composer 2.4 (`composer audit`) |
## Rules

- Never modify `package-lock.json`, `Cargo.lock`, or other lock files unless the `--fix` flag is passed
- Always report tool availability: a missing tool is a finding, not a failure
- Parse JSON output when available for structured data; fall back to text parsing
- CRITICAL and HIGH findings should be highlighted prominently
- Include advisory URLs for every CVE when available
- This skill is READ-ONLY by default (no installs, no upgrades) unless `--fix` is passed
- Respect `.auditrc`, `.nsprc`, or equivalent ignore files if present, and list every suppressed advisory in the report so that ignores stay visible instead of silently hiding findings