一键导入
dep-audit
Audit dependency security risks
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Audit dependency security risks
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Repository-only probe used to determine whether Codex can keep a skill manually invokable while excluding it from implicit routing.
Create, update, batch-sync, or scan date-prefixed single-task request tickets under docs/features/*/requests/. Use for breaking a tech spec into execution tickets, tracking acceptance-criteria progress, finding incomplete or stale requests, or independently verifying one ticket's acceptance criteria. Do not use for feature-wide requirements, technical design, or implementation.
Implement a non-trivial feature end to end with scoped exploration, explicit acceptance criteria, incremental edits, independent review, and deterministic verification. Use when the user asks to build or extend behavior rather than make a tiny isolated edit.
Review the current dirty worktree with a configured Codex-first or Claude primary subagent plus one independent read-only Codex test perspective, fix actionable findings, and record a fingerprint-bound review gate. Use before finishing code or documentation changes, after fixes invalidate prior review, or when the sd0x stop hook requests review.
Install or refresh sd0x Dev Flow project guidance and custom reviewer agents in the current repository. Use when configuring this Codex plugin for a repo, onboarding a project, or repairing missing sd0x AGENTS.md and .codex/agents files.
Create or update GitHub PR with gh CLI. Auto-extracts ticket ID from branch name, generates title/summary from commits. Auto-detects existing PR and switches to update mode. Default: --dry-run (show command, don't execute). Use when: user asks to open/create/update a PR, says /create-pr, wants to refresh PR description after new commits, or says 'update pr', 'update PR title', 'refresh PR body'.
| name | dep-audit |
| description | Audit dependency security risks |
| allowed-tools | Bash(yarn audit:*), Bash(npm audit:*), Bash(pnpm audit:*), Bash(npx:*), Bash(bash:*), Read, Glob |
/codex-security)/codex-review-fast)/codex-security)| Step | Goal | Safety |
|---|---|---|
| audit | Scan dependencies for vulnerabilities | read-only |
Failure behavior: report-all
$ARGUMENTS
--level <severity> — Minimum reporting level (low/moderate/high/critical), default: moderate--fix — Attempt automatic fixUse Glob to check if .claude/scripts/dep-audit.sh exists in the project root.
bash .claude/scripts/dep-audit.sh $ARGUMENTS
Detect the project ecosystem and run the audit manually.
Ecosystem detection (check project root for manifest files):
| Manifest | Ecosystem | Audit Command | Fix Command |
|---|---|---|---|
package.json + pnpm-lock.yaml | Node (pnpm) | pnpm audit --audit-level {LEVEL} | pnpm audit --fix |
package.json + yarn.lock | Node (yarn) | yarn audit --level {LEVEL} | yarn audit --fix or npx yarn-audit-fix |
package.json | Node (npm) | npm audit --audit-level={LEVEL} | npm audit fix |
pyproject.toml | Python | pip-audit or safety check | pip-audit --fix |
Cargo.toml | Rust | cargo audit | cargo audit fix |
go.mod | Go | govulncheck ./... | (manual fix) |
build.gradle | Java | ./gradlew dependencyCheckAnalyze | (manual fix) |
Default {LEVEL} is moderate unless --level argument is provided.
If --fix is specified, run the fix command for the detected ecosystem after audit.
If no recognized manifest file exists, report an error.
## Audit Results
| Severity | Count |
|----------|-------|
| Critical | 0 |
| High | 0 |
| Moderate | 0 |
| Low | 0 |
## Vulnerability Details
### [severity] Issue Title
- **Package**: package-name
- **Fix**: Available / Not available
## Gate
✅ **PASS** — No moderate or above vulnerabilities
❌ **FAIL** — Found high severity vulnerabilities
/dep-audit
/dep-audit --level high
/dep-audit --fix