@ruaruababa/vibe-kit 1.0.0

package/skills/security-scanning-security-dependencies/SKILL.md

@@ -0,0 +1,43 @@
+---
+name: security-scanning-security-dependencies
+description: "You are a security expert specializing in dependency vulnerability analysis, SBOM generation, and supply chain security. Scan project dependencies across ecosystems to identify vulnerabilities, assess risks, and recommend remediation."
+---
+
+# Dependency Vulnerability Scanning
+
+You are a security expert specializing in dependency vulnerability analysis, SBOM generation, and supply chain security. Scan project dependencies across multiple ecosystems to identify vulnerabilities, assess risks, and provide automated remediation strategies.
+
+## Use this skill when
+
+- Auditing dependencies for vulnerabilities or license risks
+- Generating SBOMs for compliance or supply chain visibility
+- Planning remediation for outdated or vulnerable packages
+- Standardizing dependency scanning across ecosystems
+
+## Do not use this skill when
+
+- You only need runtime security testing
+- There is no dependency manifest or lockfile
+- The environment blocks running security scanners
+
+## Context
+The user needs comprehensive dependency security analysis to identify vulnerable packages, outdated dependencies, and license compliance issues. Focus on multi-ecosystem support, vulnerability database integration, SBOM generation, and automated remediation using modern 2024/2025 tools.
+
+## Requirements
+$ARGUMENTS
+
+## Instructions
+
+- Clarify goals, constraints, and required inputs.
+- Apply relevant best practices and validate outcomes.
+- Provide actionable steps and verification.
+- If detailed examples are required, open `resources/implementation-playbook.md`.
+
+## Safety
+
+- Avoid running auto-fix or upgrade steps without approval.
+- Treat dependency changes as release-impacting and test accordingly.
+
+## Resources
+
+- `resources/implementation-playbook.md` for detailed patterns and examples.

package/skills/security-scanning-security-dependencies/resources/implementation-playbook.md

@@ -0,0 +1,544 @@
+# Dependency Vulnerability Scanning Implementation Playbook
+
+This file contains detailed patterns, checklists, and code samples referenced by the skill.
+
+# Dependency Vulnerability Scanning
+
+You are a security expert specializing in dependency vulnerability analysis, SBOM generation, and supply chain security. Scan project dependencies across multiple ecosystems to identify vulnerabilities, assess risks, and provide automated remediation strategies.
+
+## Use this skill when
+
+- Auditing dependencies for vulnerabilities or license risks
+- Generating SBOMs for compliance or supply chain visibility
+- Planning remediation for outdated or vulnerable packages
+- Standardizing dependency scanning across ecosystems
+
+## Do not use this skill when
+
+- You only need runtime security testing
+- There is no dependency manifest or lockfile
+- The environment blocks running security scanners
+
+## Safety
+
+- Avoid running auto-fix or upgrade steps without approval.
+- Treat dependency changes as release-impacting and test accordingly.
+
+## Context
+The user needs comprehensive dependency security analysis to identify vulnerable packages, outdated dependencies, and license compliance issues. Focus on multi-ecosystem support, vulnerability database integration, SBOM generation, and automated remediation using modern 2024/2025 tools.
+
+## Requirements
+$ARGUMENTS
+
+## Instructions
+
+### 1. Multi-Ecosystem Dependency Scanner
+
+```python
+import subprocess
+import json
+import requests
+from pathlib import Path
+from typing import Dict, List, Any
+from dataclasses import dataclass
+from datetime import datetime
+
+@dataclass
+class Vulnerability:
+    package: str
+    version: str
+    vulnerability_id: str
+    severity: str
+    cve: List[str]
+    cvss_score: float
+    fixed_versions: List[str]
+    source: str
+
+class DependencyScanner:
+    def __init__(self, project_path: str):
+        self.project_path = Path(project_path)
+        self.ecosystem_scanners = {
+            'npm': self.scan_npm,
+            'pip': self.scan_python,
+            'go': self.scan_go,
+            'cargo': self.scan_rust
+        }
+
+    def detect_ecosystems(self) -> List[str]:
+        ecosystem_files = {
+            'npm': ['package.json', 'package-lock.json'],
+            'pip': ['requirements.txt', 'pyproject.toml'],
+            'go': ['go.mod'],
+            'cargo': ['Cargo.toml']
+        }
+
+        detected = []
+        for ecosystem, patterns in ecosystem_files.items():
+            if any(list(self.project_path.glob(f"**/{p}")) for p in patterns):
+                detected.append(ecosystem)
+        return detected
+
+    def scan_all_dependencies(self) -> Dict[str, Any]:
+        ecosystems = self.detect_ecosystems()
+        results = {
+            'timestamp': datetime.now().isoformat(),
+            'ecosystems': {},
+            'vulnerabilities': [],
+            'summary': {
+                'total_vulnerabilities': 0,
+                'critical': 0,
+                'high': 0,
+                'medium': 0,
+                'low': 0
+            }
+        }
+
+        for ecosystem in ecosystems:
+            scanner = self.ecosystem_scanners.get(ecosystem)
+            if scanner:
+                ecosystem_results = scanner()
+                results['ecosystems'][ecosystem] = ecosystem_results
+                results['vulnerabilities'].extend(ecosystem_results.get('vulnerabilities', []))
+
+        self._update_summary(results)
+        results['remediation_plan'] = self.generate_remediation_plan(results['vulnerabilities'])
+        results['sbom'] = self.generate_sbom(results['ecosystems'])
+
+        return results
+
+    def scan_npm(self) -> Dict[str, Any]:
+        results = {
+            'ecosystem': 'npm',
+            'vulnerabilities': []
+        }
+
+        try:
+            npm_result = subprocess.run(
+                ['npm', 'audit', '--json'],
+                cwd=self.project_path,
+                capture_output=True,
+                text=True,
+                timeout=120
+            )
+
+            if npm_result.stdout:
+                audit_data = json.loads(npm_result.stdout)
+                for vuln_id, vuln in audit_data.get('vulnerabilities', {}).items():
+                    results['vulnerabilities'].append({
+                        'package': vuln.get('name', vuln_id),
+                        'version': vuln.get('range', ''),
+                        'vulnerability_id': vuln_id,
+                        'severity': vuln.get('severity', 'UNKNOWN').upper(),
+                        'cve': vuln.get('cves', []),
+                        'fixed_in': vuln.get('fixAvailable', {}).get('version', 'N/A'),
+                        'source': 'npm_audit'
+                    })
+        except Exception as e:
+            results['error'] = str(e)
+
+        return results
+
+    def scan_python(self) -> Dict[str, Any]:
+        results = {
+            'ecosystem': 'python',
+            'vulnerabilities': []
+        }
+
+        try:
+            safety_result = subprocess.run(
+                ['safety', 'check', '--json'],
+                cwd=self.project_path,
+                capture_output=True,
+                text=True,
+                timeout=120
+            )
+
+            if safety_result.stdout:
+                safety_data = json.loads(safety_result.stdout)
+                for vuln in safety_data:
+                    results['vulnerabilities'].append({
+                        'package': vuln.get('package_name', ''),
+                        'version': vuln.get('analyzed_version', ''),
+                        'vulnerability_id': vuln.get('vulnerability_id', ''),
+                        'severity': 'HIGH',
+                        'fixed_in': vuln.get('fixed_version', ''),
+                        'source': 'safety'
+                    })
+        except Exception as e:
+            results['error'] = str(e)
+
+        return results
+
+    def scan_go(self) -> Dict[str, Any]:
+        results = {
+            'ecosystem': 'go',
+            'vulnerabilities': []
+        }
+
+        try:
+            govuln_result = subprocess.run(
+                ['govulncheck', '-json', './...'],
+                cwd=self.project_path,
+                capture_output=True,
+                text=True,
+                timeout=180
+            )
+
+            if govuln_result.stdout:
+                for line in govuln_result.stdout.strip().split('\n'):
+                    if line:
+                        vuln_data = json.loads(line)
+                        if vuln_data.get('finding'):
+                            finding = vuln_data['finding']
+                            results['vulnerabilities'].append({
+                                'package': finding.get('osv', ''),
+                                'vulnerability_id': finding.get('osv', ''),
+                                'severity': 'HIGH',
+                                'source': 'govulncheck'
+                            })
+        except Exception as e:
+            results['error'] = str(e)
+
+        return results
+
+    def scan_rust(self) -> Dict[str, Any]:
+        results = {
+            'ecosystem': 'rust',
+            'vulnerabilities': []
+        }
+
+        try:
+            audit_result = subprocess.run(
+                ['cargo', 'audit', '--json'],
+                cwd=self.project_path,
+                capture_output=True,
+                text=True,
+                timeout=120
+            )
+
+            if audit_result.stdout:
+                audit_data = json.loads(audit_result.stdout)
+                for vuln in audit_data.get('vulnerabilities', {}).get('list', []):
+                    advisory = vuln.get('advisory', {})
+                    results['vulnerabilities'].append({
+                        'package': vuln.get('package', {}).get('name', ''),
+                        'version': vuln.get('package', {}).get('version', ''),
+                        'vulnerability_id': advisory.get('id', ''),
+                        'severity': 'HIGH',
+                        'source': 'cargo_audit'
+                    })
+        except Exception as e:
+            results['error'] = str(e)
+
+        return results
+
+    def _update_summary(self, results: Dict[str, Any]):
+        vulnerabilities = results['vulnerabilities']
+        results['summary']['total_vulnerabilities'] = len(vulnerabilities)
+
+        for vuln in vulnerabilities:
+            severity = vuln.get('severity', '').upper()
+            if severity == 'CRITICAL':
+                results['summary']['critical'] += 1
+            elif severity == 'HIGH':
+                results['summary']['high'] += 1
+            elif severity == 'MEDIUM':
+                results['summary']['medium'] += 1
+            elif severity == 'LOW':
+                results['summary']['low'] += 1
+
+    def generate_remediation_plan(self, vulnerabilities: List[Dict]) -> Dict[str, Any]:
+        plan = {
+            'immediate_actions': [],
+            'short_term': [],
+            'automation_scripts': {}
+        }
+
+        critical_high = [v for v in vulnerabilities if v.get('severity', '').upper() in ['CRITICAL', 'HIGH']]
+
+        for vuln in critical_high[:20]:
+            plan['immediate_actions'].append({
+                'package': vuln.get('package', ''),
+                'current_version': vuln.get('version', ''),
+                'fixed_version': vuln.get('fixed_in', 'latest'),
+                'severity': vuln.get('severity', ''),
+                'priority': 1
+            })
+
+        plan['automation_scripts'] = {
+            'npm_fix': 'npm audit fix && npm update',
+            'pip_fix': 'pip-audit --fix && safety check',
+            'go_fix': 'go get -u ./... && go mod tidy',
+            'cargo_fix': 'cargo update && cargo audit'
+        }
+
+        return plan
+
+    def generate_sbom(self, ecosystems: Dict[str, Any]) -> Dict[str, Any]:
+        sbom = {
+            'bomFormat': 'CycloneDX',
+            'specVersion': '1.5',
+            'version': 1,
+            'metadata': {
+                'timestamp': datetime.now().isoformat()
+            },
+            'components': []
+        }
+
+        for ecosystem_name, ecosystem_data in ecosystems.items():
+            for vuln in ecosystem_data.get('vulnerabilities', []):
+                sbom['components'].append({
+                    'type': 'library',
+                    'name': vuln.get('package', ''),
+                    'version': vuln.get('version', ''),
+                    'purl': f"pkg:{ecosystem_name}/{vuln.get('package', '')}@{vuln.get('version', '')}"
+                })
+
+        return sbom
+```
+
+### 2. Vulnerability Prioritization
+
+```python
+class VulnerabilityPrioritizer:
+    def calculate_priority_score(self, vulnerability: Dict) -> float:
+        cvss_score = vulnerability.get('cvss_score', 0) or 0
+        exploitability = 1.0 if vulnerability.get('exploit_available') else 0.5
+        fix_available = 1.0 if vulnerability.get('fixed_in') else 0.3
+
+        priority_score = (
+            cvss_score * 0.4 +
+            exploitability * 2.0 +
+            fix_available * 1.0
+        )
+
+        return round(priority_score, 2)
+
+    def prioritize_vulnerabilities(self, vulnerabilities: List[Dict]) -> List[Dict]:
+        for vuln in vulnerabilities:
+            vuln['priority_score'] = self.calculate_priority_score(vuln)
+
+        return sorted(vulnerabilities, key=lambda x: x['priority_score'], reverse=True)
+```
+
+### 3. CI/CD Integration
+
+```yaml
+name: Dependency Security Scan
+
+on:
+  push:
+    branches: [main]
+  schedule:
+    - cron: '0 2 * * *'
+
+jobs:
+  scan-dependencies:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        ecosystem: [npm, python, go]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: NPM Audit
+        if: matrix.ecosystem == 'npm'
+        run: |
+          npm ci
+          npm audit --json > npm-audit.json || true
+          npm audit --audit-level=moderate
+
+      - name: Python Safety
+        if: matrix.ecosystem == 'python'
+        run: |
+          pip install safety pip-audit
+          safety check --json --output safety.json || true
+          pip-audit --format=json --output=pip-audit.json || true
+
+      - name: Go Vulnerability Check
+        if: matrix.ecosystem == 'go'
+        run: |
+          go install golang.org/x/vuln/cmd/govulncheck@latest
+          govulncheck -json ./... > govulncheck.json || true
+
+      - name: Upload Results
+        uses: actions/upload-artifact@v4
+        with:
+          name: scan-${{ matrix.ecosystem }}
+          path: '*.json'
+
+      - name: Check Thresholds
+        run: |
+          CRITICAL=$(grep -o '"severity":"CRITICAL"' *.json 2>/dev/null | wc -l || echo 0)
+          if [ "$CRITICAL" -gt 0 ]; then
+            echo "❌ Found $CRITICAL critical vulnerabilities!"
+            exit 1
+          fi
+```
+
+### 4. Automated Updates
+
+```bash
+#!/bin/bash
+# automated-dependency-update.sh
+
+set -euo pipefail
+
+ECOSYSTEM="$1"
+UPDATE_TYPE="${2:-patch}"
+
+update_npm() {
+    npm audit --audit-level=moderate || true
+
+    if [ "$UPDATE_TYPE" = "patch" ]; then
+        npm update --save
+    elif [ "$UPDATE_TYPE" = "minor" ]; then
+        npx npm-check-updates -u --target minor
+        npm install
+    fi
+
+    npm test
+    npm audit --audit-level=moderate
+}
+
+update_python() {
+    pip install --upgrade pip
+    pip-audit --fix
+    safety check
+    pytest
+}
+
+update_go() {
+    go get -u ./...
+    go mod tidy
+    govulncheck ./...
+    go test ./...
+}
+
+case "$ECOSYSTEM" in
+    npm) update_npm ;;
+    python) update_python ;;
+    go) update_go ;;
+    *)
+        echo "Unknown ecosystem: $ECOSYSTEM"
+        exit 1
+        ;;
+esac
+```
+
+### 5. Reporting
+
+```python
+class VulnerabilityReporter:
+    def generate_markdown_report(self, scan_results: Dict[str, Any]) -> str:
+        report = f"""# Dependency Vulnerability Report
+
+**Generated:** {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}
+
+## Executive Summary
+
+- **Total Vulnerabilities:** {scan_results['summary']['total_vulnerabilities']}
+- **Critical:** {scan_results['summary']['critical']} 🔴
+- **High:** {scan_results['summary']['high']} 🟠
+- **Medium:** {scan_results['summary']['medium']} 🟡
+- **Low:** {scan_results['summary']['low']} 🟢
+
+## Critical & High Severity
+
+"""
+
+        critical_high = [v for v in scan_results['vulnerabilities']
+                        if v.get('severity', '').upper() in ['CRITICAL', 'HIGH']]
+
+        for vuln in critical_high[:20]:
+            report += f"""
+### {vuln.get('package', 'Unknown')} - {vuln.get('vulnerability_id', '')}
+
+- **Severity:** {vuln.get('severity', 'UNKNOWN')}
+- **Current Version:** {vuln.get('version', '')}
+- **Fixed In:** {vuln.get('fixed_in', 'N/A')}
+- **CVE:** {', '.join(vuln.get('cve', []))}
+
+"""
+
+        return report
+
+    def generate_sarif(self, scan_results: Dict[str, Any]) -> Dict[str, Any]:
+        return {
+            "version": "2.1.0",
+            "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+            "runs": [{
+                "tool": {
+                    "driver": {
+                        "name": "Dependency Scanner",
+                        "version": "1.0.0"
+                    }
+                },
+                "results": [
+                    {
+                        "ruleId": vuln.get('vulnerability_id', 'unknown'),
+                        "level": self._map_severity(vuln.get('severity', '')),
+                        "message": {
+                            "text": f"{vuln.get('package', '')} has known vulnerability"
+                        }
+                    }
+                    for vuln in scan_results['vulnerabilities']
+                ]
+            }]
+        }
+
+    def _map_severity(self, severity: str) -> str:
+        mapping = {
+            'CRITICAL': 'error',
+            'HIGH': 'error',
+            'MEDIUM': 'warning',
+            'LOW': 'note'
+        }
+        return mapping.get(severity.upper(), 'warning')
+```
+
+## Best Practices
+
+1. **Regular Scanning**: Run dependency scans daily via scheduled CI/CD
+2. **Prioritize by CVSS**: Focus on high CVSS scores and exploit availability
+3. **Staged Updates**: Auto-update patch versions, manual for major versions
+4. **Test Coverage**: Always run full test suite after updates
+5. **SBOM Generation**: Maintain up-to-date Software Bill of Materials
+6. **License Compliance**: Check for restrictive licenses
+7. **Rollback Strategy**: Create backup branches before major updates
+
+## Tool Installation
+
+```bash
+# Python
+pip install safety pip-audit pipenv pip-licenses
+
+# JavaScript
+npm install -g snyk npm-check-updates
+
+# Go
+go install golang.org/x/vuln/cmd/govulncheck@latest
+
+# Rust
+cargo install cargo-audit
+```
+
+## Usage Examples
+
+```bash
+# Scan all dependencies
+python dependency_scanner.py scan --path .
+
+# Generate SBOM
+python dependency_scanner.py sbom --format cyclonedx
+
+# Auto-fix vulnerabilities
+./automated-dependency-update.sh npm patch
+
+# CI/CD integration
+python dependency_scanner.py scan --fail-on critical,high
+```
+
+Focus on automated vulnerability detection, risk assessment, and remediation across all major package ecosystems.