Security Scan

🌐Community
by redpanda-data · vlatest · Repository

Helps with data security as part of implementing security and authentication workflows.

Install on your platform


1. Run in terminal (recommended):

   claude mcp add redpanda-data-security-scan npx -- -y @trustedskills/redpanda-data-security-scan

2. Or manually add to ~/.claude/settings.json:

{
  "mcpServers": {
    "redpanda-data-security-scan": {
      "command": "npx",
      "args": [
        "-y",
        "@trustedskills/redpanda-data-security-scan"
      ]
    }
  }
}

Requires Claude Code (claude CLI). Run claude --version to verify your install.

About This Skill

What it does

This skill helps AI agents resolve npm dependency vulnerabilities detected by Snyk.io security scans. It parses vulnerability reports, categorizes them as direct or transitive dependencies, and guides the agent through a workflow of assessment, exploration, fixing, and verification to address these issues within a project's codebase. The skill provides specific rules for handling both direct and transitive dependencies.

When to use it

  • When a user shares Snyk vulnerability reports with the AI agent.
  • When a user mentions CVEs (Common Vulnerabilities and Exposures) or CWEs (Common Weakness Enumerations).
  • When a user asks the agent to fix security issues found in npm dependencies.

Key capabilities

  • Parses Snyk vulnerability reports, extracting information like package name, version, CVE/CWE, severity, and fixed version.
  • Categorizes vulnerabilities as either direct (listed in package.json) or transitive (dependencies of other packages).
  • Checks the project's package.json and lockfile for current and resolved versions.
  • Searches source code for usage of vulnerable packages.
  • Consults the npm registry to find available fixed versions using npm view <package> versions --json.
  • Provides specific rules (vuln-direct-deps.md, vuln-transitive-deps.md) for fixing vulnerabilities.
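As an added example (not the skill's own code), the script below approximates the parse-and-categorize step described above: it groups Snyk findings by package release, labels each as direct or transitive by checking package.json, and drafts an exact-version fix. The report layout is a simplified, constructed approximation of Snyk's JSON output, the CVE ids are placeholders, and the use of npm's overrides field for transitive pins is this example's choice rather than a rule from the skill.

```javascript
// Added example (not the skill's own code): triage a Snyk-style npm report into
// direct vs transitive findings and draft exact-version fixes without ^ prefixes.
// Report shape is a constructed, simplified approximation of Snyk's JSON output;
// CVE ids and package versions below are placeholders, not data from this page.
const SEVERITY_RANK = { critical: 0, high: 1, medium: 2, low: 3 };

const packageJson = { // constructed sample manifest of the project under review
  dependencies: { express: "4.17.1", lodash: "4.17.20" }, devDependencies: {} };

const snykReport = { vulnerabilities: [ // constructed; `from` chains start at the project
  { packageName: "lodash", version: "4.17.20", severity: "high", fixedIn: ["4.17.21"],
    identifiers: { CVE: ["CVE-PLACEHOLDER-1"] }, from: ["demo-app@1.0.0", "lodash@4.17.20"] },
  { packageName: "qs", version: "6.7.0", severity: "critical", fixedIn: ["6.8.1", "6.7.3"],
    identifiers: { CVE: ["CVE-PLACEHOLDER-2"] }, from: ["demo-app@1.0.0", "express@4.17.1", "qs@6.7.0"] },
  { packageName: "lodash", version: "4.17.20", severity: "medium", fixedIn: ["4.17.21"],
    identifiers: { CVE: ["CVE-PLACEHOLDER-3"] }, from: ["demo-app@1.0.0", "lodash@4.17.20"] },
] };

const nameOf = (spec) => spec.slice(0, spec.lastIndexOf("@")); // works for @scope/pkg@1.2.3
const cmpVersion = (a, b) => {
  const [pa, pb] = [a, b].map((s) => s.split(".").map(Number));
  return pa[0] - pb[0] || pa[1] - pb[1] || pa[2] - pb[2];
};

// Group by package@version (one upgrade closes every CVE on that release),
// classify by presence in package.json, and pick the lowest fixed version.
function triage(report, pkg) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const groups = new Map();
  for (const v of report.vulnerabilities) {
    const key = `${v.packageName}@${v.version}`;
    const g = groups.get(key) || { package: v.packageName, current: v.version,
      kind: v.packageName in declared ? "direct" : "transitive",
      via: v.from.length > 2 ? nameOf(v.from[1]) : null, // top-level dep pulling it in
      severity: v.severity, cves: new Set(), fixedIn: new Set() };
    if (SEVERITY_RANK[v.severity] < SEVERITY_RANK[g.severity]) g.severity = v.severity;
    (v.identifiers.CVE || []).forEach((c) => g.cves.add(c));
    v.fixedIn.forEach((f) => g.fixedIn.add(f));
    groups.set(key, g);
  }
  return [...groups.values()].map((g) => {
    const target = [...g.fixedIn].sort(cmpVersion)[0] || null;
    // Direct: pin exactly in package.json. Transitive: pin through npm `overrides`
    // or upgrade the parent in `via`; either way an exact version, never a ^ range.
    const action = !target ? "no fixed release; consider replacing the package"
      : g.kind === "direct" ? `set "${g.package}": "${target}" in package.json`
      : `add "overrides": { "${g.package}": "${target}" } or upgrade ${g.via}`;
    return { ...g, cves: [...g.cves], fixedIn: [...g.fixedIn], target, action };
  }).sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity]);
}

console.table(triage(snykReport, packageJson));
```

The output is ordered Critical first, so the qs finding (reachable only through express) is listed before the two lodash CVEs, which collapse into a single pin of lodash to 4.17.21.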

Example prompts

  • "Can you fix the security vulnerabilities reported by Snyk?"
  • "I have a vulnerability report; can you help me address it?"
  • "What's the best way to resolve this CVE in my project?"

Tips & gotchas

  • When applying fixes, pin dependencies to exact versions (no ^ prefix) so a later install cannot resolve back to a vulnerable release.
  • Prioritize fixing vulnerabilities with Critical or High severity first.
  • Consider replacing unmaintained packages instead of relying on patches.


TrustedSkills Verification

Unlike other registries that point to live repositories, TrustedSkills pins every skill to a verified commit hash. This protects you from malicious updates — what you install today is exactly what was reviewed and verified.

Security Audits

Gen Agent Trust Hub: Pass
Socket: Pass
Snyk: Pass

Details

Version: vlatest
License: (not listed)
Author: redpanda-data
Installs: 35


Passed automated security scans.