Software Composition Analysis (SCA)

Router skill for dependency security: SBOM generation, multi-source vuln correlation, license compliance, supply chain review, and reachability-driven triage. Optimized for polyglot repositories and PR-time lockfile review. Load the relevant workflow + ecosystem reference on demand — do not read the whole skill up front.

When to Use

• Scanning project dependencies for known vulnerabilities (CVE / GHSA / OSV)
• Generating an SBOM (CycloneDX or SPDX) for a repo, container, or binary
• Reviewing a PR's lockfile delta for new vulns, license changes, malicious packages
• Reachability analysis to prioritize the 5-15% of findings that are actually exploitable
• License compliance against an allow/deny policy
• Supply chain review: typosquatting, dependency confusion, malicious package triage
• Ecosystem-specific audits: npm, yarn, pnpm, pip, poetry, Maven, Gradle, Go, Cargo, Ruby, Composer
• CI/CD integration for continuous dependency scanning

Trigger Phrases

• "scan dependencies", "check package vulnerabilities", "run npm audit"
• "generate SBOM", "CycloneDX", "SPDX"
• "license compliance", "audit licenses"
• "supply chain", "typosquat", "dependency confusion", "malicious package"
• "lockfile diff", "dep review", "PR dependency review"
• "is this CVE reachable", "reachability analysis", "filter false positives"

When NOT to Use This Skill

• First-party source code vulnerabilities (SQLi, XSS, SSRF, etc.) → use sast-orchestration. SCA looks at third-party deps only.
• OS-level packages inside container images (apt, apk, rpm) → use container-security. (Overlap: Syft/Grype handle both; choose based on where the bulk of the work is.)
• Infrastructure-as-Code misconfigurations (Terraform, K8s YAML) → use iac-security.
• Live web-app runtime testing → use dast-automation.
• LLM-specific supply chain (model weights, prompts, tool chains) → use llm-security.
• Mobile app third-party libraries → this skill works, but android-pentest / ios-pentest add platform context (cocoapods, SPM, gradle android).

Decision Tree

Start
 ├── Have a PR that touches a lockfile / manifest?
 │    → workflows/lockfile_diff.md
 │
 ├── Need a baseline for a repo or container?
 │    → workflows/sbom_generation.md  → workflows/vuln_correlation.md (parallel: license_audit.md)
 │
 ├── Got 100+ vuln findings and need to prioritize?
 │    → workflows/reachability_analysis.md  (HIGH-VALUE, use extended thinking)
 │
 ├── New or unfamiliar package just showed up in a dep graph?
 │    → workflows/supply_chain_review.md + references/malicious_package_indicators.md
 │
 ├── License audit only?
 │    → workflows/license_audit.md
 │
 └── Ecosystem-specific question?
      → references/{npm_yarn_pnpm,python_pip_poetry,maven_gradle,go_modules,cargo,ruby_gems,php_composer}.md

Parallelism Hints

Run concurrently (independent):

• SBOM generation is independent of vuln scanning — start SBOM, then fan out to Grype + OSV-Scanner + ecosystem-native tools while license + supply chain checks also run.
• Per-ecosystem scans in polyglot repos are fully parallel (npm audit, pip-audit, cargo audit, etc.).
• License audit and vuln correlation are independent — run concurrently.
• OSV batch API: batch all package versions in one HTTP call; do not loop.
• Registry metadata lookups for supply chain triage: parallel, one per package.

Must be sequential:

• Vuln correlation after SBOM (scanner reads the SBOM).
• Reachability analysis after vuln correlation (it refines findings).
• Call-graph construction before reachability queries.
• Lockfile diff classification before per-delta scans.

Sub-Agent Delegation

• Polyglot monorepos: one sub-agent per ecosystem. Each runs the matching reference + native scanner + adds to a shared finding set.
• PR review: one sub-agent per changed lockfile. Each applies workflows/lockfile_diff.md and reports deltas, then a root agent consolidates.
• Large finding queue: shard by ecosystem or by package-prefix for reachability analysis; each sub-agent handles ~50 findings with the same call graph.
• Supply chain triage at scale: one sub-agent per batch of ~10 new packages for metadata + tarball inspection.

Reasoning Budget

Task	Budget
SBOM generation	minimal — mechanical orchestration
Vuln correlation / dedup	minimal — unless scanners disagree on version ranges
License classification	low — policy lookup
Lockfile diff classification	medium — distinguish regression vs pre-existing
Reachability analysis	extended thinking — combines call graph + vuln metadata + taint + framework semantics
Malicious package triage	extended thinking — weighing many weak signals; high cost of FP/FN
Integrity hash mismatch (no version change)	extended thinking — possible registry compromise
License expression parsing (dual-license, SPDX exprs)	medium

Multimodal Hooks

• Dependency graph visualizations: syft dir:. -o cyclonedx-json | cyclonedx-cli graph produces a graph you can screenshot into a PR comment for humans.
• cargo tree -d, npm ls --all, mvn dependency:tree -Dverbose are better consumed as text — do not screenshot.
• For reachability results, CodeQL's query result JSON is preferred over SARIF HTML render.

Structured Output

All findings MUST conform to schemas/finding.json. Key fields:

• ecosystem, package_name, installed_version
• vulnerable_range, fixed_version
• cve, ghsa, osv_id
• is_transitive, dependency_path[]
• is_reachable (reachable / unreachable / unknown), reachability_evidence
• exploitability_notes
• license, license_risk
• malicious_indicators[], finding_type
• epss_score, kev

Priority rule (applies after correlation + reachability):

Reachable	KEV	EPSS	CVSS	Priority	SLA
yes	yes	any	any	P0	24h
yes	no	>=0.5	any	P1	7d
yes	no	any	>=7	P1	7d
yes	no	<0.5	<7	P2	30d
unknown	yes	any	any	P1	investigate first
unknown	no	any	>=9	P2	investigate first
no (unreachable)	any	any	any	P3	next dep-upgrade cycle

CI/CD Integration

Run at three gates:

• Pre-commit — lightweight ecosystem-native (npm audit --audit-level=high, pip-audit). Fast local feedback.
• PR — workflows/lockfile_diff.md as a required check. Block on new high/critical vulns; comment on license / supply-chain flags.
• Main / nightly — full workflows/sbom_generation.md → vuln_correlation.md → reachability_analysis.md. Publish SBOM as build artifact. Update Dependency-Track / CycloneDX server.

Use --exit-code 1 on the relevant scanner with --severity HIGH,CRITICAL (Trivy) or --fail-on high --only-fixed (Grype) to gate builds. Keep suppressions in tool-native config (.trivyignore, .snyk, deny.toml, suppressions.xml) with reason + expires fields — never suppress silently.

Remediation Strategy

Upgrade paths (see per-ecosystem reference for commands):

1. Patch-level bump if fix is in a patch release → low risk.
2. Minor bump if patch unavailable → test + ship.
3. Major bump or fork → extended thinking; coordinate with owning team.
4. Virtual patch / WAF rule if upgrade blocked → record in finding's exploitability_notes + set an expiry.
5. Accept risk → only for is_reachable: "unreachable" + kev: false + epss < 0.2; document + set review date.

Workflow Index

Workflow	Purpose
sbom_generation.md	Syft + CycloneDX + SPDX generation + validation
vuln_correlation.md	Grype + OSV + ecosystem-native merge + KEV/EPSS enrichment
license_audit.md	SBOM-driven license extraction + policy enforcement
lockfile_diff.md	PR-time delta review across lockfiles (frontier-model favored)
reachability_analysis.md	Call-graph-aware filtering — key workflow for triage
supply_chain_review.md	Typosquatting, dependency confusion, malicious-package detection

References Index

Reference	Content
npm_yarn_pnpm.md	Node.js ecosystem: manifests, scanners, install-script hardening
python_pip_poetry.md	Python: pip/poetry/pdm/uv + hashed lockfiles + sdist risks
maven_gradle.md	Java: Maven + Gradle + Log4Shell-class patterns
go_modules.md	Go: govulncheck (built-in reachability), MVS, binary scanning
cargo.md	Rust: cargo-audit + cargo-deny + geiger
ruby_gems.md	Ruby: bundler-audit + RubySec
php_composer.md	PHP: composer audit + FriendsOfPHP
sbom_formats.md	CycloneDX 1.6 vs SPDX 2.3 field-by-field
vuln_databases.md	NVD, OSV, GHSA, ecosystem DBs — coverage + gaps
malicious_package_indicators.md	Signal catalog + triage matrix
bounty_patterns_2024_2026.md	Post-2023 supply-chain bounty TTPs (Shai-Hulud 2.0 npm worm, tj-actions/changed-files compromise, CVE-2025-48384 git, transitive reachability)

Templates Index

Template	Purpose
sca_report.md	Final report format

Tools

Tool	Purpose	Install
syft	Multi-eco SBOM generator	brew install syft
grype	SBOM + dir vuln scanner	brew install grype
trivy	Multi-eco scanner (also containers/IaC)	brew install trivy
osv-scanner	OSV-backed multi-eco, call analysis	go install github.com/google/osv-scanner/cmd/osv-scanner@latest
govulncheck	Go official, reachability-aware	go install golang.org/x/vuln/cmd/govulncheck@latest
pip-audit	Python, PyPA official	pipx install pip-audit
cargo-audit	Rust, RustSec	cargo install cargo-audit
cargo-deny	Rust, unified advisories + licenses + sources	cargo install cargo-deny
cyclonedx-cli	SBOM convert / merge / validate	brew install cyclonedx-cli
snyk	Commercial, multi-eco	npm install -g snyk
socket	Supply chain risk scoring (npm/PyPI/Go/Rust)	npm install -g @socketsecurity/cli
OWASP Dependency-Check	Java-focused, NVD-backed	https://github.com/jeremylong/DependencyCheck
license-checker	npm license scan	npm install -g license-checker
pip-licenses	Python license scan	pipx install pip-licenses
go-licenses	Go license scan	go install github.com/google/go-licenses@latest

Last Validated

2026-04. Tool minimum versions per ecosystem are listed at the bottom of each references/*.md. Advisory DBs (OSV, GHSA) are rolling — re-check coverage notes in references/vuln_databases.md for NVD backlog status.