pastebin.richardson.dev

dependency-audit skill for GitHub Copilot

Posted Jul 12, 20265.5 KB • Markdown Print Raw

Here is the updated skill, re-architected to utilize a Fleet Mode subagent pattern for distributed manifest scanning, adding support for Rust/Cargo and Go, and strictly enforcing the Azure DevOps CFS proxy feed compliance.


name: dependency-audit
description: Orchestrate a fleet of subagents to concurrently scan repository dependencies across ecosystems (npm, pip, NuGet, Cargo, Go, Maven). Enforces Azure DevOps CFS proxy feed configurations and queries the OSV/CIRCL APIs for vulnerabilities. Use this when asked to audit a large enterprise repo, validate feed compliance, or check lockfiles for security issues.

Dependency Audit Skill

Identify and report vulnerabilities in a large repository using a distributed agent architecture. This skill utilizes Fleet Mode to concurrently process complex repository trees, enforces internal package management policies (Azure DevOps proxy feeds), and queries the OSV API and CVE-Search .

Process

1. Fleet Orchestration (Main Agent)

Instead of processing the repository sequentially, the primary agent operates in Fleet Mode:

  • Scan the root directory and map all project boundaries (e.g., workspaces, submodules, microservices).
  • Dispatch specialized Subagents to handle specific sub-directories or ecosystems concurrently.

2. Subagent Discovery & Parsing

Each subagent is responsible for locating dependency files and extracting exact resolved versions. Prioritize lockfiles over manifests.

  • Node.js (npm/yarn): package.json, package-lock.json, yarn.lock
  • Python (pip): requirements.txt, Pipfile.lock, poetry.lock
  • .NET (NuGet): *.csproj, packages.lock.json, nuget.config
  • Rust (Cargo): Cargo.toml, Cargo.lock, .cargo/config.toml
  • Go: go.mod, go.sum
  • Java (Maven/Gradle): pom.xml, build.gradle
  • Infrastructure: Dockerfile, docker-compose.yml

3. Feed Compliance Validation (Strict Policy)

Before auditing vulnerabilities, subagents must verify that the repository is configured to use internal Azure DevOps CFS package feeds. Direct external feeds are prohibited.

  • Check .npmrc for registry=https://pkgs.dev.azure.com/...
  • Check pip.ini / pip.conf for index-url pointing to ADO.
  • Check nuget.config for internal <add key="..." value="https://pkgs.dev.azure.com/..." />.
  • Check .cargo/config.toml for [source.crates-io] replace-with = "ado-feed".
  • Check GOPROXY environment variables or go.env for the internal proxy.

If external registries (e.g., registry.npmjs.org, crates.io, pypi.org) are detected, flag as a Critical Compliance Violation and halt the audit for that specific package tree.

4. Execute Vulnerability API Calls

Once dependencies are extracted and feed compliance is verified, execute the queries.

A. Application Dependencies (OSV API)

web_fetch (POST): https://api.osv.dev/v1/query
Body: {
  "version": "1.2.3",
  "package": {
    "name": "package-name",
    "ecosystem": "npm|PyPI|NuGet|crates.io|Go|Maven"
  }
}

B. Infrastructure & OS Components (CIRCL API)

web_fetch (GET): https://cve.circl.lu/api/search/{vendor}/{product}

5. Aggregate & Actionable Reporting

  • Main agent collects findings from all subagents.
  • Group by: Feed Violations (Priority 1) and CVE/GHSA Findings (Priority 2).
  • Provide explicit, ecosystem-specific upgrade commands targeting the ADO feeds.

Ecosystem Reference Map

EcosystemOSV EcosystemLockfileADO Config FileUpdate Command
npm / Yarnnpmpackage-lock.json.npmrcnpm update <pkg>
Python / pipPyPIpoetry.lockpip.confpip install --upgrade <pkg>
.NET / NuGetNuGetpackages.lock.jsonnuget.configdotnet add package <pkg>
Rust / Cargocrates.ioCargo.lock.cargo/config.tomlcargo update -p <pkg>
GoGogo.sumgo.env / GOPROXYgo get <pkg>@<version>

Example Workflows

“Audit the microservices monorepo for vulnerabilities”

  1. Main Agent detects three folders: /auth-go, /payment-rust, and /web-react.
  2. Main Agent deploys three Subagents.
  3. Rust Subagent:
    • Scans /payment-rust/.cargo/config.toml. Ensures it points to pkgs.dev.azure.com/.../Cargo/.
    • Parses Cargo.lock and queries OSV API (ecosystem: crates.io).
  4. Go Subagent:
    • Validates GOPROXY is set to the internal ADO proxy.
    • Parses go.sum and queries OSV API (ecosystem: Go).
  5. Main Agent aggregates the results. “Go and Rust services are secure, but /web-react is attempting to pull directly from npmjs.org. Build failed due to Feed Compliance Violation.”

“Check our Rust backend for CVEs”

  1. Subagent reads Cargo.toml and Cargo.lock.
  2. Extracts packages (e.g., tokio==1.8.0, serde==1.0.130).
  3. web_fetch OSV API for tokio under crates.io ecosystem.
  4. Identifies an old advisory, recommends cargo update -p tokio to pull the patched version from the Azure DevOps CFS proxy.