dependency-audit skill for GitHub Copilot
Here is the updated skill, re-architected to utilize a Fleet Mode subagent pattern for distributed manifest scanning, adding support for Rust/Cargo and Go, and strictly enforcing the Azure DevOps CFS proxy feed compliance.
name: dependency-audit
description: Orchestrate a fleet of subagents to concurrently scan repository dependencies across ecosystems (npm, pip, NuGet, Cargo, Go, Maven). Enforces Azure DevOps CFS proxy feed configurations and queries the OSV/CIRCL APIs for vulnerabilities. Use this when asked to audit a large enterprise repo, validate feed compliance, or check lockfiles for security issues.
Dependency Audit Skill
Identify and report vulnerabilities in a large repository using a distributed agent architecture. This skill utilizes Fleet Mode to concurrently process complex repository trees, enforces internal package management policies (Azure DevOps proxy feeds), and queries the OSV API and CVE-Search .
Process
1. Fleet Orchestration (Main Agent)
Instead of processing the repository sequentially, the primary agent operates in Fleet Mode:
- Scan the root directory and map all project boundaries (e.g., workspaces, submodules, microservices).
- Dispatch specialized Subagents to handle specific sub-directories or ecosystems concurrently.
2. Subagent Discovery & Parsing
Each subagent is responsible for locating dependency files and extracting exact resolved versions. Prioritize lockfiles over manifests.
- Node.js (npm/yarn):
package.json,package-lock.json,yarn.lock - Python (pip):
requirements.txt,Pipfile.lock,poetry.lock - .NET (NuGet):
*.csproj,packages.lock.json,nuget.config - Rust (Cargo):
Cargo.toml,Cargo.lock,.cargo/config.toml - Go:
go.mod,go.sum - Java (Maven/Gradle):
pom.xml,build.gradle - Infrastructure:
Dockerfile,docker-compose.yml
3. Feed Compliance Validation (Strict Policy)
Before auditing vulnerabilities, subagents must verify that the repository is configured to use internal Azure DevOps CFS package feeds. Direct external feeds are prohibited.
- Check
.npmrcforregistry=https://pkgs.dev.azure.com/... - Check
pip.ini/pip.confforindex-urlpointing to ADO. - Check
nuget.configfor internal<add key="..." value="https://pkgs.dev.azure.com/..." />. - Check
.cargo/config.tomlfor[source.crates-io] replace-with = "ado-feed". - Check
GOPROXYenvironment variables orgo.envfor the internal proxy.
If external registries (e.g., registry.npmjs.org, crates.io, pypi.org) are detected, flag as a Critical Compliance Violation and halt the audit for that specific package tree.
4. Execute Vulnerability API Calls
Once dependencies are extracted and feed compliance is verified, execute the queries.
A. Application Dependencies (OSV API)
web_fetch (POST): https://api.osv.dev/v1/query
Body: {
"version": "1.2.3",
"package": {
"name": "package-name",
"ecosystem": "npm|PyPI|NuGet|crates.io|Go|Maven"
}
}
B. Infrastructure & OS Components (CIRCL API)
web_fetch (GET): https://cve.circl.lu/api/search/{vendor}/{product}
5. Aggregate & Actionable Reporting
- Main agent collects findings from all subagents.
- Group by: Feed Violations (Priority 1) and CVE/GHSA Findings (Priority 2).
- Provide explicit, ecosystem-specific upgrade commands targeting the ADO feeds.
Ecosystem Reference Map
| Ecosystem | OSV Ecosystem | Lockfile | ADO Config File | Update Command |
|---|---|---|---|---|
| npm / Yarn | npm | package-lock.json | .npmrc | npm update <pkg> |
| Python / pip | PyPI | poetry.lock | pip.conf | pip install --upgrade <pkg> |
| .NET / NuGet | NuGet | packages.lock.json | nuget.config | dotnet add package <pkg> |
| Rust / Cargo | crates.io | Cargo.lock | .cargo/config.toml | cargo update -p <pkg> |
| Go | Go | go.sum | go.env / GOPROXY | go get <pkg>@<version> |
Example Workflows
“Audit the microservices monorepo for vulnerabilities”
- Main Agent detects three folders:
/auth-go,/payment-rust, and/web-react. - Main Agent deploys three Subagents.
- Rust Subagent:
- Scans
/payment-rust/.cargo/config.toml. Ensures it points topkgs.dev.azure.com/.../Cargo/. - Parses
Cargo.lockand queries OSV API (ecosystem: crates.io).
- Scans
- Go Subagent:
- Validates
GOPROXYis set to the internal ADO proxy. - Parses
go.sumand queries OSV API (ecosystem: Go).
- Validates
- Main Agent aggregates the results. “Go and Rust services are secure, but
/web-reactis attempting to pull directly from npmjs.org. Build failed due to Feed Compliance Violation.”
“Check our Rust backend for CVEs”
- Subagent reads
Cargo.tomlandCargo.lock. - Extracts packages (e.g.,
tokio==1.8.0,serde==1.0.130). web_fetchOSV API fortokioundercrates.ioecosystem.- Identifies an old advisory, recommends
cargo update -p tokioto pull the patched version from the Azure DevOps CFS proxy.