# dependency-scanner

Comprehensive dependency scanning, inventory generation, and SBOM creation for migration readiness assessment

stars: 384 | forks: 73 | updated: March 4, 2026

## SKILL.md frontmatter

```yaml
name: dependency-scanner
description: Comprehensive dependency scanning, inventory generation, and SBOM creation for migration readiness assessment
allowed-tools: Bash,Read,Write,Grep,Glob,Edit
```
# Dependency Scanner Skill

Performs comprehensive dependency scanning and inventory generation for codebases, supporting migration planning and security assessments through SBOM (Software Bill of Materials) generation.

## Purpose
Enable comprehensive dependency management for:
- Direct and transitive dependency extraction
- Dependency tree visualization
- Version conflict detection
- Circular dependency identification
- License extraction and compliance
- SBOM generation (CycloneDX, SPDX formats)
## Capabilities

### 1. Direct/Transitive Dependency Extraction
- Parse package manifests (package.json, pom.xml, requirements.txt, etc.)
- Resolve full dependency trees including transitive dependencies
- Identify version constraints and resolution results
- Track dependency sources and registries
### 2. Dependency Tree Visualization
- Generate hierarchical dependency graphs
- Export to DOT, JSON, or Mermaid formats
- Highlight problematic paths
- Calculate tree depth and breadth metrics
### 3. Version Conflict Detection
- Identify version conflicts in dependency trees
- Detect peer dependency violations
- Find incompatible version ranges
- Suggest resolution strategies
### 4. Circular Dependency Identification
- Detect circular dependency chains
- Map dependency cycles
- Assess impact of circular dependencies
- Recommend breaking strategies
### 5. License Extraction
- Extract license information from dependencies
- Identify license types (MIT, Apache, GPL, etc.)
- Flag copyleft licenses
- Track dual-licensed packages
### 6. SBOM Generation
- Generate CycloneDX format SBOMs
- Generate SPDX format SBOMs
- Include vulnerability references
- Support machine-readable and human-readable outputs
## Tool Integrations

This skill can leverage the following external tools when available:

| Tool | Purpose | Integration Method |
|---|---|---|
| npm/yarn/pnpm | Node.js dependencies | CLI |
| Maven | Java dependencies | CLI |
| Gradle | Java/Kotlin dependencies | CLI |
| pip/pipenv/poetry | Python dependencies | CLI |
| Bundler | Ruby dependencies | CLI |
| Cargo | Rust dependencies | CLI |
| Go Modules | Go dependencies | CLI |
| Snyk | Security scanning | CLI / API |
| OWASP Dependency-Check | Vulnerability scanning | CLI |
| Trivy | SBOM generation | MCP Server / CLI |
| Syft | SBOM generation | CLI |
## Usage

### Basic Scanning

```bash
# Invoke skill for dependency scanning
# The skill will auto-detect package managers and scan accordingly
# Expected inputs:
# - targetPath: Path to project root
# - scanDepth: 'direct' | 'transitive' | 'full'
# - outputFormat: 'json' | 'tree' | 'sbom-cyclonedx' | 'sbom-spdx'
# - includeLicenses: boolean
```
### Scanning Workflow

1. Detection Phase
   - Identify package managers in use
   - Locate manifest files
   - Check for lock files
2. Extraction Phase
   - Parse manifest files
   - Resolve dependency trees
   - Extract version information
3. Analysis Phase
   - Detect conflicts
   - Identify circular dependencies
   - Extract licenses
4. Output Generation
   - Generate inventory reports
   - Create SBOMs if requested
   - Produce visualization artifacts
## Output Schema

```json
{
  "scanId": "string",
  "timestamp": "ISO8601",
  "target": {
    "path": "string",
    "packageManagers": ["string"],
    "manifestFiles": ["string"]
  },
  "summary": {
    "totalDependencies": "number",
    "directDependencies": "number",
    "transitiveDependencies": "number",
    "uniquePackages": "number",
    "treeDepth": "number"
  },
  "dependencies": [
    {
      "name": "string",
      "version": "string",
      "type": "direct|transitive",
      "parent": "string|null",
      "license": "string",
      "repository": "string",
      "depth": "number"
    }
  ],
  "conflicts": [
    {
      "package": "string",
      "versions": ["string"],
      "sources": ["string"],
      "recommendation": "string"
    }
  ],
  "circularDependencies": [
    {
      "chain": ["string"],
      "severity": "high|medium|low"
    }
  ],
  "licenses": {
    "summary": {
      "MIT": "number",
      "Apache-2.0": "number",
      "GPL-3.0": "number"
    },
    "copyleft": ["string"],
    "unknown": ["string"]
  },
  "sbom": {
    "format": "cyclonedx|spdx",
    "version": "string",
    "path": "string"
  }
}
```
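The analysis phase behind capabilities 1, 3 and 4 (direct/transitive classification, version conflicts, circular chains) is easiest to see on a small resolved graph. The following is an added example, not the skill's own code: it assumes the extraction phase has already turned a lock file into a graph keyed by `name@version`, and the `SAMPLE_GRAPH` below is constructed for illustration rather than taken from a real project. Its row and summary field names follow the output schema above; the cycle `severity` and the conflict `recommendation` wording are left to policy, so the recommendation string here is only a placeholder heuristic.

```python
from collections import deque

# Constructed sample: a resolved graph as it might come out of a lockfile.
# Key "name@version" -> list of resolved "name@version" dependencies.
SAMPLE_GRAPH = {
    "app@1.0.0": ["web@2.1.0", "log@1.4.0", "util@3.0.0"],
    "web@2.1.0": ["util@2.9.0", "auth@1.2.0"],   # pulls a second util version
    "log@1.4.0": ["util@3.0.0"],
    "util@3.0.0": [],
    "util@2.9.0": [],
    "auth@1.2.0": ["session@0.8.0"],
    "session@0.8.0": ["auth@1.2.0"],             # auth -> session -> auth cycle
}


def split_ref(ref):
    """Split "name@version"; rpartition keeps scoped names such as @scope/pkg intact."""
    name, _, version = ref.rpartition("@")
    return name, version


def _version_key(version):
    """Sort key so 10.0.0 orders after 9.0.0; non-numeric parts sort after numeric ones."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def inventory(graph, root):
    """BFS from root: depth is the shortest path, parent the first requirer.
    Depth 1 is a direct dependency, anything deeper is transitive."""
    seen = {root: (0, None)}
    queue = deque([root])
    while queue:
        current = queue.popleft()
        depth, _ = seen[current]
        for dep in graph.get(current, []):
            if dep not in seen:
                seen[dep] = (depth + 1, current)
                queue.append(dep)
    rows = []
    for ref, (depth, parent) in seen.items():
        if ref == root:
            continue
        name, version = split_ref(ref)
        rows.append({"name": name, "version": version, "depth": depth,
                     "type": "direct" if depth == 1 else "transitive",
                     "parent": parent})
    return rows


def summarize(graph, root):
    """Counts matching the "summary" block of the output schema."""
    rows = inventory(graph, root)
    direct = sum(1 for r in rows if r["type"] == "direct")
    return {"totalDependencies": len(rows), "directDependencies": direct,
            "transitiveDependencies": len(rows) - direct,
            "uniquePackages": len({r["name"] for r in rows}),
            "treeDepth": max((r["depth"] for r in rows), default=0)}


def find_conflicts(graph, root):
    """Packages reachable from root that resolve to more than one version.
    "sources" records who requires each version so the conflict is traceable."""
    reachable = {root} | {f'{r["name"]}@{r["version"]}' for r in inventory(graph, root)}
    requirers = {}  # (name, version) -> set of requiring refs
    for ref in reachable:
        for dep in graph.get(ref, []):
            requirers.setdefault(split_ref(dep), set()).add(ref)
    by_name = {}
    for name, version in requirers:
        by_name.setdefault(name, set()).add(version)
    conflicts = []
    for name, versions in sorted(by_name.items()):
        if len(versions) < 2:
            continue
        ordered = sorted(versions, key=_version_key)
        conflicts.append({
            "package": name, "versions": ordered,
            "sources": sorted(f"{req} requires {name}@{v}"
                              for v in ordered for req in requirers[(name, v)]),
            # placeholder heuristic; real advice depends on the ecosystem
            "recommendation": f"align requirers on {name}@{ordered[-1]} or add an override",
        })
    return conflicts


def find_cycles(graph):
    """DFS with grey/black colouring: a back edge to a grey node closes a cycle,
    reported as a chain that starts and ends on the same ref."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour, stack, cycles = {}, [], []

    def visit(ref):
        colour[ref] = GREY
        stack.append(ref)
        for dep in graph.get(ref, []):
            state = colour.get(dep, WHITE)
            if state == GREY:
                cycles.append(stack[stack.index(dep):] + [dep])
            elif state == WHITE:
                visit(dep)
        stack.pop()
        colour[ref] = BLACK

    for ref in graph:
        if colour.get(ref, WHITE) == WHITE:
            visit(ref)
    return cycles


if __name__ == "__main__":
    import json
    print(json.dumps({"summary": summarize(SAMPLE_GRAPH, "app@1.0.0"),
                      "conflicts": find_conflicts(SAMPLE_GRAPH, "app@1.0.0"),
                      "circularDependencies": find_cycles(SAMPLE_GRAPH)}, indent=2))
```

On the sample the walk finds three direct and three transitive dependencies at a tree depth of 3, reports `util` as resolving to both 2.9.0 and 3.0.0 (required by `web` and by `app`/`log` respectively), and returns the `auth -> session -> auth` chain. Running it against a real project only requires replacing `SAMPLE_GRAPH` with the graph the extraction phase produces.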
## Integration with Migration Processes

This skill integrates with the following Code Migration/Modernization processes:

- dependency-analysis-updates: Primary tool for dependency assessment
- legacy-codebase-assessment: Dependency inventory for legacy systems
- framework-upgrade: Compatibility analysis for upgrades
- cloud-migration: Dependency portability assessment
## Configuration

### Skill Configuration File

Create `.dependency-scanner.json` in the project root:

```json
{
  "packageManagers": ["auto"],
  "excludePaths": ["node_modules", ".git"],
  "scanDepth": "full",
  "includeDev": true,
  "includeOptional": false,
  "licensePolicy": {
    "allowed": ["MIT", "Apache-2.0", "BSD-3-Clause", "ISC"],
    "flagged": ["GPL-3.0", "AGPL-3.0"],
    "blocked": []
  },
  "sbomConfig": {
    "format": "cyclonedx",
    "version": "1.5",
    "includeVulnerabilities": true
  }
}
```
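To show what the `sbomConfig` and `licensePolicy` blocks above drive, here is an added example (not the skill's or any SBOM tool's own code) that turns a scanned inventory into a CycloneDX 1.5 JSON document and then applies the license policy to it. `SAMPLE_INVENTORY` is constructed; the `purl`, `to_cyclonedx` and `evaluate_licenses` names and the `ecosystem`/`dependsOn` fields are this example's own assumptions. The policy's `flagged` list is reported under `copyleft` to match the output schema, and `includeVulnerabilities` is not handled here because it needs a vulnerability source.

```python
import json
import uuid
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed inventory in the shape the extraction phase might produce
# (not a real project). "dependsOn" holds "name@version" refs.
SAMPLE_INVENTORY = [
    {"name": "web", "version": "2.1.0", "ecosystem": "npm", "license": "MIT",
     "type": "direct", "dependsOn": ["@scope/log@1.4.0", "copyleft-lib@0.3.1"]},
    {"name": "@scope/log", "version": "1.4.0", "ecosystem": "npm", "license": "Apache-2.0",
     "type": "transitive", "dependsOn": []},
    {"name": "copyleft-lib", "version": "0.3.1", "ecosystem": "npm", "license": "GPL-3.0",
     "type": "transitive", "dependsOn": ["mystery@9.9.9"]},
    {"name": "mystery", "version": "9.9.9", "ecosystem": "npm", "license": None,
     "type": "transitive", "dependsOn": []},
]

# The licensePolicy block from .dependency-scanner.json.
LICENSE_POLICY = {
    "allowed": ["MIT", "Apache-2.0", "BSD-3-Clause", "ISC"],
    "flagged": ["GPL-3.0", "AGPL-3.0"],
    "blocked": [],
}


def purl(ecosystem, name, version):
    """Package URL; quote() encodes the "@" of an npm scope as %40 as the purl spec requires."""
    return f"pkg:{ecosystem}/{quote(name, safe='/')}@{version}"


def to_cyclonedx(inventory, app_name, app_version):
    """CycloneDX 1.5 JSON: components carry purl and license id, the dependencies
    section carries the resolved graph keyed by bom-ref (here the purl)."""
    ref_of = {f'{c["name"]}@{c["version"]}': purl(c["ecosystem"], c["name"], c["version"])
              for c in inventory}
    app_ref = f"pkg:generic/{app_name}@{app_version}"
    components, dependencies, direct = [], [], []
    for c in inventory:
        ref = ref_of[f'{c["name"]}@{c["version"]}']
        comp = {"type": "library", "bom-ref": ref, "name": c["name"],
                "version": c["version"], "purl": ref}
        if c["license"]:  # an unknown license is simply omitted, not guessed
            comp["licenses"] = [{"license": {"id": c["license"]}}]
        components.append(comp)
        dependencies.append({"ref": ref, "dependsOn": [ref_of[d] for d in c["dependsOn"]]})
        if c["type"] == "direct":
            direct.append(ref)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "application", "bom-ref": app_ref,
                          "name": app_name, "version": app_version},
        },
        "components": components,
        "dependencies": [{"ref": app_ref, "dependsOn": direct}] + dependencies,
    }


def evaluate_licenses(bom, policy):
    """Apply the license policy to every component of the BOM. Components without
    a license id go to "unknown"; a known id matching no policy list goes to
    "unlisted" so it gets reviewed rather than silently passing."""
    summary, copyleft, blocked, unknown, unlisted = {}, [], [], [], []
    for comp in bom["components"]:
        licenses = comp.get("licenses", [])
        lic = licenses[0]["license"].get("id") if licenses else None
        if lic is None:
            unknown.append(comp["purl"])
            continue
        summary[lic] = summary.get(lic, 0) + 1
        if lic in policy["blocked"]:
            blocked.append(comp["purl"])
        elif lic in policy["flagged"]:
            copyleft.append(comp["purl"])
        elif lic not in policy["allowed"]:
            unlisted.append(comp["purl"])
    return {"summary": summary, "copyleft": copyleft, "blocked": blocked,
            "unknown": unknown, "unlisted": unlisted}


if __name__ == "__main__":
    bom = to_cyclonedx(SAMPLE_INVENTORY, "app", "1.0.0")
    print(json.dumps(bom, indent=2))
    print(json.dumps(evaluate_licenses(bom, LICENSE_POLICY), indent=2))
```

Writing the BOM out with `json.dump` gives the `sbom.path` artifact of the output schema; the evaluation result maps onto its `licenses` block, with the copyleft `GPL-3.0` component and the unlicensed one surfaced separately so a migration review can act on each.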
## MCP Server Integration

When the Trivy SBOM Generator MCP Server is available, an example MCP tool invocation is:

```json
{
  "tool": "trivy_generate_sbom",
  "arguments": {
    "target": "./",
    "format": "cyclonedx",
    "output": "./sbom.json"
  }
}
```

When the GitHub Dependabot MCP Server is available, an example dependency update check is:

```json
{
  "tool": "dependabot_check_updates",
  "arguments": {
    "repo": "owner/repo",
    "ecosystem": "npm"
  }
}
```
## Package Manager Support

### Node.js (npm/yarn/pnpm)

```bash
# Auto-detected files:
# - package.json
# - package-lock.json
# - yarn.lock
# - pnpm-lock.yaml
```

### Java (Maven/Gradle)

```bash
# Auto-detected files:
# - pom.xml
# - build.gradle
# - build.gradle.kts
```

### Python (pip/pipenv/poetry)

```bash
# Auto-detected files:
# - requirements.txt
# - Pipfile
# - pyproject.toml
# - setup.py
```

### Ruby (Bundler)

```bash
# Auto-detected files:
# - Gemfile
# - Gemfile.lock
```

### Go (Modules)

```bash
# Auto-detected files:
# - go.mod
# - go.sum
```

### Rust (Cargo)

```bash
# Auto-detected files:
# - Cargo.toml
# - Cargo.lock
```
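The detection phase of the workflow (identify package managers, locate manifests, check for lock files) can be implemented directly from the file lists above. The following is an added example, not the skill's own code: `ECOSYSTEMS` reproduces the auto-detected files per ecosystem, with `Pipfile.lock` and `poetry.lock` added as the lock files that pair with `Pipfile` and `pyproject.toml` (an addition beyond the list above), `DEFAULT_EXCLUDES` mirrors the `excludePaths` config key, and `build_sample_tree` builds a constructed project layout so the example runs offline. A manifest directory with no lock file is reported under `missingLock`, since the lock file is what makes a scan reproducible.

```python
import os
import tempfile

# ecosystem -> (manifest file names, lock file names), from the lists above;
# Pipfile.lock and poetry.lock are this example's addition (assumption).
ECOSYSTEMS = {
    "npm": ({"package.json"}, {"package-lock.json", "yarn.lock", "pnpm-lock.yaml"}),
    "maven/gradle": ({"pom.xml", "build.gradle", "build.gradle.kts"}, set()),
    "python": ({"requirements.txt", "Pipfile", "pyproject.toml", "setup.py"},
               {"Pipfile.lock", "poetry.lock"}),
    "bundler": ({"Gemfile"}, {"Gemfile.lock"}),
    "go": ({"go.mod"}, {"go.sum"}),
    "cargo": ({"Cargo.toml"}, {"Cargo.lock"}),
}
DEFAULT_EXCLUDES = ("node_modules", ".git")  # the excludePaths config default


def detect(root, exclude=DEFAULT_EXCLUDES):
    """Walk root, prune excluded directories, and report per ecosystem which
    manifests and lock files exist. missingLock lists directories that hold a
    manifest for an ecosystem that has lock files but none is present."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in exclude]  # prune in place
        rel = os.path.relpath(dirpath, root)
        rel = "" if rel == "." else rel
        names = set(filenames)
        for eco, (manifests, locks) in ECOSYSTEMS.items():
            hit_m, hit_l = sorted(names & manifests), sorted(names & locks)
            if not hit_m and not hit_l:
                continue
            entry = found.setdefault(eco, {"manifests": [], "lockFiles": [], "missingLock": []})
            entry["manifests"] += [os.path.join(rel, f) for f in hit_m]
            entry["lockFiles"] += [os.path.join(rel, f) for f in hit_l]
            if hit_m and locks and not hit_l:
                entry["missingLock"].append(rel or ".")
    return found


def build_sample_tree():
    """Constructed project layout for a self-contained run (not a real repository)."""
    root = tempfile.mkdtemp(prefix="depscan-")
    layout = {
        "package.json": "{}",                          # npm manifest, no lock file
        "go.mod": "module example\n",
        "go.sum": "",
        "services/api/pyproject.toml": "[project]\nname = 'api'\n",
        "services/api/poetry.lock": "",
        "node_modules/left-pad/package.json": "{}",   # must be pruned by excludePaths
    }
    for path, body in layout.items():
        full = os.path.join(root, path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    import json
    print(json.dumps(detect(build_sample_tree()), indent=2))
```

On the sample tree the walk reports `npm` (with the top-level directory flagged as missing a lock file), `go` and `python`, and never sees the vendored `package.json` under `node_modules`. The pruning is done by editing `dirnames` in place, which is what makes `os.walk` skip a directory rather than merely filtering its results afterwards.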
## Best Practices

- Lock File Usage: Always include lock files for reproducible scans
- Regular Scanning: Integrate into CI/CD for continuous monitoring
- SBOM Storage: Store SBOMs alongside releases for compliance
- License Reviews: Review license changes in dependency updates
- Conflict Resolution: Address version conflicts before migration
## Related Skills

- `vulnerability-scanner`: Security scanning of dependencies
- `license-compliance-checker`: Detailed license analysis
- `dependency-updater`: Automated dependency updates

## Related Agents

- `dependency-modernization-agent`: Uses this skill for dependency management
- `migration-readiness-assessor`: Uses this skill for readiness evaluation
- `security-vulnerability-assessor`: Uses this skill for dependency security