Security Auditor Skill
Run structured security audits with actionable remediation plans.
Trigger Phrases
- "npm audit"
- "security vulnerability"
- "dependency vulnerability"
- "CVE"
- "security check"
- "audit dependencies"
- "check vulnerabilities"
Description
This skill performs comprehensive security audits on npm projects, parsing vulnerability data and generating actionable remediation plans with prioritized fixes.
Capabilities
- Execute `npm audit --json` and parse the structured output
- Classify vulnerabilities by severity (critical, high, medium, low)
- Extract CVE identifiers, affected versions, and fix versions
- Distinguish direct vs transitive dependencies
- Generate markdown reports with remediation commands
- Support risk acceptance via `security-exceptions.json`
- Provide CI-friendly exit codes
Usage
Basic Audit
npx tsx scripts/index.ts
JSON Output
npx tsx scripts/index.ts --json
Fail on High+ Severity (for CI)
npx tsx scripts/index.ts --fail-on high
Fail on Critical Only
npx tsx scripts/index.ts --fail-on critical
Risk Acceptance
Create a `security-exceptions.json` file in your project root to accept known risks. Each entry names the advisory by its GHSA identifier, records who approved the acceptance and why, and carries an expiry date so the decision is revisited rather than forgotten:
{
  "exceptions": [
    {
      "id": "GHSA-xxxx-xxxx-xxxx",
      "reason": "Not exploitable in our usage context",
      "expires": "2025-06-01",
      "approvedBy": "security-team"
    }
  ]
}
Exit Codes
- `0` - No vulnerabilities above threshold
- `1` - Vulnerabilities found above threshold (with `--fail-on`)
- `2` - Error running audit
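The capabilities, the exception file and the exit codes above fit together as follows. The block below is an added example, not the skill's own `scripts/index.ts`: it parses a report in the shape `npm audit --json` emits (auditReportVersion 2, npm 7 and later; npm calls the middle level "moderate", which the report maps to "medium"), applies `security-exceptions.json` with its `expires` date enforced, follows transitive `via` chains so a package flagged only through another vulnerable package can still be matched against an exception, and maps the result to exit codes 0 and 1 (2 is left to the caller that runs npm). The sample report, its package names and its GHSA identifiers are constructed for the example.

```typescript
// Added example (not the skill's own scripts/index.ts): parse an
// `npm audit --json` report, apply security-exceptions.json, compute exit code.
// Field names follow npm's auditReportVersion 2 format; sample data is constructed.

type NpmSeverity = "info" | "low" | "moderate" | "high" | "critical";
type Severity = "info" | "low" | "medium" | "high" | "critical";

// Only the report fields this example reads.
interface AuditVia { name?: string; title?: string; url?: string; severity?: NpmSeverity; range?: string }
interface AuditEntry {
  name: string;
  severity: NpmSeverity;
  isDirect: boolean;
  via: (AuditVia | string)[]; // a string names another vulnerable package
  range: string;
  fixAvailable: boolean | { name: string; version: string; isSemVerMajor: boolean };
}
interface AuditReport { auditReportVersion: number; vulnerabilities: Record<string, AuditEntry> }
interface RiskException { id: string; reason: string; expires: string; approvedBy: string }

interface Finding {
  pkg: string;
  severity: Severity;
  direct: boolean;
  advisories: string[];  // GHSA ids, including those inherited through `via` chains
  range: string;
  remediation: string;
  suppressed: boolean;   // every advisory is covered by an unexpired exception
}

const RANK: Record<Severity, number> = { info: 0, low: 1, medium: 2, high: 3, critical: 4 };

// npm reports "moderate"; the skill's report calls that level "medium".
function mapSeverity(s: NpmSeverity): Severity {
  return s === "moderate" ? "medium" : s;
}

// Advisory id from the GitHub advisory URL npm puts in each object `via` entry.
function advisoryId(url: string | undefined): string | undefined {
  return url?.match(/GHSA(?:-[0-9a-z]{4}){3}/i)?.[0];
}

// Follow string `via` references so a package flagged only through another
// vulnerable package inherits that package's advisory ids (cycle-safe).
function collectAdvisories(name: string, report: AuditReport, seen = new Set<string>()): string[] {
  if (seen.has(name)) return [];
  seen.add(name);
  const ids: string[] = [];
  for (const v of report.vulnerabilities[name]?.via ?? []) {
    if (typeof v === "string") ids.push(...collectAdvisories(v, report, seen));
    else { const id = advisoryId(v.url); if (id) ids.push(id); }
  }
  return ids.filter((id, i) => ids.indexOf(id) === i);
}

// An exception is active through the end (UTC) of its `expires` day.
// An unparsable date never suppresses anything, so a typo cannot hide a finding.
function exceptionIsActive(e: RiskException, now: Date): boolean {
  const exp = Date.parse(e.expires);
  return !Number.isNaN(exp) && now.getTime() < exp + 86400000;
}

function remediation(e: AuditEntry): string {
  if (e.fixAvailable === true) return "npm audit fix";
  if (e.fixAvailable === false) return "no fix available; replace the package or record an exception";
  const f = e.fixAvailable;
  return `npm install ${f.name}@${f.version}` + (f.isSemVerMajor ? " (semver-major: review breaking changes)" : "");
}

function parseAudit(report: AuditReport, exceptions: RiskException[], now = new Date()): Finding[] {
  if (report.auditReportVersion !== 2) throw new Error(`unsupported auditReportVersion ${report.auditReportVersion}`);
  const active = new Set(exceptions.filter(e => exceptionIsActive(e, now)).map(e => e.id.toLowerCase()));
  return Object.keys(report.vulnerabilities)
    .map(k => report.vulnerabilities[k])
    .map(entry => {
      const advisories = collectAdvisories(entry.name, report);
      return {
        pkg: entry.name, severity: mapSeverity(entry.severity), direct: entry.isDirect, advisories,
        range: entry.range, remediation: remediation(entry),
        suppressed: advisories.length > 0 && advisories.every(id => active.has(id.toLowerCase())),
      };
    })
    .sort((a, b) => RANK[b.severity] - RANK[a.severity]);
}

// Exit code 0/1 as documented; 2 (audit failed to run) is raised by the caller
// when `npm audit --json` itself fails or the report cannot be parsed.
function exitCode(findings: Finding[], failOn?: Severity): number {
  if (!failOn) return 0;
  return findings.some(f => !f.suppressed && RANK[f.severity] >= RANK[failOn]) ? 1 : 0;
}

// Constructed sample in npm's report shape; packages and GHSA ids are made up.
const SAMPLE_REPORT: AuditReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "arg-parser": {
      name: "arg-parser", severity: "critical", isDirect: false, range: "<1.2.6",
      via: [{ name: "arg-parser", title: "Prototype pollution", severity: "critical", range: "<1.2.6",
              url: "https://github.com/advisories/GHSA-aaaa-bbbb-cccc" }],
      fixAvailable: { name: "build-tool", version: "2.0.0", isSemVerMajor: true },
    },
    "build-tool": { // direct dependency, vulnerable only because it depends on arg-parser
      name: "build-tool", severity: "critical", isDirect: true, range: "<=1.4.0",
      via: ["arg-parser"], fixAvailable: { name: "build-tool", version: "2.0.0", isSemVerMajor: true },
    },
    "web-framework": {
      name: "web-framework", severity: "moderate", isDirect: true, range: "<4.18.2",
      via: [{ name: "web-framework", title: "ReDoS in header parsing", severity: "moderate", range: "<4.18.2",
              url: "https://github.com/advisories/GHSA-dddd-eeee-ffff" }],
      fixAvailable: true,
    },
  },
};
const SAMPLE_EXCEPTIONS: RiskException[] = [
  { id: "GHSA-dddd-eeee-ffff", reason: "Header is never user-controlled here", expires: "2025-06-01", approvedBy: "security-team" },
];

const findings = parseAudit(SAMPLE_REPORT, SAMPLE_EXCEPTIONS, new Date("2025-01-15T00:00:00Z"));
for (const f of findings) {
  console.log(`${f.severity} ${f.pkg} (${f.direct ? "direct" : "transitive"})${f.suppressed ? " [accepted]" : ""} -> ${f.remediation}`);
}
console.log("exit code with --fail-on high:", exitCode(findings, "high")); // 1: build-tool is critical
```

Two design points worth keeping in a real implementation: a package is suppressed only when every advisory behind it is excepted, so a partial exception still fails the build; and an exception whose `expires` date has passed or does not parse is treated as absent, which is the safe failure mode for a file that is meant to be reviewed periodically.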
Requirements
- Node.js and npm installed
- Valid `package.json` in target directory
- `package-lock.json` in target directory (npm 7 and later refuse to audit without a lockfile; generate one with `npm install --package-lock-only`)