dependency-audit
Install: claude install-skill backspace-shmackspace/claude-devkit
# /dependency-audit Workflow
## Role
This skill is a **pipeline coordinator**. It orchestrates a sequential supply chain security workflow by delegating scanner invocation and synthesis to appropriate tools. It does NOT perform LLM-based CVE lookup — it coordinates real CLI scanners that use live vulnerability databases, then synthesizes their output. The LLM's training data has a knowledge cutoff and cannot reliably detect post-cutoff CVEs.
## Inputs
- Package manifest path or scope: $ARGUMENTS (optional — auto-detected if omitted)
- Supported: `package.json`, `requirements.txt`, `pyproject.toml`, `Pipfile`, `go.mod`, `Cargo.toml`, `pom.xml`, `Gemfile`
## Step 0 — Pre-flight: detect manifest and scanner availability
Tool: `Bash` (invoked directly by the coordinator), `Glob`
**Detect manifest type** by searching for known manifest files:
Tool: `Glob`
Search patterns (in order):
- `**/package.json` → ecosystem: Node.js, scanner: `npm audit`
- `**/requirements.txt` or `**/pyproject.toml` or `**/Pipfile` → ecosystem: Python, scanners: `pip-audit` or `safety`
- `**/go.mod` → ecosystem: Go, scanner: `govulncheck`
- `**/Cargo.toml` → ecosystem: Rust, scanner: `cargo audit`
- `**/pom.xml` → ecosystem: Java, scanner: `mvn dependency:analyze`
- `**/Gemfile` → ecosystem: Ruby, scanner: `bundle audit`
If $ARGUMENTS specifies a manifest path, use that directly. Otherwise, use the first manifest found.
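As an added example that is not the skill's own code, the manifest detection order and scanner mapping above, plus the availability check this step goes on to describe, written as POSIX sh functions; `command -v` stands in for `which`, and the function names are assumptions of this example:

```sh
#!/usr/bin/env sh
# Added example, not part of the skill. Maps a manifest to its ecosystem and
# scanner, finds the first manifest in the documented order, and checks that
# the scanner binary is on PATH before the coordinator tries to run it.

# scanner_for_manifest <path> -> prints "<ecosystem>|<scanner command>", or returns 1
scanner_for_manifest() {
  case "$(basename "$1")" in
    package.json)                             echo "Node.js|npm audit" ;;
    requirements.txt|pyproject.toml|Pipfile)  echo "Python|pip-audit" ;;
    go.mod)                                   echo "Go|govulncheck" ;;
    Cargo.toml)                               echo "Rust|cargo audit" ;;
    pom.xml)                                  echo "Java|mvn dependency:analyze" ;;
    Gemfile)                                  echo "Ruby|bundle audit" ;;
    *)                                        return 1 ;;
  esac
}

# detect_first_manifest <dir> -> path of the first manifest found, searching
# the manifest names in the same order the skill lists them; returns 1 if none.
detect_first_manifest() {
  for name in package.json requirements.txt pyproject.toml Pipfile go.mod Cargo.toml pom.xml Gemfile; do
    found=$(find "$1" -name "$name" -type f 2>/dev/null | head -n 1)
    if [ -n "$found" ]; then
      echo "$found"
      return 0
    fi
  done
  return 1
}

# scanner_available <scanner command> -> 0 if the command's first word is on PATH
# (e.g. "npm" for "npm audit"), 1 otherwise; portable equivalent of `which`.
scanner_available() {
  command -v "${1%% *}" >/dev/null 2>&1
}
```

A manifest whose scanner is missing should be reported as "scanner unavailable" rather than silently skipped, so the final report never implies a clean result for an ecosystem that was not actually scanned.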
**Check scanner availability** via `which`:
Tool: `Bash`
```bash
TIMESTAMP=$(da