cve-scan

Solid

Scans deps for known CVEs via native audit (npm, pip, composer, cargo, go, bundler, dart). Triggers: CVE scan, vulnerability scan, npm audit, pip audit.

AI & Automation 155 stars 19 forks Updated 2 days ago MIT


Quality Score: 93/100

- Stars (20%): 73
- Recency (20%): 100
- Frontmatter (20%): 70
- Documentation (15%): 100
- Issue Health (10%): 80
- License (10%): 100
- Description (5%): 100

Skill Content

# /cve-scan - Dependency CVE Scanner

$ARGUMENTS

Detect project ecosystems and scan dependencies for known vulnerabilities using native audit tools. Zero external dependencies — uses tools already installed in the project environment.

## Usage

```
/cve-scan                    # Auto-detect all ecosystems, scan all
/cve-scan --ecosystem npm    # Force specific ecosystem
/cve-scan --fix              # Auto-fix where possible (npm audit fix, etc.)
/cve-scan --json             # Machine-readable JSON output
```

## What This Command Does

1. **Detect** package managers by lock/manifest files in the project
2. **Run** the native audit command for each detected ecosystem
3. **Parse** results into a unified severity-based report
4. **Report** CVE IDs, affected packages, installed vs fixed versions, advisory links
5. **Fix** automatically when `--fix` is passed (where the tool supports it)

## Ecosystem Detection & Commands

| Manifest File | Lock File | Ecosystem | Audit Command | CVE Database |
|---------------|-----------|-----------|---------------|--------------|
| `package.json` | `package-lock.json` / `yarn.lock` / `pnpm-lock.yaml` | npm/yarn/pnpm | `npm audit --json` / `yarn audit --json` / `pnpm audit --json` | GitHub Advisory DB |
| `requirements.txt` / `pyproject.toml` / `setup.py` | `requirements.txt` | pip | `pip-audit --format=json` | OSV / PyPI Advisory |
| `composer.json` | `composer.lock` | composer | `composer audit --format=json` | Packagist / Fr...

Details

Author
softspark
Repository
softspark/ai-toolkit
Created
2 months ago
Last Updated
2 days ago
Language
Python
License
MIT
