sca-blackduck

Solid

Software Composition Analysis (SCA) using Synopsys Black Duck for identifying open source vulnerabilities, license compliance risks, and supply chain security threats with CVE, CWE, and OWASP framework mapping. Use when: (1) Scanning dependencies for known vulnerabilities and security risks, (2) Analyzing open source license compliance and legal risks, (3) Identifying outdated or unmaintained dependencies, (4) Integrating SCA into CI/CD pipelines for continuous dependency monitoring, (5) Providing remediation guidance for vulnerable dependencies with CVE and CWE mappings, (6) Assessing supply chain security risks and third-party component threats.

AI & Automation 335 stars 29 forks Updated today


Quality Score: 85/100

Stars (weight 20%): 84
Recency (weight 20%): 100
Frontmatter (weight 20%): 70
Documentation (weight 15%): 100
Issue Health (weight 10%): 80
License (weight 10%): 0
Description (weight 5%): 100

Skill Content

# Software Composition Analysis with Black Duck

## Overview

Perform comprehensive Software Composition Analysis (SCA) using Synopsys Black Duck to identify security vulnerabilities, license compliance risks, and supply chain threats in open source dependencies. This skill provides automated dependency scanning, vulnerability detection with CVE mapping, license risk analysis, and remediation guidance aligned with OWASP and NIST standards.

## Quick Start

Scan a project for dependency vulnerabilities:

```bash
# Using Black Duck Detect (recommended)
bash <(curl -s -L https://detect.synopsys.com/detect.sh) \
  --blackduck.url=$BLACKDUCK_URL \
  --blackduck.api.token=$BLACKDUCK_TOKEN \
  --detect.project.name="MyProject" \
  --detect.project.version.name="1.0.0"
```

Scan with policy violation enforcement:

```bash
# Fail build on policy violations
bash <(curl -s -L https://detect.synopsys.com/detect.sh) \
  --blackduck.url=$BLACKDUCK_URL \
  --blackduck.api.token=$BLACKDUCK_TOKEN \
  --detect.policy.check.fail.on.severities=BLOCKER,CRITICAL
```

## Core Workflows

### Workflow 1: Initial Dependency Security Assessment

Progress:

[ ] 1. Identify package managers and dependency manifests in codebase
[ ] 2. Run `scripts/blackduck_scan.py` with project detection
[ ] 3. Analyze vulnerability findings categorized by severity (CRITICAL, HIGH, MEDIUM, LOW)
[ ] 4. Map CVE findings to CWE and OWASP Top 10 categories
[ ] 5. Review license compliance risks and policy violations
[ ] 6. Ge...

Details

Author: aiskillstore
Repository: aiskillstore/marketplace
Created: 5 months ago
Last Updated: today
Language: Python
License: None

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Solid

dependency-scanner

Software Composition Analysis (SCA) and dependency vulnerability scanning. Scan npm, pip, maven, gradle dependencies. Check CVE databases, generate SBOM (CycloneDX, SPDX), identify license compliance issues, and track EPSS scores for prioritization.

1,160 Updated today
a5c-ai
AI & Automation Featured

performing-sca-dependency-scanning-with-snyk

This skill covers implementing Software Composition Analysis (SCA) using Snyk to detect vulnerable open-source dependencies in CI/CD pipelines. It addresses scanning package manifests and lockfiles, automated fix pull request generation, license compliance checking, continuous monitoring of deployed applications, and integration with GitHub, GitLab, and Jenkins pipelines.

13,115 Updated today
mukul975
AI & Automation Solid

security-scanning-security-dependencies

You are a security expert specializing in dependency vulnerability analysis, SBOM generation, and supply chain security. Scan project dependencies across multiple ecosystems to identify vulnerabilities, assess risks, and provide automated remediation strategies.

39,350 Updated today
sickn33
DevOps & Infrastructure Listed

security-scanning-security-dependencies

You are a security expert specializing in dependency vulnerability analysis, SBOM generation, and supply chain security. Scan project dependencies across ecosystems to identify vulnerabilities, assess risks, and recommend remediation.

335 Updated today
aiskillstore
DevOps & Infrastructure Listed

security-analyzer

Comprehensive security vulnerability analysis for codebases and infrastructure. Scans dependencies (npm, pip, gem, go, cargo), containers (Docker, Kubernetes), cloud IaC (Terraform, CloudFormation), and detects secrets exposure. Fetches live CVE data from OSV.dev, calculates risk scores, and generates phased remediation plans with TDD validation tests. Use when users mention security scan, vulnerability, CVE, exploit, security audit, penetration test, OWASP, hardening, dependency audit, container security, or want to improve security posture.

335 Updated today
aiskillstore