How DevSecOps scans and classifies vulnerabilities — dependency audit, code scan, severity classification. Maps to sec_dependency_audit and sec_code_scan group calls.
Vulnerabilities exist in code, dependencies, configuration, and infrastructure. Your job is to FIND them, CLASSIFY them, and REPORT them — not fix them. Fixes are separate tasks.
Scan project dependency files for known CVEs:
What to scan:
- requirements.txt, pyproject.toml, setup.py
- package.json, package-lock.json
- Dockerfile (base image versions)

Tools available:
- semgrep MCP server (if installed) — pattern-based scanning
- pip-audit via Bash — Python CVE database
- npm audit via Bash — Node CVE database
- dependency-scanner sub-agent — isolated scanning without context bloat

Classification:
| Severity | Criteria | Action |
|---|---|---|
| CRITICAL | Remote code execution, auth bypass, data exposure in production deps | fleet_alert(severity="critical", category="security") + security_hold + ntfy PO |
| HIGH | Privilege escalation, significant data leak, in production deps | fleet_alert(severity="high") + create fix task |
| MEDIUM | DoS potential, info disclosure, in non-production deps | Board memory [security, audit] + create task |
| LOW | Theoretical risk, dev-only deps, mitigated by other controls | Board memory only |
Scan source code for security anti-patterns:
Categories to check (per OWASP Top 10):
Tools:
- semgrep MCP — structured rule-based scanning
- secret-detector sub-agent — credential pattern matching
- security-auditor sub-agent — comprehensive OWASP audit

Structure your findings as a vulnerability_report artifact:
## Vulnerability Assessment: {project}
Date: {date}
Scope: {what was scanned}
### Critical Findings (0)
(none found)
### High Findings (2)
- [H-001] Dependency: requests 2.28.0 has CVE-2023-XXXXX (SSRF)
  Location: requirements.txt:5
  Recommendation: Pin to >= 2.31.0
- [H-002] Code: SQL interpolation in query builder
  Location: fleet/infra/db.py:142
  Pattern: f"SELECT * FROM {table}" — allows table name injection
  Recommendation: Use parameterized queries
### Medium Findings (1)
- [M-001] Configuration: DEBUG=True in production config template
  Location: config/app.yaml.template:3
  Recommendation: Set DEBUG=False, use environment variable
### Summary
Total: 3 findings (0 critical, 2 high, 1 medium)
Recommendation: Create fix tasks for H-001 and H-002 before next release.
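
How a code scan can surface a finding like H-002 and emit it in the report layout above, as an added example (not part of this skill or of the fleet's tooling). The function names, the sample source and the path app/db.py are constructed for illustration, and filing the hit as High mirrors H-002 rather than the dependency classification table.

```python
import ast

SQL_VERBS = ("SELECT", "INSERT", "UPDATE", "DELETE")

# Constructed sample source, modelled on finding H-002 in the report above.
SAMPLE = '''\
def fetch_all(cur, table):
    return cur.execute(f"SELECT * FROM {table}")

def fetch_one(cur, row_id):
    return cur.execute("SELECT * FROM tasks WHERE id = ?", (row_id,))

def greet(name):
    return f"Hello {name}"
'''

def scan_sql_interpolation(source, path):
    """Return (path, line, pattern) for every f-string that builds SQL from variables."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.JoinedStr):
            continue
        # Literal text of the f-string with the interpolated parts left out.
        literal = "".join(part.value for part in node.values
                          if isinstance(part, ast.Constant) and isinstance(part.value, str))
        interpolated = any(isinstance(part, ast.FormattedValue) for part in node.values)
        if interpolated and literal.lstrip().upper().startswith(SQL_VERBS):
            hits.append((path, node.lineno, ast.get_source_segment(source, node)))
    return sorted(hits, key=lambda hit: hit[1])

def render_high_findings(hits):
    """Format hits in the layout of the report's High Findings section."""
    lines = [f"### High Findings ({len(hits)})"]
    if not hits:
        lines.append("(none found)")
    for number, (path, line, pattern) in enumerate(hits, 1):
        lines += [f"- [H-{number:03d}] Code: SQL interpolation",
                  f"  Location: {path}:{line}",
                  f"  Pattern: {pattern}",
                  "  Recommendation: Use parameterized queries"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_high_findings(scan_sql_interpolation(SAMPLE, "app/db.py")))
```

Bound parameters cover values only; when the interpolated part is a table or column name, as in H-002, the fix task also needs an allowlist check on that identifier.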
security_hold is a task custom field that prevents the task from being approved. Set it when:
The hold is cleared when: the finding is resolved AND you verify the fix.
Your nightly dependency scan CRON (nightly-dependency-scan in agent-crons.yaml) runs this skill automatically:
The CRON runs in an isolated session with proper model/effort. You don't need to remember to scan — the fleet's nervous system handles scheduling. Your job during heartbeat is to ACT on findings the CRON surfaced.