Audit dependency security risks
| Step | Goal | Safety |
|---|---|---|
| audit | Scan dependencies for vulnerabilities | read-only |
Failure behavior: report-all
$ARGUMENTS
- `--level <severity>` — Minimum reporting level (low/moderate/high/critical), default: moderate
- `--fix` — Attempt automatic fix

Use Glob to check if `.claude/scripts/dep-audit.sh` exists in the project root. If it does, run it with the user's arguments:

```bash
bash .claude/scripts/dep-audit.sh $ARGUMENTS
```

If the script does not exist, detect the project ecosystem and run the audit manually.
Ecosystem detection (check project root for manifest files):

| Manifest | Ecosystem | Audit Command | Fix Command |
|---|---|---|---|
| package.json + pnpm-lock.yaml | Node (pnpm) | pnpm audit --audit-level {LEVEL} | pnpm audit --fix |
| package.json + yarn.lock | Node (yarn) | yarn audit --level {LEVEL} | yarn audit --fix or npx yarn-audit-fix |
| package.json | Node (npm) | npm audit --audit-level={LEVEL} | npm audit fix |
| pyproject.toml | Python | pip-audit or safety check | pip-audit --fix |
| Cargo.toml | Rust | cargo audit | cargo audit fix |
| go.mod | Go | govulncheck ./... | (manual fix) |
| build.gradle | Java | ./gradlew dependencyCheckAnalyze | (manual fix) |
Default {LEVEL} is moderate unless the --level argument is provided.
If --fix is specified, run the fix command for the detected ecosystem after the audit.
If no recognized manifest file exists, report an error.
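The manual fallback above (manifest detection, level handling, optional fix, error on unknown ecosystem) written out as a small shell script. This is an added example, not the project's `.claude/scripts/dep-audit.sh`; the function names, the `--dry-run` flag (which only prints the commands it would run) and the choice of `pip-audit` for Python are assumptions made here.

```bash
#!/usr/bin/env sh
# Hypothetical dep-audit fallback (added example, not the project's own script).
# Mirrors the ecosystem table: detect manifest -> audit command -> optional fix.

# detect_ecosystem DIR: print pnpm|yarn|npm|python|rust|go|java|unknown.
# Lock files are checked before falling back to plain npm, as in the table.
detect_ecosystem() {
  local dir="${1:-.}"
  if [ -f "$dir/package.json" ]; then
    if [ -f "$dir/pnpm-lock.yaml" ]; then echo pnpm
    elif [ -f "$dir/yarn.lock" ]; then echo yarn
    else echo npm; fi
  elif [ -f "$dir/pyproject.toml" ]; then echo python
  elif [ -f "$dir/Cargo.toml" ]; then echo rust
  elif [ -f "$dir/go.mod" ]; then echo go
  elif [ -f "$dir/build.gradle" ]; then echo java
  else echo unknown; fi
}

# audit_command ECOSYSTEM LEVEL: print the audit command; fail if unknown.
audit_command() {
  case "$1" in
    pnpm)   echo "pnpm audit --audit-level $2" ;;
    yarn)   echo "yarn audit --level $2" ;;
    npm)    echo "npm audit --audit-level=$2" ;;
    python) echo "pip-audit" ;;            # assumption: pip-audit over safety
    rust)   echo "cargo audit" ;;
    go)     echo "govulncheck ./..." ;;
    java)   echo "./gradlew dependencyCheckAnalyze" ;;
    *)      return 1 ;;
  esac
}

# fix_command ECOSYSTEM: print the automatic fix command; fail when the
# table says "(manual fix)" so the caller can report that instead of running.
fix_command() {
  case "$1" in
    pnpm)   echo "pnpm audit --fix" ;;
    yarn)   echo "yarn audit --fix" ;;
    npm)    echo "npm audit fix" ;;
    python) echo "pip-audit --fix" ;;
    rust)   echo "cargo audit fix" ;;
    *)      return 1 ;;                     # go, java, unknown: no auto-fix
  esac
}

# validate_level LEVEL: only the four documented severities are accepted.
validate_level() {
  case "$1" in low|moderate|high|critical) return 0 ;; *) return 1 ;; esac
}

# main [--level L] [--fix] [--dry-run]: audit the current directory.
# Failure behavior is "report-all": a failing audit does not stop the fix
# step; the worst exit status is returned at the end.
main() {
  local level=moderate fix=0 dry=0 eco cmd fixcmd status=0
  while [ $# -gt 0 ]; do
    case "$1" in
      --level)   [ $# -ge 2 ] || { echo "--level needs a value" >&2; return 2; }
                 level="$2"; shift 2 ;;
      --level=*) level="${1#--level=}"; shift ;;
      --fix)     fix=1; shift ;;
      --dry-run) dry=1; shift ;;
      *)         echo "unknown argument: $1" >&2; return 2 ;;
    esac
  done
  validate_level "$level" || { echo "invalid --level: $level" >&2; return 2; }
  eco=$(detect_ecosystem .)
  if [ "$eco" = unknown ]; then
    echo "error: no recognized manifest file in $(pwd)" >&2
    return 1
  fi
  cmd=$(audit_command "$eco" "$level")
  echo "ecosystem: $eco"
  echo "audit: $cmd"
  [ "$dry" -eq 1 ] || eval "$cmd" || status=$?
  if [ "$fix" -eq 1 ]; then
    if fixcmd=$(fix_command "$eco"); then
      echo "fix: $fixcmd"
      [ "$dry" -eq 1 ] || eval "$fixcmd" || status=$?
    else
      echo "fix: manual (no automatic fix command for $eco)"
    fi
  fi
  return "$status"
}

# Run main only when invoked as a script named dep-audit.sh, e.g.
#   ./dep-audit.sh --level high --fix
case "${0##*/}" in dep-audit.sh) main "$@" ;; esac
```

The detection order matters: a project with both `package.json` and `pnpm-lock.yaml` must be audited with pnpm, not npm, or the lock file the resolver actually used is ignored and the report can miss or misattribute advisories.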
## Audit Results
| Severity | Count |
|----------|-------|
| Critical | 0 |
| High | 0 |
| Moderate | 0 |
| Low | 0 |
## Vulnerability Details
### [severity] Issue Title
- **Package**: package-name
- **Fix**: Available / Not available
## Gate
✅ **PASS** — No moderate or above vulnerabilities
❌ **FAIL** — Found high severity vulnerabilities
```
/dep-audit
/dep-audit --level high
/dep-audit --fix
```