@barthez-kenwou
Last active June 19, 2026 14:46
Universal Dependency Vulnerability Scanner

Overview

Modern applications rely heavily on third-party dependencies.

Vulnerable third-party packages are one of the most common attack vectors, because a single known CVE in a transitive dependency is inherited by every application that ships it.

This script provides a unified way to scan multiple programming ecosystems for known vulnerabilities using industry-standard tools.

Supported ecosystems:

  • Node.js (npm)
  • Python (pip)
  • Go
  • Rust
  • Java (Maven)
  • PHP (Composer)

The scanner generates a consolidated security report that can be integrated into:

  • Local development workflows
  • CI/CD pipelines
  • DevSecOps programs
  • Security audits
  • Compliance assessments

Features

  • Multi-language support
  • Automatic ecosystem detection
  • Colored output
  • Vulnerability summary
  • CI/CD friendly
  • Exit codes for automation
  • Report generation
  • Lightweight
  • Open-source tools only

Project Structure

vulnerability-scanner/
│
├── scan.sh
├── reports/
│   └── report.txt
│
└── README.md

Main Script

scan.sh

#!/usr/bin/env bash

############################################################
# Universal Dependency Vulnerability Scanner
#
# Supported:
# - Node.js
# - Python
# - Go
# - Rust
# - Java Maven
# - PHP Composer
#
# Author: DevSecOps Community
############################################################

set -e

REPORT_DIR="./reports"
REPORT_FILE="$REPORT_DIR/report.txt"

# Set to 1 whenever a scanner reports findings or fails, so the script
# can exit non-zero and break a CI job instead of always succeeding.
SCAN_FAILED=0

mkdir -p "$REPORT_DIR"

echo "================================================="
echo "Universal Dependency Vulnerability Scanner"
echo "================================================="
echo ""

echo "Scan Date: $(date)" > "$REPORT_FILE"

############################################################
# Node.js Scan
############################################################

scan_node() {

    if [ -f package.json ]; then

        echo ""
        echo "[+] Node.js project detected"

        {
            echo ""
            echo "================================="
            echo "NODE.JS SCAN"
            echo "================================="
        } >> "$REPORT_FILE"

        # Record the result instead of discarding it, so the script can exit non-zero at the end.
        npm audit --audit-level=low >> "$REPORT_FILE" 2>&1 || SCAN_FAILED=1
    fi
}

############################################################
# Python Scan
############################################################

scan_python() {

    if [ -f requirements.txt ]; then

        echo ""
        echo "[+] Python project detected"

        {
            echo ""
            echo "================================="
            echo "PYTHON SCAN"
            echo "================================="
        } >> "$REPORT_FILE"

        # Audit the pinned requirements file that triggered detection, not whatever
        # happens to be installed in the current interpreter's environment.
        pip-audit -r requirements.txt >> "$REPORT_FILE" 2>&1 || SCAN_FAILED=1
    fi
}

############################################################
# Rust Scan
############################################################

scan_rust() {

    if [ -f Cargo.toml ]; then

        echo ""
        echo "[+] Rust project detected"

        {
            echo ""
            echo "================================="
            echo "RUST SCAN"
            echo "================================="
        } >> "$REPORT_FILE"

        # cargo-audit reads Cargo.lock; a non-zero status means advisories were found or the lock file is missing.
        cargo audit >> "$REPORT_FILE" 2>&1 || SCAN_FAILED=1
    fi
}

############################################################
# Go Scan
############################################################

scan_go() {

    if [ -f go.mod ]; then

        echo ""
        echo "[+] Go project detected"

        {
            echo ""
            echo "================================="
            echo "GO SCAN"
            echo "================================="
        } >> "$REPORT_FILE"

        govulncheck ./... >> "$REPORT_FILE" 2>&1 || SCAN_FAILED=1
    fi
}

############################################################
# Maven Scan
############################################################

scan_maven() {

    if [ -f pom.xml ]; then

        echo ""
        echo "[+] Maven project detected"

        {
            echo ""
            echo "================================="
            echo "JAVA MAVEN SCAN"
            echo "================================="
        } >> "$REPORT_FILE"

        # Fully-qualified goal, so the plugin does not have to be declared in pom.xml
        # (matches the command given under "Required Tools").
        mvn org.owasp:dependency-check-maven:check >> "$REPORT_FILE" 2>&1 || SCAN_FAILED=1
    fi
}

############################################################
# Composer Scan
############################################################

scan_php() {

    if [ -f composer.json ]; then

        echo ""
        echo "[+] PHP project detected"

        {
            echo ""
            echo "================================="
            echo "PHP SCAN"
            echo "================================="
        } >> "$REPORT_FILE"

        composer audit >> "$REPORT_FILE" 2>&1 || SCAN_FAILED=1
    fi
}

############################################################
# Execute Scans
############################################################

scan_node
scan_python
scan_rust
scan_go
scan_maven
scan_php

echo ""
echo "Scan completed."

echo ""
echo "Report generated:"
echo "$REPORT_FILE"

# Exit non-zero when any scanner set SCAN_FAILED, so CI pipelines can fail the job.
exit "${SCAN_FAILED:-0}"

Required Tools

Install the appropriate scanners.

Node.js

npm install -g npm

Python

pip install pip-audit

Rust

cargo install cargo-audit

Go

go install golang.org/x/vuln/cmd/govulncheck@latest

Java

Maven downloads the OWASP Dependency-Check plugin on first use, so there is nothing to install; running the fully-qualified goal once is enough to verify it:

mvn org.owasp:dependency-check-maven:check

PHP

composer audit is built into Composer 2.4 and later, so no extra install is needed; run it once to confirm your Composer version supports it:

composer audit

Example Usage

chmod +x scan.sh

./scan.sh

Output:

[+] Node.js project detected
[+] Python project detected

Scan completed.

Report generated:
./reports/report.txt

CI/CD Integration

GitHub Actions

name: Dependency Security Scan

on:
  push:
  pull_request:

jobs:

  security-scan:

    runs-on: ubuntu-latest

    steps:

      - uses: actions/checkout@v4

      - name: Install Tools
        run: |
          # Only pip-audit is installed here; add the other scanners from
          # "Required Tools" for the ecosystems your repository uses.
          pip install pip-audit

      - name: Run Scanner
        run: |
          chmod +x scan.sh
          ./scan.sh

      - name: Upload Report
        uses: actions/upload-artifact@v4
        with:
          name: vulnerability-report
          path: reports/report.txt

Security Benefits

Detect Vulnerable Packages

Examples:

  • Log4Shell
  • Spring4Shell
  • lodash vulnerabilities
  • axios vulnerabilities
  • urllib3 vulnerabilities
  • OpenSSL-related issues

Reduce Supply Chain Risks

The majority of modern attacks target software dependencies.

Regular scanning helps identify:

  • Known CVEs
  • Deprecated packages
  • Unmaintained dependencies
  • Supply-chain threats

Improve Compliance

Useful for:

  • ISO 27001
  • SOC 2
  • PCI DSS
  • NIST Cybersecurity Framework

Recommended Enhancements

Future improvements:

  • HTML reports
  • JSON reports
  • Slack notifications
  • Microsoft Teams alerts
  • Severity filtering
  • CVSS scoring
  • Email reporting
  • Dashboard integration
  • Trivy integration
  • Grype integration
  • SBOM generation
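A starting point for the severity filtering and CI gating listed above. This is an added example and not part of the gist: it reads the metadata.vulnerabilities counts that npm audit --json prints (here a constructed sample, not real scan output) and returns a non-zero status when any finding sits at or above a chosen severity; the function names are my own.

```shell
#!/usr/bin/env bash
# Added example (not from the gist): CI gate over the "metadata.vulnerabilities"
# counts that `npm audit --json` prints. Fails when any finding sits at or above
# a chosen severity. Works with plain grep, no jq, and runs offline on a sample.
set -e

# Constructed sample in the shape of the npm audit --json "metadata" section
# (not real scan output).
SAMPLE_NPM_JSON='{
  "metadata": {
    "vulnerabilities": { "info": 0, "low": 3, "moderate": 2, "high": 1, "critical": 0, "total": 6 }
  }
}'

# count_severity JSON LEVEL -> prints the count for LEVEL, or 0 if the key is absent.
count_severity() {
    local json="$1" level="$2" n
    n=$(printf '%s' "$json" | grep -o "\"$level\": *[0-9]*" | head -n 1 | grep -o '[0-9]*$' || true)
    printf '%s\n' "${n:-0}"
}

# severity_rank LEVEL -> numeric rank so levels can be ordered (info < low < ... < critical).
severity_rank() {
    case "$1" in
        info) echo 0 ;;
        low) echo 1 ;;
        moderate) echo 2 ;;
        high) echo 3 ;;
        critical) echo 4 ;;
        *) echo "unknown severity: $1" >&2; return 2 ;;
    esac
}

# gate_npm_json JSON THRESHOLD -> exit status 0 when no finding is at or above
# THRESHOLD, 1 otherwise. Counts are summed over every level >= THRESHOLD.
gate_npm_json() {
    local json="$1" threshold="$2" min total=0 level
    min=$(severity_rank "$threshold")
    for level in info low moderate high critical; do
        if [ "$(severity_rank "$level")" -ge "$min" ]; then
            total=$((total + $(count_severity "$json" "$level")))
        fi
    done
    echo "findings at or above '$threshold': $total"
    [ "$total" -eq 0 ]
}

# Stand-alone demo: the sample has one "high" finding, so gating on "high" fails;
# in a real pipeline you would let that non-zero status stop the job.
gate_npm_json "$SAMPLE_NPM_JSON" high || echo "gate failed: block the pipeline"
```

To use it against a real project, capture `npm audit --json > reports/npm.json` in scan.sh and pass the file contents to gate_npm_json with the threshold your policy requires.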

Advanced DevSecOps Version

For enterprise environments, consider integrating:

  • OWASP Dependency Check
  • Trivy
  • Grype
  • Syft
  • GitHub Dependabot
  • Snyk
  • Sonatype Nexus IQ
  • JFrog Xray

These tools provide:

  • SBOM generation
  • Supply-chain security
  • License compliance
  • CVSS scoring
  • Continuous monitoring

Final Thoughts

Dependency scanning should be part of every secure software development lifecycle (SSDLC).

A project that compiles successfully is not necessarily secure.

Automating dependency vulnerability detection helps identify risks early, reduce attack surface, and strengthen the overall security posture of your applications and infrastructure.
