Modern applications rely heavily on third-party dependencies.
Unfortunately, vulnerable dependencies are among the most commonly exploited attack vectors.
This script provides a unified way to scan multiple programming ecosystems for known vulnerabilities using industry-standard tools.
Supported ecosystems:
- Node.js (npm)
- Python (pip)
- Go
- Rust
- Java (Maven)
- PHP (Composer)
The scanner generates a consolidated security report that can be integrated into:
- Local development workflows
- CI/CD pipelines
- DevSecOps programs
- Security audits
- Compliance assessments
Features:
- Multi-language support
- Automatic ecosystem detection
- Colored output
- Vulnerability summary
- CI/CD friendly
- Exit codes for automation
- Report generation
- Lightweight
- Open-source tools only
Project structure:

```
vulnerability-scanner/
│
├── scan.sh
├── reports/
│   └── report.txt
│
└── README.md
```
scan.sh:

```bash
#!/usr/bin/env bash
############################################################
# Universal Dependency Vulnerability Scanner
#
# Supported:
# - Node.js
# - Python
# - Go
# - Rust
# - Java Maven
# - PHP Composer
#
# Author: DevSecOps Community
############################################################
set -e

REPORT_DIR="./reports"
REPORT_FILE="$REPORT_DIR/report.txt"
mkdir -p "$REPORT_DIR"

echo "================================================="
echo "Universal Dependency Vulnerability Scanner"
echo "================================================="
echo ""

# Start a fresh report for this run
echo "Scan Date: $(date)" > "$REPORT_FILE"

# Write a section header into the report
section() {
    {
        echo ""
        echo "================================="
        echo "$1"
        echo "================================="
    } >> "$REPORT_FILE"
}

# Run an audit tool and append its output to the report.
# Audit tools exit non-zero when they find vulnerabilities, so that
# status is swallowed here: the report, not the exit code, carries the
# result. A missing tool is recorded explicitly instead of leaving a
# bare "command not found" in the report.
run_tool() {
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >> "$REPORT_FILE" 2>&1 || true
    else
        echo "[!] $1 not installed, skipping" | tee -a "$REPORT_FILE"
    fi
}

############################################################
# Node.js Scan
############################################################
scan_node() {
    if [ -f package.json ]; then
        echo ""
        echo "[+] Node.js project detected"
        section "NODE.JS SCAN"
        run_tool npm audit --audit-level=low
    fi
}

############################################################
# Python Scan
############################################################
scan_python() {
    if [ -f requirements.txt ]; then
        echo ""
        echo "[+] Python project detected"
        section "PYTHON SCAN"
        # Audit the detected requirements file; without -r, pip-audit
        # would audit whatever happens to be installed in the current
        # environment instead.
        run_tool pip-audit -r requirements.txt
    fi
}

############################################################
# Rust Scan
############################################################
scan_rust() {
    if [ -f Cargo.toml ]; then
        echo ""
        echo "[+] Rust project detected"
        section "RUST SCAN"
        run_tool cargo audit
    fi
}

############################################################
# Go Scan
############################################################
scan_go() {
    if [ -f go.mod ]; then
        echo ""
        echo "[+] Go project detected"
        section "GO SCAN"
        run_tool govulncheck ./...
    fi
}

############################################################
# Maven Scan
############################################################
scan_maven() {
    if [ -f pom.xml ]; then
        echo ""
        echo "[+] Maven project detected"
        section "JAVA MAVEN SCAN"
        # Fully qualified goal, so the plugin does not have to be
        # declared in pom.xml.
        run_tool mvn org.owasp:dependency-check-maven:check
    fi
}

############################################################
# Composer Scan
############################################################
scan_php() {
    if [ -f composer.json ]; then
        echo ""
        echo "[+] PHP project detected"
        section "PHP SCAN"
        run_tool composer audit
    fi
}

############################################################
# Execute Scans
############################################################
scan_node
scan_python
scan_rust
scan_go
scan_maven
scan_php

echo ""
echo "Scan completed."
echo ""
echo "Report generated:"
echo "$REPORT_FILE"
```

Install the appropriate scanners:

```bash
npm install -g npm
pip install pip-audit
cargo install cargo-audit
go install golang.org/x/vuln/cmd/govulncheck@latest
mvn org.owasp:dependency-check-maven:check   # the plugin is downloaded on first use
composer audit                               # built into Composer 2.4 and later
```

Make the script executable and run it:

```bash
chmod +x scan.sh
./scan.sh
```

Output:

```
[+] Node.js project detected
[+] Python project detected
Scan completed.
Report generated:
./reports/report.txt
```
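scan.sh appends each tool's human-readable output to report.txt and swallows the tools' exit status with `|| true`, so a CI job built on it alone always passes. The gate below is an added example, not part of scan.sh or of any of the tools it wraps. It assumes the scans are also run in JSON mode (`npm audit --json` and `pip-audit --format json`) with the output saved to files; the two samples embedded here are constructed, and their advisory IDs and URLs are placeholders. It ranks findings by severity, produces the vulnerability summary, and returns a non-zero exit code when anything at or above a chosen level is present. pip-audit reports no severity of its own, so its findings are treated as unrated and fail the gate unless `unknown_fails` is turned off.

```python
"""Severity gate over scanner JSON output (added example, not part of scan.sh)."""
import json
import sys

# Ranking of npm audit severity labels. pip-audit carries no severity,
# so its findings are tagged "unknown" and handled separately.
SEVERITY_ORDER = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample of `npm audit --json` (auditReportVersion 2), trimmed
# to the fields the gate reads. Advisory URLs are placeholders.
NPM_AUDIT_SAMPLE = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "lodash": {"name": "lodash", "severity": "high", "isDirect": True,
                   "via": [{"source": 1, "name": "lodash", "title": "Prototype Pollution",
                            "url": "https://example.invalid/advisory/1", "severity": "high"}],
                   "range": "<4.17.21", "fixAvailable": True},
        # transitive hit: `via` names the vulnerable dependency, no advisory object
        "mkdirp": {"name": "mkdirp", "severity": "low", "isDirect": False,
                   "via": ["minimist"], "range": "0.4.1 - 0.5.1", "fixAvailable": True},
        "minimist": {"name": "minimist", "severity": "low", "isDirect": False,
                     "via": [{"source": 2, "name": "minimist", "title": "Prototype Pollution",
                              "url": "https://example.invalid/advisory/2", "severity": "low"}],
                     "range": "<0.2.1", "fixAvailable": True},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 2, "moderate": 0,
                                     "high": 1, "critical": 0, "total": 3}},
})

# Constructed sample of `pip-audit --format json` with placeholder IDs.
PIP_AUDIT_SAMPLE = json.dumps({
    "dependencies": [
        {"name": "urllib3", "version": "1.26.4",
         "vulns": [{"id": "PYSEC-PLACEHOLDER-0001", "fix_versions": ["1.26.5"],
                    "aliases": ["CVE-PLACEHOLDER-0001"], "description": "constructed sample"}]},
        {"name": "requests", "version": "2.31.0", "vulns": []},
    ],
    "fixes": [],
})


def parse_npm_audit(text):
    """Findings from npm audit --json: one per vulnerable package."""
    findings = []
    for name, vuln in json.loads(text).get("vulnerabilities", {}).items():
        # `via` mixes advisory objects (direct hits) and bare package names
        # (paths through other vulnerable packages); only objects carry IDs.
        ids = [v.get("url", "") for v in vuln.get("via", []) if isinstance(v, dict)]
        findings.append({"ecosystem": "npm", "package": name,
                         "severity": vuln.get("severity", "unknown"), "ids": ids})
    return findings


def parse_pip_audit(text):
    """Findings from pip-audit --format json: one per vulnerability."""
    findings = []
    for dep in json.loads(text).get("dependencies", []):
        for v in dep.get("vulns", []):
            findings.append({"ecosystem": "pip", "package": dep["name"], "severity": "unknown",
                             "ids": [v["id"]] + list(v.get("aliases", []))})
    return findings


def summarize(findings):
    """Count findings per severity level (the vulnerability summary)."""
    counts = {level: 0 for level in SEVERITY_ORDER}
    counts["unknown"] = 0
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def exit_code(findings, fail_on="high", unknown_fails=True):
    """1 if any finding is at or above `fail_on` (or unrated, when
    unknown_fails is set), otherwise 0. This is what the CI job exits with."""
    threshold = SEVERITY_ORDER[fail_on]
    for f in findings:
        if f["severity"] == "unknown":
            if unknown_fails:
                return 1
        elif SEVERITY_ORDER[f["severity"]] >= threshold:
            return 1
    return 0


def gate(npm_json, pip_json, fail_on="high", unknown_fails=True):
    """Parse both outputs and return (summary counts, exit code)."""
    findings = parse_npm_audit(npm_json) + parse_pip_audit(pip_json)
    return summarize(findings), exit_code(findings, fail_on, unknown_fails)


if __name__ == "__main__":
    # Usage: python3 gate.py reports/npm.json reports/pip.json [fail_on]
    # Without arguments the constructed samples above are used.
    if len(sys.argv) >= 3:
        npm_text, pip_text = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        npm_text, pip_text = NPM_AUDIT_SAMPLE, PIP_AUDIT_SAMPLE
    counts, code = gate(npm_text, pip_text, fail_on=sys.argv[3] if len(sys.argv) > 3 else "high")
    for sev, n in counts.items():
        print(f"{sev:>9}: {n}")
    sys.exit(code)
```

To wire this into the pipeline, have the scan step also write `npm audit --json > reports/npm.json || true` and `pip-audit -r requirements.txt --format json > reports/pip.json || true`, then run the gate as a separate step after the report is uploaded; a failing gate then fails the job instead of burying the finding in an artifact.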
Example GitHub Actions workflow:

```yaml
name: Dependency Security Scan

on:
  push:
  pull_request:

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Tools
        run: |
          # Only pip-audit is installed here; add the other scanners
          # (cargo-audit, govulncheck, ...) for the ecosystems in your repository.
          pip install pip-audit

      - name: Run Scanner
        run: |
          chmod +x scan.sh
          ./scan.sh

      - name: Upload Report
        uses: actions/upload-artifact@v4
        with:
          name: vulnerability-report
          path: reports/report.txt
```

Examples of well-known dependency vulnerabilities:
- Log4Shell
- Spring4Shell
- lodash vulnerabilities
- axios vulnerabilities
- urllib3 vulnerabilities
- OpenSSL-related issues
The majority of modern attacks target software dependencies.
Regular scanning helps identify:
- Known CVEs
- Deprecated packages
- Unmaintained dependencies
- Supply-chain threats
Useful for:
- ISO 27001
- SOC 2
- PCI DSS
- NIST Cybersecurity Framework
Future improvements:
- HTML reports
- JSON reports
- Slack notifications
- Microsoft Teams alerts
- Severity filtering
- CVSS scoring
- Email reporting
- Dashboard integration
- Trivy integration
- Grype integration
- SBOM generation
For enterprise environments, consider integrating:
- OWASP Dependency Check
- Trivy
- Grype
- Syft
- GitHub Dependabot
- Snyk
- Sonatype Nexus IQ
- JFrog Xray
These tools provide:
- SBOM generation
- Supply-chain security
- License compliance
- CVSS scoring
- Continuous monitoring
Dependency scanning should be part of every secure software development lifecycle (SSDLC).
A project that compiles successfully is not necessarily secure.
Automating dependency vulnerability detection helps identify risks early, reduce attack surface, and strengthen the overall security posture of your applications and infrastructure.