security-dependency-scanning

verified

Guide for conducting comprehensive web dependency security scans to identify outdated libraries, CVEs, and security misconfigurations. Use when analyzing deployed websites for dependency vulnerabilities.

Marketplace

claude-code-plugins-dev

charlesjones-dev/claude-code-plugins-dev

Plugin

ai-security

Repository

charlesjones-dev/claude-code-plugins-dev
22 stars

plugins/ai-security/skills/security-dependency-scanning/SKILL.md

Last Verified

January 21, 2026

Install Skill

npx add-skill https://github.com/charlesjones-dev/claude-code-plugins-dev/blob/main/plugins/ai-security/skills/security-dependency-scanning/SKILL.md -a claude-code --skill security-dependency-scanning

Installation paths:

Claude
.claude/skills/security-dependency-scanning/

Instructions

# Web Dependency Security Scanning Skill

This skill provides expert guidance for scanning deployed websites to identify outdated dependencies, known vulnerabilities (CVEs), insecure configurations, and missing security controls.

## When to Use This Skill

Invoke this skill when:
- Scanning a deployed website for outdated libraries and frameworks
- Identifying CVEs in frontend dependencies (jQuery, React, Vue, Bootstrap, etc.)
- Detecting CMS versions and known vulnerabilities (WordPress, Drupal, Umbraco, Sitecore, etc.)
- Auditing HTTP security headers and configurations
- Performing third-party website security assessments
- Conducting pre-acquisition technical due diligence
- Analyzing supply chain security risks in web applications
- Evaluating client-side dependency security without source code access

## Required Tools

**🚨 CRITICAL: Tool Requirements for Website Scanning 🚨**

You MUST use ONLY these tools to fetch and analyze websites:
- ✅ **WebFetch tool** - Primary method for fetching HTML and HTTP headers
- ✅ **curl** (via Bash tool) - Alternative method: `curl -i https://example.com`

You MUST NOT use these tools:
- โŒ **Playwright** or any MCP browser automation tools
- โŒ **Any browser-based tools** (mcp__playwright__browser_navigate, etc.)
- โŒ **Any other MCP web browsing tools**

**Why This Matters**:
- HTTP security headers (Content-Security-Policy, HSTS, X-Frame-Options, etc.) are ONLY available via raw HTTP responses
- Playwright and browser tools **cannot access** these critical security headers
- Using browser tools will result in **incomplete and inaccurate security header analysis**
- WebFetch and curl provide the raw HTTP response headers required for comprehensive security auditing

**If you use Playwright or browser tools, the security scan will be incomplete and the report will be invalid.**
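As an added example (not part of the skill's own instructions), a POSIX shell function that applies the point above: it reads the raw response head that `curl -i` returns on stdin and reports which baseline security headers are absent. The header checklist and the sample response below are assumptions constructed for this example, not taken from any real site.

```shell
# Constructed sample of a raw HTTP response as `curl -si` would return it
# (not a real site's response). The HTML body after the blank line must be ignored.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Date: Wed, 21 Jan 2026 10:00:00 GMT
Server: nginx
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Set-Cookie: session=abc123; Path=/; HttpOnly

<!doctype html><html><body>sample body</body></html>
'

# Baseline header checklist (assumed for this example; extend it to match your policy).
REQUIRED_HEADERS="content-security-policy strict-transport-security x-frame-options x-content-type-options referrer-policy permissions-policy"

# Reads raw response headers on stdin, prints one MISSING line per absent header
# and returns the number of absent headers (0 means every required header was seen).
# Only the first header block is inspected: parsing stops at the blank line that
# ends it, so header-like text inside the HTML body is never counted as a header.
check_security_headers() {
    present=$(tr -d '\r' | awk -F: '/^$/ { exit } /^[A-Za-z-]+:/ { print tolower($1) }')
    missing=0
    for h in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$present" | grep -qxF "$h"; then
            echo "MISSING: $h"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Stand-alone run against the constructed sample. For a live check, pipe curl in:
#   curl -si https://example.com | check_security_headers
printf '%s' "$SAMPLE_RESPONSE" | check_security_headers || echo "$? required header(s) missing"
```

Header names are compared case-insensitively, so the check is unaffected by servers that emit lowercase names (as HTTP/2 does).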

## Core Web Security Expertise

### 1. Frontend Library Detection

To identify JavaScript and CSS libraries, analyze:
- **CDN URL Patterns**: Extract

Validation Details

- Front Matter
- Required Fields
- Valid Name Format
- Valid Description
- Has Sections
- Allowed Tools
- Instruction Length: 31707 chars