What SBOM formats are generated?

SBOMs can be generated in CycloneDX and SPDX formats, with optional vulnerability references and outputs that are machine-readable or human-readable.

Which ecosystems and manifests are supported?

The tool parses common manifests like package.json, pom.xml, requirements.txt, and supports npm/yarn/pnpm, Maven, Gradle, pip/pipenv/poetry, Bundler, Cargo, and Go Modules.

How are dependencies visualized and exported?

Dependency trees can be exported as DOT, JSON, or Mermaid, with highlighted problematic paths and metrics like tree depth and breadth.

dependency-scanner

npx machina-cli add skill a5c-ai/babysitter/dependency-scanner --openclaw

Files (1)

SKILL.md

7.6 KB

Dependency Scanner Skill

Performs comprehensive dependency scanning and inventory generation for codebases, supporting migration planning and security assessments through SBOM (Software Bill of Materials) generation.

Purpose

Enable comprehensive dependency management for:

Direct and transitive dependency extraction
Dependency tree visualization
Version conflict detection
Circular dependency identification
License extraction and compliance
SBOM generation (CycloneDX, SPDX formats)

Capabilities

1. Direct/Transitive Dependency Extraction

Parse package manifests (package.json, pom.xml, requirements.txt, etc.)
Resolve full dependency trees including transitive dependencies
Identify version constraints and resolution results
Track dependency sources and registries

2. Dependency Tree Visualization

Generate hierarchical dependency graphs
Export to DOT, JSON, or Mermaid formats
Highlight problematic paths
Calculate tree depth and breadth metrics

3. Version Conflict Detection

Identify version conflicts in dependency trees
Detect peer dependency violations
Find incompatible version ranges
Suggest resolution strategies

4. Circular Dependency Identification

Detect circular dependency chains
Map dependency cycles
Assess impact of circular dependencies
Recommend breaking strategies

5. License Extraction

Extract license information from dependencies
Identify license types (MIT, Apache, GPL, etc.)
Flag copyleft licenses
Track dual-licensed packages

6. SBOM Generation

Generate CycloneDX format SBOMs
Generate SPDX format SBOMs
Include vulnerability references
Support machine-readable and human-readable outputs

Tool Integrations

This skill can leverage the following external tools when available:

Tool	Purpose	Integration Method
npm/yarn/pnpm	Node.js dependencies	CLI
Maven	Java dependencies	CLI
Gradle	Java/Kotlin dependencies	CLI
pip/pipenv/poetry	Python dependencies	CLI
Bundler	Ruby dependencies	CLI
Cargo	Rust dependencies	CLI
Go Modules	Go dependencies	CLI
Snyk	Security scanning	CLI / API
OWASP Dependency-Check	Vulnerability scanning	CLI
Trivy	SBOM generation	MCP Server / CLI
Syft	SBOM generation	CLI

Usage

Basic Scanning

# Invoke skill for dependency scanning
# The skill will auto-detect package managers and scan accordingly

# Expected inputs:
# - targetPath: Path to project root
# - scanDepth: 'direct' | 'transitive' | 'full'
# - outputFormat: 'json' | 'tree' | 'sbom-cyclonedx' | 'sbom-spdx'
# - includeLicenses: boolean

Scanning Workflow

Detection Phase
- Identify package managers in use
- Locate manifest files
- Check for lock files
Extraction Phase
- Parse manifest files
- Resolve dependency trees
- Extract version information
Analysis Phase
- Detect conflicts
- Identify circular dependencies
- Extract licenses
Output Generation
- Generate inventory reports
- Create SBOMs if requested
- Produce visualization artifacts

Output Schema

{
  "scanId": "string",
  "timestamp": "ISO8601",
  "target": {
    "path": "string",
    "packageManagers": ["string"],
    "manifestFiles": ["string"]
  },
  "summary": {
    "totalDependencies": "number",
    "directDependencies": "number",
    "transitiveDependencies": "number",
    "uniquePackages": "number",
    "treeDepth": "number"
  },
  "dependencies": [
    {
      "name": "string",
      "version": "string",
      "type": "direct|transitive",
      "parent": "string|null",
      "license": "string",
      "repository": "string",
      "depth": "number"
    }
  ],
  "conflicts": [
    {
      "package": "string",
      "versions": ["string"],
      "sources": ["string"],
      "recommendation": "string"
    }
  ],
  "circularDependencies": [
    {
      "chain": ["string"],
      "severity": "high|medium|low"
    }
  ],
  "licenses": {
    "summary": {
      "MIT": "number",
      "Apache-2.0": "number",
      "GPL-3.0": "number"
    },
    "copyleft": ["string"],
    "unknown": ["string"]
  },
  "sbom": {
    "format": "cyclonedx|spdx",
    "version": "string",
    "path": "string"
  }
}

Integration with Migration Processes

This skill integrates with the following Code Migration/Modernization processes:

dependency-analysis-updates: Primary tool for dependency assessment
legacy-codebase-assessment: Dependency inventory for legacy systems
framework-upgrade: Compatibility analysis for upgrades
cloud-migration: Dependency portability assessment

Configuration

Skill Configuration File

Create .dependency-scanner.json in the project root:

{
  "packageManagers": ["auto"],
  "excludePaths": ["node_modules", ".git"],
  "scanDepth": "full",
  "includeDev": true,
  "includeOptional": false,
  "licensePolicy": {
    "allowed": ["MIT", "Apache-2.0", "BSD-3-Clause", "ISC"],
    "flagged": ["GPL-3.0", "AGPL-3.0"],
    "blocked": []
  },
  "sbomConfig": {
    "format": "cyclonedx",
    "version": "1.5",
    "includeVulnerabilities": true
  }
}

MCP Server Integration

When Trivy SBOM Generator MCP Server is available:

// Example MCP tool invocation
{
  "tool": "trivy_generate_sbom",
  "arguments": {
    "target": "./",
    "format": "cyclonedx",
    "output": "./sbom.json"
  }
}

When GitHub Dependabot MCP Server is available:

// Example dependency update check
{
  "tool": "dependabot_check_updates",
  "arguments": {
    "repo": "owner/repo",
    "ecosystem": "npm"
  }
}

Package Manager Support

Node.js (npm/yarn/pnpm)

# Auto-detected files:
# - package.json
# - package-lock.json
# - yarn.lock
# - pnpm-lock.yaml

Java (Maven/Gradle)

# Auto-detected files:
# - pom.xml
# - build.gradle
# - build.gradle.kts

Python (pip/pipenv/poetry)

# Auto-detected files:
# - requirements.txt
# - Pipfile
# - pyproject.toml
# - setup.py

Ruby (Bundler)

# Auto-detected files:
# - Gemfile
# - Gemfile.lock

Go (Modules)

# Auto-detected files:
# - go.mod
# - go.sum

Rust (Cargo)

# Auto-detected files:
# - Cargo.toml
# - Cargo.lock

Best Practices

Lock File Usage: Always include lock files for reproducible scans
Regular Scanning: Integrate into CI/CD for continuous monitoring
SBOM Storage: Store SBOMs alongside releases for compliance
License Reviews: Review license changes in dependency updates
Conflict Resolution: Address version conflicts before migration

Related Skills

vulnerability-scanner: Security scanning of dependencies
license-compliance-checker: Detailed license analysis
dependency-updater: Automated dependency updates

Related Agents

dependency-modernization-agent: Uses this skill for dependency management
migration-readiness-assessor: Uses this skill for readiness evaluation
security-vulnerability-assessor: Uses this skill for dependency security

References

Source

git clone https://github.com/a5c-ai/babysitter/blob/main/plugins/babysitter/skills/babysit/process/specializations/code-migration-modernization/skills/dependency-scanner/SKILL.md

View on GitHub

Overview

The Dependency Scanner skill performs direct and transitive dependency extraction, builds dependency trees, and analyzes conflicts. It can also extract licenses and generate machine-readable SBOMs in CycloneDX and SPDX formats to support migration readiness and security assessments.

How This Skill Works

It automatically detects package managers, locates manifests, and parses them to resolve full dependency trees. It then runs conflict and circular dependency checks, license extraction, and SBOM generation, exporting inventory reports and visualization artifacts (DOT, JSON, Mermaid).

When to Use It

Planning a migration across ecosystems and needing a complete dependency inventory.
Assessing security or license compliance with SBOMs and license data.
Diagnosing version conflicts or peer dependency violations in large projects.
Identifying circular dependencies and proposing breaking strategies.
Generating SBOMs for audits and compliance reporting.

Quick Start

Step 1: Define targetPath, scanDepth, outputFormat, and includeLicenses.
Step 2: Run the dependency-scanner to auto-detect manifests and resolve trees.
Step 3: Review inventory, export SBOMs (CycloneDX/SPDX), and visualize the graph.

Best Practices

Scan both direct and transitive dependencies for a complete picture.
Include licenses and flag copyleft or dual-licensed packages.
Export SBOMs in both CycloneDX and SPDX formats.
Visualize dependency trees (DOT/JSON/Mermaid) to spot risky paths.
Integrate SBOMs into CI/CD artifacts and keep manifests up-to-date.

Example Use Cases

Audit a Node.js project to identify vulnerable transitive dependencies and licenses.
Resolve Java dependency conflicts in a multi-module Maven project.
Generate a CycloneDX SBOM for a Python project and map vulnerabilities.
Detect and break circular dependencies in a Ruby project.
Produce a comprehensive SBOM for a Go module with dependency graph.

Frequently Asked Questions

Add this skill to your agents