qa-sca
SCA (software composition analysis): 8 skills (bundle-audit-ruby, cargo-audit-rust, dependabot-config, npm-pip-maven-audit, osv-scanner, reachability-analyzer, renovate-config, snyk-test) and 1 agent (sca-prioritizer).
Install this plugin
/plugin install qa-sca@testland-qa
Part of role bundle: qa-role-security
SCA (Software Composition Analysis) - dependency scanning + update orchestration. Three per-tool scanner skills (Snyk, OSV-Scanner, native package-manager audit), two reference skills for the update-orchestration tools (Dependabot, Renovate), and an adversarial prioritizer agent that combines CVSS + EPSS + CISA KEV.
Sister to qa-sast (code security) and qa-dast (runtime security) - qa-sca covers third-party dependency security.
Components
| Type | Name | Description |
|---|---|---|
| Skill | snyk-test | Multi-mode commercial scanner (snyk test SCA + snyk monitor continuous tracking + companion snyk code/container/iac modes); .snyk policy file with mandatory expires: |
| Skill | osv-scanner | Google's OSS scanner against OSV.dev; osv-scanner scan -r ./ recursive; SBOM input; osv-scanner.toml config with [[IgnoredVulns]] ignoreUntil |
| Skill | dependabot-config | GitHub-native .github/dependabot.yml reference: schedule, ignore, groups, allow, target-branch, auto-merge integration |
| Skill | renovate-config | Multi-platform renovate.json reference (GitHub/GitLab/Bitbucket/Azure DevOps/Gitea); presets, packageRules, vulnerabilityAlerts, automergeSchedule |
| Skill | npm-pip-maven-audit | Native package-manager audit commands: npm audit, pip-audit, mvn dependency-check:check, cargo audit, bundle-audit |
| Agent | sca-prioritizer | Adversarial prioritizer combining CVSS + EPSS + CISA KEV + reachability heuristic; refuses to waive CVEs in CISA KEV; refuses waivers without expires: + approved_by: + reason: |
| Skill | cargo-audit-rust | cargo-audit (RustSec advisory DB) for scanning Rust Cargo.lock dependencies. |
| Skill | bundle-audit-ruby | bundler-audit (ruby-advisory-db) for scanning Ruby Gemfile.lock dependencies. |
| Skill | reachability-analyzer | Dead-dependency / reachability analysis (depcheck, vulture, cargo-machete) to downrank unreachable vuln dependencies. |
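The two waiver rules the sca-prioritizer row states (a CVE in CISA KEV is never waived; any other waiver must carry `expires:`, `approved_by:` and `reason:`) plus a reachability downrank, as an added Python example that is not the plugin's own agent code. The scoring weights, the KEV set, the EPSS values and the sample findings are constructed assumptions using placeholder CVE ids.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample data (placeholder CVE ids, not real advisories): a tiny CISA KEV set and EPSS probabilities.
KEV = {"CVE-0000-0001"}
EPSS = {"CVE-0000-0001": 0.91, "CVE-0000-0002": 0.03, "CVE-0000-0003": 0.40}

@dataclass
class Finding:
    cve: str
    package: str
    cvss: float                    # CVSS base score, 0-10
    reachable: bool = True         # False when reachability analysis marks the dep unused
    waiver: dict = field(default_factory=dict)

def waiver_rejection(f, today):
    """Reason a finding's waiver is refused, or None when acceptable; today is an ISO date string."""
    if f.cve in KEV:
        return "in CISA KEV: waivers are never accepted"
    missing = [k for k in ("expires", "approved_by", "reason") if not f.waiver.get(k)]
    if missing:
        return "waiver missing " + ", ".join(missing)
    if date.fromisoformat(f.waiver["expires"]) < date.fromisoformat(today):
        return "waiver expired on " + f.waiver["expires"]
    return None

def priority(f):
    """Assumed blend: EPSS outweighs CVSS, KEV dominates, unreachable code halves the score."""
    score = 0.4 * f.cvss / 10.0 + 0.6 * EPSS.get(f.cve, 0.0)
    if f.cve in KEV:
        score += 1.0
    return round(score * (1.0 if f.reachable else 0.5), 3)

def triage(findings, today):
    """Return the ranked open work list and (cve, reason) pairs for every refused waiver."""
    open_findings, refused = [], []
    for f in findings:
        why = waiver_rejection(f, today) if f.waiver else None
        if f.waiver and why is None:
            continue                   # valid waiver: leave it off the work list
        if why:
            refused.append((f.cve, why))
        open_findings.append(f)
    return sorted(open_findings, key=priority, reverse=True), refused

def sample_findings():   # constructed: waived KEV hit, low-EPSS critical, half-filled waiver, unreachable dep
    ok = {"expires": "2099-01-01", "approved_by": "appsec-lead", "reason": "not network exposed"}
    return [Finding("CVE-0000-0001", "libfoo", 7.5, waiver=ok), Finding("CVE-0000-0002", "libbar", 9.8),
            Finding("CVE-0000-0003", "libbaz", 6.5, waiver={"expires": "2099-01-01"}),
            Finding("CVE-0000-0003", "libqux", 6.5, reachable=False)]
```

Note that the CVSS 9.8 finding ranks below a CVSS 6.5 one whose EPSS is higher, which is the point of blending the signals rather than sorting on severity alone.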
Install
/plugin marketplace add testland/qa
/plugin install qa-sca@testland-qa
Skills
bundle-audit-ruby
Installs and runs bundler-audit against a Ruby Gemfile.lock: updates the ruby-advisory-db advisory corpus, scans for vulnerable gem versions and insecure sources, suppresses false positives via .bundler-audit.yml with justification requirements, and gates CI on a non-zero exit. Use when a Ruby project needs dedicated Gemfile.lock SCA beyond the brief single-ecosystem mention bundler-audit gets in npm-pip-maven-audit.
cargo-audit-rust
Configures and runs cargo-audit against the RustSec Advisory Database for Rust projects; covers `cargo audit` (vulnerability scan), `cargo audit fix` (automated dependency updates), `--deny unmaintained|unsound|yanked|warnings` exit-code control, `audit.toml` per-advisory suppression with mandatory `expires` + `reason`, SARIF output for GitHub Code Scanning upload, and `rustsec/audit-check` GitHub Actions integration. Use when the codebase has a Cargo.lock and needs Rust-specific SCA beyond what the multi-ecosystem npm-pip-maven-audit wrapper provides.
dependabot-config
Reference for `.github/dependabot.yml` - GitHub-native dependency-update orchestrator. Required keys (`version: 2`, `updates[]` array) plus per-update fields (`package-ecosystem`, `directory` / `directories`, `schedule.interval`); common optional fields (`ignore`, `groups`, `allow`, `labels`, `milestone`, `open-pull-requests-limit`, `target-branch`, `vendor`, `versioning-strategy`, `assignees`, `commit-message`); auto-rebase + grouped-PR + security-only updates. Use when authoring or reviewing Dependabot configs in GitHub-hosted repos.
npm-pip-maven-audit
Configures and runs native package-manager audit commands across ecosystems - `npm audit --audit-level=high` (npm), `yarn npm audit` (Yarn 2+), `pnpm audit` (pnpm), `pip-audit` (Python via PyPA), `mvn dependency-check:check` (Maven via OWASP Dependency-Check plugin), `cargo audit` (Rust), `bundle audit` (Ruby Bundler); the fastest no-install-required SCA option. Use when the team wants fast, no-extra-tooling SCA in CI as a first line of defense, or paired with snyk/osv-scanner for layered coverage.
osv-scanner
Configures and runs Google OSV-Scanner - open-source SCA against the OSV.dev vulnerability database; supports `osv-scanner scan -r ./` recursive scan + per-lockfile scan via `-L package-lock.json`; SBOM input (CycloneDX / SPDX) for non-standard package managers; `--format json|sarif|markdown|vertical|html` output; suppressions via `osv-scanner.toml` config. Use when the team needs OSS-native SCA without commercial-license overhead, or wants a second-opinion database to pair with Snyk's commercial DB.
reachability-analyzer
Runs dead-dependency analysis across JS, Python, and Rust projects using ecosystem-native static tools (`depcheck`/`knip` for JS, `vulture` for Python, `cargo-machete` for Rust), then cross-references the unused-dependency list against SCA findings to downrank vulns in code that is never loaded. Use when SCA output (from `osv-scanner`, `snyk-test`, or `npm-pip-maven-audit`) is too noisy to triage and the team needs to separate unreachable CVEs from exploitable ones before sprint planning.
renovate-config
Reference for `renovate.json` - Mend Renovate dependency-update orchestrator (multi-platform: GitHub / GitLab / Bitbucket / Azure DevOps / Gitea); top-level keys (`extends` for preset references, `schedule`, `prConcurrentLimit`, `vulnerabilityAlerts`); `packageRules[]` array with `matchPackageNames` / `matchUpdateTypes` / `automerge` matching; `ignoreDeps`, `addLabels`, `automergeSchedule`. Use when authoring or reviewing Renovate configs in any repo platform Renovate supports.
snyk-test
Configures and runs Snyk - multi-mode SCA + SAST + Container + IaC scanner with `snyk test` (one-shot scan), `snyk monitor` (continuous tracking with vuln alerts), `snyk code test` (SAST mode), `snyk container test ubuntu:18.04` (container mode); supports the `.snyk` policy file for ignore + patch entries with expiration; integrates with 50+ package managers via auto-detect. Use when the team has a Snyk license and needs the broadest single-vendor SCA + companion product coverage (SAST / Container / IaC).