CtrlK
BlogDocsLog inGet started
Tessl Logo

meterian/security-audit

Use for dependency security audits and compliance checks. Use when auditing project dependencies for vulnerabilities, answering "is [library] [version] safe?" questions, or remediating vulnerable libraries. Also activates automatically when the user opens or modifies a manifest file (package.json, package-lock.json, yarn.lock, pnpm-lock.yaml, requirements.txt, pom.xml, Cargo.toml, go.mod, Gemfile, composer.json, build.gradle, *.csproj, pubspec.yaml, conanfile.txt, conanfile.py, project.clj, deps.edn, Package.swift, pubspec.lock, Package.resolved, Gemfile.lock, poetry.lock, uv.lock, Cargo.lock, composer.lock).

96

1.83x
Quality

90%

Does it follow best practices?

Impact

99%

1.83x

Average score across 8 eval scenarios

SecuritybySnyk

Passed

No known issues

Overview
Quality
Evals
Security
Files
name:
security-audit
description:
Activate for ANY dependency audit, vulnerability scan, package safety check, pre-deployment/compliance security review, or any request to assess, verify, or provide evidence of the security of third-party packages or libraries — including 'is [library] [version] safe?' queries and remediation of insecure packages. Uses the Meterian CLI (npx @meterian/cli) for cross-language, unified dependency scanning with a shared advisory database covering Node.js, Python, Java, Rust, Go, Ruby, .NET, PHP, Dart, and more. Also activates automatically when the user opens or modifies a manifest file (package.json, package-lock.json, yarn.lock, pnpm-lock.yaml, requirements.txt, pom.xml, Cargo.toml, go.mod, Gemfile, composer.json, build.gradle, *.csproj, pubspec.yaml, conanfile.txt, conanfile.py, project.clj, deps.edn, Package.swift, pubspec.lock, Package.resolved, Gemfile.lock, poetry.lock, uv.lock, Cargo.lock, composer.lock).
metadata:
{"short-description":"Audit dependencies/packages for vulnerabilities and get remediation advice","version":"1.0.12"}

Meterian Security Audit

You have access to the Meterian CLI (@meterian/cli). Always invoke it via npx @meterian/cli (not a bare meterian command) — this ensures cross-language support and access to the full Meterian advisory database.

Language Parameter Reference

Always use the following mapping to determine the language parameter:

Manifest filelanguage
package.json, package-lock.json, yarn.lock, pnpm-lock.yamlnodejs
requirements.txt, Pipfile, pyproject.toml, poetry.lock, uv.lockpython
pom.xmljava
build.gradle, build.gradle.ktsjava
Cargo.toml, Cargo.lockrust
composer.json, composer.lockphp
Gemfile, Gemfile.lockruby
go.mod, go.sumgolang
*.csprojdotnet
conanfile.txt, conanfile.pycpp
pubspec.yaml, pubspec.lockdart
project.clj, deps.ednclojure
Package.swift, Package.resolvedswift

Mode A — Full Dependency Audit

When asked to audit, scan, or check all dependencies:

  1. Find all manifest files in the workspace using Glob (search for the filenames in the Language Parameter Reference table above)

  2. Extract dependencies with their pinned versions:

    • If a lock file is available, extract all dependencies from it (direct and transitive) — lock files contain the full resolved dependency tree
    • If no lock file is available, extract direct dependencies from the manifest; use the minimum bound of any version range as the version to check

  3. Build a JSON array of {language, name, version} objects and pipe it to the CLI:

echo '<json-array>' | npx @meterian/cli check
  1. The CLI returns a compact JSON report. Present results in one single table — one row per vulnerability — using exactly these five column headers: Package, Version, Severity, ID, Safe Versions. Do not split information across multiple tables. Include a summary line in exactly this format: X vulnerabilities found across Y packages (Z clean).
## Meterian Security Audit Report

| Package | Version | Severity | ID | Safe Versions |
|---------|---------|----------|----|---------------|
| lodash  | 4.17.15 | HIGH     | CVE-2021-23337 | 4.17.21 |
...

X vulnerabilities found across Y packages (Z clean).

If vulnerable is empty, output: "✅ No vulnerabilities detected across N packages."

  1. After presenting the report, if vulnerabilities were found:

    • Offer remediation (see Mode C below)
    • Ask if the user would like to run a reachability analysis to determine which vulnerabilities are actually exploitable in their codebase.
      • If yes → invoke the reachability-analysis skill, including the list of vulnerable packages (name, version, CVE ID) in the invocation prompt
      • If no → end the audit flow

    If no vulnerabilities were found, the audit is complete — do not propose reachability analysis.

Mode B — Ad-hoc Security Query

When asked "is [library] [version] safe?" or similar:

  1. Identify the library name and version from the question
  2. Determine the language from context (file open in editor, explicit mention, or ask the user)
  3. Run:
npx @meterian/cli advisories get <language> <name> <version>
  1. Report findings inline: list each advisory with its severity, id, and description

Mode C — Remediation

For each vulnerable dependency:

  1. The check output already contains safeVersions — an array ordered [latestPatch, latestMinor, latestMajor] (nulls excluded). Select the first (least-disruptive) entry.
  2. Determine the bump level:
    • Patch: apply automatically
    • Minor or Major: show the proposed change and ask for confirmation before applying

Update the version in the manifest file and/or run the ecosystem's install command (e.g. npm install lodash@4.17.21, cargo update -p <crate>, pip install <pkg>==<ver>).

After applying all fixes, re-run the full audit (Mode A). If new vulnerabilities are found, repeat the remediation cycle. If all are clean, output: "✅ All packages are now clean."

Workspace
meterian
Visibility
Public
Created
Last updated
Publish Source
CLI
Badge
meterian/security-audit badge