vredchenko · vredchenko · Feb 2, 2026
diff --git a/.claude-plugin/marketplace.json b/.claude-plugin/marketplace.json
@@ -84,6 +84,11 @@
       "name": "webcam-automation",
       "source": "./plugins/webcam-automation",
       "description": "Webcam capture CLI tool for photographing paper notes"
+    },
+    {
+      "name": "dep-vulnerability-scanner",
+      "source": "./plugins/dep-vulnerability-scanner",
+      "description": "Dependency vulnerability scanning with Trivy, Grype, npm/bun audit, and pip-audit"
     }
   ]
 }
diff --git a/plugins/dep-vulnerability-scanner/.claude-plugin/plugin.json b/plugins/dep-vulnerability-scanner/.claude-plugin/plugin.json
@@ -0,0 +1,6 @@
+{
+  "name": "dep-vulnerability-scanner",
+  "version": "1.0.0",
+  "description": "Dependency vulnerability scanning tools: Trivy, Grype, npm audit, bun audit, and pip-audit",
+  "author": "Val Redchenko"
+}
diff --git a/plugins/dep-vulnerability-scanner/README.md b/plugins/dep-vulnerability-scanner/README.md
@@ -0,0 +1,197 @@
+# Dependency Vulnerability Scanner Plugin
+
+A comprehensive plugin for scanning project dependencies for known security vulnerabilities using industry-standard tools.
+
+## Supported Tools
+
+This plugin provides knowledge and commands for working with five vulnerability scanning tools:
+
+### Universal Scanners
+
+| Tool | Description | Best For |
+|------|-------------|----------|
+| **[Trivy](https://github.com/aquasecurity/trivy)** | Comprehensive security scanner by Aqua Security | Containers, filesystems, repos, IaC, secrets |
+| **[Grype](https://github.com/anchore/grype)** | Focused vulnerability scanner by Anchore | Fast scanning, SBOM analysis, risk scoring |
+
+### Language-Specific Scanners
+
+| Tool | Description | Best For |
+|------|-------------|----------|
+| **[npm audit](https://docs.npmjs.com/cli/v10/commands/npm-audit)** | Built-in npm security auditor | Node.js/npm projects with auto-fix support |
+| **[bun audit](https://bun.com/docs/install/audit)** | Built-in Bun security auditor | Bun.js projects |
+| **[pip-audit](https://github.com/pypa/pip-audit)** | Python environment auditor by PyPA | Python projects (supports uv via `uvx pip-audit`) |
+
+## Installation
+
+Install this plugin using the Claude Code plugin marketplace:
+
+```bash
+claude plugin install dep-vulnerability-scanner
+```
+
+## Commands
+
+### `/vuln-scan`
+Run a vulnerability scan on the current project. Automatically detects project type and suggests the appropriate tool.
+
+**Features:**
+- Auto-detects project type (npm, Bun, Python, etc.)
+- Runs the appropriate scanner with sensible defaults
+- Presents results with severity levels
+- Suggests remediation steps
+
+### `/vuln-setup`
+Install and configure vulnerability scanning tools on your system.
+
+**Supported installation methods:**
+- Homebrew (macOS)
+- apt/rpm (Linux)
+- Docker (any platform)
+- pip/pipx/uvx (Python tools)
+- Direct binary installation
+
+### `/vuln-compare`
+Compare vulnerability scanning tools to choose the right one for your project.
+
+**Compares:**
+- Supported ecosystems
+- Scan speed
+- Auto-fix capabilities
+- SBOM support
+- CI/CD integration quality
+- Output formats
+
+### `/vuln-ci-workflow`
+Generate GitHub Actions workflows for automated vulnerability scanning.
+
+**Workflow templates for:**
+- Trivy filesystem scanning with SARIF upload
+- Grype scanning with GitHub Security integration
+- npm audit for Node.js projects
+- bun audit for Bun projects
+- pip-audit for Python projects (including uv projects)
+- Multi-scanner comprehensive workflows
+
+## Tool Quick Reference
+
+### Trivy
+```bash
+# Install
+brew install trivy                    # macOS
+curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+
+# Scan
+trivy fs .                            # Scan filesystem
+trivy fs --severity HIGH,CRITICAL .   # Filter by severity
+trivy fs -f json -o results.json .    # JSON output
+trivy image myapp:latest              # Scan container image
+```
+
+### Grype
+```bash
+# Install
+brew install grype                    # macOS
+curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin
+
+# Scan
+grype .                               # Scan directory
+grype . --fail-on high                # Fail on high severity
+grype . -o json                       # JSON output
+grype myapp:latest                    # Scan container image
+```
+
+### npm audit
+```bash
+# No installation needed (built into npm)
+
+# Scan
+npm audit                             # Basic scan
+npm audit --audit-level=high          # Only high+ severity
+npm audit --production                # Production deps only
+npm audit --json                      # JSON output
+
+# Fix
+npm audit fix                         # Auto-fix vulnerabilities
+npm audit fix --dry-run               # Preview fixes
+```
+
+### bun audit
+```bash
+# No installation needed (built into Bun)
+
+# Scan
+bun audit                             # Basic scan
+bun audit --audit-level=high          # Only high+ severity
+bun audit --prod                      # Production deps only
+bun audit --json                      # JSON output
+bun audit --ignore CVE-2024-XXXXX     # Ignore specific CVE
+```
+
+### pip-audit
+```bash
+# Install
+pip install pip-audit                 # Via pip
+pipx install pip-audit                # Via pipx (recommended)
+uvx pip-audit                         # Run via uv (no install)
+
+# Scan
+pip-audit                             # Scan current environment
+pip-audit -r requirements.txt         # Scan requirements file
+pip-audit -f json                     # JSON output
+pip-audit -f cyclonedx-json           # SBOM output
+pip-audit --desc                      # Include descriptions
+
+# Fix
+pip-audit --fix                       # Auto-fix vulnerabilities
+pip-audit --fix --dry-run             # Preview fixes
+```
+
+## GitHub Actions Examples
+
+### Quick Setup (Trivy)
+```yaml
+- uses: aquasecurity/trivy-action@0.28.0
+  with:
+    scan-type: 'fs'
+    scan-ref: '.'
+    severity: 'HIGH,CRITICAL'
+    format: 'sarif'
+    output: 'trivy-results.sarif'
+```
+
+### Quick Setup (Grype)
+```yaml
+- uses: anchore/scan-action@v6
+  with:
+    path: "."
+    fail-build: true
+    severity-cutoff: high
+```
+
+### Quick Setup (pip-audit)
+```yaml
+- uses: pypa/gh-action-pip-audit@v1.1.0
+  with:
+    inputs: requirements.txt
+```
+
+## Tool Selection Guide
+
+| If your project is... | Use this tool |
+|-----------------------|---------------|
+| Node.js with npm | `npm audit` (has auto-fix) |
+| Node.js with Bun | `bun audit` |
+| Python | `pip-audit` (or `uvx pip-audit`) |
+| Container-based | `trivy image` or `grype` |
+| Multi-language monorepo | `trivy fs` or `grype` |
+| Need SBOM generation | `trivy` (SBOM + vulns) or `pip-audit -f cyclonedx-json` |
+| CI/CD with GitHub Security tab | `trivy` or `grype` (SARIF support) |
+
+## Related Resources
+
+- [Trivy Documentation](https://aquasecurity.github.io/trivy/)
+- [Grype Documentation](https://github.com/anchore/grype)
+- [npm audit Documentation](https://docs.npmjs.com/cli/v10/commands/npm-audit)
+- [Bun audit Documentation](https://bun.com/docs/install/audit)
+- [pip-audit Documentation](https://github.com/pypa/pip-audit)
+- [GitHub Dependabot](https://docs.github.com/en/code-security/dependabot) (complementary tool)