# Audit Dependencies with Black Duck

Open source dependencies can introduce vulnerabilities, license obligations, and supply chain risk. This skill helps Claude, Codex, and Claude Code run Black Duck-centered SCA workflows with practical remediation guidance.

## Install

```bash
npx skillstore add agentsecops/sca-blackduck
```

## Metadata

- Slug: agentsecops-sca-blackduck
- Version: 0.1.0
- Author: AgentSecOps
- GitHub username: AgentSecOps
- License: MIT
- Repository: https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/appsec/sca-blackduck
- Ref: main
- Supported tools: Claude, Codex, Claude Code
- Risk level: medium
- Risk factors: filesystem, external_commands, network, env_access, scripts
- Quality score: 50
- Quality tier: warning
- Public page: https://skillstore.pages.dev/skills/agentsecops-sca-blackduck
- Manifest: https://skillstore.pages.dev/api/skills/agentsecops-sca-blackduck/manifest

## Capabilities

- Explains Black Duck SCA workflows for vulnerability, license, and component risk review.
- Provides CI/CD templates for GitHub Actions, GitLab CI, and Jenkins integration.
- Maps dependency findings to CVE, CWE, OWASP, and compliance contexts.
- Guides SBOM generation and dependency policy enforcement.
- Offers remediation strategies for vulnerable, outdated, or risky components.

## Use Cases

- Review dependency risk before release: Scan a project, triage critical CVEs, and prepare remediation priorities for release approval.
- Add SCA gates to CI/CD: Adapt the bundled CI templates to fail builds on high-risk dependency policy violations.
- Assess license and SBOM readiness: Review component licenses, identify policy exceptions, and generate SBOM outputs for audits.

## Prompt Templates

### Scan a project baseline

```
Use the Black Duck SCA workflow to plan a baseline dependency scan for this repository. Identify manifests and required credentials.
```

### Triage scan findings

```
Analyze these Black Duck findings. Prioritize critical and high CVEs, map them to CWE or OWASP categories, and recommend fixes.
```

### Prepare a CI gate

```
Create a Black Duck CI/CD integration plan for this project. Include secret handling, policy thresholds, artifacts, and failure behavior.
```

### Build a supply chain risk review

```
Design a supply chain risk assessment using Black Duck results, license policy, SBOM outputs, and dependency health signals.
```

## Limitations

- Requires access to a configured Black Duck instance and valid API credentials.
- Does not include executable scripts referenced by the documentation.
- Cannot verify vulnerability exploitability without project context and scan results.
- License decisions still require legal or compliance review.

## Best Practices

- Store Black Duck tokens in approved CI secrets or a secrets manager.
- Pin and verify downloaded scanner tools before use in production pipelines.
- Document accepted risk with owners, expiration dates, and compensating controls.

## Anti Patterns

- Do not paste API tokens into prompts, logs, or repository files.
- Do not run network installer commands without reviewing the downloaded script source.
- Do not suppress dependency findings without a tracked business justification.
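The two practices above about pinned, verified scanner downloads and keeping API tokens out of prompts and logs are easy to state and easy to get wrong in a pipeline. The following shell helpers are an added example written for this page, not code from the skill, from AgentSecOps, or from Black Duck: they fetch a scanner script only to a temporary path, refuse to install it unless its SHA-256 matches a checksum pinned in the pipeline, and check that a secret is present in the environment without ever printing its value. The URL, destination path, and checksum passed to `fetch_pinned` are placeholders for the values a team would take from the vendor's release notes.

```bash
#!/usr/bin/env sh
# Added example (not part of the skill or of Black Duck's own tooling).
# Assumes a POSIX shell with curl and either sha256sum or shasum available.
set -eu

# sha256_of FILE -> prints the hex SHA-256 of FILE.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED_HEX -> returns 0 on match, 1 otherwise.
# Comparison is case-insensitive because vendors publish hashes either way.
verify_sha256() {
  actual="$(sha256_of "$1" | tr 'A-F' 'a-f')"
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  [ "$actual" = "$expected" ]
}

# verify_or_discard FILE EXPECTED_HEX -> keeps FILE only if the hash matches;
# on mismatch the file is deleted so a later step can never execute it.
verify_or_discard() {
  if verify_sha256 "$1" "$2"; then
    return 0
  fi
  rm -f "$1"
  echo "checksum mismatch for $1; download discarded" >&2
  return 1
}

# fetch_pinned URL DEST EXPECTED_HEX -> downloads URL to a temp file, verifies
# it, and only then moves it to DEST with execute permission.
# Nothing from the download is run or echoed before verification succeeds.
fetch_pinned() {
  url="$1"; dest="$2"; expected="$3"
  tmp="$(mktemp)"
  # --proto '=https' and --tlsv1.2 refuse plain-HTTP or downgraded transport.
  curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"
  verify_or_discard "$tmp" "$expected"
  chmod 0755 "$tmp"
  mv "$tmp" "$dest"
  echo "installed $dest (sha256 verified)"
}

# require_secret NAME -> returns 0 if the variable NAME is set and non-empty,
# 1 otherwise. Only the variable name is ever written to output, never the value,
# so the check is safe to run in a CI job whose logs are retained.
require_secret() {
  name="$1"
  eval "value=\"\${$name:-}\""
  if [ -z "$value" ]; then
    echo "missing required secret: $name (set it via the CI secret store)" >&2
    return 1
  fi
  return 0
}

# Typical pipeline use (placeholders, not real vendor values):
#   require_secret BLACKDUCK_API_TOKEN
#   fetch_pinned "https://example.invalid/scanner.sh" ./scanner.sh \
#       "<sha256 from the vendor release notes>"
```

`verify_or_discard` is separated from `fetch_pinned` so the same check can be applied to an artifact that was cached or mirrored earlier in the pipeline, and so that a mismatch leaves no executable file behind for a later stage to pick up by accident. `require_secret` reads the variable through `eval` with a default so the script keeps working under `set -u` when the secret was never injected.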

## Security Audit

- Safe to publish: true
- Audited at: 2026-06-28T06:18:39.983+00:00
- Summary: Static analysis found many severe-looking patterns, but most are documentation, policy terminology, or intentionally vulnerable examples for SCA education. The real concern is copyable CI guidance that uses network shell installers and handles Black Duck or GitHub secrets. No prompt injection attempt or confirmed malicious intent was found, so publication is acceptable with a security warning.

## Stats

- Views: 261
- Downloads: 4
- Favorites: 0
- Popularity score: 0
