Summary
Expand Arness's security capabilities into a continuous process — proactive vulnerability detection, dependency CVE monitoring, and security posture assessment as an ongoing workflow rather than a point-in-time check. Prioritised due to the rapid evolution of model capabilities and the new risk surface that comes with AI-assisted development tools.
Two New Capabilities
Dependency audit skill (arn-code)
- Run npm audit / pip-audit / cargo audit (auto-detected from project stack)
- Analyze project dependencies for security vulnerabilities, outdated versions, and license compliance
- Assess update risk using stored pattern knowledge from the codebase analyzer
- Route updates through the appropriate ceremony tier (swift for patch bumps, standard/thorough for major version changes)
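The four steps above describe one procedure: detect the stack, run the matching audit tool, then route each proposed upgrade to a review tier by the size of the version jump. The following is an added example of that routing logic, not Arness's own skill code; the tier names (swift / standard / thorough) come from the roadmap text, while the marker-file lists, the audit command flags, the "treat a 0.x minor bump as major" rule and the sample findings are this example's assumptions.

```python
"""Dependency audit helper (added example, not Arness's own code).

Detects the project stack from files present, picks the matching audit
command, and routes each proposed upgrade to a review tier based on the
size of the semver bump. Tier names follow the roadmap; marker files,
command flags and thresholds are this example's assumptions.
"""
import os
import re

# Ecosystem -> (marker files that identify it, audit command to run).
# The CLIs are the ones named in the roadmap; the marker lists are an assumption.
STACK_MARKERS = {
    "node":   (("package-lock.json", "package.json"), ["npm", "audit", "--json"]),
    "python": (("requirements.txt", "pyproject.toml"), ["pip-audit", "--format", "json"]),
    "rust":   (("Cargo.lock", "Cargo.toml"),           ["cargo", "audit", "--json"]),
}

SEVERITY_RANK = {"critical": 4, "high": 3, "moderate": 2, "low": 1}

SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def detect_stacks(files):
    """Return the ecosystems whose marker files appear in `files`
    (paths relative to the project root, e.g. from os.listdir)."""
    names = {os.path.basename(f) for f in files}
    return [stack for stack, (markers, _) in STACK_MARKERS.items()
            if names & set(markers)]


def audit_commands(stacks):
    """Audit command (argv list) for each detected stack, in detection order."""
    return [STACK_MARKERS[s][1] for s in stacks]


def bump_kind(current, target):
    """Classify the semver distance from `current` to `target`."""
    cur, new = SEMVER.match(current), SEMVER.match(target)
    if not cur or not new:
        return "unknown"  # non-semver version strings get manual review
    c = tuple(int(x) for x in cur.groups())
    n = tuple(int(x) for x in new.groups())
    if n <= c:
        return "none"
    if n[0] != c[0]:
        return "major"
    if n[1] != c[1]:
        # Below 1.0.0 a minor bump is commonly breaking; treat it as major (assumption).
        return "major" if c[0] == 0 else "minor"
    return "patch"


# Roadmap tiers: swift for patch bumps, standard/thorough for bigger jumps.
TIER_BY_BUMP = {"patch": "swift", "minor": "standard", "major": "thorough",
                "unknown": "thorough", "none": "none"}


def ceremony_tier(current, target):
    """Review tier an upgrade from `current` to `target` should go through."""
    return TIER_BY_BUMP[bump_kind(current, target)]


def triage(findings):
    """Attach bump kind and review tier to each finding; order by severity
    (highest first), then package name, so the queue is worked top-down."""
    out = [{**f,
            "bump": bump_kind(f["installed"], f["fixed"]),
            "tier": ceremony_tier(f["installed"], f["fixed"])}
           for f in findings]
    return sorted(out, key=lambda f: (-SEVERITY_RANK.get(f["severity"], 0), f["name"]))


# Constructed sample findings (package, severity, installed version, first
# fixed version) in the shape an audit tool's output would take after
# normalisation. These are not real advisories.
SAMPLE_FINDINGS = [
    {"name": "example-http", "severity": "high", "installed": "1.2.3", "fixed": "1.2.4"},
    {"name": "example-yaml", "severity": "critical", "installed": "3.9.0", "fixed": "4.0.0"},
    {"name": "example-cli", "severity": "low", "installed": "0.3.1", "fixed": "0.4.0"},
]


if __name__ == "__main__":
    stacks = detect_stacks(os.listdir("."))
    print("detected stacks:", stacks)
    for cmd in audit_commands(stacks):
        print("would run:", " ".join(cmd))
    for f in triage(SAMPLE_FINDINGS):
        print(f"{f['severity']:9} {f['name']:14} {f['installed']} -> {f['fixed']}  "
              f"{f['bump']:7} tier={f['tier']}")
```

Run from a project root it reports which audit commands apply and prints the sample queue: the critical finding first, the patch-level fix routed to the swift tier, and both the major bump and the 0.x minor bump routed to thorough review. The real skill would replace `SAMPLE_FINDINGS` with parsed output from the audit command and feed the tier into the ceremony mechanism.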
Security & vulnerability assessment (arn-code + arn-infra)
- Expand beyond the existing security specialist agent (Code) and security auditor agent (Infra)
- Proactive vulnerability detection as a recurring workflow
- Dependency CVE monitoring integrated into the assess pipeline
- Security posture assessment that covers application code, dependencies, and infrastructure configuration
Affected Plugins
- arn-code — new dependency audit skill, expanded assess pipeline, security specialist agent enhancements
- arn-infra — security auditor agent enhancements, integration with dependency findings during deploy safety checks
Context
As AI-assisted development tools become more powerful, the security and supply chain integrity of the projects they help build needs to keep pace. This is especially relevant as new models and capabilities emerge — the attack surface grows alongside the productivity gains.