AgentSkillsCN

security-vulnerability-report

扫描 GitHub 仓库,查找包括 Dependabot 警报、代码扫描结果,以及秘密扫描发现在内的安全漏洞。适用于审核仓库安全、准备合规报告,或对漏洞警报进行分类时使用。

SKILL.md
--- frontmatter
name: security-vulnerability-report
description: Scan GitHub repositories for security vulnerabilities including Dependabot alerts, code scanning results, and secret scanning findings. Use when auditing repository security, preparing compliance reports, or triaging vulnerability alerts.

Security Vulnerability Report

Query GitHub for Dependabot alerts, code scanning results, and secret scanning findings across repositories to produce a prioritized vulnerability report.

Instructions

Phase 1: Dependabot Alerts (GitHub Agent)

  1. Fetch Dependabot alerts across all configured repositories:
    • Alert severity (critical, high, medium, low)
    • Affected package and vulnerable version range
    • Patched version available (yes/no)
    • CVE identifier and CVSS score
    • Ecosystem (npm, pip, go, etc.)
    • Alert state (open, dismissed, fixed)

Phase 2: Code Scanning Results (GitHub Agent)

  1. Fetch code scanning alerts:
    • Rule ID and description
    • Severity and confidence
    • Affected file and line number
    • Tool that detected it (CodeQL, etc.)
    • Alert state and dismissal reason if applicable

Phase 3: Secret Scanning (GitHub Agent)

  1. Check for secret scanning alerts:
    • Secret type (API key, token, password, etc.)
    • Affected file and commit
    • Whether the secret has been revoked
    • Alert state

Phase 4: Compile Report

  1. Aggregate across repositories with cross-repo dedup for shared dependencies
  2. Prioritize by:
    • Severity (critical first)
    • Exploitability (known exploits in the wild)
    • Fix availability (patch available = higher priority)
  3. Calculate risk score per repository

Output Format

markdown
## Security Vulnerability Report
**Generated**: February 9, 2026
**Repositories Scanned**: 8

### Executive Summary
| Severity | Open | Fixed (30d) | Dismissed |
|----------|------|-------------|-----------|
| Critical | 2 | 5 | 0 |
| High | 7 | 12 | 1 |
| Medium | 15 | 8 | 3 |
| Low | 23 | 6 | 5 |

**Overall Risk**: HIGH - 2 critical vulnerabilities with patches available

### Critical Vulnerabilities (Immediate Action Required)
#### 1. CVE-2026-1234 - Remote Code Execution in lodash
- **Repository**: ai-platform-engineering/ui
- **Package**: lodash@4.17.20 (npm)
- **CVSS**: 9.8 | **Exploits in Wild**: Yes
- **Fix**: Upgrade to lodash@4.17.22
- **Action**: `npm audit fix` or update package.json

#### 2. CVE-2026-5678 - SQL Injection in sqlparse
- **Repository**: ai-platform-engineering
- **Package**: sqlparse@0.4.3 (pip)
- **CVSS**: 9.1 | **Exploits in Wild**: No
- **Fix**: Upgrade to sqlparse@0.5.0
- **Action**: Update pyproject.toml dependency

### High Severity Vulnerabilities
| CVE | Package | Repository | CVSS | Fix Available |
|-----|---------|-----------|------|---------------|
| CVE-2026-2345 | express@4.18.0 | ui | 7.5 | Yes (4.18.3) |
| ... | ... | ... | ... | ... |

### Code Scanning Findings
| Rule | Severity | Repository | File | Description |
|------|----------|-----------|------|-------------|
| js/xss | High | ui | src/utils.ts:42 | Unsanitized user input in DOM |
| py/sql-injection | High | backend | api/query.py:89 | String concatenation in SQL |

### Secret Scanning Alerts
| Type | Repository | Status | Action Needed |
|------|-----------|--------|---------------|
| GitHub Token | agent-argocd | Active | Revoke and rotate |

### Repository Risk Scores
| Repository | Critical | High | Medium | Risk Score |
|------------|----------|------|--------|------------|
| ai-platform-engineering | 1 | 3 | 5 | HIGH |
| ui | 1 | 2 | 4 | HIGH |
| agent-argocd | 0 | 1 | 3 | MEDIUM |
| agent-aws | 0 | 1 | 3 | MEDIUM |

### Recommended Actions (Priority Order)
1. **Immediate**: Fix 2 critical CVEs (patches available)
2. **This Week**: Address code scanning high-severity findings
3. **This Sprint**: Revoke and rotate exposed secret in agent-argocd
4. **Ongoing**: Enable auto-merge for Dependabot PRs on patch updates

Examples

  • "Check all repositories for security vulnerabilities"
  • "Show me critical Dependabot alerts"
  • "Are there any secret scanning findings?"
  • "Generate a security report for the ai-platform-engineering repo"
  • "What vulnerabilities have patches available?"

Guidelines

  • Always sort by severity (critical first), then by fix availability
  • Flag any vulnerabilities with known exploits in the wild as top priority
  • Deduplicate shared dependencies across repos (e.g., same lodash vuln in multiple repos)
  • Include the specific fix command or version to upgrade to
  • Never display actual secret values in the report - only the type and location
  • Distinguish between direct and transitive dependencies
  • If no vulnerabilities are found, confirm with a clean security posture summary
  • Reference project codeguard rules: no hardcoded credentials, no banned crypto algorithms (MD5, SHA-1, DES, RC4)