# Security Fixes - Automated Dependency Updates with Jira Integration

Automates the complete workflow of fixing Dependabot security alerts, including Jira ticket management, dependency updates, Dependabot verification, and pull request creation.
## Workflow

### 1. Get Jira Ticket Number

Check whether there is an open Jira ticket titled "### <APPLICATION> ### Fix Security Alerts". If none is found and the user did not provide a ticket number, ask for it:

What's the Jira ticket number for this security fix? (e.g., MP-1234)
### 2. Update Jira Ticket Status

Use the mice-jira-tickets skill or Atlassian tools to:

- Assign the ticket to the current user
- Move the ticket status to "In Arbeit" (In Progress)
### 3. Create Branch and Update Dependencies

Run the automated script:

```bash
scripts/fix_security_deps.sh <TICKET-NUMBER>
```

The script will:

- Create a new branch `<TICKET-NUMBER>-security-fix` from the latest master
- Run `bundle update --patch` to update Ruby gems (`--patch` prefers patch-level updates but does not forbid larger jumps; add `--strict` as well if those must be prevented)
- Run `yarn upgrade` to update JavaScript packages (if package.json exists)
- Commit the changes with the message `<TICKET-NUMBER> security fix`
- Push the branch to the remote
### 4. Verify Dependabot Alerts Are Fixed

IMPORTANT: After updating dependencies, verify that the Dependabot alerts are actually resolved:

```bash
# Determine the application name from the git remote. Works for SSH and HTTPS
# remotes, with or without a trailing ".git" (the original pattern required it).
APPLICATION=$(git remote get-url origin | sed -e 's/\.git$//' -e 's#.*github\.com[:/]konvenit/##')
# Check the Dependabot alerts page
echo "Checking: https://github.com/konvenit/${APPLICATION}/security/dependabot"
```

Use web_fetch to check the Dependabot security page:

https://github.com/konvenit/<APPLICATION>/security/dependabot

What to verify:

- Are there still open alerts?
- Which alerts were fixed by the updates?
- Are there any remaining alerts that need a different action?

Only count an alert as fixed when the page shows it closed because the vulnerable version is gone; a dismissed alert also leaves the open list but is not resolved.

Report to the user:

- ✅ "All Dependabot alerts resolved" (if no alerts remain)
- ⚠️ "X alerts resolved, Y alerts still open" (if some remain)
- List any remaining alerts with severity and package name

If alerts remain, ask the user whether to:

- Continue with the PR (partial fix)
- Investigate further updates
- Create a separate ticket for the remaining issues
### 5. Create Pull Request

Only proceed with PR creation if:

- At least some alerts were fixed, OR
- The user confirms to proceed

Use the GitHub CLI to create the PR:

```bash
gh pr create --title "<TICKET-NUMBER> security fix" --body "[PR body with Jira link]"
```

The PR will include:

- Title: `<TICKET-NUMBER> security fix`
- Body: a link to the Jira ticket and the Dependabot verification results

Get the PR URL from the command output.
### 6. Link PR to Jira and Update Status

After the PR is created:

- Post the PR link as a comment on the Jira ticket using Atlassian tools
- Move the ticket status to "In Codereview"
### 7. Report Complete Results

Provide a comprehensive summary to the user:

- Branch name
- Commit hash
- Dependabot verification results (alerts fixed vs. remaining)
- PR link
- List of updated dependencies
- Jira ticket status confirmation
- Any warnings or next steps
## Example Usage

User: "Please fix the Dependabot issues for ticket MP-1234"

Claude Response:

- Assign MP-1234 to the user and move it to "In Arbeit"
- Run `scripts/fix_security_deps.sh MP-1234`
- Verify Dependabot alerts at https://github.com/konvenit/mice-portal/security/dependabot
- Report verification results
- Create PR (if alerts were fixed)
- Post PR link to Jira ticket
- Move ticket to "In Codereview"
- Final report:

```
✅ Jira MP-1234: Assigned to you, status → In Arbeit
✅ Created branch: MP-1234-security-fix
✅ Updated dependencies:
   - nokogiri: 1.13.0 → 1.13.10
   - rack: 2.2.3 → 2.2.8
✅ Committed: MP-1234 security fix (commit: abc123)
✅ Dependabot verification:
   - 3 critical alerts resolved ✅
   - 0 alerts remaining
   - All security issues fixed!
✅ PR created: https://github.com/konvenit/mice-portal/pull/123
✅ Jira MP-1234: Added PR comment, status → In Codereview
```
## Complete Workflow Steps

- Start: Get Jira ticket number
- Jira Update 1: Assign to user + status → "In Arbeit"
- Git Operations: Branch, update deps, commit, push
- Verification: Check Dependabot alerts page to confirm fixes
- Decision Point: Proceed with PR based on verification results
- PR Creation: Create PR with Jira link and verification results in the description
- Jira Update 2: Comment with PR link + status → "In Codereview"
- Report: Summarize all actions including Dependabot verification
## Dependabot Verification Details

### How to Check

- Use web_fetch on https://github.com/konvenit/<APPLICATION>/security/dependabot
- Parse the page to identify:
  - Total alerts (before updates)
  - Resolved alerts (after updates)
  - Remaining open alerts
  - Severity levels (Critical, High, Moderate, Low)

### What to Report

```
Dependabot Verification Results:
✅ Fixed: 3 alerts
  - nokogiri: Critical SQL injection vulnerability
  - rack: High HTTP request smuggling
  - rails: Moderate XSS vulnerability
⚠️ Remaining: 1 alert
  - devise: Low information disclosure (requires major version update)

Recommendation: Proceed with PR for fixed alerts, create separate ticket for devise update.
```
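The verification diff from step 4 and the step 5 decision rule, as an added example that is not part of the original skill. The flat alert shape (package, severity, summary) and the before/after lists are constructed assumptions; the page itself leaves parsing the Dependabot page to web_fetch.

```python
"""Added example (not part of the original skill): diff Dependabot alerts
before and after a dependency update and apply the page's decision rule.
The flat alert shape and the sample lists are this example's own assumptions;
the page itself leaves parsing the Dependabot page to web_fetch."""
from dataclasses import dataclass

SEVERITY_ORDER = {"critical": 0, "high": 1, "moderate": 2, "low": 3}


@dataclass(frozen=True)
class Alert:
    package: str
    severity: str  # critical | high | moderate | low
    summary: str


def verify_alerts(before, after):
    """Return (fixed, remaining), each most-severe first. An alert is identified
    by (package, summary); one open before but absent after counts as fixed."""
    key = lambda a: (SEVERITY_ORDER.get(a.severity.lower(), 99), a.package)
    return sorted(set(before) - set(after), key=key), sorted(set(after), key=key)


def should_create_pr(fixed, user_confirmed=False):
    """Step 5 rule: proceed only if something was fixed OR the user confirmed."""
    return bool(fixed) or user_confirmed


def format_report(fixed, remaining):
    """Render the 'What to Report' summary in the skill's format."""
    def line(a):
        return f"  - {a.package}: {a.severity.capitalize()} {a.summary}"
    out = ["Dependabot Verification Results:", f"✅ Fixed: {len(fixed)} alerts"]
    out += [line(a) for a in fixed]
    if not remaining:
        out.append("All Dependabot alerts resolved")
        return "\n".join(out)
    out.append(f"⚠️ Remaining: {len(remaining)} alert{'s' if len(remaining) != 1 else ''}")
    out += [line(a) for a in remaining]
    out.append("Recommendation: Proceed with PR for fixed alerts, "
               "create separate ticket for remaining alerts.")
    return "\n".join(out)


# Constructed sample alerts mirroring the values used on this page.
BEFORE = [Alert("nokogiri", "critical", "SQL injection vulnerability"),
          Alert("rack", "high", "HTTP request smuggling"),
          Alert("rails", "moderate", "XSS vulnerability"),
          Alert("devise", "low", "information disclosure (requires major version update)")]
AFTER = [BEFORE[3]]  # only the devise alert is still open after the update
```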
## PR Description Template with Verification

```markdown
Security dependency updates for https://miceportal.atlassian.net/browse/MP-1234

## Dependabot Verification
✅ **3 critical/high alerts resolved**
⚠️ 1 low-severity alert remains (requires major version update)

See: https://github.com/konvenit/<APPLICATION>/security/dependabot

## Changes
- Updated Ruby gems (patch versions)
  - nokogiri: 1.13.0 → 1.13.10 (fixes CVE-2023-XXXX)
  - rack: 2.2.3 → 2.2.8 (fixes CVE-2023-YYYY)
- Updated JavaScript packages
```
## Error Handling

If the script encounters errors:

- Jira access issues: Report the error and continue with git operations
- Dependabot page inaccessible: Report the error and suggest manual verification
- No updates available: Check the Dependabot page to confirm no fixes are needed
- Alerts still open after updates: Report which alerts remain and why
- Merge conflicts: Report to the user and suggest manual resolution
- Test failures: Report which tests failed and ask for guidance
- Git errors: Show the error message and suggest next steps
- PR creation failed: Provide a manual PR creation link
## Integration with Other Skills

This skill integrates with:

- mice-jira-tickets: For Jira ticket management operations
- Atlassian: For direct Jira API access (ticket updates, comments)
- web_fetch: To verify that Dependabot alerts are resolved