AgentSkillsCN

security-fixes

Automated dependency security fixes for Konvenit projects with full Jira integration and Dependabot verification. When Dependabot raises an alert, this skill creates a pull request with the dependency updates, manages the Jira ticket status, verifies that the alerts are resolved, and links the PR to the ticket. Use it when the user asks to fix Dependabot issues, update dependencies for security, create a security fix PR, or mentions a Jira ticket for security updates. It triggers on phrases such as "fix dependabot issues", "security dependency updates", "create security PR for MP-1234", and "fix security vulnerabilities in dependencies".

SKILL.md
--- frontmatter
name: security-fixes
description: Automated dependency security fixes for Konvenit projects with full Jira integration and Dependabot verification. Creates a pull request with dependency updates for Dependabot alerts, manages Jira ticket status, verifies alerts are resolved, and links PR to ticket. Use when the user asks to fix Dependabot issues, update dependencies for security, create a security fix PR, or mentions a Jira ticket for security updates. Triggers on phrases like "fix dependabot issues", "security dependency updates", "create security PR for MP-1234", "fix security vulnerabilities in dependencies".

Security Fixes - Automated Dependency Updates with Jira Integration

Automates the complete workflow of fixing Dependabot security alerts including Jira ticket management, dependency updates, Dependabot verification, and pull request creation.

Workflow

1. Get Jira Ticket Number

Check whether there is already an open Jira ticket titled "### <APPLICATION> ### Fix Security Alerts". If none is found and no ticket number was provided, ask the user for it:

code
What's the Jira ticket number for this security fix? (e.g., MP-1234)

2. Update Jira Ticket Status

Use the mice-jira-tickets skill or Atlassian tools to:

  • Assign the ticket to the current user
  • Move ticket status to "In Arbeit" (In Progress)

3. Create Branch and Update Dependencies

Run the automated script:

bash
scripts/fix_security_deps.sh <TICKET-NUMBER>

The script will:

  1. Create a new branch: <TICKET-NUMBER>-security-fix from the latest master
  2. Run bundle update --patch to update Ruby gems (bundler prefers patch-level releases here; add --strict to forbid anything larger, which also means an alert whose fix needs a minor or major bump stays open)
  3. Run yarn upgrade to update JavaScript packages within the version ranges declared in package.json (if package.json exists)
  4. Commit changes with message: <TICKET-NUMBER> security fix
  5. Push the branch to remote
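The page does not show scripts/fix_security_deps.sh itself. The following is an added example of how the five steps above can be implemented in POSIX shell; it is not the project's script. It assumes Jira keys of the form MP-1234, a default branch named master, and that only the lockfiles (Gemfile.lock, yarn.lock) are committed. It additionally refuses to start on a working tree with modified tracked files, validates the ticket key before it is used in a branch name and commit message, and commits nothing when the updates change no lockfile:

```shell
#!/bin/sh
# fix_security_deps.sh <TICKET-NUMBER>
# Added example of the script the workflow invokes (not the project's own code).
# Assumptions not stated on the page: ticket keys look like MP-1234, the default
# branch is "master", and only lockfiles are committed.
set -eu

usage() {
  echo "usage: $0 <TICKET-NUMBER>   (e.g. MP-1234)" >&2
}

# Jira key: project letters, dash, digits. Rejecting anything else keeps the
# ticket from smuggling odd characters into branch names and commit messages.
valid_ticket() {
  printf '%s\n' "$1" | grep -Eq '^[A-Z][A-Z0-9]*-[0-9]+$'
}

branch_name()    { printf '%s-security-fix\n' "$1"; }
commit_message() { printf '%s security fix\n' "$1"; }

# Repository name from the origin URL; works for SSH and HTTPS remotes, with or
# without a trailing ".git". Prints nothing if origin is not a konvenit repo.
app_from_remote() {
  printf '%s\n' "$1" | sed -nE 's#\.git$##; s#^.*github\.com[:/]konvenit/([^/]+)$#\1#p'
}

dependabot_url() { printf 'https://github.com/konvenit/%s/security/dependabot\n' "$1"; }

main() {
  ticket=$1
  valid_ticket "$ticket" || { echo "invalid ticket key: $ticket" >&2; exit 2; }
  branch=$(branch_name "$ticket")

  # Refuse to run with modified tracked files so unrelated edits never land
  # in the fix commit (untracked files are harmless: only lockfiles get staged).
  [ -z "$(git status --porcelain --untracked-files=no)" ] || { echo "working tree not clean" >&2; exit 1; }

  git fetch origin master
  git checkout -b "$branch" origin/master

  # Conservative updates only: --patch prefers patch-level gem releases;
  # yarn upgrade stays within the ranges declared in package.json.
  [ -f Gemfile ]      && bundle update --patch
  [ -f package.json ] && yarn upgrade

  # Stage lockfiles only; node_modules and other build output stay out.
  for f in Gemfile.lock yarn.lock; do
    [ -f "$f" ] && git add "$f"
  done

  if git diff --cached --quiet; then
    app=$(app_from_remote "$(git remote get-url origin)")
    echo "no dependency updates available; check $(dependabot_url "$app")" >&2
    exit 0
  fi

  # Show what changed before anything leaves the machine.
  git diff --cached --stat
  git commit -m "$(commit_message "$ticket")"
  git push -u origin "$branch"
  echo "pushed $branch ($(git rev-parse --short HEAD))"
}

if [ $# -ge 1 ]; then
  main "$1"
else
  usage
fi
```

Run it as scripts/fix_security_deps.sh MP-1234 from the repository root. The staged diff is printed before the commit so the reviewer can see exactly which lockfile lines moved; anything that is not a lockfile change is a sign the update did more than expected.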

4. Verify Dependabot Alerts Are Fixed

IMPORTANT: After updating dependencies, verify that the Dependabot alerts are actually resolved. Keep in mind that GitHub evaluates Dependabot alerts against the default branch, so the alerts page only changes once the fix is merged; while the fix is still on the branch, compare each alert's patched version with the version now pinned in Gemfile.lock or yarn.lock:

bash
# Determine the application name from the git remote (SSH or HTTPS URL,
# with or without a trailing .git)
APPLICATION=$(git remote get-url origin | sed -E 's#\.git$##; s#.*github\.com[:/]konvenit/##')

# Check Dependabot alerts page
echo "Checking: https://github.com/konvenit/${APPLICATION}/security/dependabot"

Use web_fetch to check the Dependabot security page:

code
https://github.com/konvenit/<APPLICATION>/security/dependabot

What to verify:

  • Are there still open alerts?
  • Which alerts were fixed by the updates?
  • Are there any remaining alerts that need different action?

Report to user:

  • ✅ "All Dependabot alerts resolved" (if no alerts remain)
  • ⚠️ "X alerts resolved, Y alerts still open" (if some remain)
  • List any remaining alerts with severity and package name

If alerts remain: Ask user whether to:

  • Continue with PR (partial fix)
  • Investigate further updates
  • Create separate ticket for remaining issues

5. Create Pull Request

Only proceed with PR creation if:

  • At least some alerts were fixed, OR
  • User confirms to proceed

Use GitHub CLI to create PR:

bash
gh pr create --title "<TICKET-NUMBER> security fix" --body "[PR body with Jira link]"

The PR will include:

  • Title: <TICKET-NUMBER> security fix
  • Body: link to the Jira ticket and the Dependabot verification results

Take the PR URL from the command output; it is needed for the Jira comment in the next step.

6. Link PR to Jira and Update Status

After PR is created:

  • Post PR link as comment to Jira ticket using Atlassian tools
  • Move ticket status to "In Codereview"

7. Report Complete Results

Provide comprehensive summary to user:

  • Branch name
  • Commit hash
  • Dependabot verification results (alerts fixed vs remaining)
  • PR link
  • List of updated dependencies
  • Jira ticket status confirmation
  • Any warnings or next steps

Example Usage

User: "Please fix the Dependabot issues for ticket MP-1234"

Claude Response:

  1. Assign MP-1234 to user and move to "In Arbeit"
  2. Run scripts/fix_security_deps.sh MP-1234
  3. Verify Dependabot alerts at https://github.com/konvenit/mice-portal/security/dependabot
  4. Report verification results
  5. Create PR (if alerts were fixed)
  6. Post PR link to Jira ticket
  7. Move ticket to "In Codereview"
  8. Final report:
    code
    ✅ Jira MP-1234: Assigned to you, status → In Arbeit
    ✅ Created branch: MP-1234-security-fix
    ✅ Updated dependencies:
       - nokogiri: 1.13.0 → 1.13.10
       - rack: 2.2.3 → 2.2.8
    ✅ Committed: MP-1234 security fix (commit: abc123)
    ✅ Dependabot verification:
       - 3 critical alerts resolved ✅
       - 0 alerts remaining
       - All security issues fixed!
    ✅ PR created: https://github.com/konvenit/mice-portal/pull/123
    ✅ Jira MP-1234: Added PR comment, status → In Codereview
    

Complete Workflow Steps

  1. Start: Get Jira ticket number
  2. Jira Update 1: Assign to user + status → "In Arbeit"
  3. Git Operations: Branch, update deps, commit, push
  4. Verification: Check Dependabot alerts page to confirm fixes
  5. Decision Point: Proceed with PR based on verification results
  6. PR Creation: Create PR with Jira link and verification results in description
  7. Jira Update 2: Comment with PR link + status → "In Codereview"
  8. Report: Summarize all actions including Dependabot verification

Dependabot Verification Details

How to Check

  • Use web_fetch on https://github.com/konvenit/<APPLICATION>/security/dependabot
  • Parse the page to identify:
    • Total alerts (before updates)
    • Resolved alerts (after updates)
    • Remaining open alerts
    • Severity levels (Critical, High, Moderate, Low)

What to Report

code
Dependabot Verification Results:
✅ Fixed: 3 alerts
   - nokogiri: Critical SQL injection vulnerability
   - rack: High HTTP request smuggling
   - rails: Moderate XSS vulnerability

⚠️ Remaining: 1 alert
   - devise: Low information disclosure (requires major version update)

Recommendation: Proceed with PR for fixed alerts, create separate ticket for devise update.
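Step 4 of the workflow and the verification details above both rely on fetching and parsing the HTML alerts page. The following added example (not part of the skill) does the same check through the Dependabot REST API via gh api: it records the open alerts before the update and compares them with a second snapshot afterwards, so "resolved" means the alert number left the open set rather than a guess from HTML parsing, and each still-open alert is listed with the first patched version to compare against the lockfile. It assumes gh is authenticated with access to the repository's Dependabot alerts and that the jq field names follow the GET /repos/{owner}/{repo}/dependabot/alerts schema (number, security_advisory.severity, dependency.package.name, security_vulnerability.first_patched_version.identifier). Because alerts are evaluated against the default branch, the second snapshot is meaningful after the PR is merged; the sample BEFORE/AFTER data mentioned in the comments is constructed:

```shell
#!/bin/sh
# Added example: verify Dependabot alerts via the REST API instead of scraping
# the HTML page. Assumes `gh` is authenticated with access to the repo's alerts;
# the jq field names follow GET /repos/{owner}/{repo}/dependabot/alerts.
set -eu

# One line per open alert: "<number> <severity> <package> patched>=<version>".
snapshot_open_alerts() {
  gh api --paginate "repos/konvenit/$1/dependabot/alerts?state=open&per_page=100" \
    --jq '.[] | "\(.number) \(.security_advisory.severity) \(.dependency.package.name) patched>=\(.security_vulnerability.first_patched_version.identifier // "n/a")"'
}

# Non-empty lines of $1 that do not occur in $2 (whole-line set difference).
# $2 is handed to awk through the environment so embedded newlines survive.
lines_not_in() {
  printf '%s\n' "$1" | OTHER="$2" awk '
    BEGIN { n = split(ENVIRON["OTHER"], a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
    NF && !seen[$0]'
}

# Number of non-empty lines; "|| true" keeps grep's exit 1 on zero matches
# from tripping set -e while still printing the 0.
count_lines() { printf '%s\n' "$1" | grep -c . || true; }

# Alerts open in the baseline snapshot that are no longer open now
# (constructed sample: baseline "7 critical nokogiri ...", after "15 low devise ...").
resolved_alerts() { lines_not_in "$1" "$2"; }

# Print the report the workflow asks for; return 0 only when nothing is open.
report_alerts() {
  before=$1 after=$2
  resolved=$(resolved_alerts "$before" "$after")
  new=$(lines_not_in "$after" "$before")     # opened since the baseline
  n_res=$(count_lines "$resolved")
  n_rem=$(count_lines "$after")
  n_new=$(count_lines "$new")
  if [ "$n_rem" -eq 0 ]; then
    echo "All Dependabot alerts resolved ($n_res fixed)"
    return 0
  fi
  echo "$n_res alerts resolved, $n_rem alerts still open"
  printf '%s\n' "$after" | grep . | sed 's/^/  still open: #/'
  [ "$n_new" -eq 0 ] || echo "  note: $n_new alert(s) were opened after the baseline and are not regressions from this update"
  return 1
}

# First run records the baseline; the second run (after the fix is merged,
# since alerts are evaluated against the default branch) prints the report.
main() {
  app=$1 baseline=$2
  if [ ! -f "$baseline" ]; then
    snapshot_open_alerts "$app" > "$baseline"
    echo "baseline written to $baseline; run again after the update is merged"
    return 0
  fi
  report_alerts "$(cat "$baseline")" "$(snapshot_open_alerts "$app")"
}

if [ $# -eq 2 ]; then
  main "$1" "$2"
else
  echo "usage: $0 <APPLICATION> <BASELINE-FILE>" >&2
fi
```

Usage: ./verify_alerts.sh mice-portal /tmp/mp-1234-alerts.txt before running the fix, then the same command again once the PR is merged; the non-zero exit status when alerts remain makes the "partial fix" decision point explicit in a pipeline.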

PR Description Template with Verification

markdown
Security dependency updates for https://miceportal.atlassian.net/browse/MP-1234

## Dependabot Verification
✅ **3 critical/high alerts resolved**
⚠️ 1 low-severity alert remains (requires major version update)

See: https://github.com/konvenit/<APPLICATION>/security/dependabot

## Changes
- Updated Ruby gems (patch versions)
  - nokogiri: 1.13.0 → 1.13.10 (fixes CVE-2023-XXXX)
  - rack: 2.2.3 → 2.2.8 (fixes CVE-2023-YYYY)
- Updated JavaScript packages

Error Handling

If the script encounters errors:

  • Jira access issues: Report error and continue with git operations
  • Dependabot page inaccessible: Report error, suggest manual verification
  • No updates available: Verify Dependabot page to confirm no fixes needed
  • Alerts still open after updates: Report which alerts remain and why
  • Merge conflicts: Report to user and suggest manual resolution
  • Test failures: Report which tests failed and ask for guidance
  • Git errors: Show error message and suggest next steps
  • PR creation failed: Provide manual PR creation link

Integration with Other Skills

This skill integrates with:

  • mice-jira-tickets: For Jira ticket management operations
  • Atlassian: For direct Jira API access (ticket updates, comments)
  • web_fetch: To verify Dependabot alerts are resolved