Skip to content

Feat/dependency vulnerability fixer#2206

Open
guilhermerios21 wants to merge 2 commits into
github:mainfrom
guilhermerios21:feat/dependency-vulnerability-fixer
Open

Feat/dependency vulnerability fixer#2206
guilhermerios21 wants to merge 2 commits into
github:mainfrom
guilhermerios21:feat/dependency-vulnerability-fixer

Conversation

@guilhermerios21

Copy link
Copy Markdown

Pull Request Checklist

  • I have read and followed the CONTRIBUTING.md guidelines.
  • I have read and followed the Guidance for submissions involving paid services.
  • My contribution adds a new instruction, prompt, agent, skill, workflow, or canvas extension file in the correct directory.
  • The file follows the required naming convention.
  • The content is clearly structured and follows the example format.
  • I have tested my instructions, prompt, agent, skill, workflow, or canvas extension with GitHub Copilot.
  • I have run npm start and verified that README.md is up to date.
  • I am targeting the main branch for this pull request.

Description

Adds the dependency-vulnerability-fixer skill and its paired dependency-security-advisor agent.

The skill analyzes npm, pip, and Maven dependency trees to identify known CVEs (via npm audit, pip-audit, and OWASP Dependency-Check) and recommends the minimal safe version upgrade for each finding, distinguishing direct from transitive dependencies and flagging fixes that require a major version bump.

The agent wraps this skill with an application security engineer persona, prioritizing findings by severity and exploitability and producing a remediation plan before applying any change.

A bundled reference file (references/severity-remediation-guide.md) maps CVSS severity to recommended action and adds ecosystem-specific remediation notes for npm, pip, and Maven.

Usage: trigger the skill by asking Copilot to audit dependencies, fix CVEs in package.json/requirements.txt/pom.xml, or by pasting existing audit output for it to interpret.


Type of Contribution

  • New instruction file.
  • New prompt file.
  • New agent file.
  • New plugin.
  • New skill file.
  • New agentic workflow.
  • New canvas extension.
  • Update to existing instruction, prompt, agent, plugin, skill, workflow, or canvas extension.
  • Other (please specify):

Additional Notes

  • The skill has no hard dependency on any specific audit tool being installed; it can work either by running npm audit, pip-audit, or mvn org.owasp:dependency-check-maven:check directly, or by parsing audit output the user pastes in, so it degrades gracefully when a terminal isn't available.
  • Severity triage follows the CVSS-to-action mapping in references/severity-remediation-guide.md, keeping the skill's core logic (in SKILL.md) and the reference data separate so the mapping can be updated without touching the main instructions.

By submitting this pull request, I confirm that my contribution abides by the Code of Conduct and will be licensed under the MIT License.

Copilot AI review requested due to automatic review settings July 3, 2026 14:14
@github-actions github-actions Bot added agent PR touches agents new-submission PR adds at least one new contribution skills PR touches skills labels Jul 3, 2026
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

🔒 PR Risk Scan Results

Scanned 4 changed file(s).

Severity Count
🔴 High 0
🟠 Medium 3
ℹ️ Info 0
Severity Rule File Line Match
🟠 package-exec-command docs/README.skills.md 31 | [acreadiness-assess](../skills/acreadiness-assess/SKILL.md)<br />`gh skills install github/awesome-copilot acreadiness-assess` | Run the AgentRC readiness assessment on the curre
🟠 unpinned-version-indicator skills/dependency-vulnerability-fixer/SKILL.md 74 vulnerable-package>=1.2.4
🟠 unpinned-version-indicator skills/dependency-vulnerability-fixer/SKILL.md 87 <version>1.2.4</version>

This is an automated soft-gate report. Findings indicate review targets and do not block merge by themselves.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

🔍 Vally Lint Results

⚠️ Warnings or advisories found

Scope Checked
Skills 1
Agents 1
Total 2
Severity Count
❌ Errors 0
⚠️ Warnings 0
ℹ️ Advisories 1

Summary

Level Finding
ℹ️ Vally currently lints SKILL.md content. Agent files were detected but skipped:
Full linter output
### Linting skills/dependency-vulnerability-fixer
npm warn EBADENGINE Unsupported engine {
npm warn EBADENGINE   package: 'commander@15.0.0',
npm warn EBADENGINE   required: { node: '>=22.12.0' },
npm warn EBADENGINE   current: { node: 'v20.20.2', npm: '10.8.2' }
npm warn EBADENGINE }
npm warn deprecated prebuild-install@7.1.3: No longer maintained. Please contact the author of the relevant native addon; alternatives are available.
✅ dependency-vulnerability-fixer (2/2 checks passed)
    ✓ [spec-compliance] All 1 skill(s) are spec-compliant.
        ✓ spec-compliance: All spec checks passed.
    ✓ [valid-refs] All file references across 1 skill(s) are valid.
        ✓ valid-refs: All file references resolve to existing files within the skill directory.

1 skill(s) linted, 1 passed

### Agent files detected (not linted by vally)
ℹ️ Vally currently lints SKILL.md content. Agent files were detected but skipped:
agents/dependency-security-advisor.agent.md

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new dependency security skill plus a companion agent, and registers both in the generated documentation indexes so they’re discoverable and installable from this repo.

Changes:

  • Added dependency-vulnerability-fixer skill content describing how to audit and remediate vulnerable dependencies across npm/pip/Maven.
  • Added dependency-security-advisor agent to wrap the skill with an AppSec-focused workflow/persona.
  • Updated docs/README.skills.md and docs/README.agents.md tables to include the new skill/agent.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File Description
skills/dependency-vulnerability-fixer/SKILL.md Introduces the new skill’s front matter and usage/guidance content.
agents/dependency-security-advisor.agent.md Defines the new agent’s front matter, model/tools, and operating guidelines.
docs/README.skills.md Adds the new skill to the skills index table.
docs/README.agents.md Adds the new agent to the agents index table.

@@ -0,0 +1,97 @@
---
name: dependency-vulnerability-fixer
description: Analyzes npm/pip/maven dependency trees, identifies CVEs via OWASP Dependency Check, and suggests secure versions
@@ -0,0 +1,31 @@
---
description: "Acts as an application security engineer focused on dependency risk. Triages CVEs across npm, pip, and Maven projects, prioritizes fixes by exploitability and severity, and proposes upgrade paths that avoid breaking changes when possible."
Comment thread docs/README.skills.md
| [debian-linux-triage](../skills/debian-linux-triage/SKILL.md)<br />`gh skills install github/awesome-copilot debian-linux-triage` | Triage and resolve Debian Linux issues with apt, systemd, and AppArmor-aware guidance. | None |
| [declarative-agents](../skills/declarative-agents/SKILL.md)<br />`gh skills install github/awesome-copilot declarative-agents` | Complete development kit for Microsoft 365 Copilot declarative agents with three comprehensive workflows (basic, advanced, validation), TypeSpec support, and Microsoft 365 Agents Toolkit integration | None |
| [dependabot](../skills/dependabot/SKILL.md)<br />`gh skills install github/awesome-copilot dependabot` | Comprehensive guide for configuring and managing GitHub Dependabot. Use this skill when users ask about creating or optimizing dependabot.yml files, managing Dependabot pull requests, configuring dependency update strategies, setting up grouped updates, monorepo patterns, multi-ecosystem groups, security update configuration, auto-triage rules, or any GitHub Advanced Security (GHAS) supply chain security topic related to Dependabot. For pre-commit dependency vulnerability scanning in AI coding agents via the GitHub MCP Server, this skill references the Advanced Security plugin (`advanced-security@copilot-plugins`). Use this skill when an agent needs to scan dependencies for known vulnerabilities before committing. | `references/dependabot-yml-reference.md`<br />`references/example-configs.md`<br />`references/pr-commands.md` |
| [dependency-vulnerability-fixer](../skills/dependency-vulnerability-fixer/SKILL.md)<br />`gh skills install github/awesome-copilot dependency-vulnerability-fixer` | Analyzes npm/pip/maven dependency trees, identifies CVEs via OWASP Dependency Check, and suggests secure versions | None |
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

agent PR touches agents new-submission PR adds at least one new contribution skills PR touches skills

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants