Feat/dependency vulnerability fixer#2206
Open
guilhermerios21 wants to merge 2 commits into
Open
Conversation
Contributor
🔒 PR Risk Scan ResultsScanned 4 changed file(s).
|
Contributor
🔍 Vally Lint Results
Summary
Full linter output |
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a new dependency security skill plus a companion agent, and registers both in the generated documentation indexes so they’re discoverable and installable from this repo.
Changes:
- Added
dependency-vulnerability-fixerskill content describing how to audit and remediate vulnerable dependencies across npm/pip/Maven. - Added
dependency-security-advisoragent to wrap the skill with an AppSec-focused workflow/persona. - Updated
docs/README.skills.mdanddocs/README.agents.mdtables to include the new skill/agent.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| skills/dependency-vulnerability-fixer/SKILL.md | Introduces the new skill’s front matter and usage/guidance content. |
| agents/dependency-security-advisor.agent.md | Defines the new agent’s front matter, model/tools, and operating guidelines. |
| docs/README.skills.md | Adds the new skill to the skills index table. |
| docs/README.agents.md | Adds the new agent to the agents index table. |
| @@ -0,0 +1,97 @@ | |||
| --- | |||
| name: dependency-vulnerability-fixer | |||
| description: Analyzes npm/pip/maven dependency trees, identifies CVEs via OWASP Dependency Check, and suggests secure versions | |||
| @@ -0,0 +1,31 @@ | |||
| --- | |||
| description: "Acts as an application security engineer focused on dependency risk. Triages CVEs across npm, pip, and Maven projects, prioritizes fixes by exploitability and severity, and proposes upgrade paths that avoid breaking changes when possible." | |||
| | [debian-linux-triage](../skills/debian-linux-triage/SKILL.md)<br />`gh skills install github/awesome-copilot debian-linux-triage` | Triage and resolve Debian Linux issues with apt, systemd, and AppArmor-aware guidance. | None | | ||
| | [declarative-agents](../skills/declarative-agents/SKILL.md)<br />`gh skills install github/awesome-copilot declarative-agents` | Complete development kit for Microsoft 365 Copilot declarative agents with three comprehensive workflows (basic, advanced, validation), TypeSpec support, and Microsoft 365 Agents Toolkit integration | None | | ||
| | [dependabot](../skills/dependabot/SKILL.md)<br />`gh skills install github/awesome-copilot dependabot` | Comprehensive guide for configuring and managing GitHub Dependabot. Use this skill when users ask about creating or optimizing dependabot.yml files, managing Dependabot pull requests, configuring dependency update strategies, setting up grouped updates, monorepo patterns, multi-ecosystem groups, security update configuration, auto-triage rules, or any GitHub Advanced Security (GHAS) supply chain security topic related to Dependabot. For pre-commit dependency vulnerability scanning in AI coding agents via the GitHub MCP Server, this skill references the Advanced Security plugin (`advanced-security@copilot-plugins`). Use this skill when an agent needs to scan dependencies for known vulnerabilities before committing. | `references/dependabot-yml-reference.md`<br />`references/example-configs.md`<br />`references/pr-commands.md` | | ||
| | [dependency-vulnerability-fixer](../skills/dependency-vulnerability-fixer/SKILL.md)<br />`gh skills install github/awesome-copilot dependency-vulnerability-fixer` | Analyzes npm/pip/maven dependency trees, identifies CVEs via OWASP Dependency Check, and suggests secure versions | None | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull Request Checklist
npm startand verified thatREADME.mdis up to date.mainbranch for this pull request.Description
Adds the
dependency-vulnerability-fixerskill and its paireddependency-security-advisoragent.The skill analyzes npm, pip, and Maven dependency trees to identify known CVEs (via
npm audit,pip-audit, and OWASP Dependency-Check) and recommends the minimal safe version upgrade for each finding, distinguishing direct from transitive dependencies and flagging fixes that require a major version bump.The agent wraps this skill with an application security engineer persona, prioritizing findings by severity and exploitability and producing a remediation plan before applying any change.
A bundled reference file (
references/severity-remediation-guide.md) maps CVSS severity to recommended action and adds ecosystem-specific remediation notes for npm, pip, and Maven.Usage: trigger the skill by asking Copilot to audit dependencies, fix CVEs in
package.json/requirements.txt/pom.xml, or by pasting existing audit output for it to interpret.Type of Contribution
Additional Notes
npm audit,pip-audit, ormvn org.owasp:dependency-check-maven:checkdirectly, or by parsing audit output the user pastes in, so it degrades gracefully when a terminal isn't available.references/severity-remediation-guide.md, keeping the skill's core logic (in SKILL.md) and the reference data separate so the mapping can be updated without touching the main instructions.By submitting this pull request, I confirm that my contribution abides by the Code of Conduct and will be licensed under the MIT License.