security-vulnerability-report

star 372

Scan GitHub repositories for security vulnerabilities including Dependabot alerts, code scanning results, and secret scanning findings. Use when auditing repository security, preparing compliance reports, or triaging vulnerability alerts.

cnoe-io By cnoe-io schedule Updated 2/9/2026
play_arrow Run Skill in Manus View GitHub

name: security-vulnerability-report description: Scan GitHub repositories for security vulnerabilities including Dependabot alerts, code scanning results, and secret scanning findings. Use when auditing repository security, preparing compliance reports, or triaging vulnerability alerts.

Security Vulnerability Report

Query GitHub for Dependabot alerts, code scanning results, and secret scanning findings across repositories to produce a prioritized vulnerability report.

Instructions

Phase 1: Dependabot Alerts (GitHub Agent)

  1. Fetch Dependabot alerts across all configured repositories:
    • Alert severity (critical, high, medium, low)
    • Affected package and vulnerable version range
    • Patched version available (yes/no)
    • CVE identifier and CVSS score
    • Ecosystem (npm, pip, go, etc.)
    • Alert state (open, dismissed, fixed)

Phase 2: Code Scanning Results (GitHub Agent)

  1. Fetch code scanning alerts:
    • Rule ID and description
    • Severity and confidence
    • Affected file and line number
    • Tool that detected it (CodeQL, etc.)
    • Alert state and dismissal reason if applicable

Phase 3: Secret Scanning (GitHub Agent)

  1. Check for secret scanning alerts:
    • Secret type (API key, token, password, etc.)
    • Affected file and commit
    • Whether the secret has been revoked
    • Alert state

Phase 4: Compile Report

  1. Aggregate across repositories with cross-repo dedup for shared dependencies
  2. Prioritize by:
    • Severity (critical first)
    • Exploitability (known exploits in the wild)
    • Fix availability (patch available = higher priority)
  3. Calculate risk score per repository

Output Format

## Security Vulnerability Report
**Generated**: February 9, 2026
**Repositories Scanned**: 8

### Executive Summary
| Severity | Open | Fixed (30d) | Dismissed |
|----------|------|-------------|-----------|
| Critical | 2 | 5 | 0 |
| High | 7 | 12 | 1 |
| Medium | 15 | 8 | 3 |
| Low | 23 | 6 | 5 |

**Overall Risk**: HIGH - 2 critical vulnerabilities with patches available

### Critical Vulnerabilities (Immediate Action Required)
#### 1. CVE-2026-1234 - Remote Code Execution in lodash
- **Repository**: ai-platform-engineering/ui
- **Package**: lodash@4.17.20 (npm)
- **CVSS**: 9.8 | **Exploits in Wild**: Yes
- **Fix**: Upgrade to lodash@4.17.22
- **Action**: `npm audit fix` or update package.json

#### 2. CVE-2026-5678 - SQL Injection in sqlparse
- **Repository**: ai-platform-engineering
- **Package**: sqlparse@0.4.3 (pip)
- **CVSS**: 9.1 | **Exploits in Wild**: No
- **Fix**: Upgrade to sqlparse@0.5.0
- **Action**: Update pyproject.toml dependency

### High Severity Vulnerabilities
| CVE | Package | Repository | CVSS | Fix Available |
|-----|---------|-----------|------|---------------|
| CVE-2026-2345 | express@4.18.0 | ui | 7.5 | Yes (4.18.3) |
| ... | ... | ... | ... | ... |

### Code Scanning Findings
| Rule | Severity | Repository | File | Description |
|------|----------|-----------|------|-------------|
| js/xss | High | ui | src/utils.ts:42 | Unsanitized user input in DOM |
| py/sql-injection | High | backend | api/query.py:89 | String concatenation in SQL |

### Secret Scanning Alerts
| Type | Repository | Status | Action Needed |
|------|-----------|--------|---------------|
| GitHub Token | mcp-argocd | Active | Revoke and rotate |

### Repository Risk Scores
| Repository | Critical | High | Medium | Risk Score |
|------------|----------|------|--------|------------|
| ai-platform-engineering | 1 | 3 | 5 | HIGH |
| ui | 1 | 2 | 4 | HIGH |
| mcp-argocd | 0 | 1 | 3 | MEDIUM |
| mcp-aws | 0 | 1 | 3 | MEDIUM |

### Recommended Actions (Priority Order)
1. **Immediate**: Fix 2 critical CVEs (patches available)
2. **This Week**: Address code scanning high-severity findings
3. **This Sprint**: Revoke and rotate exposed secret in mcp-argocd
4. **Ongoing**: Enable auto-merge for Dependabot PRs on patch updates

Examples

  • "Check all repositories for security vulnerabilities"
  • "Show me critical Dependabot alerts"
  • "Are there any secret scanning findings?"
  • "Generate a security report for the ai-platform-engineering repo"
  • "What vulnerabilities have patches available?"

Guidelines

  • Always sort by severity (critical first), then by fix availability
  • Flag any vulnerabilities with known exploits in the wild as top priority
  • Deduplicate shared dependencies across repos (e.g., same lodash vuln in multiple repos)
  • Include the specific fix command or version to upgrade to
  • Never display actual secret values in the report - only the type and location
  • Distinguish between direct and transitive dependencies
  • If no vulnerabilities are found, confirm with a clean security posture summary
  • Reference project codeguard rules: no hardcoded credentials, no banned crypto algorithms (MD5, SHA-1, DES, RC4)
Install via CLI
npx skills add https://github.com/cnoe-io/ai-platform-engineering --skill security-vulnerability-report
Repository Details
star Stars 372
call_split Forks 65
navigation Branch main
article Path SKILL.md
More from Creator
cnoe-io
cnoe-io Explore all skills →