cnoe-io/security-vulnerability-report

Security Vulnerability Report

Query GitHub for Dependabot alerts, code scanning results, and secret scanning findings across repositories to produce a prioritized vulnerability report.

Instructions

Phase 1: Dependabot Alerts (GitHub Agent)

1. Fetch Dependabot alerts across all configured repositories:
   • Alert severity (critical, high, medium, low)
   • Affected package and vulnerable version range
   • Patched version available (yes/no)
   • CVE identifier and CVSS score
   • Ecosystem (npm, pip, go, etc.)
   • Alert state (open, dismissed, fixed)

Phase 2: Code Scanning Results (GitHub Agent)

1. Fetch code scanning alerts:
   • Rule ID and description
   • Severity and confidence
   • Affected file and line number
   • Tool that detected it (CodeQL, etc.)
   • Alert state and dismissal reason if applicable

Phase 3: Secret Scanning (GitHub Agent)

1. Check for secret scanning alerts:
   • Secret type (API key, token, password, etc.)
   • Affected file and commit
   • Whether the secret has been revoked
   • Alert state

Phase 4: Compile Report

1. Aggregate across repositories with cross-repo dedup for shared dependencies
2. Prioritize by:
   • Severity (critical first)
   • Exploitability (known exploits in the wild)
   • Fix availability (patch available = higher priority)
3. Calculate risk score per repository

Output Format

## Security Vulnerability Report
**Generated**: February 9, 2026
**Repositories Scanned**: 8

### Executive Summary
| Severity | Open | Fixed (30d) | Dismissed |
|----------|------|-------------|-----------|
| Critical | 2 | 5 | 0 |
| High | 7 | 12 | 1 |
| Medium | 15 | 8 | 3 |
| Low | 23 | 6 | 5 |

**Overall Risk**: HIGH - 2 critical vulnerabilities with patches available

### Critical Vulnerabilities (Immediate Action Required)
#### 1. CVE-2026-1234 - Remote Code Execution in lodash
- **Repository**: ai-platform-engineering/ui
- **Package**: [email protected] (npm)
- **CVSS**: 9.8 | **Exploits in Wild**: Yes
- **Fix**: Upgrade to [email protected]
- **Action**: `npm audit fix` or update package.json

#### 2. CVE-2026-5678 - SQL Injection in sqlparse
- **Repository**: ai-platform-engineering
- **Package**: [email protected] (pip)
- **CVSS**: 9.1 | **Exploits in Wild**: No
- **Fix**: Upgrade to [email protected]
- **Action**: Update pyproject.toml dependency

### High Severity Vulnerabilities
| CVE | Package | Repository | CVSS | Fix Available |
|-----|---------|-----------|------|---------------|
| CVE-2026-2345 | [email protected] | ui | 7.5 | Yes (4.18.3) |
| ... | ... | ... | ... | ... |

### Code Scanning Findings
| Rule | Severity | Repository | File | Description |
|------|----------|-----------|------|-------------|
| js/xss | High | ui | src/utils.ts:42 | Unsanitized user input in DOM |
| py/sql-injection | High | backend | api/query.py:89 | String concatenation in SQL |

### Secret Scanning Alerts
| Type | Repository | Status | Action Needed |
|------|-----------|--------|---------------|
| GitHub Token | agent-argocd | Active | Revoke and rotate |

### Repository Risk Scores
| Repository | Critical | High | Medium | Risk Score |
|------------|----------|------|--------|------------|
| ai-platform-engineering | 1 | 3 | 5 | HIGH |
| ui | 1 | 2 | 4 | HIGH |
| agent-argocd | 0 | 1 | 3 | MEDIUM |
| agent-aws | 0 | 1 | 3 | MEDIUM |

### Recommended Actions (Priority Order)
1. **Immediate**: Fix 2 critical CVEs (patches available)
2. **This Week**: Address code scanning high-severity findings
3. **This Sprint**: Revoke and rotate exposed secret in agent-argocd
4. **Ongoing**: Enable auto-merge for Dependabot PRs on patch updates

Examples

• "Check all repositories for security vulnerabilities"
• "Show me critical Dependabot alerts"
• "Are there any secret scanning findings?"
• "Generate a security report for the ai-platform-engineering repo"
• "What vulnerabilities have patches available?"

Guidelines

• Always sort by severity (critical first), then by fix availability
• Flag any vulnerabilities with known exploits in the wild as top priority
• Deduplicate shared dependencies across repos (e.g., same lodash vuln in multiple repos)
• Include the specific fix command or version to upgrade to
• Never display actual secret values in the report - only the type and location
• Distinguish between direct and transitive dependencies
• If no vulnerabilities are found, confirm with a clean security posture summary
• Reference project codeguard rules: no hardcoded credentials, no banned crypto algorithms (MD5, SHA-1, DES, RC4)