opendatahub-io/cve-scan
helpers/skills/cve-scan/SKILL.md
Use this skill to scan a cloned repository for a specific CVE using version-matched toolchains. Supports Go (govulncheck with GOTOOLCHAIN), Node.js (npm audit), and Python (pip-audit). Writes scan result to autofix-output/cve-scan-result.json.
$ install --global
skillsauthnpx skillsauth add opendatahub-io/ai-helpers cve-scanInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 5, 2026, 7:22 AM157.4s2 files scanned
SKILL.md
- name:
- cve-scan
- description:
- >-
- allowed-tools:
- Bash Read Glob Write
- context:
- fork
- model:
- sonnet
Skill: CVE Scan
Scan a cloned repository to determine whether a specific CVE is present as an unfixed vulnerability. Uses language-appropriate scanning tools with version-matched toolchains for accurate results.
Step 1: Run the scan script
Run scripts/scan.sh which handles language detection, version-matched
toolchain selection, vulnerability scanning, package version checks, and
base image detection:
bash scripts/scan.sh "${REPO_DIR}" "${CVE_ID}" "${PACKAGE}" "${BUILD_LOCATION:-.}"
The script:
- Detects project language from manifest files (go.mod, package.json, requirements.txt)
- For Go: extracts the target Go version from go.mod and runs govulncheck with
GOTOOLCHAINset to that exact version, preventing false negatives from a newer local toolchain. Falls back to local toolchain if download fails. - For Node.js: runs
npm audit --json - For Python: runs
pip-audit -r requirements.txt - If the CVE is not found in the scan, checks package manifests directly
- If the package is not in any manifest, checks Dockerfile base images
- Writes structured result to
autofix-output/cve-scan-result.json
Step 2: Interpret the scan result
Read autofix-output/cve-scan-result.json and evaluate the verdict field.
| Verdict | Meaning |
|---------|---------|
| present | CVE confirmed in scan — fix needed |
| present_by_version | Package in manifest at vulnerable version — fix needed |
| absent | Not in scan, not in manifests — VEX justification possible |
| in_base_image | Package not in app code, found in Dockerfile base image |
| informational | Go: module present but vulnerable symbol not called |
| scan_failed | Scanner could not run — manual review needed |
Use judgment to validate the verdict:
- If
present_by_version: compare the manifest version against the CVE's affected version range to confirm it is actually vulnerable - If
in_base_image: determine whether a newer base image tag is available usingskopeo list-tags, or whether the base image team needs to act - If
scan_failed: check thescan_output_summaryfor the root cause and decide whether to retry or skip
Caller contract
The orchestrator (jira-autofix-cve-resolve) reads autofix-output/cve-scan-result.json
and routes based on verdict:
present/present_by_version→ invoke/cve-fix-applyabsent/informational→ invoke/cve-vex-assessin_base_image→ check for newer base image tag, create PR or documentscan_failed→ skip with documentation
Gotchas
- govulncheck is not installed in all environments; the script falls back to version-based detection when it is unavailable
- GOTOOLCHAIN requires a full patch version (e.g.,
go1.25.0, notgo1.25); omitting the patch segment causes the download to fail silently - Exit code 3 from govulncheck means "vulnerabilities found" (a successful scan), not a failure — do not treat it as an error
Related Skills
opendatahub-io/python-packaging-static-audit
development
VerifiedTrustedCommunity
Run hexora static analysis on a Python package repository to detect suspicious code patterns, then triage findings with deterministic rules and AI reasoning to produce a structured risk report section.
30SKILL.mdUpdated May 30, 2026
opendatahub-io/python-packaging-git-audit
development
VerifiedTrustedCommunity
Inspect recent git history of a Python package repository for suspicious commits touching supply-chain-sensitive files, then triage findings with AI reasoning to produce a structured risk report section.
30SKILL.mdUpdated May 30, 2026
opendatahub-io/python-packaging-binary-audit
development
VerifiedTrustedCommunity
Scan a Python package repository for compiled/binary files using Fromager-style detection and malcontent YARA analysis, then triage findings with deterministic rules and AI reasoning to produce a structured risk report section.
30SKILL.mdUpdated May 30, 2026
opendatahub-io/non-redhat-rpms
testing
VerifiedTrustedCommunity
Use this skill to identify non-Red Hat RPM packages installed in container images or on the local machine. For containers, pulls images across multiple architectures and release tags; for local scans, inspects the host directly. Extracts RPM signing metadata and reports packages not signed with the Red Hat GPG key as CSV output. Use when auditing compliance, checking supply-chain provenance, or scanning for third-party RPMs in RHOAI component images.
30SKILL.mdUpdated May 29, 2026