opendatahub-io/cve-verify
helpers/skills/cve-verify/SKILL.md
Use this skill to verify that a CVE fix actually resolved the vulnerability by scanning the compiled binary or updated manifests. Catches transitive dep overrides, replace directives, and lockfile conflicts. Writes result to autofix-output/cve-verify-result.json.
$ install --global
skillsauthnpx skillsauth add opendatahub-io/ai-helpers cve-verifyInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 5, 2026, 7:22 AM128.0s2 files scanned
SKILL.md
- name:
- cve-verify
- description:
- >-
- allowed-tools:
- Bash Read Write
- context:
- fork
- model:
- sonnet
Skill: CVE Verify
After a fix is applied by /cve-fix-apply, verify the CVE is actually resolved
by scanning the compiled output. Source-level scans can give false negatives
when transitive dependencies override the fixed version at build time.
Step 1: Run the verify script
Run scripts/verify.sh which builds the binary (Go) or regenerates lockfiles
(Node.js) and re-scans for the CVE:
bash scripts/verify.sh "${REPO_DIR}" "${CVE_ID}" "${LANG}" "${TARGET_GO_VERSION:-}" "${BUILD_LOCATION:-.}"
The script:
- For Go: builds the binary and runs
govulncheck -mode binary(gold standard). Falls back to source scan if build fails. - For Node.js: regenerates lockfile and runs
npm audit - For Python: re-runs
pip-audit - Writes structured result to
autofix-output/cve-verify-result.json
Step 2: Interpret the result
Read autofix-output/cve-verify-result.json and evaluate the verdict field.
| Verdict | Meaning |
|---------|---------|
| fixed | CVE no longer detected — safe to create PR |
| still_present | CVE still detected after fix — do NOT create PR |
| scan_failed | Verification scan could not run — manual review needed |
Use judgment for edge cases:
- If
still_present: the fix was insufficient. This can happen with transitive dependency conflicts, Go replace directives overriding the fix, or lockfile conflicts. Do NOT create a PR — add a Jira comment explaining the fix was attempted but CVE persists, manual investigation is required. - If
scan_failed: check thescan_output_summaryfor the root cause. If the build failed due to the fix itself (e.g., incompatible version), the fix approach may need to change.
Caller contract
The orchestrator reads verdict:
fixed→ push branch, create PRstill_present→ do NOT create PR, add Jira comment explaining fix was insufficientscan_failed→ skip with documentation, manual review needed
Gotchas
- Binary scan is the gold standard for Go; source scan can miss transitive dependency overrides that re-introduce the vulnerable version at build time
- A
still_presentverdict means do NOT create a PR — post a Jira comment instead explaining the fix was attempted but the CVE persists - SCAN_TIMEOUT defaults to 300s; set it higher for repos with many main packages or slow build times
Related Skills
opendatahub-io/python-packaging-static-audit
development
VerifiedTrustedCommunity
Run hexora static analysis on a Python package repository to detect suspicious code patterns, then triage findings with deterministic rules and AI reasoning to produce a structured risk report section.
30SKILL.mdUpdated May 30, 2026
opendatahub-io/python-packaging-git-audit
development
VerifiedTrustedCommunity
Inspect recent git history of a Python package repository for suspicious commits touching supply-chain-sensitive files, then triage findings with AI reasoning to produce a structured risk report section.
30SKILL.mdUpdated May 30, 2026
opendatahub-io/python-packaging-binary-audit
development
VerifiedTrustedCommunity
Scan a Python package repository for compiled/binary files using Fromager-style detection and malcontent YARA analysis, then triage findings with deterministic rules and AI reasoning to produce a structured risk report section.
30SKILL.mdUpdated May 30, 2026
opendatahub-io/non-redhat-rpms
testing
VerifiedTrustedCommunity
Use this skill to identify non-Red Hat RPM packages installed in container images or on the local machine. For containers, pulls images across multiple architectures and release tags; for local scans, inspects the host directly. Extracts RPM signing metadata and reports packages not signed with the Red Hat GPG key as CSV output. Use when auditing compliance, checking supply-chain provenance, or scanning for third-party RPMs in RHOAI component images.
30SKILL.mdUpdated May 29, 2026