skills/security/patch-advisor/SKILL.md
Recommends the specific code change to remediate a detected vulnerability by dispatching on CWE to the matching Project CodeGuard rule's prescribed fix pattern. Use after a finding has been confirmed and located, when the user asks how to fix a vulnerability, or when generating remediation PRs.
Install: `npx skillsauth add santosomar/general-secure-coding-agent-skills patch-advisor` (installs the skill globally; works with Claude Code, Cursor, and Windsurf).
This skill delegates to Project CodeGuard for remediation patterns. Every CodeGuard rule includes an "Implementation Checklist" and concrete before→after code; this skill is the CWE→rule→fix lookup.
Upstream: https://github.com/cosai-oasis/project-codeguard/tree/main/skills/software-security
| CWE | CodeGuard rule | Fix pattern |
| ------ | ------------------------------------------- | ------------------------------------- |
| 89 | codeguard-0-input-validation-injection | PreparedStatement / parameterized query examples |
| 78 | codeguard-0-input-validation-injection | ProcessBuilder / structured-exec + arg allow-list |
| 79 | codeguard-0-client-side-web-security | Context-aware encoding, DOMPurify, Trusted Types |
| 502 | codeguard-0-xml-and-serialization | yaml.safe_load, ObjectInputStream allow-list, TypeNameHandling=None |
| 611 | codeguard-0-xml-and-serialization | disallow-doctype-decl, DtdProcessing.Prohibit, defusedxml |
| 22 | codeguard-0-file-handling-and-uploads | Canonicalize-then-prefix-check; value allow-list |
| 798 | codeguard-1-hardcoded-credentials | KMS/vault extraction; env injection at runtime |
| 327 | codeguard-1-crypto-algorithms | Algorithm substitution table (MD5→SHA-256, AES-ECB→AES-GCM) |
| 862 | codeguard-0-authorization-access-control | User-scoped query; middleware enforce; DTO allow-list |
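As an added example, not code from the patch-advisor skill or from Project CodeGuard: a CWE→rule→fix dispatch over a subset of the table above, with the CWE-22 fix pattern (canonicalize-then-prefix-check) carried through to working Python, including the sibling-directory case that a plain string-prefix test gets wrong. The function names and the `/srv/uploads` sample base directory are assumptions.

```python
# Added example; not code from the patch-advisor skill or Project CodeGuard.
# CWE -> (rule, fix pattern) dispatch over a subset of the table, plus the
# CWE-22 pattern (canonicalize-then-prefix-check) implemented and checked.
import os
from typing import Optional, Tuple

# Subset of the page's table: CWE -> (CodeGuard rule, prescribed fix pattern).
FIX_PATTERNS = {
    22: ("codeguard-0-file-handling-and-uploads",
         "Canonicalize-then-prefix-check; value allow-list"),
    78: ("codeguard-0-input-validation-injection",
         "ProcessBuilder / structured-exec + arg allow-list"),
    89: ("codeguard-0-input-validation-injection",
         "PreparedStatement / parameterized query examples"),
    798: ("codeguard-1-hardcoded-credentials",
          "KMS/vault extraction; env injection at runtime"),
}


def recommend(cwe: int) -> Optional[Tuple[str, str]]:
    """Dispatch a confirmed finding's CWE to (rule, fix pattern); None if unmapped."""
    return FIX_PATTERNS.get(cwe)


def naive_prefix_allows(base: str, user_path: str) -> bool:
    """Weak form: canonicalize, then a plain string-prefix test. A sibling such
    as '/srv/uploads2/x' starts with '/srv/uploads', so it is wrongly accepted."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    return candidate.startswith(base_real)


def safe_join(base: str, user_path: str) -> str:
    """CWE-22 fix pattern: canonicalize both sides, then require the base to be a
    path-segment-aware ancestor of the candidate. An absolute user_path makes
    os.path.join discard the base, so it fails the containment check as well."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def escapes_base(base: str, user_path: str) -> bool:
    """True when the hardened check rejects user_path."""
    try:
        safe_join(base, user_path)
    except ValueError:
        return True
    return False
```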