| name | cve-scan |
| description | Use this skill to scan a cloned repository for a specific CVE using version-matched toolchains. Supports Go (govulncheck with GOTOOLCHAIN), Node.js (npm audit), and Python (pip-audit). Writes scan result to autofix-output/cve-scan-result.json. |
| allowed-tools | Bash Read Glob Write |
| context | fork |
| model | sonnet |
Skill: CVE Scan
Scan a cloned repository to determine whether a specific CVE is present as an
unfixed vulnerability. Uses language-appropriate scanning tools with
version-matched toolchains for accurate results.
Step 1: Run the scan script
Run scripts/scan.sh which handles language detection, version-matched
toolchain selection, vulnerability scanning, package version checks, and
base image detection:
bash scripts/scan.sh "${REPO_DIR}" "${CVE_ID}" "${PACKAGE}" "${BUILD_LOCATION:-.}"
The script:
- Detects project language from manifest files (go.mod, package.json, requirements.txt)
- For Go: extracts the target Go version from go.mod and runs govulncheck with
GOTOOLCHAIN set to that exact version, preventing false negatives from a
newer local toolchain. Falls back to local toolchain if download fails.
- For Node.js: runs
npm audit --json
- For Python: runs
pip-audit -r requirements.txt
- If the CVE is not found in the scan, checks package manifests directly
- If the package is not in any manifest, checks Dockerfile base images
- Writes structured result to
autofix-output/cve-scan-result.json
Step 2: Interpret the scan result
Read autofix-output/cve-scan-result.json and evaluate the verdict field.
| Verdict | Meaning |
|---|
present | CVE confirmed in scan — fix needed |
present_by_version | Package in manifest at vulnerable version — fix needed |
absent | Not in scan, not in manifests — VEX justification possible |
in_base_image | Package not in app code, found in Dockerfile base image |
informational | Go: module present but vulnerable symbol not called |
scan_failed | Scanner could not run — manual review needed |
Use judgment to validate the verdict:
- If
present_by_version: compare the manifest version against the CVE's
affected version range to confirm it is actually vulnerable
- If
in_base_image: determine whether a newer base image tag is available
using skopeo list-tags, or whether the base image team needs to act
- If
scan_failed: check the scan_output_summary for the root cause and
decide whether to retry or skip
Caller contract
The orchestrator (jira-autofix-cve-resolve) reads autofix-output/cve-scan-result.json
and routes based on verdict:
present / present_by_version → invoke /cve-fix-apply
absent / informational → invoke /cve-vex-assess
in_base_image → check for newer base image tag, create PR or document
scan_failed → skip with documentation
Gotchas
- govulncheck is not installed in all environments; the script falls back to version-based detection when it is unavailable
- GOTOOLCHAIN requires a full patch version (e.g.,
go1.25.0, not go1.25); omitting the patch segment causes the download to fail silently
- Exit code 3 from govulncheck means "vulnerabilities found" (a successful scan), not a failure — do not treat it as an error