| name | security-vulnerability-report |
| description | Scan GitHub repositories for security vulnerabilities including Dependabot alerts, code scanning results, and secret scanning findings. Use when auditing repository security, preparing compliance reports, or triaging vulnerability alerts. |
Security Vulnerability Report
Query GitHub for Dependabot alerts, code scanning results, and secret scanning findings across repositories to produce a prioritized vulnerability report.
Instructions
Phase 1: Dependabot Alerts (GitHub Agent)
- Fetch Dependabot alerts across all configured repositories:
- Alert severity (critical, high, medium, low)
- Affected package and vulnerable version range
- Patched version available (yes/no)
- CVE identifier and CVSS score
- Ecosystem (npm, pip, go, etc.)
- Alert state (open, dismissed, fixed)
Phase 2: Code Scanning Results (GitHub Agent)
- Fetch code scanning alerts:
- Rule ID and description
- Severity and confidence
- Affected file and line number
- Tool that detected it (CodeQL, etc.)
- Alert state and dismissal reason if applicable
Phase 3: Secret Scanning (GitHub Agent)
- Check for secret scanning alerts:
- Secret type (API key, token, password, etc.)
- Affected file and commit
- Whether the secret has been revoked
- Alert state
Phase 4: Compile Report
- Aggregate across repositories with cross-repo dedup for shared dependencies
- Prioritize by:
- Severity (critical first)
- Exploitability (known exploits in the wild)
- Fix availability (patch available = higher priority)
- Calculate risk score per repository
Output Format
## Security Vulnerability Report
**Generated**: February 9, 2026
**Repositories Scanned**: 8
### Executive Summary
| Severity | Open | Fixed (30d) | Dismissed |
|----------|------|-------------|-----------|
| Critical | 2 | 5 | 0 |
| High | 7 | 12 | 1 |
| Medium | 15 | 8 | 3 |
| Low | 23 | 6 | 5 |
**Overall Risk**: HIGH - 2 critical vulnerabilities with patches available
### Critical Vulnerabilities (Immediate Action Required)
#### 1. CVE-2026-1234 - Remote Code Execution in lodash
- **Repository**: ai-platform-engineering/ui
- **Package**: lodash@4.17.20 (npm)
- **CVSS**: 9.8 | **Exploits in Wild**: Yes
- **Fix**: Upgrade to lodash@4.17.22
- **Action**: `npm audit fix` or update package.json
#### 2. CVE-2026-5678 - SQL Injection in sqlparse
- **Repository**: ai-platform-engineering
- **Package**: sqlparse@0.4.3 (pip)
- **CVSS**: 9.1 | **Exploits in Wild**: No
- **Fix**: Upgrade to sqlparse@0.5.0
- **Action**: Update pyproject.toml dependency
### High Severity Vulnerabilities
| CVE | Package | Repository | CVSS | Fix Available |
|-----|---------|-----------|------|---------------|
| CVE-2026-2345 | express@4.18.0 | ui | 7.5 | Yes (4.18.3) |
| ... | ... | ... | ... | ... |
### Code Scanning Findings
| Rule | Severity | Repository | File | Description |
|------|----------|-----------|------|-------------|
| js/xss | High | ui | src/utils.ts:42 | Unsanitized user input in DOM |
| py/sql-injection | High | backend | api/query.py:89 | String concatenation in SQL |
### Secret Scanning Alerts
| Type | Repository | Status | Action Needed |
|------|-----------|--------|---------------|
| GitHub Token | mcp-argocd | Active | Revoke and rotate |
### Repository Risk Scores
| Repository | Critical | High | Medium | Risk Score |
|------------|----------|------|--------|------------|
| ai-platform-engineering | 1 | 3 | 5 | HIGH |
| ui | 1 | 2 | 4 | HIGH |
| mcp-argocd | 0 | 1 | 3 | MEDIUM |
| mcp-aws | 0 | 1 | 3 | MEDIUM |
### Recommended Actions (Priority Order)
1. **Immediate**: Fix 2 critical CVEs (patches available)
2. **This Week**: Address code scanning high-severity findings
3. **This Sprint**: Revoke and rotate exposed secret in mcp-argocd
4. **Ongoing**: Enable auto-merge for Dependabot PRs on patch updates
Examples
- "Check all repositories for security vulnerabilities"
- "Show me critical Dependabot alerts"
- "Are there any secret scanning findings?"
- "Generate a security report for the ai-platform-engineering repo"
- "What vulnerabilities have patches available?"
Guidelines
- Always sort by severity (critical first), then by fix availability
- Flag any vulnerabilities with known exploits in the wild as top priority
- Deduplicate shared dependencies across repos (e.g., same lodash vuln in multiple repos)
- Include the specific fix command or version to upgrade to
- Never display actual secret values in the report - only the type and location
- Distinguish between direct and transitive dependencies
- If no vulnerabilities are found, confirm with a clean security posture summary
- Reference project codeguard rules: no hardcoded credentials, no banned crypto algorithms (MD5, SHA-1, DES, RC4)