---
name: resolve-cve
description: "Triage a CVE: assess impact against this repo's dependencies, then bump, document not-affected, or plan a code fix. Use when the user mentions a CVE, Jira vulnerability issue, or security advisory for a dependency."
---
Use this skill for lightspeed-agentic-sandbox. Workflow matches the Lightspeed Service skill, but Jira filters and verification targets are adjusted.
## Find the issue

If the user gives a Jira key or URL, use that issue directly.

If they ask what to triage, search your org's vulnerability backlog. Do not assume the same `summary ~` filter as lightspeed-service-api-rhel9. For this Konflux component, issues may reference:

- `lightspeed-agentic-sandbox` (see `.tekton/*.yaml`)
- `openshift/lightspeed-agentic-sandbox`

Build a JQL filter with your project admin's pattern, e.g.:

```
project = <PROJECT> AND type = Vulnerability AND statusCategory = "To Do"
AND (summary ~ "lightspeed-agentic-sandbox" OR summary ~ "openshift/lightspeed-agentic-sandbox")
ORDER BY priority DESC
```

If you have no project access, ask the user for the Jira key or to paste the flaw text.
## Parse the issue

Parse the CVE ID, affected package, version range, and fix reference from the issue body (same approach as the upstream skill).
## Assess impact

- Search `pyproject.toml` and `uv.lock` for the package (case-insensitive).
- Check how the package is used under `src/lightspeed_agentic/`.
- Trace the dependency chain in `uv.lock` if needed (the package may be a transitive dependency rather than a direct one).

Use the same verdict template as the upstream skill (NOT AFFECTED / bump / code change). Stop for user acknowledgment before resolving.
## Resolve

- Bump: `uv lock --upgrade-package {package}`, then `make requirements`, `make verify`, `make test`.
- Code change: after the fix, `make verify && make test`.

Commit message examples:

```
fix: resolve CVE-YYYY-NNNNN — bump {package} to {version}
```
## Notes

- Prefer `--upgrade-package` over a full `--upgrade` for CVE PRs.
- Run `make verify` and `make test` before declaring done.