Run any Skill in Manus with one click

graphql-audit

Triage GitHub Code Scanning alerts (CodeQL with security-extended suite) for this repository — list open alerts, dismiss as false positive / won't fix / used in tests, query via GitHub REST + GraphQL. Use when the user asks to "review GitHub security alerts", "check CodeQL findings", "triage code scanning", or anything mentioning Code Scanning, CodeQL, security-extended, or github.com/$repo/security/code-scanning.

Run Skill in Manus

Overview

Install command

npx skills add https://github.com/netdata/netdata --skill graphql-audit

Copy and paste this command into Claude Code to install the skill

Source

netdata/netdata

Stars79,052

Forks6,452

UpdatedApril 28, 2026 at 05:11

File Explorer

4 files

SKILL.md

readonly

name

graphql-audit

description

GitHub Code Scanning triage skill

This skill drives the GitHub Code Scanning API (REST + GraphQL via gh) for the repository's CodeQL alerts. The repo's CI runs the security-extended CodeQL suite, which surfaces a wider set of findings than the default suite.

The skill operates on whatever repo this checkout points at — it derives the owner/repo from the upstream (or origin) git remote. Auth uses the gh CLI's stored credentials; no token is needed in .env.

MANDATORY — keep this skill alive

If you (the agent) discover a new pattern, gotcha, working flow, correction, or any piece of knowledge while running this skill — update this SKILL.md AND commit it BEFORE proceeding. Knowledge that isn't committed is lost.

Examples of things to capture:

A CodeQL rule with a known FP pattern + the canonical comment to use
A query (GraphQL or REST) that returns useful aggregate views not available in the UI
An alert format change or new field that started appearing
A way to bulk-dismiss without hitting REST rate limits

Setup

Prerequisite — `gh` CLI authenticated

gh auth status

Must show authentication for github.com. If not, run gh auth login.

The gh user needs write scope on the repository to dismiss alerts; read scope is enough for listing.

.env entries

None required for this skill. gh handles auth.

(Optional GITHUB_TOKEN could go in .env if you ever need to bypass gh and call REST/GraphQL directly via curl, e.g. from a script that runs without an authenticated gh session.)

Triage decision matrix

GitHub Code Scanning alerts have three lifecycle states: open, dismissed, fixed (auto-detected when the underlying code changes). Manual triage uses dismissed with one of three reasons:

Decision	API value	When to use
False Positive	`false positive`	CodeQL is wrong (path is unreachable, type is wider, guard exists)
Won't Fix	`won't fix`	Real but acceptable risk; not addressing in this codebase
Used in Tests	`used in tests`	Alert is in test fixtures / vendored test code, not production

A dismissed alert can be reopened later (manually in the UI or via PATCH /alerts/<n> with state=open); the dismissal history is preserved.

Workflow

Step 1 — see what's open

bash .agents/skills/graphql-audit/scripts/codeql-list.sh

Default output is a count-by-rule summary for open alerts:

  42  cpp/integer-overflow|warning
  17  cpp/uninitialized-local|error
  ...

Filters:

bash .agents/skills/graphql-audit/scripts/codeql-list.sh --state=open --severity=high
bash .agents/skills/graphql-audit/scripts/codeql-list.sh --tool=CodeQL --severity=critical
bash .agents/skills/graphql-audit/scripts/codeql-list.sh --raw          # full JSON

Step 2 — inspect a single alert

gh api /repos/<owner>/<repo>/code-scanning/alerts/<n>

Or visit https://github.com/<owner>/<repo>/security/code-scanning/<n> in the browser for the full data-flow view.

Step 3 — dismiss

bash .agents/skills/graphql-audit/scripts/codeql-dismiss.sh \
    <alert_number> "false positive" "<short ASCII comment>"

Comments are stored verbatim; keep them short, factual, and ASCII.

Step 4 — bulk dismissal

For a known-FP rule pattern (e.g., cpp/uninitialized-local always firing on a particular header), GitHub does NOT have a REST bulk endpoint. The working pattern is:

bash .agents/skills/graphql-audit/scripts/codeql-list.sh --raw \
  | jq -r '.[] | select(.rule.id=="cpp/uninitialized-local") | .number' \
  | while read n; do
        bash .agents/skills/graphql-audit/scripts/codeql-dismiss.sh \
            "$n" "false positive" "FP: rule firing on a stub model not real code"
    done

Throttle if you have many — the REST API tolerates ~10 req/s for a single user.

What this skill does NOT do

CodeQL query authoring: this skill triages results, not the queries that produce them. To suppress a class of FPs at the source, edit .github/codeql/ config or the queries themselves.
Workflow management: enabling/disabling CodeQL runs is in .github/workflows/codeql.yml — not here.
Other Advanced Security features (secret scanning alerts, dependabot) use sibling APIs (/secret-scanning/alerts, /dependabot/alerts). They could be added to this skill if needed.

REST vs GraphQL

CodeQL alerts are exposed via REST (/repos/{owner}/{repo}/code-scanning/...). GraphQL (gh api graphql) is useful for cross-repo queries or reaching combined data (e.g., alert + commit history in one call):

gh api graphql -f query='
  query($owner:String!,$name:String!) {
    repository(owner:$owner, name:$name) {
      vulnerabilityAlerts(first: 100, states:OPEN) {
        nodes { securityAdvisory { ghsaId, severity } }
      }
    }
  }' -F owner=netdata -F name=netdata

The above is for Dependabot advisories, not CodeQL — CodeQL alerts remain REST-only at the time of writing.

Failure modes — quick diagnosis

Symptom	Likely cause
`HTTP 403 Resource not accessible by integration`	gh token lacks `security_events` scope
`HTTP 404` on the alerts endpoint	Code Scanning not enabled for the repo, or wrong slug
`gh: not found`	gh CLI not installed
Empty output, no error	No alerts in that state — try `--state=dismissed` to confirm gh is reaching the API
Pagination cuts off at 100	Use `--paginate` (already in `codeql-list.sh`)

More from this repository

same repository

project-create-topology

netdata/netdata

Developer workflow for creating or updating Netdata topology producers and topology Function payloads using the production netdata.topology.v1 schema. Use when adding or migrating topology:network-connections, topology:streaming, topology:snmp, vSphere topology, correlation rules, graph presentation, drilldowns, direction semantics, telemetry overlays, or Cloud topology aggregation fixtures.

2026-06-0379.1k

project-writing-collectors

netdata/netdata

Best practices and orientation for AI assistants authoring or modifying Netdata data-collection plugins or modules in any language. Read before adding a new collector, modifying an existing one, working on logs, topology, NetFlow/sFlow/IPFIX, OTEL ingestion, SNMP profiles, statsd, Prometheus scraping, or interactive Functions. Covers the mental model, framework-agnostic best practices, dashboard-shaping mechanisms (NIDL, SNMP profiles, statsd synthetic_charts, OTEL mappings, Prometheus exposition), production quality criteria, the plugin landscape, per-data-type patterns (metrics, logs, snapshots, topology, enrichment), per-domain common practices, and a pre-PR self-check.

2026-06-0379.1k

codacy-audit

netdata/netdata

Codacy Cloud workflow for this repository -- run Codacy's analyzers locally before `git push` (mirrors what Codacy CI runs), and fetch/cluster Codacy issues for any PR via the v3 API. Use when the user mentions Codacy, "codacy analysis", `codacy-analysis-cli`, "codacy issues on PR", "fix codacy CI", "codacy markdownlint findings", or any Codacy gate failing on a netdata-org PR. Ships scripts analyze-local.sh (docker/binary runner for codacy-analysis-cli) and pr-issues.sh (paginated v3 issue fetch + group-by tool/pattern/severity/file). Token-safe -- CODACY_TOKEN never reaches assistant-visible stdout. Read-only by design; write actions (mark FP, mark fixed) require a GitHub issue or branch-local SOW.

2026-06-0379.1k

integrations-lifecycle

netdata/netdata

Authoritative reference for Netdata's integrations pipeline -- how `metadata.yaml` drives per-integration pages, collector `taxonomy.yaml` drives dashboard TOC placement, the `COLLECTORS.md`/`SECRETS.md`/`SERVICE-DISCOVERY.md` umbrellas, the `integrations.js` and `integrations/taxonomy.json` artifacts consumed by downstream systems, and per-integration `.md` files committed to the repo. Use when adding/modifying any integration (collector, exporter, agent or cloud notification, authentication, secretstore, service-discovery, log type, deploy method); editing `metadata.yaml` or `taxonomy.yaml`; checking whether `integrations/*.md` should be hand-edited; reading generator scripts under `integrations/`, schemas under `integrations/schemas/`, taxonomy registries under `integrations/taxonomy/`, templates under `integrations/templates/`, the workflows `generate-integrations.yml` or `check-markdown.yml`; ibm.d modules where `metadata.yaml` is generated from `contexts.yaml`; the collector-consistency rule (metadata.y

2026-06-0379.1k

project-writing-go-modules-framework-v2

netdata/netdata

Use when creating or migrating a Go go.d collector to framework V2, touching CollectorV2, metrix.CollectorStore, ChartTemplateYAML/charts.yaml, charttpl/chartengine, V2 host scopes/vnodes, or V2 collector tests. Focuses on concise maintainer-preferred V2 collector patterns.

2026-06-0279.1k

mirror-netdata-repos

netdata/netdata

Maintains a local mirror of Netdata-org source repositories at `${NETDATA_REPOS_DIR}` so AI assistants and developers can do cross-repo grep / code review locally without GitHub API round-trips and rate limits. Ships a vendored sync script (`scripts/sync-netdata-repos.sh`) that updates ~150 repos in two phases (resync existing on default branch, discover and clone new). Safety -- skips repos that have staged or modified changes; otherwise switches to the default branch and recursively updates submodules. Reset-to-default is intentional -- it prevents stale-feature-branch "black hole" repos that confuse cross-repo reasoning. Supports `--repo NAME` (repeatable) to scope to specific repos. Independent from any other repo mirrors this workstation may have. Use when the local mirror is out of date, before a cross-repo grep / review session, when adding a new netdata-org repo (auto-discovered), when an assistant needs cross-repo cognition without `gh` API turnaround.

2026-05-2279.1k

Source

netdata

netdata/netdata

View GitHub Repository View Creator Repositories

Install command

Download

Run Skill in Manus

Useful forSOC

Information Security AnalystsComputer and Mathematical Occupations15-1212L4

name

graphql-audit

description

GitHub Code Scanning triage skill

MANDATORY — keep this skill alive

Examples of things to capture:

A CodeQL rule with a known FP pattern + the canonical comment to use
A query (GraphQL or REST) that returns useful aggregate views not available in the UI
An alert format change or new field that started appearing
A way to bulk-dismiss without hitting REST rate limits

Setup

Prerequisite — `gh` CLI authenticated

gh auth status

Must show authentication for github.com. If not, run gh auth login.

The gh user needs write scope on the repository to dismiss alerts; read scope is enough for listing.

.env entries

None required for this skill. gh handles auth.

(Optional GITHUB_TOKEN could go in .env if you ever need to bypass gh and call REST/GraphQL directly via curl, e.g. from a script that runs without an authenticated gh session.)

Triage decision matrix

GitHub Code Scanning alerts have three lifecycle states: open, dismissed, fixed (auto-detected when the underlying code changes). Manual triage uses dismissed with one of three reasons:

Decision	API value	When to use
False Positive	`false positive`	CodeQL is wrong (path is unreachable, type is wider, guard exists)
Won't Fix	`won't fix`	Real but acceptable risk; not addressing in this codebase
Used in Tests	`used in tests`	Alert is in test fixtures / vendored test code, not production

A dismissed alert can be reopened later (manually in the UI or via PATCH /alerts/<n> with state=open); the dismissal history is preserved.

Workflow

Step 1 — see what's open

bash .agents/skills/graphql-audit/scripts/codeql-list.sh

Default output is a count-by-rule summary for open alerts:

  42  cpp/integer-overflow|warning
  17  cpp/uninitialized-local|error
  ...

Filters:

bash .agents/skills/graphql-audit/scripts/codeql-list.sh --state=open --severity=high
bash .agents/skills/graphql-audit/scripts/codeql-list.sh --tool=CodeQL --severity=critical
bash .agents/skills/graphql-audit/scripts/codeql-list.sh --raw          # full JSON

Step 2 — inspect a single alert

gh api /repos/<owner>/<repo>/code-scanning/alerts/<n>

Or visit https://github.com/<owner>/<repo>/security/code-scanning/<n> in the browser for the full data-flow view.

Step 3 — dismiss

bash .agents/skills/graphql-audit/scripts/codeql-dismiss.sh \
    <alert_number> "false positive" "<short ASCII comment>"

Comments are stored verbatim; keep them short, factual, and ASCII.

Step 4 — bulk dismissal

For a known-FP rule pattern (e.g., cpp/uninitialized-local always firing on a particular header), GitHub does NOT have a REST bulk endpoint. The working pattern is:

bash .agents/skills/graphql-audit/scripts/codeql-list.sh --raw \
  | jq -r '.[] | select(.rule.id=="cpp/uninitialized-local") | .number' \
  | while read n; do
        bash .agents/skills/graphql-audit/scripts/codeql-dismiss.sh \
            "$n" "false positive" "FP: rule firing on a stub model not real code"
    done

Throttle if you have many — the REST API tolerates ~10 req/s for a single user.

What this skill does NOT do

CodeQL query authoring: this skill triages results, not the queries that produce them. To suppress a class of FPs at the source, edit .github/codeql/ config or the queries themselves.
Workflow management: enabling/disabling CodeQL runs is in .github/workflows/codeql.yml — not here.
Other Advanced Security features (secret scanning alerts, dependabot) use sibling APIs (/secret-scanning/alerts, /dependabot/alerts). They could be added to this skill if needed.

REST vs GraphQL

gh api graphql -f query='
  query($owner:String!,$name:String!) {
    repository(owner:$owner, name:$name) {
      vulnerabilityAlerts(first: 100, states:OPEN) {
        nodes { securityAdvisory { ghsaId, severity } }
      }
    }
  }' -F owner=netdata -F name=netdata

The above is for Dependabot advisories, not CodeQL — CodeQL alerts remain REST-only at the time of writing.

Failure modes — quick diagnosis

Symptom	Likely cause
`HTTP 403 Resource not accessible by integration`	gh token lacks `security_events` scope
`HTTP 404` on the alerts endpoint	Code Scanning not enabled for the repo, or wrong slug
`gh: not found`	gh CLI not installed
Empty output, no error	No alerts in that state — try `--state=dismissed` to confirm gh is reaching the API
Pagination cuts off at 100	Use `--paginate` (already in `codeql-list.sh`)

graphql-audit

GitHub Code Scanning triage skill

MANDATORY — keep this skill alive

Setup

Prerequisite — gh CLI authenticated

.env entries

Triage decision matrix

Workflow

Step 1 — see what's open

Step 2 — inspect a single alert

Step 3 — dismiss

Step 4 — bulk dismissal

What this skill does NOT do

REST vs GraphQL

Failure modes — quick diagnosis

More from this repository

More from this repository

GitHub Code Scanning triage skill

MANDATORY — keep this skill alive

Setup

Prerequisite — gh CLI authenticated

.env entries

Triage decision matrix

Workflow

Step 1 — see what's open

Step 2 — inspect a single alert

Step 3 — dismiss

Step 4 — bulk dismissal

What this skill does NOT do

REST vs GraphQL

Failure modes — quick diagnosis

Prerequisite — `gh` CLI authenticated

Prerequisite — `gh` CLI authenticated