| name | security-vulnerability-report |
| description | Scan GitHub repositories for security vulnerabilities including Dependabot alerts, code scanning results, and secret scanning findings. Use when auditing repository security, preparing compliance reports, or triaging vulnerability alerts. |
Security Vulnerability Report
Query GitHub for Dependabot alerts, code scanning results, and secret scanning findings across repositories to produce a prioritized vulnerability report.
Instructions
Phase 1: Dependabot Alerts (GitHub Agent)
- Fetch Dependabot alerts across all configured repositories
- Alert severity, affected package, CVE identifier, fix availability
Phase 2: Code Scanning Results (GitHub Agent)
- Fetch code scanning alerts - rule ID, severity, file location
Phase 3: Secret Scanning (GitHub Agent)
- Check for secret scanning alerts - secret type, revocation status
Phase 4: Compile Report
- Aggregate across repositories with cross-repo dedup
- Prioritize by severity, exploitability, fix availability
- Calculate risk score per repository
Output Format
```markdown
Security Vulnerability Report
Executive Summary
| Severity | Open | Fixed (30d) | Dismissed |
|---|
| Critical | 2 | 5 | 0 |
| High | 7 | 12 | 1 |
Critical Vulnerabilities (Immediate Action Required)
1. CVE-2026-1234 - Remote Code Execution in lodash
- Repository: ai-platform-engineering/ui
- CVSS: 9.8 | Fix: Upgrade to lodash@4.17.22
```
Examples
- "Check all repositories for security vulnerabilities"
- "Show me critical Dependabot alerts"
- "Are there any secret scanning findings?"
- "Generate a security report for the ai-platform-engineering repo"
Guidelines
- Always sort by severity (critical first), then by fix availability
- Flag any vulnerabilities with known exploits in the wild as top priority
- Deduplicate shared dependencies across repos
- Never display actual secret values in the report - only the type and location
- Reference project codeguard rules: no hardcoded credentials, no banned crypto algorithms