一键导入
fix-security-issue
Handle CVE/vulnerability reports from security linters (trivy, osv-scanner, etc.). Tries to upgrade first; ignores only when safe and justified.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Handle CVE/vulnerability reports from security linters (trivy, osv-scanner, etc.). Tries to upgrade first; ignores only when safe and justified.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
How to pick the correct uxLog level (action, log, warning, error, success, other), the matching chalk color, the options object (sensitive, alwaysVisible), VS Code UI suppression, and uxLogTable. Use when adding or modifying any uxLog call.
Style rules for updating CHANGELOG.md entries. Use whenever the user asks to update, add to, or write entries in CHANGELOG.md.
Gather requirements by asking clarifying questions until the problem is fully understood. First step of the contribution workflow.
Design the solution and write a technical specification based on requirements analysis. Second step of the contribution workflow, use after /analyze.
Implement a feature, bug fix, or code change in sfdx-hardis. Use whenever the user asks to add a feature, fix a bug, implement something, or make a code change - with or without a prior /design phase.
Watch the GitHub PR for the current branch, wait for CI to finish, and autonomously fix failing jobs by reading logs, editing sources, and pushing. Stops cleanly when stuck.
| name | fix-security-issue |
| description | Handle CVE/vulnerability reports from security linters (trivy, osv-scanner, etc.). Tries to upgrade first; ignores only when safe and justified. |
| allowed-tools | Read Grep Glob Edit Write Bash WebFetch WebSearch |
| argument-hint | [CVE-ID or vulnerability description] |
| model | sonnet |
Investigate and fix the security issue $ARGUMENTS reported by trivy, osv-scanner, or another security linter.
Browse the internet to gather full context:
https://avd.aquasec.com/nvd/<cve-id>)Find where the vulnerable package comes from:
stdlib): check which linter binary embeds it — the scan output names the file (e.g. usr/bin/actionlint). Find the linter's descriptor in megalinter/descriptors/ and its pinned version.pyproject.toml, uv.lock, .config/python/dev/requirements.txt, server/requirements.txt.npm: blocks containing the package name.Check whether a fixed version is available and reachable:
pyproject.toml / requirements files, then run uv lock --python 3.12 to regenerate uv.lock.ARG ..._VERSION= line in the descriptor, then run make megalinter-build.package.json lists a fixed transitive version.If an upgrade is possible and available: do it, then stop here. No ignore entry needed.
If no fixed version exists yet (latest release is still affected), analyze whether the vulnerability is exploitable in MegaLinter's context:
Ask:
Stop and warn the user if:
Add an exception only when the CVE is genuinely not exploitable in MegaLinter's context. Acceptable reasons:
crypto/tls in a tool that makes no TLS calls)cilium-bugtool) in a package imported only for its data types.trivyignore (for trivy findings)Append to the appropriate section (or create a new one):
# <linter/package>: <one-line explanation of why not exploitable in MegaLinter>
CVE-XXXX-XXXXX
osv-scanner config (for osv-scanner findings)Check for an osv-scanner config file (e.g. .osv-scanner.toml or osv-scanner.toml) and add an ignore entry following its schema.
Always include:
Do not update CHANGELOG.md for:
If you made a real behavior change (e.g. a linter disabled due to a security incident, a config workaround added), add one line under Fixes in the beta section:
- Fix <linter/component>: <what changed and why, one sentence for users>