Skip to content

Commit ac3c290

Browse files
authored
Improve 'CVE Audit' agent (#9164)
1 parent e9274f0 commit ac3c290

2 files changed

Lines changed: 32 additions & 14 deletions

File tree

.github/agents/cve-audit.agent.md

Lines changed: 22 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,7 @@ rush install
3535
```
3636

3737
- **Do not create the security branch yet.** The branch name requires a CVE ID, which is only known after the audit in Step 1. Branch creation happens in Execution Flow Step 1b (after the audit).
38-
- For multiple CVEs, use the highest-severity CVE/GHSA ID for the branch name and include others in the commit/PR text. If severity is equal, use the first ID returned by `rush audit --json`.
38+
- For multiple CVEs, use the highest-severity CVE/GHSA ID for the branch name and include others in the commit/PR text. If severity is equal, use the first ID from the audit table output.
3939

4040
### Protected Branch Guard (Required)
4141

@@ -79,14 +79,13 @@ rush change --bulk --message "" --bump-type none -b origin/<starting-branch>
7979
1. Audit — run on the starting branch before creating any branch or making any changes:
8080

8181
```bash
82-
rush audit --level high
83-
rush audit --json > /tmp/cve-audit-results.json
82+
rush audit
8483
```
8584

86-
Parse `/tmp/cve-audit-results.json` to extract CVE/GHSA IDs, severities, advisory URLs, and dependency paths. These values drive all subsequent steps (branch name, commit message, PR body, deferral issues).
85+
**Note:** `rush audit` internally invokes `rush-pnpm audit --audit-level high`. It does **not** accept `--level` or `--json` flags directly. Parse the table output to extract CVE/GHSA IDs, severities, advisory URLs, and dependency paths. Use `rush-pnpm why <package>` to investigate transitive dependency paths when the audit output shows truncated paths.
8786

8887
**1b. Early exit if no High/Critical CVEs found:**
89-
If `rush audit --level high` reports zero High or Critical vulnerabilities — **stop here**. Do not create a branch. Do not run `rush update --full`. Report all-clear to the invoker.
88+
If `rush audit` reports zero High or Critical vulnerabilities — **stop here**. Do not create a branch. Do not run `rush update`. Report all-clear to the invoker.
9089

9190
**1c. Create security branch (now that CVE ID is known):**
9291
```bash
@@ -98,12 +97,21 @@ git rev-parse --verify security/<first-CVE-ID> >/dev/null 2>&1 \
9897

9998
2. Fast-path auto updates — attempt before any manual changes:
10099

100+
```bash
101+
rush update
102+
rush audit
103+
```
104+
105+
Start with `rush update` (without `--full`) — it is faster and less disruptive. Re-run the audit immediately. If High/Critical vulnerabilities are cleared, proceed to Step 4 (verify).
106+
107+
If High/Critical remain, escalate to a full re-resolve:
108+
101109
```bash
102110
rush update --full
103-
rush audit --level high
111+
rush audit
104112
```
105113

106-
Re-run the audit immediately after `rush update --full`. If High/Critical vulnerabilities are cleared, proceed to Step 4 (verify) — no further manual changes are needed.
114+
If still not cleared after `--full`, proceed to Step 3 for manual remediation.
107115

108116
3. If High/Critical remain after step 2, remediate using the fix strategy defined in the `cve-remediation` skill:
109117

@@ -117,7 +125,12 @@ rush audit --level high
117125

118126
```bash
119127
rush update
120-
rush audit --level high
128+
rush audit
129+
```
130+
131+
After audit confirms High/Critical are resolved, run build and test validation. If the invoker prefers to validate separately (e.g., in CI), commit after audit verification and note pending validation steps in the report.
132+
133+
```bash
121134
rush build
122135
rush test
123136
```
@@ -229,7 +242,7 @@ If not requested: stop after commit and final report (no push, no PR).
229242
## Done Criteria
230243

231244
- Critical/High vulnerabilities reduced or explicitly documented with rationale.
232-
- `rush audit --level high` rerun and reported.
245+
- `rush audit` rerun and reported.
233246
- `rush build` and `rush test` pass (or no new failures with clear disclosure).
234247
- `rush change` handled non-interactively (`--verify`; blank entry via `--bulk --message "" --bump-type none` only when required).
235248
- API impact checked with `rush extract-api` when relevant.

.github/skills/cve-remediation/SKILL.md

Lines changed: 10 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -50,7 +50,7 @@ Illustrative example (always consult the current `common/config/rush/pnpm-config
5050
}
5151
```
5252

53-
**Important:** The last entry must NOT have a trailing comma (valid JSON). When adding entries, ensure the previously-last entry gets a comma added.
53+
**Important:** This file uses JSONC (JSON with comments). The last entry in any object/array must NOT have a trailing comma. When adding entries, ensure the previously-last entry gets a comma added and the new last entry does not have one.
5454

5555
### ignoreCves (Audit Exceptions)
5656

@@ -82,13 +82,16 @@ Always attempt fixes in this order. Do not skip to overrides without trying the
8282
### 2a. Direct Dependency Fix
8383

8484
1. Update the version range in the affected `package.json`
85-
2. Run `rush update` and `rush audit --level high`
85+
2. Run `rush update` then `rush audit` to verify
8686
3. If no safe version range exists, fall through to globalOverride (document why)
8787

8888
### 2b. Transitive Dependency Fix
8989

90-
1. **Semver range update (try first):** Update the direct parent's `package.json` range to a version that resolves the transitive dep to a patched release
91-
2. **globalOverride (last resort):** Only if no safe parent version exists. Document why in the override comment
90+
1. **Check existing overrides first:** Before adding a new override, check if the package already has an entry in `globalOverrides` in `pnpm-config.json` to avoid conflicts or duplicates.
91+
2. **Semver range update (try first):** Update the direct parent's `package.json` range to a version that resolves the transitive dep to a patched release
92+
3. **Scoped globalOverride (last resort):** Only if no safe parent version exists. Scope the override to only the vulnerable version range (e.g., `"lodash@>=4.0.0 <=4.17.23": "^4.18.0"`) rather than overriding all versions blanket. This avoids interfering with future already-patched versions. Document why in the override comment.
93+
94+
Use `rush-pnpm why <package>` to trace transitive dependency paths when the audit output truncates them.
9295

9396
### 3. ignoreCves (Absolute Last Resort)
9497

@@ -113,11 +116,13 @@ After any remediation change:
113116

114117
```bash
115118
rush update # Regenerate lock file
116-
rush audit --level high # Verify CVE is resolved
119+
rush audit # Verify CVE is resolved (internally runs rush-pnpm audit --audit-level high)
117120
rush build # Ensure no build breakage
118121
rush test # Ensure no test regressions
119122
```
120123

124+
**Note:** `rush audit` does not accept `--level` or `--json` flags directly. Use `rush-pnpm why <package>` to investigate specific dependency paths.
125+
121126
When direct dependency version ranges were changed in a `package.json`:
122127

123128
```bash

0 commit comments

Comments
 (0)