.github/agents/cve-audit.agent.md
Lines changed: 22 additions & 9 deletions
@@ -35,7 +35,7 @@ rush install
35
35
```
36
36
37
37
-**Do not create the security branch yet.** The branch name requires a CVE ID, which is only known after the audit in Step 1. Branch creation happens in Execution Flow Step 1b (after the audit).
38
-
- For multiple CVEs, use the highest-severity CVE/GHSA ID for the branch name and include others in the commit/PR text. If severity is equal, use the first ID returned by `rush audit --json`.
38
+
- For multiple CVEs, use the highest-severity CVE/GHSA ID for the branch name and include others in the commit/PR text. If severity is equal, use the first ID from the audit table output.
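Review bot: the tie-break "first ID from the audit table output" in the new line only gives a reproducible branch name if the table order is stable from run to run; now that the `rush audit --json` capture is gone, spell out a deterministic rule, for example sort the equal-severity IDs lexicographically and take the first. The unchanged context line above also still says branch creation "happens in Execution Flow Step 1b (after the audit)", while the later hunk in this file labels the early exit as 1b and branch creation as 1c; update that reference to 1c so the two sections agree.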
1. Audit — run on the starting branch before creating any branch or making any changes:
80
80
81
81
```bash
82
-
rush audit --level high
83
-
rush audit --json > /tmp/cve-audit-results.json
82
+
rush audit
84
83
```
85
84
86
-
Parse `/tmp/cve-audit-results.json` to extract CVE/GHSA IDs, severities, advisory URLs, and dependency paths. These values drive all subsequent steps (branch name, commit message, PR body, deferral issues).
85
+
**Note:**`rush audit` internally invokes `rush-pnpm audit --audit-level high`. It does **not** accept `--level` or `--json`flags directly. Parse the table output to extract CVE/GHSA IDs, severities, advisory URLs, and dependency paths. Use `rush-pnpm why <package>` to investigate transitive dependency paths when the audit output shows truncated paths.
87
86
88
87
**1b. Early exit if no High/Critical CVEs found:**
89
-
If `rush audit --level high` reports zero High or Critical vulnerabilities — **stop here**. Do not create a branch. Do not run `rush update --full`. Report all-clear to the invoker.
88
+
If `rush audit` reports zero High or Critical vulnerabilities — **stop here**. Do not create a branch. Do not run `rush update`. Report all-clear to the invoker.
90
89
91
90
**1c. Create security branch (now that CVE ID is known):**
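Review bot: removing `rush audit --json > /tmp/cve-audit-results.json` drops the only persisted record of the audit, yet the new note still requires the parsed IDs, severities, advisory URLs and dependency paths to drive the branch name, commit message, PR body and deferral issues. Keep an artefact by capturing the table, e.g. `rush audit | tee /tmp/cve-audit-results.txt`, so the later steps and the final report parse the same output the early-exit decision was made on. The 1b early-exit text should also say how "zero High or Critical vulnerabilities" is distinguished from an audit that did not run (registry unreachable, no table printed, parse failure): treat a missing table or an error message as a failed audit to be reported, not as all-clear, otherwise a broken audit reads as a clean one.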
2. Fast-path auto updates — attempt before any manual changes:
100
99
100
+
```bash
101
+
rush update
102
+
rush audit
103
+
```
104
+
105
+
Start with `rush update` (without `--full`) — it is faster and less disruptive. Re-run the audit immediately. If High/Critical vulnerabilities are cleared, proceed to Step 4 (verify).
106
+
107
+
If High/Critical remain, escalate to a full re-resolve:
108
+
101
109
```bash
102
110
rush update --full
103
-
rush audit --level high
111
+
rush audit
104
112
```
105
113
106
-
Re-run the audit immediately after `rush update --full`. If High/Critical vulnerabilities are cleared, proceed to Step 4 (verify) — no further manual changes are needed.
114
+
If still not cleared after `--full`, proceed to Step 3 for manual remediation.
107
115
108
116
3. If High/Critical remain after step 2, remediate using the fix strategy defined in the `cve-remediation` skill:
109
117
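Review bot: the new fast path runs `rush update` without `--full` before any package.json has been edited (the step heading says "before any manual changes"); an incremental `rush update` tries to preserve the existing installed versions and only makes the minimum changes needed to satisfy package.json, so on an unchanged tree it is not expected to move a vulnerable transitive version, and the `--full` escalation will normally be the step that does the work. Either state that expectation in the text so the agent does not treat a no-op as a failed attempt, or drop the first `rush update` / `rush audit` pair. Separately, the "proceed to Step 4 (verify)" shortcut after `--full` skips Step 3, but a full re-resolve can change many unrelated lockfile entries; the report should disclose the scope of the lockfile diff when that path is taken.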
@@ -117,7 +125,12 @@ rush audit --level high
117
125
118
126
```bash
119
127
rush update
120
-
rush audit --level high
128
+
rush audit
129
+
```
130
+
131
+
After audit confirms High/Critical are resolved, run build and test validation. If the invoker prefers to validate separately (e.g., in CI), commit after audit verification and note pending validation steps in the report.
132
+
133
+
```bash
121
134
rush build
122
135
rush test
123
136
```
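Review bot: the new sentence allowing a commit "after audit verification" when "the invoker prefers to validate separately" lets the agent commit before `rush build` and `rush test` have run, which conflicts with the Done Criteria in the last hunk of this file (`rush build` and `rush test` pass, or no new failures with clear disclosure). Make the skip an explicit invoker instruction rather than an inferred preference, and require both the commit message and the final report to name the validation steps that were not run, so a lockfile change that breaks the build is never silently marked done.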
@@ -229,7 +242,7 @@ If not requested: stop after commit and final report (no push, no PR).
229
242
## Done Criteria
230
243
231
244
- Critical/High vulnerabilities reduced or explicitly documented with rationale.
232
-
-`rush audit --level high` rerun and reported.
245
+
-`rush audit` rerun and reported.
233
246
-`rush build` and `rush test` pass (or no new failures with clear disclosure).
234
247
-`rush change` handled non-interactively (`--verify`; blank entry via `--bulk --message "" --bump-type none` only when required).
235
248
- API impact checked with `rush extract-api` when relevant.
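Review bot: with `--level high` removed from the Done Criteria line, the threshold the criterion applies is now implicit in the command; state it ("at the High/Critical threshold `rush audit` applies") so a later change to the command's default does not silently relax the criterion. The criteria also say nothing about audit exceptions: any `ignoreCves` entry added under the `cve-remediation` skill should be listed with its rationale in the final report, since "reduced or explicitly documented" otherwise lets a suppressed finding count as remediated.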
.github/skills/cve-remediation/SKILL.md
Lines changed: 10 additions & 5 deletions
@@ -50,7 +50,7 @@ Illustrative example (always consult the current `common/config/rush/pnpm-config
50
50
}
51
51
```
52
52
53
-
**Important:** The last entry must NOT have a trailing comma (valid JSON). When adding entries, ensure the previously-last entry gets a comma added.
53
+
**Important:**This file uses JSONC (JSON with comments). The last entry in any object/array must NOT have a trailing comma. When adding entries, ensure the previously-last entry gets a comma added and the new last entry does not have one.
54
54
55
55
### ignoreCves (Audit Exceptions)
56
56
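Review bot: the reworded comma rule is clearer, but the hunk should also say how a mistake is caught: a stray or missing comma in `pnpm-config.json` fails when Rush parses the file at the next `rush update`, so run `rush update` immediately after editing it rather than discovering the error at commit time. Since the text now states the file is JSONC, it is also the right place to say that every override entry carries a comment naming the CVE/GHSA ID it addresses, which the "document why in the override comment" instruction later in this file relies on.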
@@ -82,13 +82,16 @@ Always attempt fixes in this order. Do not skip to overrides without trying the
82
82
### 2a. Direct Dependency Fix
83
83
84
84
1. Update the version range in the affected `package.json`
85
-
2. Run `rush update`and`rush audit --level high`
85
+
2. Run `rush update`then`rush audit` to verify
86
86
3. If no safe version range exists, fall through to globalOverride (document why)
87
87
88
88
### 2b. Transitive Dependency Fix
89
89
90
-
1.**Semver range update (try first):** Update the direct parent's `package.json` range to a version that resolves the transitive dep to a patched release
91
-
2.**globalOverride (last resort):** Only if no safe parent version exists. Document why in the override comment
90
+
1.**Check existing overrides first:** Before adding a new override, check if the package already has an entry in `globalOverrides` in `pnpm-config.json` to avoid conflicts or duplicates.
91
+
2.**Semver range update (try first):** Update the direct parent's `package.json` range to a version that resolves the transitive dep to a patched release
92
+
3.**Scoped globalOverride (last resort):** Only if no safe parent version exists. Scope the override to only the vulnerable version range (e.g., `"lodash@>=4.0.0 <=4.17.23": "^4.18.0"`) rather than overriding all versions blanket. This avoids interfering with future already-patched versions. Document why in the override comment.
93
+
94
+
Use `rush-pnpm why <package>` to trace transitive dependency paths when the audit output truncates them.
92
95
93
96
### 3. ignoreCves (Absolute Last Resort)
94
97
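Review bot: the scoped-override example `"lodash@>=4.0.0 <=4.17.23": "^4.18.0"` uses an inclusive upper bound and a replacement range that the text does not tie to the advisory; the selector should end at the patched version (`<patched`) and the replacement should be that patched version, both taken from the advisory the audit printed, otherwise the override either keeps applying to an already-fixed release or names a version that has to exist in the registry for `rush update` to resolve it. Also, after inserting the new step 1 the renumbered step 2 is still labelled "(try first)", and step 3 should end with the same verification step 2a has: after adding an override run `rush update` then `rush audit`, since an override only takes effect once the lockfile is regenerated.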
@@ -113,11 +116,13 @@ After any remediation change: