chore: add dependabot-remediation agent skill#55
Open
cidrblock wants to merge 3 commits into
Conversation
Six-phase workflow for triaging and fixing Dependabot security alerts: triage, plan, remediate, validate, open PR, and babysit CI. Supports batch lanes for minor/patch updates, individual lanes for major bumps, and allowlist lanes for unfixable transitive deps. Includes guidance for fork workflows, multi-version packages, audit gate bypass for pre-existing issues, and Dependabot alert dismissal.
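The lane split described above (a batch lane for minor/patch bumps, an individual lane for major bumps, an allowlist lane for alerts with no patched version), as an added example that is not part of the skill or the abbenay repository: a small Python classifier over alert objects shaped like the GitHub REST `/dependabot/alerts` response, reading the same fields the skill's jq pipeline reads. The alert records, the `INSTALLED` version map (a stand-in for a lockfile lookup) and the package `example-transitive` are constructed for this example; the advisory summaries are placeholders, not real advisories.

```python
"""Lane assignment for open Dependabot alerts.

Added example, not code from the skill or the abbenay repo. Input records
mirror the GitHub REST /dependabot/alerts objects (the fields the triage jq
pipeline reads); installed versions come from a hypothetical lockfile lookup.
"""
from collections import defaultdict

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_semver(text):
    """(major, minor, patch) for '7.5.8', 'v3.2.6' or '3.2.6-beta.1+b1'.
    Pre-release and build suffixes are dropped; missing components are 0."""
    core = text.lstrip("v").split("+", 1)[0].split("-", 1)[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def group_open_alerts(alerts):
    """Group alerts by package name, keeping only state == 'open'."""
    groups = defaultdict(list)
    for alert in alerts:
        if alert.get("state") != "open":
            continue
        groups[alert["security_vulnerability"]["package"]["name"]].append(alert)
    return groups


def max_severity(group):
    """Worst severity in the group; unknown labels sort last."""
    return min((a["security_advisory"]["severity"] for a in group),
               key=lambda s: SEVERITY_RANK.get(s, len(SEVERITY_RANK)))


def target_version(group):
    """Highest first_patched_version in the group, so one bump clears every
    alert. None if any alert has no patched version (unfixable -> allowlist)."""
    targets = []
    for alert in group:
        patched = alert["security_vulnerability"].get("first_patched_version")
        if not patched or not patched.get("identifier"):
            return None
        targets.append(patched["identifier"])
    return max(targets, key=parse_semver)


def assign_lane(installed, target):
    """allowlist: no fix published. individual: major bump, or installed
    version unknown (needs a human). batch: minor/patch bump."""
    if target is None:
        return "allowlist"
    if installed is None or parse_semver(target)[0] > parse_semver(installed)[0]:
        return "individual"
    return "batch"


def plan(alerts, installed_versions):
    """One row per package, ordered critical -> low, then by package name."""
    rows = []
    for name, group in group_open_alerts(alerts).items():
        target = target_version(group)
        installed = installed_versions.get(name)
        rows.append({
            "package": name,
            "ecosystem": group[0]["security_vulnerability"]["package"]["ecosystem"],
            "alerts": sorted(a["number"] for a in group),
            "max_severity": max_severity(group),
            "installed": installed,
            "target": target,
            "lane": assign_lane(installed, target),
        })
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["max_severity"], 4), r["package"]))
    return rows


def _alert(number, state, severity, name, rng, patched):
    """Constructed alert record in the REST API's shape (summaries are placeholders)."""
    return {"number": number, "state": state,
            "security_advisory": {"severity": severity,
                                  "summary": f"constructed advisory {number}"},
            "security_vulnerability": {
                "package": {"name": name, "ecosystem": "npm"},
                "vulnerable_version_range": rng,
                "first_patched_version": {"identifier": patched} if patched else None}}


# Constructed sample data; version numbers for vitest/protobufjs follow the
# targets in the skill's example table, everything else is made up.
SAMPLE_ALERTS = [
    _alert(11, "open", "critical", "vitest", "< 3.2.6", "3.2.6"),
    _alert(12, "open", "high", "protobufjs", ">= 7.0.0, < 7.5.8", "7.5.8"),
    _alert(13, "open", "medium", "protobufjs", ">= 7.0.0, < 7.4.0", "7.4.0"),
    _alert(14, "open", "low", "example-transitive", "<= 1.9.9", None),
    _alert(15, "fixed", "high", "vitest", "< 3.0.0", "3.0.0"),  # not open: skipped
]
INSTALLED = {"vitest": "2.1.8", "protobufjs": "7.2.5", "example-transitive": "1.4.0"}

if __name__ == "__main__":
    print("| Package | Alerts | Severity | Installed | Target | Lane |")
    print("|---|---|---|---|---|---|")
    for r in plan(SAMPLE_ALERTS, INSTALLED):
        print(f"| {r['package']} | {len(r['alerts'])} | {r['max_severity']} | "
              f"{r['installed']} | {r['target'] or 'none'} | {r['lane']} |")
```

Two points the jq pipeline alone cannot settle: the alert payload does not carry the installed version, so the major-bump test that decides batch versus individual needs the lockfile lookup supplied here, and a package with several alerts needs the highest of their `first_patched_version` values, not the first one, or the bump clears some alerts and leaves others open.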
Pull request overview
Adds a new AI agent skill documenting a structured workflow for triaging and remediating Dependabot security alerts in the Abbenay monorepo, including validation gates and PR/CI follow-up steps.
Changes:
- Introduces `.agents/skills/dependabot-remediation/SKILL.md` with a phased remediation workflow (triage → plan → remediate → validate → open PR → babysit → dismiss).
- Documents suggested commands for alert grouping, dependency update strategy, validation gates, and Dependabot alert dismissal.
- Add --paginate and sort_by before group_by in triage jq pipeline
- Make xvfb-run conditional (Linux-only) matching pr-readiness skill
- Number the dismiss section as Phase 7 for consistency
Comment on lines +31 to +38
| gh api repos/redhat-developer/abbenay/dependabot/alerts --paginate \ | ||
| --jq '[.[] | select(.state == "open")] | sort_by(.security_vulnerability.package.name) | group_by(.security_vulnerability.package.name) | map({ | ||
| package: .[0].security_vulnerability.package.name, | ||
| ecosystem: .[0].security_vulnerability.package.ecosystem, | ||
| count: length, | ||
| max_severity: (map(.security_advisory.severity) | if any(. == "critical") then "critical" elif any(. == "high") then "high" elif any(. == "medium") then "medium" else "low" end), | ||
| alerts: map({number, severity: .security_advisory.severity, summary: .security_advisory.summary, patched: .security_vulnerability.first_patched_version.identifier, range: .security_vulnerability.vulnerable_version_range}) | ||
| }) | sort_by(if .max_severity == "critical" then 0 elif .max_severity == "high" then 1 elif .max_severity == "medium" then 2 else 3 end)' |
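Review bot: `--paginate` combined with `--jq` runs the filter on each page of results separately, so the `sort_by`/`group_by` on the second line of this hunk only aggregates alerts within one page; a package whose alerts straddle a page boundary comes out as two rows with split counts and possibly a different `max_severity` in each. Either add `--slurp` (where the installed gh supports it; the filter then receives an array of pages, so start it with `add` or `[.[][] | select(.state == "open")]`) or drop `--jq` and pipe the output through `jq -s 'add | ...'`. Appending `?state=open` to the endpoint would also avoid fetching closed alerts only to discard them with `select(.state == "open")`.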
Comment on lines +55 to +61
| ``` | ||
| | # | Package | Alerts | Severity | Direct? | Runtime? | Patch available | Target | | ||
| |---|----------------|--------|----------|---------|----------|-----------------|-----------| | ||
| | 1 | vitest | 1 | critical | dev | dev-only | yes | >= 3.2.6 | | ||
| | 2 | protobufjs v7 | 8 | high | direct | runtime | yes | >= 7.5.8 | | ||
| | … | | ||
| ``` |
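Review bot: the `Direct?` column in this example table should answer direct versus transitive, but the vitest row fills it with `dev`, which is a dependency type rather than an answer, and the protobufjs row puts `direct` there while the `Runtime?` column carries `runtime`, so a reader cannot tell whether a dev dependency can also be transitive. Suggest `Direct?` take only `direct`/`transitive` and `Runtime?` take only `runtime`/`dev` (the alert payload's `dependency.scope` field reports `runtime` or `development` and can fill that column), so the vitest row reads `| direct | dev |`; and add a `Current` column beside `Target`, since the batch-versus-individual lane decision depends on whether the bump crosses a major version.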
Comment on lines +169 to +175
| **Note:** `npm run audit:check` and the pre-commit audit hook may report | ||
| pre-existing vulnerabilities not yet in `.audit-allowlist`. If the only | ||
| failures are advisories unrelated to this PR's package, they are pre-existing | ||
| and do not block this PR. Verify by checking that the target package's GHSA | ||
| IDs are no longer in the output. When the pre-commit hook blocks a commit | ||
| solely due to pre-existing audit failures, use `--no-verify` to bypass it. | ||
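Review bot: the last sentence recommends `--no-verify`, which skips every pre-commit and commit-msg hook the repository configures, not only the audit hook, so it is a wider bypass than the note intends. Suggest narrowing it: run `npm run audit:check` on its own first and confirm the target package's GHSA IDs are gone and every remaining advisory is pre-existing, record those pre-existing advisories (the allowlist lane or a tracking issue) so they are not silently carried forward, and only then commit with `--no-verify`, stating in the PR that the CI audit gate still runs and that a bypassed local check is not grounds for merging.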
Summary
Adds a new agent skill (`.agents/skills/dependabot-remediation/SKILL.md`) that provides a structured workflow for triaging and remediating Dependabot security alerts.
What it does
Six-phase workflow:
Battle-tested
This skill was developed and refined while remediating all 29+ Dependabot
alerts across PRs #48-#53, covering:
Test plan