ci: add automated vulnerability remediation workflow#182
ci: add automated vulnerability remediation workflow#182ulziibay-kernel wants to merge 2 commits intomainfrom
Conversation
Made-with: Cursor
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
| env: | ||
| GH_TOKEN: ${{ steps.app-token.outputs.token }} | ||
| run: | | ||
| gh api "/repos/${{ github.repository }}/dependabot/alerts?state=open&per_page=100" > dependabot-alerts.json 2>/dev/null || echo "[]" > dependabot-alerts.json |
There was a problem hiding this comment.
Silent error suppression hides API misconfiguration permanently
Medium Severity
The 2>/dev/null on the gh api call silently discards all stderr output, including authentication and permission errors. If the GitHub App token lacks the required Dependabot alerts: read permission, the API returns a 403, stderr is suppressed, and || echo "[]" creates an empty alerts file. The agent then reports "No open vulnerability alerts" and exits successfully. Since this is a weekly scheduled workflow, the team believes vulnerability remediation is running while it silently does nothing — potentially for weeks or months. Removing 2>/dev/null while keeping the || echo "[]" fallback would preserve resilience against transient failures while making permanent misconfigurations visible in workflow logs.
Made-with: Cursor
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| env: | ||
| SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_API_TOKEN }} | ||
| run: | | ||
| socket scan create --repo="${{ github.event.repository.name }}" --branch=main --default-branch --report --json > socket-report.json 2>/dev/null || echo '{"healthy":true,"alerts":{}}' > socket-report.json |
There was a problem hiding this comment.
Scan failure silently produces false healthy report
High Severity
When socket scan create fails (bad credentials, network error, service outage, etc.), the || fallback writes {"healthy":true,"alerts":{}} to socket-report.json, making the workflow believe no vulnerabilities exist. Combined with 2>/dev/null suppressing all error output, scan failures are silently treated as a clean bill of health. This defeats the entire purpose of the vulnerability remediation workflow — real vulnerabilities go undetected and unremediated with no indication anything went wrong.
1 participant
Adds the scheduled Dependabot vulnerability remediation workflow and prompt, aligned with the kernel repo pattern. Go is set up from root
go.mod; the remediation agent uses Makefilebuildandtesttargets per the prompt when manifests change.Made with Cursor
Note
Medium Risk
Adds a scheduled GitHub Actions job that can modify dependencies, force-push an evergreen branch, and create/update PRs; misconfiguration or prompt/agent failures could cause noisy PR churn or unintended dependency bumps.
Overview
Introduces an automated, scheduled vulnerability remediation workflow that runs Socket scans and uses a Cursor agent prompt to triage alerts and apply dependency upgrades.
The workflow authenticates via a GitHub App token, runs
socket scan create, then drives an evergreensecurity/vuln-remediationbranch/PR process (including build/test verification and PR body reporting for fixed/skipped/deferred items) as defined in the newvuln-remediation-prompt.md.Written by Cursor Bugbot for commit 3ee9d8a. This will update automatically on new commits. Configure here.