ci: add automated vulnerability remediation workflow#199
ci: add automated vulnerability remediation workflow#199ulziibay-kernel wants to merge 4 commits intomainfrom
Conversation
Made-with: Cursor
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
|
|
||
| ## Step 8: Format code | ||
|
|
||
| Run `bun run format` to ensure all code is properly formatted before committing. |
There was a problem hiding this comment.
Prompt references bun commands but Bun is not installed
Medium Severity
The prompt instructs the AI agent to run bun install, bun update, bun run build, bun test, and bun run format, but the workflow YAML does not install Bun. The PR description says Bun setup was intentionally omitted, and the repo's other CI workflows use pnpm instead. Step 8 unconditionally tells the agent to run bun run format (not gated on npm deps), which will always fail. The npm dependency instructions in Step 5, Step 6, and Step 7 also reference bun and will fail if triggered.
Additional Locations (2)
Made-with: Cursor
| env: | ||
| SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_API_TOKEN }} | ||
| run: | | ||
| socket scan create --repo="${{ github.event.repository.name }}" --branch=main --default-branch --report --json > socket-report.json 2>/dev/null || echo '{"healthy":true,"alerts":{}}' > socket-report.json |
There was a problem hiding this comment.
Socket scan failures silently produce fake healthy report
High Severity
The socket scan command suppresses all stderr with 2>/dev/null and falls back to echo '{"healthy":true,"alerts":{}}' on any failure. This means authentication errors, network issues, API failures, or misconfigured secrets all silently produce a fake "healthy" report, causing the workflow to skip vulnerability remediation entirely. Real vulnerabilities would go undetected with no visible indication of failure.
Temporarily triggers on PRs that modify the workflow files so we can validate the Socket scan + agent flow before merging to main. Made-with: Cursor
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 3 total unresolved issues (including 2 from previous reviews).
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Made-with: Cursor
1 participant
Adds the scheduled Dependabot vulnerability remediation workflow and prompt from kernel, adapted for this repository: Go uses
server/go.mod, and Bun setup/install steps are omitted since this repo does not use Bun for the main project.Made with Cursor
Note
Medium Risk
Adds a scheduled workflow with write access that can create/force-push an evergreen branch and open/update PRs, so misconfiguration of secrets/permissions or the agent prompt could lead to unintended repo changes.
Overview
Adds a new scheduled/dispatchable
Vulnerability RemediationGitHub Action that runs a Socket.dev scan and then invokes a Cursoragentwith a repo-specific remediation prompt to upgrade vulnerable dependencies and open/update a single evergreen PR onsecurity/vuln-remediation.The new prompt (
vuln-remediation-prompt.md) defines triage rules (fix CVEs only; dismiss behavioral alerts; defer risky/major/no-fix cases), prescribes build/test verification and formatting, and standardizes the PR body into Fixed/Skipped/Deferred tables.Written by Cursor Bugbot for commit 136fa85. This will update automatically on new commits. Configure here.