‹ 首页

cve-watchlist-action-recommendation-generator

@arabelatso · 收录于 1 周前

Generate prioritized CVE watchlists and actionable security recommendations for repositories. Use when analyzing CVE scan results, creating security reports, prioritizing vulnerability remediation, or generating security gate reports for CI/CD. Takes CVE scan results (JSON/SARIF from npm audit, pip-audit, Snyk), reachability analysis, and cutoff date as input. Combines severity, reachability, exploitability, and dependency criticality to rank CVEs by practical risk. Outputs markdown reports with concrete next-step guidance (immediate upgrade, monitor, ignore with justification, apply mitigation) suitable for issue trackers, security reviews, and CI security gates.

适合你,如果需要在CI/CD中自动生成优先级排序的漏洞修复报告

/ 下载安装
cve-watchlist-action-recommendation-generator.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add arabelatso/skills-4-se/cve-watchlist-action-recommendation-generator
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- arabelatso/skills-4-se/cve-watchlist-action-recommendation-generator
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify arabelatso/skills-4-se/cve-watchlist-action-recommendation-generator
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
137GitHub stars
~1.3K最小装载
~8K含声明引用
~8K文本包总量
镜像托管

怎么用

技能原文 SKILL.md作者撰写 · Apache-2.0 · 0f00a4f

CVE Watchlist & Action Recommendation Generator

Generate prioritized CVE watchlists with actionable security recommendations for development and security teams.

Workflow
1. Gather Input Data

Collect required inputs:

Required:

  • Repository name/path
  • CVE scan results (JSON/SARIF format from npm audit, pip-audit, Snyk, etc.)
  • Cutoff date (YYYY-MM-DD) for filtering new CVEs

Optional but recommended:

  • Reachability analysis results (which vulnerable code paths are actually used)
  • Exploit intelligence data (CISA KEV, ExploitDB)
  • Dependency criticality ratings (how critical each dependency is)

Parse scan results:

python scripts/parse_scan_results.py scan_results.json auto 2024-01-01 > parsed_cves.json
2. Calculate Risk Scores

Combine multiple risk factors to prioritize CVEs:

python scripts/calculate_risk_score.py parsed_cves.json reachability.json exploits.json criticality.json > scored_cves.json

Risk scoring formula:

Risk Score = (Severity × 0.35) + (Reachability × 0.30) + (Exploitability × 0.20) + (Dependency Criticality × 0.15)

See [risk_scoring.md](references/risk_scoring.md) for detailed methodology.

3. Generate Recommendations

For each CVE, determine appropriate action based on risk score and context:

Decision tree:

  • Risk ≥ 80 (Critical) → Immediate upgrade (24-48h)
  • Risk 60-79 (High) → Upgrade within days (3-5 days)
  • Risk 40-59 (Medium) → Next maintenance cycle (2-4 weeks)
  • Risk 20-39 (Low) → Monitor or defer
  • Risk < 20 (Minimal) → Ignore with justification

See [action_guidelines.md](references/action_guidelines.md) for complete decision tree and recommendation templates.

4. Generate Report

Create markdown-formatted report using template:

Report structure:

  1. Executive Summary (CVE counts by risk tier)
  2. Prioritized CVE Watchlist (grouped by risk tier)
  3. For each CVE:
  4. Risk score and breakdown
  5. Affected package and versions
  6. Reachability status
  7. Exploit availability
  8. Concrete action recommendation
  9. Upgrade commands
  10. Mitigation options (if applicable)
  11. Summary of Actions (immediate, short-term, medium-term)
  12. Dependency Overview
  13. Next Steps

Use template from [assets/report_template.md](assets/report_template.md).

Input Formats
CVE Scan Results

npm audit (JSON):

{
  "vulnerabilities": {
    "package-name": {
      "via": [{
        "cve": ["CVE-2024-1234"],
        "severity": "high",
        "title": "SQL Injection",
        "url": "https://..."
      }],
      "fixAvailable": {"version": "2.0.0"}
    }
  }
}

pip-audit (JSON):

{
  "dependencies": [{
    "name": "package-name",
    "version": "1.0.0",
    "vulns": [{
      "id": "CVE-2024-1234",
      "fix_versions": ["2.0.0"],
      "description": "..."
    }]
  }]
}

Snyk (JSON):

{
  "vulnerabilities": [{
    "id": "SNYK-...",
    "identifiers": {"CVE": ["CVE-2024-1234"]},
    "packageName": "package-name",
    "severity": "high",
    "cvssScore": 7.5
  }]
}
Reachability Analysis
{
  "package-name": {
    "status": "direct_call",
    "details": "Called from src/auth.js:42"
  },
  "other-package": {
    "status": "not_reachable",
    "details": "Dev dependency only"
  }
}

Status values: direct_call, indirect_call, imported_unused, not_reachable, unknown

Exploit Intelligence
{
  "CVE-2024-1234": {
    "actively_exploited": true,
    "public_exploit": true,
    "poc_available": true,
    "source": "CISA KEV"
  }
}
Dependency Criticality
{
  "package-name": {
    "level": "critical",
    "reason": "Handles authentication and authorization"
  },
  "dev-tool": {
    "level": "minimal",
    "reason": "Development-only linting tool"
  }
}

Levels: critical, high, medium, low, minimal

Example Output
# CVE Security Report

**Repository**: my-app
**Cutoff Date**: 2024-01-01
**New CVEs**: 5

| Risk Tier | Count | Action Required |
|-----------|-------|-----------------|
| 🔴 Critical | 1 | Immediate (24-48h) |
| 🟠 High | 2 | Within days (3-5d) |
| 🟡 Medium | 1 | Next cycle (2-4w) |
| 🟢 Low | 1 | Monitor |

---

### 🔴 Critical Risk

#### CVE-2024-1234: SQL Injection in database-driver

**Risk Score**: 96 / 100 (Critical)

**Affected Package**: database-driver@1.2.3

**Severity**: Critical (CVSS 9.8)

**Reachability**: Direct call from src/db/query.js:42

**Exploitability**: Public exploit available (ExploitDB)

**Action**: Immediate upgrade required

**Steps**:
1. Upgrade database-driver from 1.2.3 to 2.0.0
2. Run full test suite
3. Deploy with rollback plan

**Command**:

npm install database-driver@2.0.0

**Risk if not addressed**: Attackers can execute arbitrary SQL queries, leading to data breach
Tips
  • Always include reachability data when available - it significantly improves prioritization accuracy
  • Check for breaking changes in fix versions before recommending immediate upgrades
  • Document assumptions when data is missing (e.g., "Assuming moderate risk due to unknown reachability")
  • Provide specific commands for each package manager (npm, pip, maven, etc.)
  • Include mitigation options for high-risk CVEs when upgrades are blocked
  • Link to CVE details and security advisories for further investigation
  • Group multiple CVEs in the same package when a single upgrade fixes all
Resources
scripts/
  • parse_scan_results.py - Parse CVE scan results from npm audit, pip-audit, Snyk, SARIF
  • calculate_risk_score.py - Calculate composite risk scores from multiple factors
references/
  • risk_scoring.md - Risk scoring methodology and factor calculations
  • action_guidelines.md - Decision tree for generating recommendations
assets/
  • report_template.md - Markdown report template structure
按 Apache-2.0 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。