
dependabot-alerts-triaging

Analyze GitHub Dependabot dependency vulnerability alerts and suggest triage decisions (dismiss/fix/escalate) with explanations. Use when the user needs help reviewing Dependabot alerts, deciding whether dependencies are exploitable, or triaging CVEs across NASA PDS repositories.
NASA-PDS/pds-agent-skills · ★ 1 · AI & Automation · score 67
Install: claude install-skill NASA-PDS/pds-agent-skills
# Dependabot Alerts Triaging Skill

This skill helps you make informed triage decisions on GitHub Dependabot dependency vulnerability alerts by analyzing each CVE — **one at a time** — in the context of how the affected package is actually used in NASA-PDS code. You review and approve every decision before anything is recorded or applied.

## Prerequisites

- JSON export from the `dependabot-alerts-exporting` skill
- `gh` CLI authenticated (for creating outlaw-tracker issues)
- Local clones of affected repositories (strongly recommended — see Step 1a)

## Workflow Position

```
1. dependabot-alerts-exporting → Export alerts to JSON
2. dependabot-alerts-triaging  → THIS SKILL: Analyze & decide one by one
3. dismiss-alerts.mjs          → Apply dismissal decisions to GitHub
```

## Triage Actions

| Action | When to Use | GitHub API Value |
|--------|-------------|------------------|
| **fix** | Patched version available; upgrade is feasible | Keep open, create outlaw-tracker issue |
| **tolerable_risk** | Real CVE but attack vector doesn't apply to PDS usage | `tolerable_risk` |
| **inaccurate** | CVE doesn't affect this package/version, or vulnerable function is never called | `inaccurate` |
| **no_bandwidth** | Real issue, acceptable risk for now, defer to backlog | `no_bandwidth` |

## Workflow

### Step 1: Load the Export

Ask the user for the path to their Dependabot alerts JSON file. Parse it and show a brief summary:

```
Loaded 5 alerts for nasa-pds/registry-legacy-solr
```
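To make the triage table and the Step 1 summary concrete, here is an added example (not the skill's own code, and not `dismiss-alerts.mjs`) that loads an export, prints the summary line, and turns one reviewed decision into either a keep-open/issue action or the dismissal payload GitHub's Dependabot alert API accepts. It assumes the export holds GitHub REST API alert objects under an `alerts` key with the repository name beside it; the alerts, package names and CVE ids below are constructed placeholders.

```javascript
// Added example, not the NASA-PDS skill's own code. Assumes the JSON export
// contains GitHub REST API Dependabot alert objects; sample data is constructed.
const ACTIONS = ["fix", "tolerable_risk", "inaccurate", "no_bandwidth"];

// Constructed export for a hypothetical repository; CVE ids are placeholders.
const SAMPLE_EXPORT = {
  repository: "nasa-pds/example-repo",
  alerts: [
    { number: 7, state: "open",
      dependency: { package: { ecosystem: "maven", name: "example-lib" } },
      security_advisory: { cve_id: "CVE-XXXX-0001", severity: "high" },
      security_vulnerability: { first_patched_version: { identifier: "2.0.1" } } },
    { number: 9, state: "open",
      dependency: { package: { ecosystem: "npm", name: "example-tool" } },
      security_advisory: { cve_id: "CVE-XXXX-0002", severity: "moderate" },
      security_vulnerability: { first_patched_version: null } },
  ],
};

// Step 1 summary: the "Loaded N alerts for <repo>" line plus a per-severity count
// so the reviewer sees the shape of the export before going alert by alert.
function summarize(exp) {
  const bySeverity = {};
  for (const a of exp.alerts) {
    const s = a.security_advisory.severity;
    bySeverity[s] = (bySeverity[s] || 0) + 1;
  }
  return { line: `Loaded ${exp.alerts.length} alerts for ${exp.repository}`, bySeverity };
}

// Turn one reviewed decision into the action to apply. Every decision carries a
// written justification, and "fix" is only valid when a patched version exists.
function planAction(alert, action, justification) {
  if (!ACTIONS.includes(action)) throw new Error(`unknown triage action: ${action}`);
  if (!justification || !justification.trim()) throw new Error("justification required");
  const pkg = alert.dependency.package.name;
  const patched = alert.security_vulnerability.first_patched_version;
  if (action === "fix") {
    if (!patched) throw new Error(`no patched version for ${pkg}; fix is not applicable`);
    return { kind: "keep_open", number: alert.number,
             issueTitle: `Upgrade ${pkg} to ${patched.identifier} (${alert.security_advisory.cve_id})` };
  }
  // The three dismissal actions map directly onto the API's dismissed_reason values;
  // the justification becomes dismissed_comment so the reasoning is recorded on the alert.
  return { kind: "dismiss", number: alert.number,
           payload: { state: "dismissed", dismissed_reason: action, dismissed_comment: justification } };
}
```

The `payload` object is the body of a `PATCH /repos/{owner}/{repo}/dependabot/alerts/{alert_number}` request; the keep-open branch only produces the issue title, since creating the outlaw-tracker issue with `gh` is a separate step.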