Skip to content

Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

38 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

GitHub Security Alerts Skill

latest GitHub release. GitHub stars. GitHub forks. GitHub open issues. GitHub PRs. GitHub license GitHub Dependabot

An open-agent skill for inspecting and managing GitHub repository security alerts across:

  • code scanning
  • Dependabot
  • Dependabot malware
  • secret scanning

This repository provides:

  • a reusable github-manage-security-alerts skill (skills/github-manage-security-alerts/SKILL.md)
  • a Python CLI helper to inspect and triage alerts
  • GitHub automation for release/security hygiene

What this skill can do

With a GitHub token in an environment variable, you can:

  • summarize repository alert posture (summary)
  • export full alert snapshots for bulk triage (export-alerts)
  • list/show/update code scanning alerts
  • list/show/update Dependabot alerts
  • list/show/update malware alerts (Dependabot malware subset)
  • list/show/update secret scanning alerts
  • inspect secret locations and secret scan history
  • inspect repository security setup overview
  • perform bulk alert updates (bulk-update-alerts) with --dry-run
  • fall back to raw REST calls for unsupported endpoints (api-call)

The helper is repository-agnostic: pass --repo to any local checkout, or pass explicit --repository owner/repo.


Repository layout

skills/
  github-manage-security-alerts/
    SKILL.md
    LICENSE.txt
    agents/
      openai.yaml
    assets/
      github-manage-security-alerts-small.svg
      github-manage-security-alerts.png
    references/
      command-guide.md
      github-mcp-guide.md
      security-triage-guide.md
    scripts/
      manage_github_security_alerts.py
      github_security_api.py
      github_security_cli.py
      github_security_common.py
      github_security_operations.py
      github_security_render.py
README.md
CONTRIBUTING.md
SECURITY.md
CHANGELOG.md

Agent compatibility

This package uses the skills/github-manage-security-alerts/ layout so npx skills installs the skill with its referenced agents/, assets/, references/, and scripts/ directories intact.

Use --agent universal for agents that consume the shared .agents/skills layout. Use --agent "*" only when you intentionally want to install to every supported agent directory.

npx skills add Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill -g --agent universal -y
npx skills add Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill -g --agent "*" -y
npm install --save-dev github-manage-security-alerts-skill
npx skills experimental_sync --agent universal -y

OpenAI-specific display metadata lives in skills/github-manage-security-alerts/agents/openai.yaml. The portable skill contract is skills/github-manage-security-alerts/SKILL.md plus the referenced assets/, references/, and scripts/ files in the same skill directory.


Publishing

The skill is packaged for GitHub releases and npm as github-manage-security-alerts-skill.

Verify the package locally before publishing:

npm run release:verify
npm publish --access public --provenance

GitHub Actions publishes with npm OIDC trusted publishing using npm publish --access public --provenance. Configure the npm package trusted publisher for repository Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill and workflow .github/workflows/release-skill.yml. The workflow intentionally does not use npm stage commands.


Quick start

1) Prerequisites

  • Python 3.10+
  • A GitHub token exported to an environment variable (recommended: GITHUB_TOKEN)

2) Set your token (do not pass it on CLI)

PowerShell

$env:GITHUB_TOKEN = "<your-token>"

Bash

export GITHUB_TOKEN="<your-token>"

3) Run the helper

From repository root:

python "skills/github-manage-security-alerts/scripts/manage_github_security_alerts.py" summary --repo "."

Machine-readable output:

python "skills/github-manage-security-alerts/scripts/manage_github_security_alerts.py" summary --repo "." --json

Common commands

# Export full alert sets for triage
python "skills/github-manage-security-alerts/scripts/manage_github_security_alerts.py" export-alerts --repo "." --json

# List open high/error code scanning alerts
python "skills/github-manage-security-alerts/scripts/manage_github_security_alerts.py" list-code-scanning --repo "." --state open --severity high,error

# Dismiss a code scanning alert (dry-run first)
python "skills/github-manage-security-alerts/scripts/manage_github_security_alerts.py" update-code-scanning --repo "." --alert 42 --state dismissed --dismissed-reason false_positive --comment "False positive after review." --dry-run

# List open Dependabot alerts
python "skills/github-manage-security-alerts/scripts/manage_github_security_alerts.py" list-dependabot --repo "." --state open

# List open secret scanning alerts
python "skills/github-manage-security-alerts/scripts/manage_github_security_alerts.py" list-secret-scanning --repo "." --state open

# Bulk update (preview only)
python "skills/github-manage-security-alerts/scripts/manage_github_security_alerts.py" bulk-update-alerts --repo "." --surface code-scanning --select-state open --target-state dismissed --dismissed-reason "false positive" --comment "Reviewed and intentionally dismissed." --limit 10 --dry-run --json

For the full command surface and workflows, see:


Security notes

  • Never paste tokens into command arguments or commit them to git.
  • Prefer environment variables and secret managers.
  • Use --dry-run before mutation and bulk mutation actions.

More details: SECURITY.md


Contributing

Contributions are welcome. Please read:


Releases and downloads

This repository includes a release workflow that creates a downloadable zip bundle:

  • Workflow: .github/workflows/release-skill.yml
  • Trigger:
    • push a tag like v0.1.0
    • run manually via workflow_dispatch with:
      • release_type: patch / minor / major
      • version: optional explicit x.y.z (overrides release_type)
      • ref: branch to release from (default main)
  • Asset: github-security-codescanning-alerts-skill-<tag>.zip

Examples:

# Manual patch bump from main
gh workflow run "Release Skill Bundle" -f release_type=patch -f ref=main

# Manual explicit release version
gh workflow run "Release Skill Bundle" -f release_type=patch -f version=0.2.0 -f ref=main

License

Released under The Unlicense.

Packages

 
 
 

Contributors