ci: add automated vulnerability remediation workflow#199
ci: add automated vulnerability remediation workflow#199ulziibay-kernel wants to merge 4 commits intomainfrom
Conversation
Made-with: Cursor
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
|
|
||
| ## Step 8: Format code | ||
|
|
||
| Run `bun run format` to ensure all code is properly formatted before committing. |
There was a problem hiding this comment.
Prompt references bun commands but Bun is not installed
Medium Severity
The prompt instructs the AI agent to run bun install, bun update, bun run build, bun test, and bun run format, but the workflow YAML does not install Bun. The PR description says Bun setup was intentionally omitted, and the repo's other CI workflows use pnpm instead. Step 8 unconditionally tells the agent to run bun run format (not gated on npm deps), which will always fail. The npm dependency instructions in Step 5, Step 6, and Step 7 also reference bun and will fail if triggered.
Additional Locations (2)
Made-with: Cursor
| env: | ||
| SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_API_TOKEN }} | ||
| run: | | ||
| socket scan create --repo="${{ github.event.repository.name }}" --branch=main --default-branch --report --json > socket-report.json 2>/dev/null || echo '{"healthy":true,"alerts":{}}' > socket-report.json |
There was a problem hiding this comment.
Socket scan failures silently produce fake healthy report
High Severity
The socket scan command suppresses all stderr with 2>/dev/null and falls back to echo '{"healthy":true,"alerts":{}}' on any failure. This means authentication errors, network issues, API failures, or misconfigured secrets all silently produce a fake "healthy" report, causing the workflow to skip vulnerability remediation entirely. Real vulnerabilities would go undetected with no visible indication of failure.
Temporarily triggers on PRs that modify the workflow files so we can validate the Socket scan + agent flow before merging to main. Made-with: Cursor
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 3 total unresolved issues (including 2 from previous reviews).
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Made-with: Cursor
1 participant
Summary
Adds a weekly Socket.dev vulnerability remediation workflow. Runs a Socket scan with reachability analysis, then uses the Cursor agent to triage alerts and create fix PRs for actionable CVEs.
Adapted for this repo: Go uses
server/go.mod, no Bun setup needed.Test plan
workflow_dispatchare active