Triage CVEs in a lockfile by reachability: filter advisories down to those whose vulnerable code paths the application actually imports.
Reads a project's lockfile, fetches advisories from the GitHub Advisory Database, and triages each CVE by reachability — does the application actually call into the vulnerable function or path? Output is a prioritized list grouped by reachable / unreachable.
Inputs:
- lockfile_path: package-lock.json, yarn.lock, or similar.
- repo_dir: source root for the import-graph analysis.
- language: node (others supported as the ecosystem matures).
- GITHUB_TOKEN env var for advisory queries.

Commands used:
- npm audit --json > /tmp/audit.json to seed the CVE list with package + version + advisory ID.
- gh api graphql -f query='{ securityAdvisory(ghsaId:"GHSA-...") { references { url } vulnerabilities { firstPatchedVersion { identifier } package { ecosystem name } } } }'.
- git show <commit> --stat and git diff extraction.
- madge --json src plus madge --json for any binaries.
- npm ls <pkg> to confirm a path.
- rg -nN '<funcname>\b' node_modules/<pkg>/dist/* to inspect the package's exports surface, then rg -nN '<funcname>\b' src/ to see if userland calls it.

Reachability classes: reachable (function imported and called), import-only (imported, not called), unreachable (transitive dep never imported).
Sort order: (reachable, CVSS) desc.
Remediation: firstPatchedVersion, switch to a maintained fork, or add a workaround for the reachable function.
Output: cve-triage.md with three sections (Reachable, Import-only, Unreachable), each row showing CVE ID, package@version, fix version, CVSS, reachability evidence (sample file:line). Plus cve-triage.json for tracking. Exit 1 if any reachable critical CVE remains.
For three reachable findings, manually trace the call site to confirm the path is real (not dead code). For two unreachable findings, run npm ls <pkg> and confirm the dependency exists only behind dev-only or peer-only paths. After applying a fix bump, rerun the triager and confirm the CVE drops out of the lockfile.
Edge cases:
- no-fix-available heading and propose mitigations.
- require(name) with computed name): tag those packages as unverifiable-reachability.
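The classification, sort, and exit-code logic above, as an added example that is not the skill's own code. It assumes an import graph in the shape madge --json prints (source file to list of imported modules, npm packages by name) and grep hits in the file:line:content form rg -n prints; every advisory id, package name and source line below is constructed. Treating a package that is absent from the static graph as unverifiable-reachability whenever the project contains a computed require()/import() is this example's reading of the computed-name rule, not something the skill page spells out.

```javascript
// Added example, not the skill's own code: triage advisories by reachability
// using (1) an import graph in the shape `madge --json src` prints and
// (2) grep hits in `file:line:content` form, as `rg -n '<fn>\b' src/` prints.
// All inputs below are constructed; advisory ids and package names are made up.

const ADVISORIES = [
  // package, installed version, first patched version, CVSS, vulnerable export
  { id: 'GHSA-0000-aaaa-0001', pkg: 'yaml-ish', version: '1.2.0', fix: '1.2.1', cvss: 9.8, vulnFn: 'parseDocument' },
  { id: 'GHSA-0000-aaaa-0002', pkg: 'yaml-ish', version: '1.2.0', fix: '1.2.1', cvss: 5.3, vulnFn: 'stringify' },
  { id: 'GHSA-0000-aaaa-0003', pkg: 'deep-merge-ish', version: '0.4.0', fix: null, cvss: 7.5, vulnFn: 'merge' },
];

// madge-style graph (constructed): source file -> modules it imports.
const IMPORT_GRAPH = {
  'src/index.js': ['src/config.js', 'yaml-ish'],
  'src/config.js': ['yaml-ish'],
  'src/server.js': ['src/index.js'],
};

// Combined rg output for every vulnFn above (constructed). Only config.js:14 is
// a real call; index.js:3 only destructures the import, index.js:22 is a comment.
const RG_LINES = [
  'src/index.js:3:const { parseDocument, stringify } = require("yaml-ish");',
  'src/config.js:14:const doc = parseDocument(fs.readFileSync(file, "utf8"));',
  'src/index.js:22:// stringify is re-exported for callers but never invoked here',
];

// Higher rank sorts first; keys double as the report's section order.
const RANK = { reachable: 3, 'unverifiable-reachability': 2, 'import-only': 1, unreachable: 0 };

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Parse "file:line:content" lines; anything that does not fit is dropped.
function parseGrep(lines) {
  return lines
    .map((l) => /^([^:]+):(\d+):(.*)$/.exec(l))
    .filter(Boolean)
    .map((m) => ({ file: m[1], line: Number(m[2]), text: m[3] }));
}

function importersOf(pkg, graph) {
  return Object.keys(graph).filter((file) => graph[file].includes(pkg));
}

// A computed require()/import() means a package absent from the static graph
// might still be loaded at runtime, so "unreachable" cannot be asserted.
function hasDynamicImport(hits) {
  return hits.some((h) => /\b(require|import)\(\s*[^'"`)\s]/.test(h.text));
}

// Call sites: the symbol followed by "(", excluding import/require and comment lines.
function callSites(fn, hits) {
  const call = new RegExp(`\\b${escapeRe(fn)}\\s*\\(`);
  return hits.filter((h) => call.test(h.text)
    && !/\brequire\(|^\s*import\b/.test(h.text)
    && !/^\s*(\/\/|\*)/.test(h.text));
}

function classify(adv, graph, hits) {
  const importers = importersOf(adv.pkg, graph);
  if (importers.length === 0) {
    return hasDynamicImport(hits)
      ? { ...adv, reachability: 'unverifiable-reachability', evidence: 'not statically imported; project uses computed require()/import()' }
      : { ...adv, reachability: 'unreachable', evidence: 'not imported by any source file' };
  }
  // Require the call to sit in a file that imports the package, so a same-named
  // local function elsewhere does not count as evidence.
  const sites = callSites(adv.vulnFn, hits).filter((s) => importers.includes(s.file));
  if (sites.length === 0) {
    return { ...adv, reachability: 'import-only', evidence: `imported by ${importers.join(', ')}; ${adv.vulnFn} never called` };
  }
  return { ...adv, reachability: 'reachable', evidence: `${sites[0].file}:${sites[0].line}` };
}

// Sort by (reachability rank, CVSS) desc; exit 1 if a reachable critical (CVSS >= 9.0) remains.
function triage(advisories, graph, grepLines) {
  const hits = parseGrep(grepLines);
  const rows = advisories.map((a) => classify(a, graph, hits));
  rows.sort((x, y) => (RANK[y.reachability] - RANK[x.reachability]) || (y.cvss - x.cvss));
  const exitCode = rows.some((r) => r.reachability === 'reachable' && r.cvss >= 9.0) ? 1 : 0;
  return { rows, exitCode };
}

// One markdown section per reachability class, one table row per advisory.
function renderMarkdown(rows) {
  const out = ['# CVE triage'];
  for (const section of Object.keys(RANK)) {
    const group = rows.filter((r) => r.reachability === section);
    if (group.length === 0) continue;
    out.push('', `## ${section}`, '', '| CVE | package@version | fix | CVSS | evidence |', '|---|---|---|---|---|');
    for (const r of group) {
      out.push(`| ${r.id} | ${r.pkg}@${r.version} | ${r.fix ?? 'no fix available'} | ${r.cvss} | ${r.evidence} |`);
    }
  }
  return out.join('\n');
}

const result = triage(ADVISORIES, IMPORT_GRAPH, RG_LINES);
console.log(renderMarkdown(result.rows));
console.log(`exit code: ${result.exitCode}`);
```

On the constructed data the parseDocument advisory lands in reachable with evidence src/config.js:14, stringify is import-only because the only grep hits are the destructured import and a comment, and deep-merge-ish is unreachable; adding a single computed require() line to the grep output moves deep-merge-ish to unverifiable-reachability instead. The exit code is 1 because the reachable finding scores 9.8.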
Same domains or capabilities as amitte/cve-triager.
Audit an AWS IAM policy against CloudTrail usage data and propose a minimized policy listing only actions actually invoked in the analysis window.
Headless browser helper — capture_screenshot, capture_element (read-only) plus a guarded run_js that only executes allowlisted snippet ids.
Read-only RubyGems helper — search_gems, get_gem_info, list_versions. Surface for Ruby dependency discovery from an agent.
Read-only crates.io helper — search_crates, get_crate_info, list_versions. Surface for Rust dependency discovery from an agent.
Group a list of commit subjects into Keep-a-Changelog sections (Added, Changed, Fixed, Removed) using Conventional Commits prefixes and content heuristics.
Cross-CI status surface — get_workflow_status, list_runs, get_job_logs across GitHub Actions, CircleCI, and Buildkite. Read-only.