github-manage-security-alerts-skill 1.0.0

package/CHANGELOG.md

@@ -0,0 +1,19 @@
+# Changelog
+
+All notable changes to this project should be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project follows semantic versioning conventions where practical.
+
+## [Unreleased]
+
+### Added
+
+- Expanded top-level repository documentation and quick start guidance.
+- Added contribution guide and security policy.
+- Added Copilot system prompt file used by workflow automation.
+
+### Changed
+
+- Aligned Dependabot configuration with this repository's actual ecosystems.
+- Retargeted repository docs/templates/workflows from the prior template to the `github-manage-security-alerts` skill and this repository's URLs/commands.

package/CONTRIBUTING.md

@@ -0,0 +1,50 @@
+## Contributing to GitHub Security Alerts Skill
+
+Thanks for contributing.
+
+This repository is primarily a skill + helper tooling repo, so high-signal docs and safe defaults matter as much as code changes.
+
+### Development setup
+
+1. Clone the repository.
+2. Ensure Python 3.10+ is available.
+3. (Optional) create and activate a virtual environment.
+
+PowerShell example:
+
+```powershell
+python -m venv .venv
+.\.venv\Scripts\Activate.ps1
+```
+
+### Local sanity checks
+
+From repo root, run:
+
+```powershell
+python -m compileall ".github/skills/github-manage-security-alerts/scripts"
+python ".github/skills/github-manage-security-alerts/scripts/manage_github_security_alerts.py" --help
+```
+
+If you touched command behavior, include example command invocations and expected output snippets in your PR description.
+
+### Security requirements
+
+- **Do not** commit secrets.
+- **Do not** pass GitHub tokens as CLI literals.
+- Use environment variables (`GITHUB_TOKEN`, `GH_TOKEN`, or `--token-env`).
+- Prefer `--dry-run` for mutation commands in docs/examples.
+
+### Commit messages
+
+This repo includes commit message conventions in:
+
+- `.github/copilot-commit-message-instructions.md`
+
+### Pull request checklist
+
+- [ ] Documentation updated (README/SKILL/help text as needed)
+- [ ] Commands in docs are still valid
+- [ ] No secrets or tokens in changes
+- [ ] Sanity checks pass locally
+- [ ] Scope is focused and reversible

package/LICENSE

@@ -0,0 +1,24 @@
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to <https://unlicense.org>

package/LICENSE.txt

@@ -0,0 +1,24 @@
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to <https://unlicense.org>

package/README.md

@@ -0,0 +1,209 @@
+# GitHub Security Alerts Skill
+
+[![latest GitHub release.](https://flat.badgen.net/github/release/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill?color=cyan)](https://github.com/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill/releases) [![GitHub stars.](https://flat.badgen.net/github/stars/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill?color=yellow)](https://github.com/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill/stargazers) [![GitHub forks.](https://flat.badgen.net/github/forks/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill?color=green)](https://github.com/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill/forks) [![GitHub open issues.](https://flat.badgen.net/github/open-issues/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill?color=red)](https://github.com/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill/issues) [![GitHub PRs.](https://flat.badgen.net/github/open-prs/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill?color=orange)](https://github.com/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill/pulls?q=sort%3Aupdated-desc+is%3Apr+is%3Aopen) [![GitHub license](https://flat.badgen.net/github/license/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill?color=purple)](https://github.com/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill/blob/main/LICENSE) [![GitHub Dependabot](https://flat.badgen.net/github/dependabot/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill?color=blue)](https://github.com/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill/network/updates)
+
+A Copilot / AI skill for inspecting and managing GitHub repository security alerts across:
+
+- code scanning
+- Dependabot
+- Dependabot malware
+- secret scanning
+
+This repository provides:
+
+- a reusable `github-manage-security-alerts` skill (`SKILL.md`)
+- a Python CLI helper to inspect and triage alerts
+- GitHub automation for release/security hygiene
+
+---
+
+## What this skill can do
+
+With a GitHub token in an environment variable, you can:
+
+- summarize repository alert posture (`summary`)
+- export full alert snapshots for bulk triage (`export-alerts`)
+- list/show/update code scanning alerts
+- list/show/update Dependabot alerts
+- list/show/update malware alerts (Dependabot malware subset)
+- list/show/update secret scanning alerts
+- inspect secret locations and secret scan history
+- inspect repository security setup overview
+- perform bulk alert updates (`bulk-update-alerts`) with `--dry-run`
+- fall back to raw REST calls for unsupported endpoints (`api-call`)
+
+> The helper is repository-agnostic: pass `--repo` to any local checkout, or pass explicit `--repository owner/repo`.
+
+---
+
+## Repository layout
+
+```text
+SKILL.md
+agents/
+  openai.yaml
+assets/
+  github-manage-security-alerts-small.svg
+  github-manage-security-alerts.png
+scripts/
+  manage_github_security_alerts.py
+  github_security_api.py
+  github_security_cli.py
+  github_security_common.py
+  github_security_operations.py
+  github_security_render.py
+README.md
+CONTRIBUTING.md
+SECURITY.md
+CHANGELOG.md
+```
+
+---
+
+## Publishing
+
+The skill is packaged for GitHub releases and npm as `github-manage-security-alerts-skill`.
+
+For the first npm publish, publish locally once so the package exists:
+
+```powershell
+npm run release:verify
+npm publish
+```
+
+Then configure npm trusted publishing for staged publishing:
+
+- Organization or user: `Nick2bad4u`
+- Repository: `Github-Security-CodeScanning-Alerts-Skill`
+- Workflow filename: `release-skill.yml`
+- Allowed action: `npm stage publish`
+
+CLI equivalent:
+
+```powershell
+npm trust github "github-manage-security-alerts-skill" --repo "Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill" --file "release-skill.yml" --allow-stage-publish
+```
+
+After that, create releases from GitHub Actions by pushing a `vX.Y.Z` tag or running the `Release Skill Bundle` workflow manually with an explicit version. The workflow uses npm OIDC trusted publishing to stage the package and does not require an npm automation token.
+
+Approve the staged package after reviewing it:
+
+```powershell
+npm stage list "github-manage-security-alerts-skill"
+npm stage approve "<stage-id>"
+```
+
+---
+
+## Quick start
+
+### 1) Prerequisites
+
+- Python 3.10+
+- A GitHub token exported to an environment variable (recommended: `GITHUB_TOKEN`)
+
+### 2) Set your token (do not pass it on CLI)
+
+#### PowerShell
+
+```powershell
+$env:GITHUB_TOKEN = "<your-token>"
+```
+
+#### Bash
+
+```bash
+export GITHUB_TOKEN="<your-token>"
+```
+
+### 3) Run the helper
+
+From repository root:
+
+```powershell
+python "scripts/manage_github_security_alerts.py" summary --repo "."
+```
+
+Machine-readable output:
+
+```powershell
+python "scripts/manage_github_security_alerts.py" summary --repo "." --json
+```
+
+---
+
+## Common commands
+
+```powershell
+# Export full alert sets for triage
+python "scripts/manage_github_security_alerts.py" export-alerts --repo "." --json
+
+# List open high/error code scanning alerts
+python "scripts/manage_github_security_alerts.py" list-code-scanning --repo "." --state open --severity high,error
+
+# Dismiss a code scanning alert (dry-run first)
+python "scripts/manage_github_security_alerts.py" update-code-scanning --repo "." --alert 42 --state dismissed --dismissed-reason false_positive --comment "False positive after review." --dry-run
+
+# List open Dependabot alerts
+python "scripts/manage_github_security_alerts.py" list-dependabot --repo "." --state open
+
+# List open secret scanning alerts
+python "scripts/manage_github_security_alerts.py" list-secret-scanning --repo "." --state open
+
+# Bulk update (preview only)
+python "scripts/manage_github_security_alerts.py" bulk-update-alerts --repo "." --surface code-scanning --select-state open --target-state dismissed --dismissed-reason "false positive" --comment "Reviewed and intentionally dismissed." --limit 10 --dry-run --json
+```
+
+For the full command surface and workflows, see:
+
+- `SKILL.md`
+
+---
+
+## Security notes
+
+- Never paste tokens into command arguments or commit them to git.
+- Prefer environment variables and secret managers.
+- Use `--dry-run` before mutation and bulk mutation actions.
+
+More details: [`SECURITY.md`](./SECURITY.md)
+
+---
+
+## Contributing
+
+Contributions are welcome. Please read:
+
+- [`CONTRIBUTING.md`](./CONTRIBUTING.md)
+- [`CHANGELOG.md`](./CHANGELOG.md)
+
+---
+
+## Releases and downloads
+
+This repository includes a release workflow that creates a downloadable zip bundle:
+
+- Workflow: `.github/workflows/release-skill.yml`
+- Trigger:
+	- push a tag like `v0.1.0`
+	- run manually via **workflow_dispatch** with:
+		- `release_type`: `patch` / `minor` / `major`
+		- `version`: optional explicit `x.y.z` (overrides `release_type`)
+		- `ref`: branch to release from (default `main`)
+- Asset: `github-security-codescanning-alerts-skill-<tag>.zip`
+
+Examples:
+
+```powershell
+# Manual patch bump from main
+gh workflow run "Release Skill Bundle" -f release_type=patch -f ref=main
+
+# Manual explicit release version
+gh workflow run "Release Skill Bundle" -f release_type=patch -f version=0.2.0 -f ref=main
+```
+
+---
+
+## License
+
+Released under [The Unlicense](./LICENSE).

package/SECURITY.md

@@ -0,0 +1,41 @@
+# Security Policy
+
+## Supported scope
+
+This repository contains automation and helper scripts for GitHub repository security alert triage.
+
+Security-sensitive areas include:
+
+- credential/token handling
+- API mutation commands (`update-code-scanning`, `update-dependabot`, `update-secret-scanning`, `bulk-update-alerts`)
+- workflow automation that can post comments or update repository state
+
+## Reporting a vulnerability
+
+If you discover a vulnerability, please avoid opening a public issue with exploit details.
+
+Instead, contact the maintainer privately (for example via GitHub security reporting or direct private channel) and include:
+
+1. affected file(s) / workflow(s)
+2. reproducible steps
+3. impact assessment
+4. any suggested mitigation
+
+## Secret handling rules
+
+- Never hardcode GitHub tokens.
+- Never include tokens in command arguments.
+- Use environment variables (e.g. `GITHUB_TOKEN`, `GH_TOKEN`).
+- Prefer secret manager retrieval into environment variables.
+
+PowerShell example:
+
+```powershell
+$env:GITHUB_TOKEN = Get-Secret GITHUB_TOKEN -AsPlainText
+```
+
+## Operational safety
+
+- Use `--dry-run` for mutation commands before applying changes.
+- Verify target repository (`--repo` or `--repository owner/repo`) before running mutations.
+- Re-check state after changes (`summary`, list/show alert commands).

package/SKILL.md

@@ -0,0 +1,254 @@
+---
+name: "github-manage-security-alerts"
+description: "Use when a user asks to inspect, triage, bulk-fix, bulk-dismiss, dismiss, reopen, resolve, assign, summarize, export, or configure GitHub repository security alerts across repositories, including code scanning, Dependabot, Dependabot malware, and secret scanning; securely reads the GitHub token from environment variables such as GITHUB_TOKEN"
+license: "Unlicense"
+metadata:
+  short-description: "Inspect and triage GitHub security alerts"
+---
+
+# GitHub Security Alerts Management
+
+## Overview
+
+Use this skill when a user asks to inspect or manage GitHub repository security alerts, including:
+
+- code scanning alerts
+- Dependabot alerts
+- Dependabot malware alerts
+- secret scanning alerts
+- secret scanning alert locations
+- secret scanning scan history
+- repository security settings overview
+- raw GitHub security API inspection across repositories
+- bulk alert export for offline triage or reporting workflows
+- bulk alert mutation for high-volume cleanup workflows
+
+The bundled helper is repository-agnostic:
+
+- point `--repo` at any local checkout
+- let it auto-detect `owner/repo` and the GitHub host from the git remote
+- or pass `--repository owner/repo` explicitly
+- authenticate via environment variable instead of putting a token on the command line
+- optionally override the API base URL for custom environments
+
+## Compatibility
+
+Requires Python 3.
+Uses the GitHub REST API directly with a token supplied through an environment variable such as `GITHUB_TOKEN` or `GH_TOKEN`.
+Supports GitHub.com and standard GHES API base URL derivation from git remotes, with a raw API fallback for anything not wrapped yet.
+
+## Invocation hints
+
+Use `repo` when the target is a local checkout, defaulting to `.`.
+Use optional `repository` and `token_env` values when auto-detection is not enough.
+Common commands include `summary`, `export-alerts`, `bulk-update-alerts`, `repo-security-overview`, `list-code-scanning`, `show-code-scanning`, `update-code-scanning`, `list-dependabot`, `show-dependabot`, `update-dependabot`, `list-malware`, `show-malware`, `update-malware`, `list-secret-scanning`, `show-secret-scanning`, `update-secret-scanning`, `list-secret-locations`, `secret-scan-history`, and `api-call`.
+
+## Security model
+
+Do not paste GitHub tokens into command arguments.
+
+Preferred pattern:
+
+```powershell
+$env:GITHUB_TOKEN = Get-Secret GITHUB_TOKEN -AsPlainText
+```
+
+If a repository uses a different environment variable name, either export that variable first or pass the variable name with `--token-env`.
+
+Examples:
+
+```powershell
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" summary --repo "."
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" summary --repo "." --token-env GITHUB_TOKEN
+```
+
+## Inputs
+
+- `repo`: path inside the target repository checkout (default `.`)
+- `repository`: optional explicit `owner/repo` override
+- `api_base_url`: optional explicit API base URL override
+- `token_env`: optional environment variable name containing the token; repeatable for fallbacks
+- `json`: optional machine-readable output flag
+
+## Important note about malware alerts
+
+GitHub surfaces malware findings as **Dependabot malware alerts**.
+
+There is not a separate repository alert family with its own dedicated REST surface. The bundled helper therefore treats malware as a filtered subset of Dependabot alerts and cross-references each alert's advisory GHSA against the GitHub Advisory Database to identify advisories whose type is `malware`.
+
+That means:
+
+- `list-malware`, `show-malware`, and `update-malware` are backed by Dependabot alert APIs
+- malware classification is strongest on GitHub.com, where the advisory database endpoint is available
+- if advisory type lookup is unavailable on the target host, the helper reports that clearly instead of silently guessing
+
+## Quick start
+
+### 1. Inspect the current security state
+
+```powershell
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" summary --repo "."
+```
+
+### 2. View repository security settings overview
+
+```powershell
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" repo-security-overview --repo "."
+```
+
+### 2.5 Export the full alert sets for bulk triage
+
+```powershell
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" export-alerts --repo "." --json
+```
+
+### 3. List code scanning alerts
+
+```powershell
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" list-code-scanning --repo "." --state open --severity high,error
+```
+
+### 3.5 Bulk-dismiss or bulk-reopen alerts
+
+```powershell
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" bulk-update-alerts --repo "." --surface code-scanning --select-state open --target-state dismissed --dismissed-reason "false positive" --comment "Reviewed and intentionally dismissed." --limit 10 --dry-run --json
+
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" bulk-update-alerts --repo "." --surface dependabot --select-state open --target-state dismissed --dismissed-reason tolerable_risk --comment "Accepted until the next dependency refresh." --limit 25 --dry-run --json
+
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" bulk-update-alerts --repo "." --surface secret-scanning --select-state open --target-state resolved --resolution used_in_tests --limit 25 --dry-run --json
+```
+
+### 4. Dismiss or reopen a code scanning alert
+
+```powershell
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" update-code-scanning --repo "." --alert 42 --state dismissed --dismissed-reason false_positive --comment "False positive after manual review." --dry-run
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" update-code-scanning --repo "." --alert 42 --state open
+```
+
+### 5. List Dependabot alerts
+
+```powershell
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" list-dependabot --repo "." --state open --ecosystem npm --has patch
+```
+
+### 6. Dismiss or reopen a Dependabot alert
+
+```powershell
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" update-dependabot --repo "." --alert 7 --state dismissed --dismissed-reason tolerable_risk --comment "Accepted until next quarterly upgrade." --dry-run
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" update-dependabot --repo "." --alert 7 --state open
+```
+
+### 7. List malware alerts
+
+```powershell
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" list-malware --repo "." --state open
+```
+
+### 8. List secret scanning alerts safely
+
+```powershell
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" list-secret-scanning --repo "." --state open
+```
+
+Secret values are hidden by default.
+
+### 9. Resolve or reopen a secret scanning alert
+
+```powershell
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" update-secret-scanning --repo "." --alert 11 --state resolved --resolution revoked --comment "Token revoked and rotated." --dry-run
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" update-secret-scanning --repo "." --alert 11 --state open
+```
+
+### 10. Show secret locations and scan history
+
+```powershell
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" list-secret-locations --repo "." --alert 11
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" secret-scan-history --repo "."
+```
+
+### 11. Use the raw API fallback for anything not wrapped yet
+
+```powershell
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" api-call --repo "." --endpoint /repos/OWNER/REPO/code-scanning/default-setup
+```
+
+## Workflow
+
+1. Resolve authentication securely.
+   - Prefer an environment variable like `GITHUB_TOKEN`.
+   - If needed, load it from a secret manager into an environment variable first.
+   - Never print the token in logs or chat output.
+2. Resolve the target repository.
+   - Prefer `--repo` and auto-detection from git remote.
+   - Fall back to `--repository owner/repo` when the local checkout is unavailable or nonstandard.
+3. Inspect current findings.
+   - Run `summary` first.
+   - Use `export-alerts` when you need a fuller multi-surface JSON snapshot for bulk triage or external reporting.
+   - Use the list/show commands for the alert family you care about.
+   - Use `repo-security-overview` when the question is about enablement or available security settings.
+4. Classify findings.
+   - Fix real defects in code or dependency configuration when appropriate.
+   - Dismiss only when you have a clear justification.
+   - Reopen alerts when the earlier dismissal or resolution is no longer valid.
+   - Use `bulk-update-alerts` when a repository has dozens or hundreds of obviously mis-triaged alerts that need the same action.
+5. Apply mutations carefully.
+   - Prefer `--dry-run` first for risky changes.
+   - Add a short, actionable dismissal or resolution comment.
+   - Remember that write operations need the corresponding GitHub permissions.
+6. Verify the post-change state.
+   - Re-run the relevant list/show command.
+   - For code or dependency fixes, wait for the next GitHub analysis cycle if you expect the alert to disappear naturally.
+
+## Bundled resources
+
+### scripts/manage_github_security_alerts.py
+
+Repository-agnostic helper for GitHub repository security alerts.
+
+Supported commands:
+
+- `summary`
+- `export-alerts`
+- `bulk-update-alerts`
+- `repo-security-overview`
+- `list-code-scanning`
+- `show-code-scanning`
+- `update-code-scanning`
+- `list-dependabot`
+- `show-dependabot`
+- `update-dependabot`
+- `list-malware`
+- `show-malware`
+- `update-malware`
+- `list-secret-scanning`
+- `show-secret-scanning`
+- `update-secret-scanning`
+- `list-secret-locations`
+- `secret-scan-history`
+- `api-call`
+
+Implementation modules:
+
+- `github_security_api.py`
+- `github_security_cli.py`
+- `github_security_common.py`
+- `github_security_operations.py`
+- `github_security_render.py`
+
+Examples:
+
+```powershell
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" summary --repo "." --json
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" export-alerts --repo "." --json
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" bulk-update-alerts --repo "." --surface code-scanning --select-state open --target-state dismissed --dismissed-reason "false positive" --comment "Reviewed and intentionally dismissed." --limit 10 --dry-run --json
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" list-code-scanning --repo "." --state open --per-page 100 --json
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" update-code-scanning --repo "." --alert 42 --state dismissed --dismissed-reason false_positive --comment "False positive after review." --dry-run
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" list-dependabot --repo "." --state open --ecosystem npm --json
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" list-malware --repo "." --json
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" update-dependabot --repo "." --alert 7 --state dismissed --dismissed-reason tolerable_risk --comment "Accepted temporarily." --dry-run
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" list-secret-scanning --repo "." --state open --json
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" update-secret-scanning --repo "." --alert 11 --state resolved --resolution revoked --comment "Revoked and rotated." --dry-run
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" list-secret-locations --repo "." --alert 11 --json
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" secret-scan-history --repo "." --json
+python "<path-to-skill>/scripts/manage_github_security_alerts.py" api-call --repo "." --endpoint /repos/OWNER/REPO/dependabot/alerts --query-param state=open --json
+```

package/agents/openai.yaml

@@ -0,0 +1,7 @@
+interface:
+  display_name: "GitHub Manage Security Alerts"
+  short_description: "Inspect and triage GitHub security alerts"
+  icon_small: "./assets/github-manage-security-alerts-small.svg"
+  icon_large: "./assets/github-manage-security-alerts.png"
+  brand_color: "#24292F"
+  default_prompt: "Use $github-manage-security-alerts to inspect GitHub security alerts, summarize exposure, and apply safe triage actions."

package/assets/github-manage-security-alerts-small.svg

@@ -0,0 +1,10 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="400" height="400" viewBox="0 0 400 400" role="img" aria-labelledby="title desc">
+  <title id="title">GitHub Manage Security Alerts</title>
+  <desc id="desc">Security shield with alert rows.</desc>
+  <rect width="400" height="400" rx="88" fill="#f6f8fa"/>
+  <path d="M200 70 292 108v76c0 74-38 120-92 146-54-26-92-72-92-146v-76z" fill="#dbeafe" stroke="#24292f" stroke-width="16" stroke-linejoin="round"/>
+  <path d="M166 168h68M166 210h68" stroke="#24292f" stroke-width="16" stroke-linecap="round"/>
+  <circle cx="258" cy="168" r="12" fill="#dc2626"/>
+  <circle cx="258" cy="210" r="12" fill="#f59e0b"/>
+  <path d="m152 256 30 28 66-78" fill="none" stroke="#059669" stroke-width="18" stroke-linecap="round" stroke-linejoin="round"/>
+</svg>