npm - github-manage-security-alerts-skill - Versions diffs - 1.0.1 → 1.0.3 - Mend

github-manage-security-alerts-skill 1.0.1 → 1.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CONTRIBUTING.md CHANGED Viewed

@@ -1,10 +1,10 @@
-## Contributing to GitHub Security Alerts Skill
+# Contributing to GitHub Security Alerts Skill
 Thanks for contributing.
 This repository is primarily a skill + helper tooling repo, so high-signal docs and safe defaults matter as much as code changes.
-### Development setup
+## Development setup
 1. Clone the repository.
 2. Ensure Python 3.10+ is available.
@@ -17,31 +17,31 @@ python -m venv .venv
 .\.venv\Scripts\Activate.ps1
 ```
-### Local sanity checks
+## Local sanity checks
 From repo root, run:
 ```powershell
-python -m compileall ".github/skills/github-manage-security-alerts/scripts"
-python ".github/skills/github-manage-security-alerts/scripts/manage_github_security_alerts.py" --help
+python -m compileall "scripts"
+python "scripts/manage_github_security_alerts.py" --help
 ```
 If you touched command behavior, include example command invocations and expected output snippets in your PR description.
-### Security requirements
+## Security requirements
 - **Do not** commit secrets.
 - **Do not** pass GitHub tokens as CLI literals.
 - Use environment variables (`GITHUB_TOKEN`, `GH_TOKEN`, or `--token-env`).
 - Prefer `--dry-run` for mutation commands in docs/examples.
-### Commit messages
+## Commit messages
 This repo includes commit message conventions in:
-- `.github/copilot-commit-message-instructions.md`
+- `.github/agent-commit-message-instructions.md`
-### Pull request checklist
+## Pull request checklist
 - [ ] Documentation updated (README/SKILL/help text as needed)
 - [ ] Commands in docs are still valid

package/README.md CHANGED Viewed

@@ -2,7 +2,7 @@
 [![latest GitHub release.](https://flat.badgen.net/github/release/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill?color=cyan)](https://github.com/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill/releases) [![GitHub stars.](https://flat.badgen.net/github/stars/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill?color=yellow)](https://github.com/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill/stargazers) [![GitHub forks.](https://flat.badgen.net/github/forks/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill?color=green)](https://github.com/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill/forks) [![GitHub open issues.](https://flat.badgen.net/github/open-issues/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill?color=red)](https://github.com/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill/issues) [![GitHub PRs.](https://flat.badgen.net/github/open-prs/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill?color=orange)](https://github.com/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill/pulls?q=sort%3Aupdated-desc+is%3Apr+is%3Aopen) [![GitHub license](https://flat.badgen.net/github/license/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill?color=purple)](https://github.com/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill/blob/main/LICENSE) [![GitHub Dependabot](https://flat.badgen.net/github/dependabot/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill?color=blue)](https://github.com/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill/network/updates)
-A Copilot / AI skill for inspecting and managing GitHub repository security alerts across:
+An open-agent skill for inspecting and managing GitHub repository security alerts across:
 - code scanning
 - Dependabot
@@ -60,39 +60,36 @@ CHANGELOG.md
 ---
-## Publishing
+## Agent compatibility
-The skill is packaged for GitHub releases and npm as `github-manage-security-alerts-skill`.
+This is a root `SKILL.md` package. `npx skills` can install it directly from GitHub, and `npx skills experimental_sync` can discover it from `node_modules` because the npm package ships `SKILL.md` at the package root.
-For the first npm publish, publish locally once so the package exists:
+Use `--agent universal` for agents that consume the shared `.agents/skills` layout. Use `--agent "*"` only when you intentionally want to install to every supported agent directory.
 ```powershell
-npm run release:verify
-npm publish
+npx skills add Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill -g --agent universal -y
+npx skills add Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill -g --agent "*" -y
+npm install --save-dev github-manage-security-alerts-skill
+npx skills experimental_sync --agent universal -y
 ```
-Then configure npm trusted publishing for staged publishing:
+OpenAI-specific display metadata lives in `agents/openai.yaml`. The portable skill contract is `SKILL.md` plus the referenced `assets/` and `scripts/` files.
-- Organization or user: `Nick2bad4u`
-- Repository: `Github-Security-CodeScanning-Alerts-Skill`
-- Workflow filename: `release-skill.yml`
-- Allowed action: `npm stage publish`
-CLI equivalent:
+---
-```powershell
-npm trust github "github-manage-security-alerts-skill" --repo "Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill" --file "release-skill.yml" --allow-stage-publish
-```
+## Publishing
-After that, create releases from GitHub Actions by pushing a `vX.Y.Z` tag or running the `Release Skill Bundle` workflow manually with an explicit version. The workflow uses npm OIDC trusted publishing to stage the package and does not require an npm automation token.
+The skill is packaged for GitHub releases and npm as `github-manage-security-alerts-skill`.
-Approve the staged package after reviewing it:
+Verify the package locally before publishing:
 ```powershell
-npm stage list "github-manage-security-alerts-skill"
-npm stage approve "<stage-id>"
+npm run release:verify
+npm publish --access public --provenance
 ```
+GitHub Actions publishes with npm OIDC trusted publishing using `npm publish --access public --provenance`. Configure the npm package trusted publisher for repository `Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill` and workflow `.github/workflows/release-skill.yml`. The workflow intentionally does not use `npm stage` commands.
 ---
 ## Quick start
@@ -185,11 +182,11 @@ This repository includes a release workflow that creates a downloadable zip bund
 - Workflow: `.github/workflows/release-skill.yml`
 - Trigger:
-	- push a tag like `v0.1.0`
-	- run manually via **workflow_dispatch** with:
-		- `release_type`: `patch` / `minor` / `major`
-		- `version`: optional explicit `x.y.z` (overrides `release_type`)
-		- `ref`: branch to release from (default `main`)
+  - push a tag like `v0.1.0`
+  - run manually via **workflow_dispatch** with:
+    - `release_type`: `patch` / `minor` / `major`
+    - `version`: optional explicit `x.y.z` (overrides `release_type`)
+    - `ref`: branch to release from (default `main`)
 - Asset: `github-security-codescanning-alerts-skill-<tag>.zip`
 Examples:

package/SKILL.md CHANGED Viewed

@@ -1,9 +1,8 @@
 ---
-name: "github-manage-security-alerts"
-description: "Use when a user asks to inspect, triage, bulk-fix, bulk-dismiss, dismiss, reopen, resolve, assign, summarize, export, or configure GitHub repository security alerts across repositories, including code scanning, Dependabot, Dependabot malware, and secret scanning; securely reads the GitHub token from environment variables such as GITHUB_TOKEN"
+name: github-manage-security-alerts
+description: Use when the user asks to inspect, triage, summarize, export, or safely update GitHub security alerts for code scanning, Dependabot, malware, or secret scanning.
 license: "Unlicense"
-metadata:
-  short-description: "Inspect and triage GitHub security alerts"
+metadata: { "short-description": "Inspect and triage GitHub security alerts" }
 ---
 # GitHub Security Alerts Management
@@ -29,7 +28,7 @@ The bundled helper is repository-agnostic:
 - let it auto-detect `owner/repo` and the GitHub host from the git remote
 - or pass `--repository owner/repo` explicitly
 - authenticate via environment variable instead of putting a token on the command line
-- optionally override the API base URL for custom environments
+- optionally override the API or web base URL for custom environments
 ## Compatibility
@@ -40,12 +39,13 @@ Supports GitHub.com and standard GHES API base URL derivation from git remotes,
 ## Invocation hints
 Use `repo` when the target is a local checkout, defaulting to `.`.
-Use optional `repository` and `token_env` values when auto-detection is not enough.
+Use optional `repository`, `api_base_url`, `web_base_url`, and `token_env` values when auto-detection is not enough.
 Common commands include `summary`, `export-alerts`, `bulk-update-alerts`, `repo-security-overview`, `list-code-scanning`, `show-code-scanning`, `update-code-scanning`, `list-dependabot`, `show-dependabot`, `update-dependabot`, `list-malware`, `show-malware`, `update-malware`, `list-secret-scanning`, `show-secret-scanning`, `update-secret-scanning`, `list-secret-locations`, `secret-scan-history`, and `api-call`.
 ## Security model
 Do not paste GitHub tokens into command arguments.
+Do not use `--show-secret-values` unless the user explicitly asks for unredacted secret values and confirms the exposure risk. Prefer redacted alert metadata, secret locations, validity, and resolution state. If unredacted output is required for remediation, do not paste secret material into chat, issue comments, PRs, commits, logs, or saved reports.
 Preferred pattern:
@@ -67,6 +67,7 @@ python "<path-to-skill>/scripts/manage_github_security_alerts.py" summary --repo
 - `repo`: path inside the target repository checkout (default `.`)
 - `repository`: optional explicit `owner/repo` override
 - `api_base_url`: optional explicit API base URL override
+- `web_base_url`: optional explicit web base URL override for rendered links
 - `token_env`: optional environment variable name containing the token; repeatable for fallbacks
 - `json`: optional machine-readable output flag
@@ -74,13 +75,13 @@ python "<path-to-skill>/scripts/manage_github_security_alerts.py" summary --repo
 GitHub surfaces malware findings as **Dependabot malware alerts**.
-There is not a separate repository alert family with its own dedicated REST surface. The bundled helper therefore treats malware as a filtered subset of Dependabot alerts and cross-references each alert's advisory GHSA against the GitHub Advisory Database to identify advisories whose type is `malware`.
+GitHub does not provide a separate repository alert family with its own dedicated REST surface. The bundled helper therefore treats malware as a filtered subset of Dependabot alerts and cross-references each alert's advisory GHSA against the GitHub Advisory Database to identify advisories whose type is `malware`.
 That means:
 - `list-malware`, `show-malware`, and `update-malware` are backed by Dependabot alert APIs
 - malware classification is strongest on GitHub.com, where the advisory database endpoint is available
-- if advisory type lookup is unavailable on the target host, the helper reports that clearly instead of silently guessing
+- if advisory type lookup is unavailable on the target host, the helper reports that state instead of silently guessing
 ## Quick start
@@ -150,7 +151,7 @@ python "<path-to-skill>/scripts/manage_github_security_alerts.py" list-malware -
 python "<path-to-skill>/scripts/manage_github_security_alerts.py" list-secret-scanning --repo "." --state open
 ```
-Secret values are hidden by default.
+Secret values are hidden by default. Keep that default unless the user explicitly confirms that unredacted secret output is necessary.
 ### 9. Resolve or reopen a secret scanning alert
@@ -190,7 +191,7 @@ python "<path-to-skill>/scripts/manage_github_security_alerts.py" api-call --rep
    - Fix real defects in code or dependency configuration when appropriate.
    - Dismiss only when you have a clear justification.
    - Reopen alerts when the earlier dismissal or resolution is no longer valid.
-   - Use `bulk-update-alerts` when a repository has dozens or hundreds of obviously mis-triaged alerts that need the same action.
+   - Use `bulk-update-alerts` when a repository has dozens or hundreds of already-reviewed, mis-triaged alerts that need the same action.
 5. Apply mutations carefully.
    - Prefer `--dry-run` first for risky changes.
    - Add a short, actionable dismissal or resolution comment.

package/agents/openai.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 interface:
-  display_name: "GitHub Manage Security Alerts"
-  short_description: "Inspect and triage GitHub security alerts"
-  icon_small: "./assets/github-manage-security-alerts-small.svg"
-  icon_large: "./assets/github-manage-security-alerts.png"
-  brand_color: "#24292F"
-  default_prompt: "Use $github-manage-security-alerts to inspect GitHub security alerts, summarize exposure, and apply safe triage actions."
+    display_name: "GitHub Manage Security Alerts"
+    short_description: "Inspect and triage GitHub security alerts"
+    icon_small: "./assets/github-manage-security-alerts-small.svg"
+    icon_large: "./assets/github-manage-security-alerts.png"
+    brand_color: "#24292F"
+    default_prompt: "Use $github-manage-security-alerts to inspect GitHub security alerts, summarize exposure, and apply safe triage actions."

package/package.json CHANGED Viewed

@@ -1,50 +1,85 @@
 {
-  "name": "github-manage-security-alerts-skill",
-  "version": "1.0.1",
-  "private": false,
-  "description": "Codex skill for inspecting and triaging GitHub security alerts.",
-  "license": "Unlicense",
-  "type": "module",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill.git"
-  },
-  "bugs": {
-    "url": "https://github.com/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill/issues"
-  },
-  "homepage": "https://github.com/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill#readme",
-  "keywords": [
-    "agent-skill",
-    "code-scanning",
-    "codex",
-    "dependabot",
-    "github-security",
-    "openai",
-    "secret-scanning"
-  ],
-  "files": [
-    "SKILL.md",
-    "LICENSE.txt",
-    "agents/",
-    "assets/",
-    "scripts/",
-    "CHANGELOG.md",
-    "CONTRIBUTING.md",
-    "README.md",
-    "SECURITY.md"
-  ],
-  "engines": {
-    "node": ">=22.14"
-  },
-  "scripts": {
-    "validate": "node tools/validate-skill-package.mjs",
-    "pack:dry-run": "npm pack --dry-run",
-    "publish:local": "npm run release:verify && npm publish --access public",
-    "release:verify": "npm run validate && npm run pack:dry-run"
-  },
-  "codexSkill": {
-    "name": "github-manage-security-alerts",
-    "path": ".",
-    "githubReleaseAssetPrefix": "github-security-codescanning-alerts-skill"
-  }
+    "name": "github-manage-security-alerts-skill",
+    "version": "1.0.3",
+    "private": false,
+    "description": "Codex skill for inspecting and triaging GitHub security alerts.",
+    "keywords": [
+        "agent-skill",
+        "agent-skills",
+        "ai-agent",
+        "claude-code",
+        "code-scanning",
+        "codex",
+        "cursor",
+        "dependabot",
+        "gemini-cli",
+        "github-copilot",
+        "github-security",
+        "openai",
+        "openclaw",
+        "opencode",
+        "secret-scanning",
+        "universal",
+        "zed"
+    ],
+    "homepage": "https://github.com/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill#readme",
+    "bugs": {
+        "url": "https://github.com/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill/issues"
+    },
+    "repository": {
+        "type": "git",
+        "url": "git+https://github.com/Nick2bad4u/Github-Security-CodeScanning-Alerts-Skill.git"
+    },
+    "license": "Unlicense",
+    "author": "Nick2bad4u <20943337+Nick2bad4u@users.noreply.github.com> (https://github.com/Nick2bad4u)",
+    "contributors": [
+        {
+            "name": "Nick2bad4u",
+            "email": "20943337+Nick2bad4u@users.noreply.github.com",
+            "url": "https://github.com/Nick2bad4u"
+        }
+    ],
+    "type": "module",
+    "files": [
+        "SKILL.md",
+        "LICENSE.txt",
+        "agents/",
+        "assets/",
+        "scripts/",
+        "CHANGELOG.md",
+        "CONTRIBUTING.md",
+        "README.md",
+        "SECURITY.md"
+    ],
+    "scripts": {
+        "lint:package-json": "npmPkgJsonLint . --config .npmpackagejsonlintrc.json",
+        "lint:remark": "remark . --frail --ignore-path .remarkignore",
+        "lint:remark:fix": "remark . --ignore-path .remarkignore --output",
+        "pack:dry-run": "npm pack --dry-run",
+        "publish:local": "npm run release:verify && npm publish --access public",
+        "release:verify": "npm run validate && npm run pack:dry-run",
+        "update-actions": "npx actions-up --yes --style sha",
+        "validate": "node tools/validate-skill-package.mjs"
+    },
+    "devDependencies": {
+        "npm-package-json-lint": "^10.4.1",
+        "npm-package-json-lint-config-nick2bad4u": "^1.0.3",
+        "prettier": "^3.9.0",
+        "prettier-config-nick2bad4u": "^1.0.18",
+        "remark": "^15.0.1",
+        "remark-cli": "^12.0.1",
+        "remark-config-nick2bad4u": "^1.1.2"
+    },
+    "engines": {
+        "node": ">=22.14"
+    },
+    "publishConfig": {
+        "provenance": true,
+        "registry": "https://registry.npmjs.org/"
+    },
+    "codexSkill": {
+        "name": "github-manage-security-alerts",
+        "path": ".",
+        "githubReleaseAssetPrefix": "github-security-codescanning-alerts-skill"
+    }
 }