Agent skill

cve-triage

Help users triage and prioritize CVE findings from INFYNON package scans. Use when the user has CVE scan results and needs to decide what to fix, what to defer, or how to handle a specific vulnerability. Covers severity interpretation, fix strategies, safe version selection, and handling false positives.

Stars 5
Forks 0

Install this agent skill to your Project

npx add-skill https://github.com/d4rkNinja/code-guardian/tree/main/infynon-pkg/skills/cve-triage

SKILL.md

INFYNON CVE Triage Guide

You are helping the user interpret and act on CVE scan results from infynon pkg scan.


Get the Scan Results First

```bash
# Human-readable output
infynon pkg scan

# Machine-readable JSON (better for triage decisions)
infynon pkg scan --agent
```

Severity Decision Matrix

When you see CVE findings, use this priority framework:

| Severity | CVSS | Action | Timeline |
|---|---|---|---|
| CRITICAL | 9.0–10.0 | Fix immediately — block deploy | Now |
| HIGH | 7.0–8.9 | Fix before next release | Within 24h |
| MEDIUM | 4.0–6.9 | Schedule fix in current sprint | Within 1 week |
| LOW | 0.1–3.9 | Fix at next dependency update | Next sprint |
| INFORMATIONAL | 0.0 | Review, likely ignore | Backlog |

Fix Commands — By Severity

Fix CRITICAL + HIGH immediately

```bash
# See what safe versions are available
infynon pkg scan --agent | jq '.vulnerabilities[] | {package, cve_id, severity, safe_version, fix_cmd}'

# Auto-fix all vulnerable packages
infynon pkg fix --auto

# Fix a specific package
infynon pkg npm install lodash@4.17.21 --strict high      # npm
infynon pkg pip install requests==2.31.0 --strict high    # pip
infynon pkg cargo add serde@1.0.196 --strict high         # cargo
```

Upgrade to the safe version shown in scan output

Each CVE finding includes a safe_version and fix_cmd field:

```json
{
  "package": "lodash",
  "cve_id": "CVE-2021-23337",
  "severity": "HIGH",
  "safe_version": "4.17.21",
  "fix_cmd": "npm install lodash@4.17.21"
}
```

Use the fix_cmd through INFYNON:

```bash
# Take the fix_cmd from the scan output and prefix it with `infynon pkg`
infynon pkg npm install lodash@4.17.21 --strict high
```

Batch auto-fix

```bash
infynon pkg fix --auto                        # Auto-upgrade all detected vulnerabilities
infynon pkg fix --auto --pkg-file Cargo.lock  # Fix a specific lock file
```

Triage Questions to Ask

For each CRITICAL or HIGH CVE:

  1. Is this package reachable from user input?
     • If yes: fix now (exploitable attack surface)
     • If no (build-only dep): lower priority
  2. Does a safe version exist?
     • Check the safe_version field in the scan output
     • If no safe version: consider removing the package or finding an alternative (infynon pkg search)
  3. Is this a transitive dependency?

     ```bash
     infynon pkg why <vulnerable-package>
     # Shows which of your direct deps pulls it in
     ```

     • If transitive: upgrade the parent package first
  4. Is there a breaking change in the safe version?

     ```bash
     infynon pkg diff <package> <current-version> <safe-version>
     # Shows what changed between versions
     ```

Handling Specific Situations

"I can't upgrade — the safe version has breaking changes"

```bash
# Option 1: Check if there's a patch release that fixes only the CVE
infynon pkg diff express 4.17.0 4.18.2

# Option 2: Find an alternative package
infynon pkg search "http server" --ecosystem npm

# Option 3: Use --skip-vulnerable in CI to at least block new vulnerable installs
# while you plan the migration
infynon pkg npm install --skip-vulnerable
```

"I have 50 CVEs — where do I start?"

```bash
# Get a prioritized list: critical first, then high.
# Sorting the severity strings alphabetically would put MEDIUM first,
# so rank the bands explicitly.
infynon pkg scan --agent | jq -r '
  {CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3, INFORMATIONAL: 4} as $rank
  | .vulnerabilities
  | sort_by($rank[.severity] // 5)
  | .[] | "\(.severity) \(.package) \(.cve_id) — fix: \(.fix_cmd)"
'
```

Focus on:

  1. All CRITICAL first
  2. HIGH in packages exposed to user input
  3. MEDIUM in the same sprint
  4. LOW at next update cycle
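As an added example (not part of the INFYNON project or this skill), a small Python script that applies the severity matrix and the triage questions above to the JSON that `infynon pkg scan --agent` emits: it ranks findings CRITICAL first, then user-reachable before build-only within a band with dev-only dependencies last, and picks the fix route (fix_cmd run through INFYNON, or replace when no safe version exists). The scan sample, the non-lodash package names and CVE-EXAMPLE ids, and the reachable/dev context are constructed assumptions.

```python
import json
# Severity matrix from this guide: rank (lower = fix first) and timeline.
MATRIX = {
    "CRITICAL": (0, "now (block deploy)"),
    "HIGH": (1, "within 24h"),
    "MEDIUM": (2, "within 1 week"),
    "LOW": (3, "next sprint"),
    "INFORMATIONAL": (4, "backlog"),
}

# Constructed sample shaped like `infynon pkg scan --agent` output (made-up packages/CVE ids).
SAMPLE_SCAN = json.dumps({"vulnerabilities": [
    {"package": "lodash", "cve_id": "CVE-2021-23337", "severity": "HIGH",
     "safe_version": "4.17.21", "fix_cmd": "npm install lodash@4.17.21"},
    {"package": "build-tool", "cve_id": "CVE-EXAMPLE-0002", "severity": "CRITICAL",
     "safe_version": "2.0.0", "fix_cmd": "npm install build-tool@2.0.0"},
    {"package": "old-parser", "cve_id": "CVE-EXAMPLE-0003", "severity": "HIGH",
     "safe_version": None, "fix_cmd": None},
    {"package": "yaml-lib", "cve_id": "CVE-EXAMPLE-0004", "severity": "MEDIUM",
     "safe_version": "3.1.0", "fix_cmd": "npm install yaml-lib@3.1.0"},
]})

# Assumed per-package context you fill in (from `infynon pkg why`, your manifest, your code paths).
SAMPLE_CONTEXT = {
    "lodash": {"reachable": True, "dev": False},
    "build-tool": {"reachable": False, "dev": True},
    "old-parser": {"reachable": True, "dev": False},
    "yaml-lib": {"reachable": False, "dev": False},
}

def plan_action(finding):
    """Fix route from this guide: run fix_cmd through INFYNON, or replace the package."""
    if finding.get("safe_version"):
        return f"infynon pkg {finding['fix_cmd']} --strict high"
    return "no safe version: remove it or find an alternative (infynon pkg search)"

def triage(scan_json, context):
    """Order findings: severity band first; within a band, user-reachable
    before build-only, and dev-only dependencies last."""
    findings = json.loads(scan_json)["vulnerabilities"]
    def key(f):
        ctx = context.get(f["package"], {"reachable": True, "dev": False})
        return (MATRIX.get(f["severity"], (5,))[0], not ctx["reachable"], ctx["dev"])
    return [{"package": f["package"], "cve_id": f["cve_id"], "severity": f["severity"],
             "timeline": MATRIX.get(f["severity"], (5, "review"))[1],
             "action": plan_action(f)} for f in sorted(findings, key=key)]

if __name__ == "__main__":
    for r in triage(SAMPLE_SCAN, SAMPLE_CONTEXT):
        print(f"{r['severity']:<9} {r['package']:<11} {r['cve_id']:<17} {r['timeline']:<19} {r['action']}")
```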

"I have CVEs in dev dependencies only"

Dev dependencies (test frameworks, linters, build tools) are generally lower risk — they never run in production. Still fix them to:

  • Keep your security posture clean
  • Prevent toolchain compromise (supply-chain attacks)
  • Avoid CI/CD pipeline exploitation

"The same CVE keeps appearing after I fix it"

```bash
# Check if it's pulled in transitively by a different parent
infynon pkg why <package>

# Check that your lock file is actually updated
infynon pkg scan --pkg-file package-lock.json
```

Export Reports for Compliance

```bash
infynon pkg scan --output markdown    # Markdown report
infynon pkg scan --output pdf         # PDF report
infynon pkg scan --output both        # Both formats
```

Reports include: package name, CVE ID, severity, description, affected version, safe version, fix command.


Set Up Automated CVE Gating in CI

After triage, lock in your accepted risk level with CI gates:

```bash
# Block critical + high (recommended default)
infynon pkg npm install --strict high

# Only block critical (more permissive)
infynon pkg npm install --strict critical

# Block all vulnerabilities (zero tolerance)
infynon pkg npm install --strict all
```

Useful Audit Commands

```bash
infynon pkg audit                     # Full dependency tree with CVE annotations
infynon pkg why <package>             # Trace who pulls in a package
infynon pkg outdated                  # Find packages with newer versions available
infynon pkg doctor                    # Health check: duplicates, unused, phantom deps
infynon pkg diff <pkg> <v1> <v2>      # See what changed between versions
```
