Agent skill
dependabot-security
Fix Dependabot security vulnerabilities in Java/Gradle projects using severity-based processing, dependency substitution strategies, and dependency graph verification. Use when Dependabot alerts need resolution with proper CI validation.
Install this agent skill in your project:

```bash
npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/data/dependabot-security
```
Metadata
Additional technical details for this skill
- tags: java, gradle, security, dependabot, vulnerabilities, cve
- version: 2.0.0
- category: security
- technology: java
SKILL.md
Dependabot Security
Fix Dependabot security vulnerabilities in Java/Gradle projects with proper verification.
When to use this skill
- Resolving Dependabot security alerts
- Fixing CVE vulnerabilities in dependencies
- Verifying dependency graph for CI compliance
- Choosing the right fix strategy for transitive dependencies
- Understanding why the `dependency-review` CI check fails
- When asked to "fix dependabot vulnerabilities" or "fix security alerts"
Skill Contents
Sections
- When to use this skill
- Quick Start
- Key Concepts
- References
- Related Rules
- Related Skills
Available Resources
📚 references/ - Detailed documentation
- dependency graph
- fix strategies
- severity processing
- troubleshooting
Quick Start
1. Create Jira ticket first
See global/rules/jira-ticket-workflow.md for ticket creation.
2. Get alerts by severity
```bash
REPO=$(gh repo view --json nameWithOwner -q '.nameWithOwner')
# Filter server-side with ?state=open; per_page=100 keeps --paginate to as few requests as possible.
# first_patched_version is null when no fixed release exists yet, so patched_version may be null.
gh api --paginate "repos/$REPO/dependabot/alerts?state=open&per_page=100" --jq '.[] | {
  number,
  severity: .security_advisory.severity,
  package: .dependency.package.name,
  manifest: .dependency.manifest_path,
  vulnerable_range: .security_vulnerability.vulnerable_version_range,
  patched_version: .security_vulnerability.first_patched_version.identifier,
  cve: .security_advisory.cve_id,
  ghsa: .security_advisory.ghsa_id
}'
```
3. Fix by severity (CRITICAL first, then HIGH, MEDIUM, LOW)
See references/fix-strategies.md for strategy hierarchy.
4. Verify with dependency graph
```bash
# --dependency-verification=off only skips checksum/signature verification for this snapshot run;
# keep it out of the normal CI build.
./gradlew -I gradle/dependency-graph-init.gradle \
  --dependency-verification=off \
  :ForceDependencyResolutionPlugin_resolveAllDependencies
# Check that ONLY patched versions appear. If the vulnerable version is still listed,
# the fix is not visible to dependency-review even when the runtime classpath resolves correctly.
grep -i "package-name" build/reports/dependency-graph-snapshots/dependency-list.txt
```
5. Commit and create PR
```bash
git commit -m "🤖 🛡️ fix(security): [JIRA-KEY] resolve CRITICAL vulnerabilities"
```
Key Concepts
Severity-Based Processing
Process ONE severity level at a time, creating separate PRs for each:
| Priority | Severity | When to Process |
|---|---|---|
| 1 | CRITICAL | Always first |
| 2 | HIGH | After no CRITICAL |
| 3 | MEDIUM | After no HIGH |
| 4 | LOW | After no MEDIUM |
Dependency Graph vs Runtime Resolution
The dependency graph plugin submits every version that appears in the dependency graph to GitHub, not only the version Gradle finally selects at runtime. A force rule changes which version wins resolution but leaves the vulnerable version in the submitted graph, so the `dependency-review` check keeps failing. Use dependency substitution so the vulnerable version is no longer requested at all, then confirm with the grep in Quick Start step 4 that only the patched version is listed.
Fix Strategy Hierarchy
- BOM Update - Update Spring Boot, gRPC, Protobuf BOM versions
- Version Catalog - Update direct dependencies in `libs.versions.toml`
- Dependency Substitution - Replace transitive dependencies
- Constraints - Set minimum version floors
- Force Rules - Quick fix (combine with substitution)
- Exclude + Add - Last resort
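The strategies below BOM and version catalog, written out as one `build.gradle.kts`. This is an added example for this page, not the skill's own code or anything from its `references/` files. The coordinates `com.example:parser` (vulnerable 1.4.0, first patched 1.4.2), `com.example:client` and `com.example:app-bom` are placeholders, not real artifacts or a real advisory; the comments on what the graph snapshot records follow the Key Concepts note above.

```kotlin
// build.gradle.kts (hypothetical project, added example). Scenario: Dependabot reports the
// transitive dependency com.example:parser 1.4.0, first patched version 1.4.2, pulled in by
// the direct dependency com.example:client. All coordinates and versions are placeholders.

plugins {
    java
}

repositories {
    mavenCentral()
}

dependencies {
    // Strategies 1 and 2 (BOM, version catalog) live outside this block: bump the BOM imported
    // with platform(...) or the entry in gradle/libs.versions.toml, then rebuild the snapshot.
    implementation(platform("com.example:app-bom:3.1.0"))

    // Strategy 6 (Exclude + Add, last resort, shown only for the syntax): cut the transitive edge
    // from one direct dependency and declare the patched version yourself. This covers only this
    // one path to parser; substitution below covers every path, which is why it is preferred.
    implementation("com.example:client:2.0.0") {
        exclude(group = "com.example", module = "parser")
    }
    implementation("com.example:parser:1.4.2")

    // Strategy 4 (Constraints): a minimum version floor. Conflict resolution selects the highest
    // version requested on any path, so the floor raises old requests and never downgrades.
    constraints {
        implementation("com.example:parser:1.4.2") {
            because("Dependabot: parser < 1.4.2 is vulnerable; 1.4.2 is the first patched version")
        }
    }
}

configurations.all {
    resolutionStrategy {
        // Strategy 3 (Dependency Substitution): rewrites the requested module itself. With no
        // version on the substituted module, every requested version of parser is replaced, so
        // only 1.4.2 is requested and recorded and 1.4.0 drops out of the graph snapshot.
        dependencySubstitution {
            substitute(module("com.example:parser"))
                .using(module("com.example:parser:1.4.2"))
                .because("Dependabot alert on com.example:parser: replace every requested version with the patched release")
        }

        // Strategy 5 (Force Rules): decides which version wins at resolution time only. The
        // originally requested 1.4.0 can still be reported to GitHub, so keep force as a
        // belt-and-braces addition next to the substitution, never as the only fix.
        force("com.example:parser:1.4.2")
    }
}
```

After applying this, rerun the snapshot task from Quick Start step 4 and grep for `com.example:parser`; only 1.4.2 should be listed. If 1.4.0 still appears, some path is bypassing `configurations.all`, for example the `buildscript` classpath or an included build, which have their own configurations and need the same substitution declared there.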
References
| Reference | Description |
|---|---|
| references/fix-strategies.md | Detailed fix strategies with examples |
| references/severity-processing.md | Severity-based workflow |
| references/dependency-graph.md | Dependency graph plugin setup and verification |
| references/troubleshooting.md | Common issues and solutions |
Related Rules
- .cursor/rules/java-vulnerability-golden-paths.mdc - Proven fix patterns for common CVEs
- .cursor/rules/java-versions-and-dependencies.mdc - Version management policies
Related Skills
| Skill | Purpose |
|---|---|
| gradle-standards | Gradle configuration |
| sonarqube-integration | Code quality checks |
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
agent-ops-spec
Manage specification documents in .agent/specs/. Use when user provides requirements, acceptance criteria, or feature descriptions that need to be tracked and validated against implementation.
agent-ops-state
Maintain .agent state files. Use at session start, after meaningful steps, and before concluding: read/update constitution/memory/focus/issues/baseline consistently.
agent-ops-testing
Test strategy, execution, and coverage analysis. Use when designing tests, running test suites, or analyzing test results beyond baseline checks.