Skip to content

feat: investigate Dependabot security alerts#35

Open
groovecoder wants to merge 10 commits into
mainfrom
investigate-dependabot-security-alerts
Open

feat: investigate Dependabot security alerts#35
groovecoder wants to merge 10 commits into
mainfrom
investigate-dependabot-security-alerts

Conversation

@groovecoder
Copy link
Copy Markdown
Member

@groovecoder groovecoder commented May 4, 2026

Add alert discovery in sweep, investigation workflow, and post-action routing (bump PR for non-affected, private fork for affected).

Closes #4

groovecoder added 2 commits May 4, 2026 16:35
@groovecoder
feat: investigate Dependabot security alerts
b917278 
Add alert discovery in sweep, investigation workflow, and post-action
routing (bump PR for non-affected, private fork for affected).

Closes #4
@groovecoder
feat: auto-dismiss non-affected alerts and post summary report
126e8d4 
Repos can opt in via `investigate.dismiss_not_affected: true` in their
.blender/blender.yml. When enabled, BLEnder dismisses Dependabot alerts
as "inaccurate" instead of opening bump PRs for non-affected packages.

Every investigation now posts a row to a tracking issue on the target
repo. The issue is created on the first run, then reused. Each row is
a comment (not a body edit) to avoid races when many workflows run
concurrently.
groovecoder
groovecoder commented May 5, 2026
View reviewed changes
Comment thread scripts/sweep.py
Comment thread scripts/sweep.py Outdated
Comment thread scripts/sweep.py
Comment thread scripts/gather-alert-context.sh Outdated
Comment thread scripts/post_alert_action.py Outdated
Comment thread scripts/post_alert_action.py Outdated
Comment thread scripts/post_alert_action.py Outdated
@groovecoder
fix: address PR #35 review feedback
38597a2 
Replace tracking issue with JSON artifact to avoid exposing alert
details on public repos. Remove open_bump_pr (no file changes made it
useless). Rename "not affected" to "unaffected" everywhere. Extract
shared sanitize_for_prompt into scripts/sanitize.sh. Fix "dedup"
jargon in sweep.py comments.
groovecoder
groovecoder commented May 6, 2026
View reviewed changes
Comment thread scripts/post_alert_action.py Outdated
@groovecoder
fix: generate HTML summary report with code snippets
8c49464 
Replace JSON artifact with a styled HTML report. The report shows
alert metadata, verdict, and source code snippets for each vulnerable
path identified during investigation. Styled like a coverage report
for easy in-browser review.
groovecoder
groovecoder commented May 6, 2026
View reviewed changes
Comment thread scripts/post_alert_action.py Outdated
groovecoder added 3 commits May 5, 2026 21:17
@groovecoder
refactor: extract HTML report into scripts/alert_report.py
8752094 
Move read_code_snippet, render_html, and write_summary out of
post_alert_action.py into a dedicated module. Keeps the action
script focused on orchestration.
@groovecoder
fix: move actions:write permission to job level
2dbe2dd 
zizmor flagged workflow-level actions:write as overly broad. Only the
investigate job needs it for upload-artifact.
@groovecoder
fix: redact affected alert reports for public artifact safety
581e87d 
GitHub Actions artifacts on public repos are world-readable. For
affected alerts, the report now omits the reason and code paths.
Those details live in the private security advisory instead.
Unaffected reports keep the full analysis — nothing sensitive there.
@groovecoder
Copy link
Copy Markdown
Member Author

groovecoder commented May 6, 2026

Note: this workflow requires the blender app to have additional permissions:

  • Vulnerability alerts: write (read/dismiss Dependabot alerts)
  • Security events: write (create security advisories + private forks)

I'm working with Mozilla GitHub admins on it.

@groovecoder groovecoder marked this pull request as ready for review May 6, 2026 13:01
@groovecoder @claude
fix: block auto-dismiss for high/critical severity alerts
d742b39 
High and critical alerts now require human review before dismissal,
even when dismiss_unaffected is enabled. Only low and medium severity
alerts are auto-dismissed. Addresses security team feedback.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@groovecoder
Copy link
Copy Markdown
Member Author

groovecoder commented May 7, 2026

Filed https://bugzilla.mozilla.org/show_bug.cgi?id=2038058 for the additional app perms.

@groovecoder
fix: extract verdict from Claude text output
5c9f43d 
Claude Code in sandbox mode doesn't reliably write files via tools.
Instead, the prompt now tells Claude to output a VERDICT_JSON fenced
block. extract_alert_verdict.py parses it from the Claude output log
and writes .blender-alert-verdict.json outside the sandbox.

Also fixes app token permissions, sys.path for module resolution,
and the investigate prompt turn budget.
@groovecoder
feat: step summaries, bump PRs, and deduplication
5cc18eb 
Replace HTML artifact with inline step summary and ::notice:: annotation.
Add create_bump_pr to open PRs directly (the Dependabot security-updates
API endpoint returns 404). Detect existing Dependabot and BLEnder PRs
to avoid duplicates. Add investigate-all-alerts.sh convenience script.
@groovecoder groovecoder force-pushed the investigate-dependabot-security-alerts branch from 64392a5 to 5cc18eb Compare May 19, 2026 14:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feat(security): add workflow to investigate impact of dependabot security alerts

1 participant

@groovecoder