CVE remediation

Watch the CVE feeds for the dependencies you actually use, propose fixes as PRs, and let humans approve before anything lands. Read CVE → match → branch → PR → notify.

[Diagram: 09 · Security · CVE remediation. Sources (GitHub, CVE feed, k8s) → trigger (feed + daily) → Agentcy CVE-triage agent → patch PR → Output (PR + Slack). Context Graph tribal knowledge: dep ↔ repo map · per-repo cooldowns · waiver list.]

At a glance

  • Inputs: NVD / OSV CVE feeds, GitHub repos (manifests + lockfiles), Kubernetes (running images).
  • Trigger: cron daily + on-demand webhook on CVE feed update.
  • Output: One PR per affected repo, summary in #security, audit trail in the policy log.
  • Gates: every PR creation runs through approval; destructive ops (force-push, base-branch changes) blocked by policy.

Stack

| Layer | What we use |
| --- | --- |
| Triggers | Webhook trigger on CVE feed; Cron daily 08:00 UTC |
| Connectors | GitHub, Kubernetes, CVE feed (HTTP via openapi connector) |
| Agent | CVE-triage agent with skills for SemVer constraints + ecosystem-specific patch recipes |
| Policies | Rego: deny force-push; require approval for any branch ref change; deny PRs against main outside business hours |
| Output | GitHub PR + Slack #security |

What you'll build

  1. A scheduled task that pulls the last 24h of CVEs from NVD/OSV.
  2. For each CVE, the agent searches the org's repos and Kubernetes images for affected packages.
  3. For each match, the agent creates a branch, bumps the dependency to the patched version, and opens a PR.
  4. The PR description summarizes the CVE (severity, CVSS, exploit availability), what changed, and the suggested test plan.
  5. Slack #security gets a daily digest.
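
An added example (not Agentcy's own code) of the match step in items 2 and 3: it evaluates an OSV advisory's range events against the versions pinned in a package-lock.json and proposes either a bump or a "no upstream patch" entry. The advisory, lockfile and branch suffix are constructed; versions are assumed to be plain numeric x.y.z, and only `introduced`/`fixed` events are handled.

```python
import json

# Constructed OSV-style record; the id is a placeholder, not a real advisory.
ADVISORY = {"id": "EXAMPLE-0001", "affected": [{
    "package": {"ecosystem": "npm", "name": "lodash"},
    "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "4.17.21"}]}]}]}

# Constructed package-lock.json in the lockfileVersion 3 layout.
LOCKFILE = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-service"},
    "node_modules/lodash": {"version": "4.17.20"},
    "node_modules/axios": {"version": "1.7.4"}}})

def vkey(version):
    """Sort key for plain numeric x.y.z versions (pre-release tags unsupported)."""
    return tuple(int(part) for part in version.split("."))

def evaluate(events, installed):
    """Walk ordered OSV events; return (vulnerable, fix closing that interval)."""
    vulnerable, fix = False, None
    for ev in events:
        if "introduced" in ev and vkey(installed) >= vkey(ev["introduced"]):
            vulnerable, fix = True, None
        elif "fixed" in ev:
            if vkey(installed) >= vkey(ev["fixed"]):
                vulnerable = False
            elif vulnerable and fix is None:
                fix = ev["fixed"]
    return vulnerable, fix

def plan_bumps(advisory, lockfile_text):
    """Return one proposed action per locked npm package the advisory affects."""
    packages = json.loads(lockfile_text).get("packages", {})
    plans = []
    for aff in advisory["affected"]:
        name = aff["package"]["name"]
        npm = aff["package"]["ecosystem"] == "npm"
        for path, meta in packages.items():
            if not (npm and path.endswith("node_modules/" + name) and "version" in meta):
                continue
            for rng in (r for r in aff.get("ranges", []) if r["type"] != "GIT"):
                vulnerable, fix = evaluate(rng["events"], meta["version"])
                if vulnerable:
                    plans.append({
                        "package": name, "installed": meta["version"], "fix": fix,
                        # Prefix matches the policy's allowed head; suffix is assumed.
                        "branch": "agentcy/cve-" + advisory["id"].lower(),
                        "action": f"bump to {fix}" if fix else "no upstream patch"})
    return plans
```

An advisory with no `fixed` event yields `fix: None`, which is the case the digest reports as "no upstream patch".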

Prerequisites

  • GitHub connector with repo:write for affected repos
  • Kubernetes connector (read-only is enough)
  • An HTTP/openapi connector pointing at the CVE feed of choice (NVD JSON 2.0, OSV)
  • Realm scoped to security
  • Policy: at least one Rego rule denying github.force_push and github.delete_branch

Worked example

```rego
# policies/cve-remediation.rego
package agentcy

default allow := false

# Allow PR creation only on dependency-bump branches.
allow if {
    input.tool == "github.create_pull_request"
    startswith(input.args.head, "agentcy/cve-")
}

# Deny force-pushes outright.
# `contains` makes deny a set of messages; `deny[msg] if` would build an object instead.
deny contains msg if {
    input.tool == "github.force_push"
    msg := "force-push is never allowed by the CVE remediation agent"
}

# Deny merges to main — humans review.
deny contains msg if {
    input.tool == "github.merge_pull_request"
    input.args.base == "main"
    msg := "merging to main is human-only"
}
```

Task definition:

```yaml
name: cve-remediation
schedule: "0 8 * * *"
realm: security
agent: cve-triage-agent
prompt: |
  Pull the last 24h of CVEs from the OSV feed.
  For each CVE that affects a package we depend on:
    1. Find every repo where it appears in the lockfile.
    2. Open one branch and one PR per repo with the patched version.
    3. Include CVSS, severity, exploit-available flag, and a test plan in the PR body.
  Post a daily summary to #security.
```

What good looks like

A daily digest in #security:

Tuesday 08:00 — CVE remediation

Scanned 47 repos, 213 services. Found 3 CVEs affecting your code:

  • CVE-2025-1234 (CVSS 9.8) — lodash@4.17.20 → 4.17.21 — PR opened in 8 repos
  • CVE-2025-2345 (CVSS 7.5) — next@13.5.1 → 13.5.6 — PR opened in 2 repos
  • CVE-2025-3456 (CVSS 5.3) — axios@1.6.0 → 1.7.4 — PR opened in 14 repos

All PRs require human approval. [View in dashboard →]

Variations

  • Container image scanning — feed Trivy / Grype output to the same agent, have it propose Dockerfile base-image bumps.
  • Stagger by severity — CVSS ≥ 9 opens PRs immediately; lower severity batches into a weekly digest.
  • Auto-merge for trusted ecosystems — relax the github.merge_pull_request deny rule for known-safe patterns (patch-level bumps in vendor-locked deps).

Troubleshooting

  • Too many PRs in one day. Tune the agent prompt to batch by severity, or add a per-repo cooldown via memory.
  • PRs against the wrong base branch. Make sure your repo metadata in the connector cache is fresh — sync the GitHub source before the cron fires.
  • Patched version doesn't exist for your ecosystem. The agent will note this in the digest and skip the PR. You'll see "no upstream patch" entries.

Built by AgentcyLabs. For in-house deployment or Agentcy Cloud (PaaS) access, visit agentcylabs.com.