Skip to content

feat: investigate Dependabot security alerts#35

Draft
groovecoder wants to merge 6 commits intomainfrom
investigate-dependabot-security-alerts
Draft

feat: investigate Dependabot security alerts#35
groovecoder wants to merge 6 commits intomainfrom
investigate-dependabot-security-alerts

Conversation

@groovecoder
Copy link
Copy Markdown
Member

@groovecoder groovecoder commented May 4, 2026

Add alert discovery in sweep, investigation workflow, and post-action routing (bump PR for non-affected, private fork for affected).

Closes #4

groovecoder added 2 commits May 4, 2026 16:35
@groovecoder
feat: investigate Dependabot security alerts
b917278 
Add alert discovery in sweep, investigation workflow, and post-action
routing (bump PR for non-affected, private fork for affected).

Closes #4
@groovecoder
feat: auto-dismiss non-affected alerts and post summary report
126e8d4 
Repos can opt in via `investigate.dismiss_not_affected: true` in their
.blender/blender.yml. When enabled, BLEnder dismisses Dependabot alerts
as "inaccurate" instead of opening bump PRs for non-affected packages.

Every investigation now posts a row to a tracking issue on the target
repo. The issue is created on the first run, then reused. Each row is
a comment (not a body edit) to avoid races when many workflows run
concurrently.
groovecoder
groovecoder commented May 5, 2026
View reviewed changes
Comment thread scripts/sweep.py
Comment thread scripts/sweep.py Outdated
Comment thread scripts/sweep.py
Comment thread scripts/gather-alert-context.sh Outdated
Comment thread scripts/post_alert_action.py Outdated
Comment thread scripts/post_alert_action.py Outdated
Comment thread scripts/post_alert_action.py Outdated
@groovecoder
fix: address PR #35 review feedback
38597a2 
Replace tracking issue with JSON artifact to avoid exposing alert
details on public repos. Remove open_bump_pr (no file changes made it
useless). Rename "not affected" to "unaffected" everywhere. Extract
shared sanitize_for_prompt into scripts/sanitize.sh. Fix "dedup"
jargon in sweep.py comments.
groovecoder
groovecoder commented May 6, 2026
View reviewed changes
Comment thread scripts/post_alert_action.py Outdated
@groovecoder
fix: generate HTML summary report with code snippets
8c49464 
Replace JSON artifact with a styled HTML report. The report shows
alert metadata, verdict, and source code snippets for each vulnerable
path identified during investigation. Styled like a coverage report
for easy in-browser review.
groovecoder
groovecoder commented May 6, 2026
View reviewed changes
Comment thread scripts/post_alert_action.py Outdated
groovecoder added 2 commits May 5, 2026 21:17
@groovecoder
refactor: extract HTML report into scripts/alert_report.py
8752094 
Move read_code_snippet, render_html, and write_summary out of
post_alert_action.py into a dedicated module. Keeps the action
script focused on orchestration.
@groovecoder
fix: move actions:write permission to job level
2dbe2dd 
zizmor flagged workflow-level actions:write as overly broad. Only the
investigate job needs it for upload-artifact.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feat(security): add workflow to investigate impact of dependabot security alerts

1 participant

@groovecoder