Claude-skill-registry dependabot-security

Install

Source: clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry

Claude Code: install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/dependabot-security" ~/.claude/skills/majiayu000-claude-skill-registry-dependabot-security && rm -rf "$T"

Manifest: skills/data/dependabot-security/SKILL.md

Source content

Dependabot Security

Fix Dependabot security vulnerabilities in Java/Gradle projects with proper verification.

When to use this skill

  • Resolving Dependabot security alerts
  • Fixing CVE vulnerabilities in dependencies
  • Verifying dependency graph for CI compliance
  • Choosing the right fix strategy for transitive dependencies
  • Understanding why the dependency-review CI check fails
  • When asked to "fix dependabot vulnerabilities" or "fix security alerts"

Skill Contents

Available Resources

  • 📚 references/ - Detailed documentation

Quick Start

1. Create Jira ticket first

See global/rules/jira-ticket-workflow.md for ticket creation.

2. Get alerts by severity

REPO=$(gh repo view --json nameWithOwner -q '.nameWithOwner')
gh api --paginate repos/$REPO/dependabot/alerts --jq '.[] | select(.state == "open") | {
  number, severity: .security_advisory.severity, package: .dependency.package.name,
  patched_version: .security_vulnerability.first_patched_version.identifier,
  cve: .security_advisory.cve_id
}'

3. Fix by severity (CRITICAL first, then HIGH, MEDIUM, LOW)

See references/fix-strategies.md for strategy hierarchy.

4. Verify with dependency graph

./gradlew -I gradle/dependency-graph-init.gradle \
    --dependency-verification=off \
    :ForceDependencyResolutionPlugin_resolveAllDependencies

# Check ONLY patched versions appear
grep -i "package-name" build/reports/dependency-graph-snapshots/dependency-list.txt

5. Commit and create PR

git commit -m "🤖 🛡️ fix(security): [JIRA-KEY] resolve CRITICAL vulnerabilities"
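The grep in step 4 only shows which snapshot lines mention a package; what actually has to hold is that no version below the first patched one remains anywhere in the snapshot, because the graph plugin reports every version, not just the resolved one. The following added example (not part of the skill or its references) performs that check against constructed alert and snapshot data; it assumes the alert fields match the gh api --jq filter in step 2 and that dependency-list.txt holds one group:artifact:version coordinate per line.

```python
"""Verify a dependency-graph snapshot contains no versions below the patched floor."""
import re
from typing import Iterable

# Constructed open alerts, shaped like the gh api --jq output in step 2 (assumed shape).
ALERTS = [
    {"number": 1, "severity": "critical", "package": "org.apache.logging.log4j:log4j-core",
     "patched_version": "2.17.1"},
    {"number": 2, "severity": "high", "package": "com.fasterxml.jackson.core:jackson-databind",
     "patched_version": "2.15.0"},
]

# Constructed snapshot lines standing in for
# build/reports/dependency-graph-snapshots/dependency-list.txt (line format assumed).
# Both log4j-core versions appear: the plugin reports every version in the graph.
SNAPSHOT = """
org.apache.logging.log4j:log4j-core:2.14.1
org.apache.logging.log4j:log4j-core:2.17.1
com.fasterxml.jackson.core:jackson-databind:2.15.3
org.slf4j:slf4j-api:2.0.9
"""

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(v: str) -> list:
    # Numeric tokens rank above qualifiers, so "2.17.1-rc1" < "2.17.1" as in Maven ordering.
    return [(1, int(t)) if t.isdigit() else (0, t.lower()) for t in re.split(r"[.\-_]", v)]


def version_lt(a: str, b: str) -> bool:
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += [(1, 0)] * (n - len(pa))  # pad so that "2.17" compares equal to "2.17.0"
    pb += [(1, 0)] * (n - len(pb))
    return pa < pb


def find_unpatched(snapshot: Iterable[str], alerts: list) -> list:
    """Return every snapshot coordinate still below its alert's first patched version."""
    floors = {a["package"]: a for a in alerts}
    hits = []
    for line in snapshot:
        parts = line.strip().split(":")
        if len(parts) < 3:  # blank line or not a group:artifact:version coordinate
            continue
        pkg, version = f"{parts[0]}:{parts[1]}", parts[2]
        alert = floors.get(pkg)
        if alert and version_lt(version, alert["patched_version"]):
            hits.append({"package": pkg, "found": version,
                         "patched": alert["patched_version"], "severity": alert["severity"]})
    return sorted(hits, key=lambda h: SEVERITY_ORDER.get(h["severity"], 9))


if __name__ == "__main__":
    for h in find_unpatched(SNAPSHOT.splitlines(), ALERTS):
        print(f"{h['severity'].upper()}: {h['package']} {h['found']} < {h['patched']} still in graph")
```

An empty result means the snapshot is clean for the listed alerts; any hit is an old version that a force rule may have masked at runtime but that dependency-review will still flag.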

Key Concepts

Severity-Based Processing

Process ONE severity level at a time, creating separate PRs for each:

Priority | Severity | When to Process
1 | CRITICAL | Always first
2 | HIGH | After no CRITICAL
3 | MEDIUM | After no HIGH
4 | LOW | After no MEDIUM

Dependency Graph vs Runtime Resolution

The dependency graph plugin reports ALL versions to GitHub, not just the resolved version. A force rule changes which version Gradle resolves at runtime but leaves the old version in the reported graph, so force rules alone won't fix dependency-review failures - use substitution to remove old versions from the graph.

Fix Strategy Hierarchy

  1. BOM Update - Update Spring Boot, gRPC, Protobuf BOM versions
  2. Version Catalog - Update direct dependencies in libs.versions.toml
  3. Dependency Substitution - Replace transitive dependencies
  4. Constraints - Set minimum version floors
  5. Force Rules - Quick fix (combine with substitution)
  6. Exclude + Add - Last resort

References

Reference | Description
references/fix-strategies.md | Detailed fix strategies with examples
references/severity-processing.md | Severity-based workflow
references/dependency-graph.md | Dependency graph plugin setup and verification
references/troubleshooting.md | Common issues and solutions

Related Rules

  • .cursor/rules/java-vulnerability-golden-paths.mdc - Proven fix patterns for common CVEs
  • .cursor/rules/java-versions-and-dependencies.mdc - Version management policies

Related Skills

Skill | Purpose
gradle-standards | Gradle configuration
sonarqube-integration | Code quality checks

Auto-generated file, do not edit directly. Source: bitsoex/ai-code-instructions, java/skills/dependabot-security/SKILL.md. To modify, edit the source file and run the distribution workflow.