Automated security vulnerability scanning and fixing for GitHub repositories using Snyk.
Before using this skill, ensure:

- npm install -g snyk and authenticated: snyk auth
- brew install gh and authenticated: gh auth login
- brew install jq (for JSON processing)

Workflow: Scan Repository → Create GitHub Issues → Auto-Fix → Create PR
Severity levels:

- critical - Critical vulnerabilities only
- high - High and critical vulnerabilities (default)
- medium - Medium, high, and critical
- low - All severities

Run the complete scan → report → fix workflow:
./scripts/run-full-workflow.sh <repo-url> [base-branch] [severity] [skip-issues] [skip-fix] [dry-run]
Parameters:
- repo-url - Full GitHub URL (required)
- base-branch - Target branch for PRs (default: dev)
- severity - Comma-separated levels (default: high,critical)
- skip-issues - true to skip GitHub issue creation (default: false)
- skip-fix - true to skip auto-fix (default: false)
- dry-run - true to simulate without making changes (default: false)

Examples:
```bash
# Full workflow with defaults
./scripts/run-full-workflow.sh https://github.com/owner/repo

# Scan only, skip fixes
./scripts/run-full-workflow.sh https://github.com/owner/repo dev high false true false

# Dry run - everything but no changes
./scripts/run-full-workflow.sh https://github.com/owner/repo dev high,critical false false true

# Fix only (skip issues), target main branch
./scripts/run-full-workflow.sh https://github.com/owner/repo main high true false false
```
./scripts/snyk-scan.sh <repo-url> [output-file] [severity-filter]
Generates a JSON file with vulnerability details.
Example:
./scripts/snyk-scan.sh https://github.com/owner/repo results.json high,critical
python3 scripts/create-github-issues.py <results.json> <repo-url>
Creates one GitHub issue per vulnerable package, grouping all CVEs for that package.
./scripts/snyk-auto-fix.sh <repo-url> [base-branch] [dry-run]
Applies Snyk fixes and creates a PR to the specified branch.
Example:
./scripts/snyk-auto-fix.sh https://github.com/owner/repo dev false
Supported manifests: Node.js (package.json), Python (requirements.txt, Pipfile, pyproject.toml), Gradle (build.gradle), Maven (pom.xml).

Issues are created with:

- Labels: security, vulnerability, snyk
- Duplicate prevention: issues won't be created if a similar issue already exists for the same package.
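The per-package grouping and duplicate check that create-github-issues.py is described as performing, written out as an added Python example (not the skill's own script). It assumes the `snyk test --json` field names shown in the constructed sample and takes the titles of already-open issues as a plain list instead of querying gh.

```python
"""Group Snyk findings per package and decide which GitHub issues to open."""
import json

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample in the shape of `snyk test --json` output, trimmed to the
# fields used here (assumed names: vulnerabilities[].packageName, .version,
# .severity, .identifiers.CVE, .fixedIn). CVE numbers are placeholders.
SAMPLE_SNYK_JSON = json.dumps({
    "vulnerabilities": [
        {"id": "SNYK-JS-EXAMPLE-1", "packageName": "lodash", "version": "4.17.15",
         "severity": "high", "identifiers": {"CVE": ["CVE-0000-0001"]}, "fixedIn": ["4.17.21"]},
        {"id": "SNYK-JS-EXAMPLE-2", "packageName": "lodash", "version": "4.17.15",
         "severity": "critical", "identifiers": {"CVE": ["CVE-0000-0002"]}, "fixedIn": ["4.17.21"]},
        {"id": "SNYK-JS-EXAMPLE-3", "packageName": "minimist", "version": "1.2.0",
         "severity": "medium", "identifiers": {"CVE": ["CVE-0000-0003"]}, "fixedIn": ["1.2.6"]},
    ]
})


def group_by_package(snyk_json: str, severities=("high", "critical")):
    """Return {package: summary}, keeping only findings at the requested severities."""
    wanted = set(severities)
    groups = {}
    for vuln in json.loads(snyk_json).get("vulnerabilities", []):
        if vuln.get("severity") not in wanted:
            continue
        g = groups.setdefault(vuln["packageName"], {
            "version": vuln.get("version"), "cves": set(),
            "max_severity": "low", "fixed_in": set()})
        # Fall back to the Snyk id when a finding carries no CVE identifier.
        g["cves"].update(vuln.get("identifiers", {}).get("CVE") or [vuln["id"]])
        g["fixed_in"].update(vuln.get("fixedIn", []))
        if SEVERITY_RANK[vuln["severity"]] > SEVERITY_RANK[g["max_severity"]]:
            g["max_severity"] = vuln["severity"]
    return groups


def issue_title(package: str) -> str:
    """Stable title used both for creation and for the duplicate check."""
    return f"[Snyk] Vulnerable dependency: {package}"


def issues_to_create(groups, existing_titles):
    """Skip packages that already have an issue with the same title."""
    existing = set(existing_titles)
    return [issue_title(p) for p in sorted(groups) if issue_title(p) not in existing]
```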
PRs include:

- Branch prefix: snyk-fix-
- Labels: security, dependencies, snyk

For periodic scans, use the skill via cron:
```bash
# Add to cron for daily scans at 9am
0 9 * * * cd ~/.openclaw/workspace/skills/snyk-vulnerability-scanner && ./scripts/run-full-workflow.sh https://github.com/owner/repo
```
Or via OpenClaw cron for direct integration:
```json
{
  "name": "snyk-daily-scan",
  "schedule": { "kind": "cron", "expr": "0 9 * * *" },
  "payload": {
    "kind": "agentTurn",
    "message": "Run Snyk vulnerability scan on https://github.com/owner/repo and create fixes for dev branch"
  }
}
```
| Script | Purpose |
|---|---|
| run-full-workflow.sh | Main entry point - runs complete workflow |
| snyk-scan.sh | Scans repo, outputs JSON results |
| create-github-issues.py | Creates GitHub issues from scan results |
| snyk-auto-fix.sh | Applies fixes and creates PRs |
"Snyk not authenticated"
→ Run: snyk auth
"GitHub CLI not authenticated"
→ Run: gh auth login
"No vulnerabilities found"
→ Check Snyk dashboard for your project; may need to import repo first
"Permission denied" on scripts
→ Run: chmod +x scripts/*.sh
Auto-fix not working
→ Some vulnerabilities can't be auto-fixed; check Snyk dashboard for remediation advice
Dry run shows changes but real run doesn't
→ Check that Snyk has fixable suggestions for the vulnerabilities; some require manual updates