陌讯skills聚合平台

aikido-security-remediator

📁 orbiqhq/aikido-security-remediator-skill 📅 4 days ago
4
总安装量
2
周安装量
#50918
全站排名
安装命令
npx skills add https://github.com/orbiqhq/aikido-security-remediator-skill --skill aikido-security-remediator

Agent 安装分布

mcpjam 2
openhands 2
junie 2
zencoder 2
crush 2

Skill 文档

Aikido Security Remediator

Use an API-first workflow for Aikido findings. Start by fetching open issues from Aikido, then fix the highest-impact findings directly in code or package manifests.

Required Environment

  • AIKIDO_CLIENT and AIKIDO_SECRET in .env (for OAuth client credentials).
  • Optional AIKIDO_ACCESS_TOKEN in .env to skip OAuth exchange.
  • Optional AIKIDO_API_BASE in .env (default: https://app.aikido.dev/api).

Do not source .env in shell sessions; parse it as plain text because the repository may contain values that are not shell-safe.

Workflow

  1. Fetch open issue groups first:
    • python scripts/aikido_open_issue_groups.py --base-url "https://app.aikido.dev/api" --details --output /tmp/aikido-open-issues.json --markdown-summary
  2. Build a remediation queue:
    • Prioritize by severity (critical -> high -> medium -> low), then exploitability and blast radius.
    • Prefer findings with clear package/file ownership in the repository.
  3. Attempt fixes before reporting:
    • For SAST: patch vulnerable code paths first.
    • For dependency/SCA findings: update package.json/workspace manifests or overrides, then regenerate lock data.
  4. Verify every change:
    • Run targeted tests for touched apps/packages.
    • Run build for touched app/package when changes are substantial.
  5. Report unresolved findings only after at least one concrete fix attempt.

Lockfile Policy

  • Never hand-edit lockfiles (pnpm-lock.yaml, package-lock.json, yarn.lock).
  • Change the manifest (package.json, workspace dependency, or override) and let the package manager update the lockfile automatically.
  • For targeted dependency upgrades, prefer scoped commands.

API Endpoints

Base URL: https://app.aikido.dev/api (docs at https://apidocs.aikido.dev/).

  • POST /oauth/token — exchange client credentials for bearer token
  • GET /public/v1/open-issue-groups — list open issue groups
  • GET /public/v1/issues/groups/{issueGroupID} — get issue group detail
  • PUT /public/v1/issues/groups/{issueGroupID}/ignore — ignore an issue group
  • PUT /public/v1/issues/groups/{issueGroupID}/snooze — snooze an issue group

See references/remediation-playbook.md for endpoint usage, triage rules, and fix sequencing.

Execution Rules

  • Query Aikido API before searching local code for assumptions about findings.
  • Keep fixes minimal and local to the reported vulnerability.
  • Avoid broad refactors while remediating security findings.
  • If a finding is not reproducible or not in scope for this repo, document exact evidence and blockers.
GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台
本页面由 陌讯 Skills 聚合平台 收录整理,数据定期更新。