# cve-triage

Help users triage and prioritize CVE findings from INFYNON package scans. Use when the user has CVE scan results and needs to decide what to fix, what to defer, or how to handle a specific vulnerability. Covers severity interpretation, fix strategies, safe version selection, and handling false positives.

Install this agent skill to your project:

```bash
npx add-skill https://github.com/d4rkNinja/code-guardian/tree/main/infynon-pkg/skills/cve-triage
```
## INFYNON CVE Triage Guide

You are helping the user interpret and act on CVE scan results from `infynon pkg scan`.

### Get the Scan Results First

```bash
# Human-readable output
infynon pkg scan

# Machine-readable JSON (better for triage decisions)
infynon pkg scan --agent
```
### Severity Decision Matrix

When you see CVE findings, use this priority framework:

| Severity | CVSS | Action | Timeline |
|---|---|---|---|
| CRITICAL | 9.0–10.0 | Fix immediately — block deploy | Now |
| HIGH | 7.0–8.9 | Fix before next release | Within 24h |
| MEDIUM | 4.0–6.9 | Schedule fix in current sprint | Within 1 week |
| LOW | 0.1–3.9 | Fix at next dependency update | Next sprint |
| INFORMATIONAL | 0.0 | Review, likely ignore | Backlog |
### Fix Commands — By Severity

#### Fix CRITICAL + HIGH immediately

```bash
# See what safe versions are available
infynon pkg scan --agent | jq '.vulnerabilities[] | {package, cve_id, severity, safe_version, fix_cmd}'

# Auto-fix all vulnerable packages
infynon pkg fix --auto

# Fix a specific package
infynon pkg npm install lodash@4.17.21 --strict high    # npm
infynon pkg pip install requests==2.31.0 --strict high  # pip
infynon pkg cargo add serde@1.0.196 --strict high       # cargo
```
#### Upgrade to the safe version shown in scan output

Each CVE finding includes a `safe_version` and `fix_cmd` field:

```json
{
  "package": "lodash",
  "cve_id": "CVE-2021-23337",
  "severity": "HIGH",
  "safe_version": "4.17.21",
  "fix_cmd": "npm install lodash@4.17.21"
}
```

Use the `fix_cmd` through INFYNON:

```bash
# Take the fix_cmd from the scan output, prefix with `infynon pkg`
infynon pkg npm install lodash@4.17.21 --strict high
```

#### Batch auto-fix

```bash
infynon pkg fix --auto                        # Auto-upgrade all detected vulnerabilities
infynon pkg fix --auto --pkg-file Cargo.lock  # Fix specific lock file
```
### Triage Questions to Ask

For each CRITICAL or HIGH CVE:

- **Is this package reachable from user input?**
  - If yes: fix now (exploitable attack surface)
  - If no (build-only dep): lower priority

- **Does a safe version exist?**
  - Check the `safe_version` field in scan output
  - If no safe version: consider removing the package or finding an alternative (`infynon pkg search`)

- **Is this a transitive dependency?**
  ```bash
  infynon pkg why <vulnerable-package>   # Shows which of your direct deps pulls it in
  ```
  - If transitive: upgrade the parent package first

- **Is there a breaking change in the safe version?**
  ```bash
  infynon pkg diff <package> <current-version> <safe-version>   # Shows what changed between versions
  ```
### Handling Specific Situations

#### "I can't upgrade — the safe version has breaking changes"

```bash
# Option 1: Check if there's a patch release that fixes only the CVE
infynon pkg diff express 4.17.0 4.18.2

# Option 2: Find an alternative package
infynon pkg search "http server" --ecosystem npm

# Option 3: Use --skip-vulnerable in CI to at least block new vulnerable installs
# while you plan the migration
infynon pkg npm install --skip-vulnerable
```
#### "I have 50 CVEs — where do I start?"

```bash
# Get a prioritized list: critical first, then high.
# Sort by an explicit severity rank: sorting the severity strings
# alphabetically and reversing would put MEDIUM and LOW ahead of HIGH and CRITICAL.
infynon pkg scan --agent | jq -r '
  .vulnerabilities
  | sort_by({CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3, INFORMATIONAL: 4}[.severity] // 9)
  | .[] | "\(.severity) \(.package) \(.cve_id) — fix: \(.fix_cmd)"
'
```

Focus on:
- All CRITICAL first
- HIGH in packages exposed to user input
- MEDIUM in the same sprint
- LOW at next update cycle
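Once the scan is in `--agent` JSON form, the severity matrix and the Focus list above can be applied mechanically. The script below is an added example, not part of INFYNON or this skill: it reads the scan JSON, ranks findings by the matrix, puts packages you have judged reachable from user input first within a severity and dev-only packages last, and substitutes the guide's "remove or find an alternative" fallback when no `safe_version` is present. It assumes only the fields the guide documents (`package`, `cve_id`, `severity`, `safe_version`, `fix_cmd`); the optional `cvss` field, the `exposed`/`dev_only` sets, the sample scan and every function name are assumptions made for the example, and it goes slightly beyond the guide by deriving a severity from a CVSS score when the field is missing.

```python
"""Priority ordering for findings from `infynon pkg scan --agent`.

Added example, not INFYNON's own code. Only the documented finding
fields (package, cve_id, severity, safe_version, fix_cmd) are relied on;
the "cvss" field, the exposed/dev_only sets and the function names are
assumptions made for this example.
"""
import json
from typing import Collection

# Severity matrix from the triage guide: lower CVSS bound, action, timeline.
SEVERITY_MATRIX = {
    "CRITICAL":      (9.0, "Fix immediately - block deploy", "Now"),
    "HIGH":          (7.0, "Fix before next release", "Within 24h"),
    "MEDIUM":        (4.0, "Schedule fix in current sprint", "Within 1 week"),
    "LOW":           (0.1, "Fix at next dependency update", "Next sprint"),
    "INFORMATIONAL": (0.0, "Review, likely ignore", "Backlog"),
}
# Dict order is insertion order, so CRITICAL ranks 0 and INFORMATIONAL 4.
SEVERITY_RANK = {name: i for i, name in enumerate(SEVERITY_MATRIX)}


def severity_from_cvss(score: float) -> str:
    """Map a CVSS base score onto the guide's severity bands."""
    for name, (lower, _, _) in SEVERITY_MATRIX.items():
        if score >= lower:
            return name
    return "INFORMATIONAL"


def triage(scan_json: str,
           exposed: Collection[str] = (),
           dev_only: Collection[str] = ()) -> list:
    """Order findings the way the guide says to work through them.

    exposed:  packages you judged reachable from user input (triage question 1)
    dev_only: packages that only run in build/test, never in production
    Within one severity, exposed packages come first and dev-only ones last.
    """
    findings = json.loads(scan_json)["vulnerabilities"]
    rows = []
    for f in findings:
        # Fall back to the CVSS score (assumed optional field) when severity is absent.
        sev = (f.get("severity") or severity_from_cvss(float(f.get("cvss", 0.0)))).upper()
        rank = SEVERITY_RANK.get(sev, len(SEVERITY_RANK))
        _, action, timeline = SEVERITY_MATRIX.get(sev, (0.0, "Review", "Backlog"))
        if f.get("safe_version") and f.get("fix_cmd"):
            remedy = "infynon pkg " + f["fix_cmd"]  # run the scan's fix_cmd through INFYNON
        else:
            remedy = "no safe version: remove the package or find an alternative (infynon pkg search)"
        rows.append({
            "package": f["package"],
            "cve_id": f["cve_id"],
            "severity": sev,
            "action": action,
            "timeline": timeline,
            "remedy": remedy,
            "_key": (rank,
                     0 if f["package"] in exposed else 1,
                     1 if f["package"] in dev_only else 0),
        })
    rows.sort(key=lambda r: r["_key"])
    for r in rows:
        del r["_key"]
    return rows


# Constructed sample scan output. The lodash entry mirrors the guide's own
# example; the other packages and CVE ids are placeholders, not real CVEs.
SAMPLE_SCAN = json.dumps({"vulnerabilities": [
    {"package": "lodash", "cve_id": "CVE-2021-23337", "severity": "HIGH",
     "safe_version": "4.17.21", "fix_cmd": "npm install lodash@4.17.21"},
    {"package": "demo-router", "cve_id": "CVE-XXXX-0002", "severity": "HIGH",
     "safe_version": "2.0.0", "fix_cmd": "npm install demo-router@2.0.0"},
    {"package": "demo-test-runner", "cve_id": "CVE-XXXX-0003", "severity": "CRITICAL",
     "safe_version": None, "fix_cmd": None},
    {"package": "demo-image-lib", "cve_id": "CVE-XXXX-0004", "cvss": 5.5,
     "safe_version": "1.4.0", "fix_cmd": "npm install demo-image-lib@1.4.0"},
]})


def demo() -> list:
    """Triage the sample with demo-router marked exposed and the test runner dev-only."""
    return triage(SAMPLE_SCAN, exposed={"demo-router"}, dev_only={"demo-test-runner"})


if __name__ == "__main__":
    for r in demo():
        print(f"{r['severity']:<13} {r['package']:<18} {r['cve_id']:<15} "
              f"{r['timeline']:<13} {r['remedy']}")
```

The `exposed` and `dev_only` sets are the human part of the triage (the guide's first question); the script only encodes the ordering rules, so a finding the scanner rates CRITICAL still lands at the top even when it is dev-only, and the remedy column tells you whether there is a version to move to or the package needs replacing.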
#### "I have CVEs in dev dependencies only"

Dev dependencies (test frameworks, linters, build tools) are generally lower risk — they never run in production. Still fix them to:
- Keep your security posture clean
- Prevent toolchain compromise (supply-chain attacks)
- Avoid CI/CD pipeline exploitation
#### "The same CVE keeps appearing after I fix it"

```bash
# Check if it's pulled in transitively by a different parent
infynon pkg why <package>

# Check your lock file is actually updated
infynon pkg scan --pkg-file package-lock.json
```
### Export Reports for Compliance

```bash
infynon pkg scan --output markdown   # Markdown report
infynon pkg scan --output pdf        # PDF report
infynon pkg scan --output both       # Both formats
```

Reports include: package name, CVE ID, severity, description, affected version, safe version, fix command.
### Set Up Automated CVE Gating in CI

After triage, lock in your accepted risk level with CI gates:

```bash
# Block critical + high (recommended default)
infynon pkg npm install --strict high

# Only block critical (more permissive)
infynon pkg npm install --strict critical

# Block all vulnerabilities (zero tolerance)
infynon pkg npm install --strict all
```
### Useful Audit Commands

```bash
infynon pkg audit                  # Full dependency tree with CVE annotations
infynon pkg why <package>          # Trace who pulls in a package
infynon pkg outdated               # Find packages with newer versions available
infynon pkg doctor                 # Health check: duplicates, unused, phantom deps
infynon pkg diff <pkg> <v1> <v2>   # See what changed between versions
```