Skip to main content
Securitydavepoon

remediation

Get a context-aware remediation plan for a vulnerability with fix verification steps

Stars
2,987
Source
davepoon/buildwithclaude
Updated
2026-05-26
Slug
davepoon--buildwithclaude--remediation
View on GitHubRaw SKILL.md

// install — copy + paste into any project

mkdir -p .claude/skills && curl -fsSL https://raw.githubusercontent.com/davepoon/buildwithclaude/HEAD/plugins/vulnetix/skills/remediation/SKILL.md -o .claude/skills/remediation.md

Drops the SKILL.md into .claude/skills/remediation.md. Works with Claude Code, Cursor, and any agent that loads SKILL.md files from .claude/skills/.

Vulnetix Remediation Plan Skill

This skill generates a comprehensive, context-aware remediation plan for a specific vulnerability using the VDB V2 remediation API. It auto-detects your repository's ecosystem, package manager, installed versions, container images, and OS to provide targeted fix guidance including registry upgrades, source patches, distribution advisories, workarounds, CWE-specific remediation strategies, and verification commands.

How this differs from /vulnetix:fix: The existing /vulnetix:fix skill fetches V1 fix data and proposes manual manifest edits. This skill uses the V2 remediation plan endpoint which provides context-aware guidance (ecosystem, version, OS, container), CWE remediation strategies, CrowdSec threat intelligence (live exploitation data), workaround effectiveness scoring, SSVC decision support, and verification commands per package manager.

Vulnerability Memory (.vulnetix/memory.yaml)

This skill reads and updates the .vulnetix/memory.yaml file in the repository root. This file is shared with /vulnetix:fix, /vulnetix:exploits, /vulnetix:package-search, /vulnetix:vuln, and /vulnetix:exploits-search.

Schema

The canonical schema is defined in /vulnetix:fix. This skill updates base fields and appends remediation plan events to the history log.

Reading Prior State

At the start of every invocation:

  1. Use Glob to check if .vulnetix/memory.yaml exists in the repo root
  2. If it exists, use Read to load it and check for the vuln ID or aliases
  3. Use Glob for .vulnetix/scans/*.cdx.json -- cross-reference for component data
  4. If a prior entry exists, display:
    Previously seen: <vulnId> -- <developer-friendly status> (as of <date>)
Priority: <P1/P2/P3/P4> (<score>) (if cwss data exists)
Last decision: <developer-friendly decision> -- "<reason>"

Writing Updated State

After completing the remediation plan (Step 7):

  1. If no entry exists, create one with status: under_investigation, discovery.source: user
  2. If an entry exists, update severity, safe_harbour, and versions.fixed_in from the remediation plan data. Merge aliases.
  3. Do NOT change status or decision unless the user explicitly makes a decision during the conversation
  4. Append to history: event: remediation-plan, detail: summary of fix options found (registry fixes, source fixes, workarounds, distribution patches)
  5. Confirm to the user

VEX Status Mapping

  • not_affected --> "Not affected"
  • affected --> "Vulnerable"
  • fixed --> "Fixed"
  • under_investigation --> "Investigating"

Dependabot Integration

When gh CLI is available (check with gh auth status 2>/dev/null), query Dependabot alerts for the vuln ID to cross-reference with the remediation plan.

  1. Query alerts matching this vuln ID
  2. If a Dependabot PR exists, note it in the output: "Dependabot PR #N proposes this upgrade -- consider reviewing and merging it"
  3. Update the dependabot section in the memory entry

Workflow

Step 1: Load Memory and Detect Repository Context

  1. Load .vulnetix/memory.yaml as described above
  2. Use Glob to detect manifest files and determine:
    • Ecosystem -- npm, pypi, maven, go, cargo, rubygems, packagist
    • Package manager -- npm, yarn, pnpm, pip, poetry, uv, cargo, go, maven, gradle, bundler, composer
  3. If the vuln ID is already in memory with a package field, use that package name
  4. If not, run a quick lookup to get affected products:
    vulnetix vdb vuln "$ARGUMENTS" -o json
    Extract affected package names and ecosystems from the response.
  5. For each affected package found in the repo, detect the installed version using the priority chain: lockfile --> manifest --> installed artifacts --> unknown

Step 2: Auto-Populate Context Flags

Build the CLI flags automatically from repository state:

Flag Source How to detect
--ecosystem Manifest files From Step 1 ecosystem detection
--package-name VDB response or memory Affected package name matching repo
--current-version Lockfile/manifest Installed version from Step 1
--package-manager Manifest file type package-lock.json --> npm, yarn.lock --> yarn, poetry.lock --> pip/poetry, etc.
--purl Constructed If ecosystem + name + version are known, construct pkg:<eco>/<name>@<version>
--container-image Containerfile/Dockerfile Use Glob for Containerfile, Dockerfile, *.dockerfile. If found, Read and extract FROM image reference (e.g., node:18-alpine)
--os OS detection Check for /etc/os-release or infer from container base image
--vendor VDB response From affected products vendor field
--product VDB response From affected products product field

Always set:

  • --include-guidance -- includes CWE-specific remediation strategies
  • --include-verification-steps -- includes per-package-manager verification commands

If no package context can be determined (no manifests, no memory), run the command without package-specific flags -- the API will still return general remediation guidance.

Step 3: Execute Remediation Plan Query

vulnetix vdb remediation plan "$ARGUMENTS" -V v2 --include-guidance --include-verification-steps -o json [context flags]

CLI Reference (from vulnetix vdb remediation plan docs):

Flag Type Description
--ecosystem string Package ecosystem (npm, pypi, maven, go, cargo, etc.)
--package-name string Package name
--current-version string Currently installed version (enables version-specific guidance)
--package-manager string Package manager (npm, pip, cargo, maven, etc.)
--purl string Package URL (overrides ecosystem + package-name)
--container-image string Container image reference (e.g., node:18-alpine)
--os string OS identifier (e.g., ubuntu:22.04, debian-11)
--vendor string Vendor name for CPE matching
--product string Product name for CPE matching
--registry string Registry filter (npm, pypi, maven-central)
--include-guidance bool Include CWE-specific markdown guidance
--include-verification-steps bool Include verification commands per package manager
-V string API version -- must be v2
-o, --output string Output format: json or pretty

Examples:

# Basic remediation plan
vulnetix vdb remediation plan CVE-2021-44228 -V v2 --include-guidance --include-verification-steps -o json

# With full package context
vulnetix vdb remediation plan CVE-2021-44228 -V v2 \
  --ecosystem maven --package-name log4j-core --current-version 2.14.1 \
  --package-manager maven --include-guidance --include-verification-steps -o json

# Using PURL
vulnetix vdb remediation plan CVE-2021-44228 -V v2 \
  --purl "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1" \
  --include-guidance --include-verification-steps -o json

# With container context
vulnetix vdb remediation plan CVE-2024-XXXXX -V v2 \
  --ecosystem npm --package-name express --current-version 4.17.1 \
  --container-image "node:18-alpine" --include-guidance --include-verification-steps -o json

Response structure (from V2 OAS):

The response includes:

  • cveId, state, title, aliases, description
  • descriptions[] -- multi-source descriptions with language and source attribution
  • crowdSecSummary -- live threat intelligence:
    • totalSightings, uniqueIPs, isActive
    • firstSeen, lastSeen
    • topSourceCountries, topTargetCountries
    • mitreTechniques, behaviors
  • cvssDetails -- parsed CVSS vector components (attackVector, attackComplexity, privilegesRequired, userInteraction, scope, impact metrics)
  • agent_prompt -- AI-optimized remediation context string
  • Registry fixes, source fixes, distribution patches, workarounds, CWE guidance, verification steps (context-dependent based on flags provided)

Step 4: Present the Remediation Plan

Render a structured remediation report with the following sections:

Vulnerability Summary:

<CVE ID> -- <title>
<description -- first 2-3 sentences>
Severity: <CVSS score> (<level>)  |  EPSS: <score>

Threat Activity (from CrowdSec data, if present):

Live Exploitation: <Active/Inactive>
Sightings: <totalSightings> from <uniqueIPs> unique IPs
Last seen: <lastSeen>
Source countries: <top 3>
MITRE techniques: <techniques in developer language>

If no CrowdSec data, skip this section.

Registry Fixes (version upgrades per ecosystem):

Ecosystem Package Current Fix Version Verified Confidence Registry
maven log4j-core 2.14.1 2.17.1 Yes High Maven Central

For each fix, report Safe Harbour confidence:

  • High (> 0.90): patch-level bump, official registry release
  • Reasonable (0.35-0.90): minor version bump, backward-compatible
  • Low (< 0.35): major version bump, significant API changes

Source Fixes (upstream commits/PRs, if available):

Upstream fix: <commit URL>
  SHA: <sha>
  Author: <author>
  Message: <commit message>
  Repository health: <commit frequency, contributor count>

Distribution Patches (if --os or --container-image was set):

Distro Patch ID Affected Packages Priority
Ubuntu 22.04 USN-XXXX-X liblog4j2-java High

Workarounds (interim mitigations, if no immediate fix):

Workaround: <description>
  Effectiveness: <score>/100
  Applicable versions: <range>
  Requires restart: <Yes/No>
  Verification: <steps>

CWE Guidance (weakness-specific remediation strategies):

CWE-<id>: <title>
Remediation strategy:
<markdown guidance from API>

Verification guidance:
<markdown from API>

Verification Steps (per package manager):

Verify the fix:
  npm: npm audit --json | jq '.vulnerabilities["<package>"]'
  maven: mvn dependency:tree | grep <package>
  pip: pip show <package> | grep Version

Step 5: Cross-Reference with Dependabot and Memory

  1. If Dependabot PR exists for this upgrade, note: "Dependabot PR #N already proposes this upgrade -- consider reviewing and merging"
  2. If a prior /vulnetix:exploits analysis exists in memory (threat_model, cwss), surface the priority: "Prior exploit analysis: P1 (87.5) -- Act now"
  3. If a prior /vulnetix:fix analysis exists, note what was previously proposed

Step 6: Present Actionable Next Steps

Based on the remediation plan, present concrete actions:

  1. If registry fix available: Show exact manifest edit (same diff format as /vulnetix:fix) with the fix version from the remediation plan. Offer to apply it.
  2. If source fix only (no registry release): Note that the fix requires building from source or waiting for a release. Link to the commit/PR.
  3. If workaround only: Present the workaround steps with effectiveness score. Note: "No patch available yet -- workaround is interim mitigation."
  4. If distribution patch: Provide the package manager command (e.g., apt-get update && apt-get install --only-upgrade <package>)
  5. Test commands: Suggest running tests after applying the fix
  6. Re-scan: Suggest vulnetix vdb vuln <vuln-id> to verify the fix resolved the vulnerability
  7. Rollback guidance: If the fix introduces breaking changes, note the backup/rollback approach

Cross-references:

  • "Run /vulnetix:exploits $ARGUMENTS for exploit intelligence and threat modeling"
  • "Run /vulnetix:vuln $ARGUMENTS for full vulnerability details"
  • "Run /vulnetix:exploits-search --ecosystem <eco> to discover related exploited vulnerabilities"

Step 7: Update Vulnerability Memory

  1. Use Read to load the current memory file
  2. Create or update the entry:
    • versions.fixed_in -- from the registry fix data
    • versions.fix_source -- registry name and version
    • severity -- from CVSS data
    • safe_harbour -- computed from fix confidence
    • aliases -- merge any newly discovered aliases
    • dependabot -- if gathered in Step 5
  3. Append to history: event: remediation-plan, detail: summary of fix options (e.g., "Registry fix: 2.17.1 (Maven Central, High confidence). 2 workarounds available. CWE-502 guidance provided.")
  4. Use Write to save
  5. Confirm to the user

If the user applies a fix or makes a decision:

  • Record using the risk treatment categories from /vulnetix:exploits
  • Set status: fixed and decision.choice: fix-applied if they apply the fix
  • Append event: fix-applied with detail including the version change

Error Handling

  • If vulnetix vdb remediation plan returns an error, fall back to vulnetix vdb fixes "$ARGUMENTS" -o json (V1 endpoint) and present basic fix data. Note that V2 enrichment (workarounds, CWE guidance, verification steps) is unavailable.
  • If the vuln ID is not found, suggest checking the format and provide examples
  • If no package context can be determined from the repo, run without context flags and note that guidance is generic rather than repo-specific
  • If no fixes, workarounds, or patches are available, state clearly: "No remediation options are currently available for this vulnerability. Consider risk acceptance or component removal."
  • If .vulnetix/memory.yaml cannot be written, warn but do not block

Important Reminders

  1. This skill proposes code changes (manifest edits) but always asks before applying -- same guardrail as /vulnetix:fix
  2. Auto-populate context flags from the repo -- the V2 API returns better results with more context. Always detect ecosystem, package name, current version, and package manager.
  3. Container detection is important -- if a Containerfile/Dockerfile exists, extract the base image for OS-specific distribution patches
  4. Safe Harbour scores: compute from fix confidence tiers, display as 0.00-1.00
  5. Version source transparency is mandatory -- always disclose how the current version was determined
  6. CrowdSec data is live threat intelligence -- if sightings are active, flag prominently
  7. The agent_prompt field in the response contains AI-optimized context -- use it to inform your analysis but do not display it raw to the user
  8. Always update .vulnetix/memory.yaml after generating the plan
  9. If Dependabot already has a PR for this fix, prefer merging that PR over manual edits
  10. The V2 remediation endpoint is the most comprehensive single endpoint -- it aggregates data from registry fixes, source fixes, distribution patches, workarounds, CWE guidance, and KEV data into one response