Does this skill require the GitHub CLI?

Yes, this skill utilizes the 'gh' CLI to fetch alerts directly from the GitHub API and to verify CI/CD status.

Can I use this for bulk remediation?

Absolutely. The skill includes logic to group alerts by rule ID and severity, allowing Claude to apply batch fixes for recurring issues across the entire repository.

What types of alerts can this skill handle?

It is designed to address a variety of CodeQL alerts, specifically focusing on stack trace exposure, SQL injection vulnerabilities, empty exception blocks, and unused local variables in Python and JavaScript/TypeScript.

Does it support structured logging?

Yes, it specifically promotes the use of structured logging (like structlog) to replace dangerous practices such as returning raw exception strings to users.

How does it ensure that security fixes don't break the build?

The workflow includes mandatory local verification steps, such as running 'pnpm build --force', 'pytest', and 'ruff check', to ensure all changes pass existing quality gates before committing.

GitHub Security Fixer

Name: GitHub Security Fixer
Author: bigandslow

bybigandslow

Seguridad y Pruebas

Automates the identification, analysis, and remediation of GitHub CodeQL security alerts to maintain high code quality and security standards.

Acerca de

The GitHub Security Fixer skill enables Claude to systematically manage and resolve security vulnerabilities identified by GitHub's CodeQL analysis. It automates the end-to-end remediation workflow—from fetching open alerts via the GitHub API and grouping them by severity, to applying production-ready fixes for common issues like stack trace exposure, SQL injection patterns, and unused variables. By integrating automated linting with Ruff, structured logging with structlog, and rigorous local testing, this skill ensures that security patches are not only effective but also compliant with CI/CD requirements and documentation best practices.

Características Principales

Standardized remediation patterns for Python, TypeScript, and JavaScript vulnerabilities
Pre-commit verification workflows to ensure CI/CD pipeline success
Automated GitHub CodeQL alert fetching and severity-based grouping
Integration with Ruff and Mypy for automated linting and type-checking
Structured logging implementation to prevent sensitive stack trace exposure
0 GitHub stars

Casos de Uso

Rapidly resolving a backlog of security alerts during maintenance cycles
Applying standardized error handling and logging across large monorepos
Automating security debt reduction before major production releases

Acerca de

Características Principales

Standardized remediation patterns for Python, TypeScript, and JavaScript vulnerabilities
Pre-commit verification workflows to ensure CI/CD pipeline success
Automated GitHub CodeQL alert fetching and severity-based grouping
Integration with Ruff and Mypy for automated linting and type-checking
Structured logging implementation to prevent sensitive stack trace exposure
0 GitHub stars

Casos de Uso

Rapidly resolving a backlog of security alerts during maintenance cycles
Applying standardized error handling and logging across large monorepos
Automating security debt reduction before major production releases