
feat: auto-fix vulnerable app dependencies on PR branch#1313

Draft
mananjain99 wants to merge 4 commits into main from feat/auto-fix-vulnerabilities

Conversation

@mananjain99
Collaborator

What

Adds auto-remediation for app-specific vulnerabilities. When the security gate finds a CVE with a fix available in a Python dependency, it automatically updates the package on the PR branch.

How it works

Scan finds CVE in authlib@1.6.6 (fix: 1.6.9)
  → source_type == "app" && fix available? → yes
  → uv lock --upgrade-package authlib
  → Commits uv.lock to the PR branch
  → All checks re-run automatically
  → Tests pass → dev merges
  → Tests fail → dev reviews the breaking change

What it does NOT fix

  • Base image CVEs (SDK team's responsibility)
  • CVEs with no fix available
  • Non-Python dependencies (Go, Rust binaries in base image)

These are skipped and still reported as blockers requiring allowlist or manual fix.

New input

uses: atlanhq/application-sdk/.github/workflows/build-and-scan.yaml@main
with:
  auto_fix: true   # enable auto-remediation

Default is false — repos opt in explicitly.

Safety

  • Only updates the specific vulnerable package, not the entire lockfile
  • Commit triggers full re-run of all checks including tests
  • Nothing merges without green tests
  • Fix summary posted as PR comment

@snykgituser

snykgituser commented Apr 14, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
|---|---|---|---|---|---|---|
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |
| | Licenses | 0 | 0 | 0 | 0 | 0 issues |
| | Code Security | 0 | 0 | 0 | 0 | 0 issues |


@Aryamanz29
Member

v3 relevance check: ✅ Still relevant — auto-fix vulnerable deps on PR branch is a CI improvement. Please rebase on latest main.
