Skip to content

feat: auto-fix vulnerable app dependencies on PR branch#1313

Draft
mananjain99 wants to merge 4 commits intomainfrom
feat/auto-fix-vulnerabilities
Draft

feat: auto-fix vulnerable app dependencies on PR branch#1313
mananjain99 wants to merge 4 commits intomainfrom
feat/auto-fix-vulnerabilities

Conversation

@mananjain99
Copy link
Copy Markdown
Collaborator

@mananjain99 mananjain99 commented Apr 14, 2026

What

Adds auto-remediation for app-specific vulnerabilities. When the security gate finds a CVE with a fix available in a Python dependency, it automatically updates the package on the PR branch.

How it works

Scan finds CVE in authlib@1.6.6 (fix: 1.6.9)
  → source_type == "app" && fix available? → yes
  → uv lock --upgrade-package authlib
  → Commits uv.lock to the PR branch
  → All checks re-run automatically
  → Tests pass → dev merges
  → Tests fail → dev reviews the breaking change

What it does NOT fix

  • Base image CVEs (SDK team's responsibility)
  • CVEs with no fix available
  • Non-Python dependencies (Go, Rust binaries in base image)

These are skipped and still reported as blockers requiring allowlist or manual fix.

New input

uses: atlanhq/application-sdk/.github/workflows/build-and-scan.yaml@main
with:
  auto_fix: true   # enable auto-remediation

Default is false — repos opt in explicitly.

Safety

  • Only updates the specific vulnerable package, not the entire lockfile
  • Commit triggers full re-run of all checks including tests
  • Nothing merges without green tests
  • Fix summary posted as PR comment

@snykgituser
Copy link
Copy Markdown

snykgituser commented Apr 14, 2026
edited
Loading

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues
Code Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@Aryamanz29
Copy link
Copy Markdown
Member

Aryamanz29 commented Apr 22, 2026

v3 relevance check: ✅ Still relevant — auto-fix vulnerable deps on PR branch is a CI improvement. Please rebase on latest main.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@atlan-ci atlan-ci Awaiting requested review from atlan-ci atlan-ci will be requested when the pull request is marked ready for review atlan-ci is a code owner

@cmgrote cmgrote Awaiting requested review from cmgrote cmgrote will be requested when the pull request is marked ready for review cmgrote is a code owner

@OnkarVO7 OnkarVO7 Awaiting requested review from OnkarVO7 OnkarVO7 will be requested when the pull request is marked ready for review OnkarVO7 is a code owner

@louisnow louisnow Awaiting requested review from louisnow louisnow will be requested when the pull request is marked ready for review louisnow is a code owner

@Aryamanz29 Aryamanz29 Awaiting requested review from Aryamanz29 Aryamanz29 will be requested when the pull request is marked ready for review Aryamanz29 is a code owner

@vaibhavatlan vaibhavatlan Awaiting requested review from vaibhavatlan vaibhavatlan will be requested when the pull request is marked ready for review vaibhavatlan is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mananjain99 @snykgituser @Aryamanz29