ai-security-engineer/feed.yaml at main · gitpod-io/ai-security-engineer · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
name: "[SecurityEngineer] Fetch Vulnerability Feeds"
description: Monitors public CVE feeds for vulnerabilities affecting our tech stack (Go, TypeScript, JavaScript, Kotlin, Java, Ubuntu, Debian, AWS, GCP) and creates Linear issues for awareness

triggers:
  - manual: {}
    context:
      projects: {}

action:
  limits:
    maxParallel: 1
    maxTotal: 10
  steps:
    - task:
        command: |
          set -e

          # Install security scanners to check coverage
          mkdir -p "$HOME/.local/bin"
          export PATH="$HOME/.local/bin:$PATH"

          echo "Installing Trivy..."
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b "$HOME/.local/bin"

          echo "Installing OSV-Scanner..."
          curl -sfL https://github.com/google/osv-scanner/releases/latest/download/osv-scanner_linux_amd64 -o "$HOME/.local/bin/osv-scanner"
          chmod +x "$HOME/.local/bin/osv-scanner"

          # Download fresh vulnerability databases
          echo "Updating Trivy database..."
          trivy image --download-db-only

          echo "Scanners installed and databases updated"

    - task:
        command: |
          set -e

          # Calculate date ranges
          # - 48 hours for scanner-covered sources (NVD, OSV, GitHub)
          # - 2 weeks for non-scanner sources (CISA KEV, AWS, GCP)
          END_DATE=$(date -u +%Y-%m-%dT%H:%M:%S.000)
          START_DATE_48H=$(date -u -d "2 days ago" +%Y-%m-%dT%H:%M:%S.000)
          START_DATE_2W=$(date -u -d "2 weeks ago" +%Y-%m-%dT%H:%M:%S.000)

          echo "Fetching scanner-covered sources: $START_DATE_48H to $END_DATE"
          echo "Fetching non-scanner sources: $START_DATE_2W to $END_DATE"

          # Fetch from NVD API (National Vulnerability Database) - last 48 hours
          # NVD API docs: https://nvd.nist.gov/developers/vulnerabilities
          curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?pubStartDate=${START_DATE_48H}&pubEndDate=${END_DATE}&resultsPerPage=2000" \
            -H "Accept: application/json" \
            -o /tmp/nvd-cves.json

          # Fetch from OSV (Open Source Vulnerabilities) - last 48 hours
          # Query for each ecosystem we care about
          for ecosystem in "Go" "npm" "Maven" "PyPI"; do
            echo "Fetching OSV data for $ecosystem..."
            curl -s "https://api.osv.dev/v1/query" \
              -X POST \
              -H "Content-Type: application/json" \
              -d "{\"package\": {\"ecosystem\": \"$ecosystem\"}}" \
              -o "/tmp/osv-${ecosystem}.json" || true
          done

          # Fetch GitHub Security Advisories - last 48 hours (filtered by agent)
          curl -s "https://api.github.com/advisories?per_page=100&sort=published&direction=desc" \
            -H "Accept: application/vnd.github+json" \
            -o /tmp/github-advisories.json || true

          # Fetch CISA Known Exploited Vulnerabilities (KEV) catalog - last 2 weeks
          # These are actively exploited in the wild - highest priority, not in scanners
          echo "Fetching CISA KEV catalog..."
          curl -s "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" \
            -o /tmp/cisa-kev.json || true

          # Fetch AWS Security Bulletins RSS - last 2 weeks (not in scanners)
          echo "Fetching AWS Security Bulletins..."
          curl -s "https://aws.amazon.com/security/security-bulletins/feed/" \
            -o /tmp/aws-security.xml || true

          # Fetch GCP Security Bulletins - last 2 weeks (not in scanners)
          echo "Fetching GCP Security Bulletins..."
          curl -s "https://cloud.google.com/feeds/google-cloud-security-bulletins.xml" \
            -o /tmp/gcp-security.xml || true

          echo "CVE data fetched successfully"
          echo "NVD results: $(cat /tmp/nvd-cves.json | head -c 500)"

    - agent:
        prompt: |
          Create Linear issues for new vulnerabilities NOT yet covered by scanners.

          FEEDS (already fetched):
          - /tmp/nvd-cves.json, /tmp/osv-*.json, /tmp/github-advisories.json
          - /tmp/cisa-kev.json (actively exploited - always include)
          - /tmp/aws-security.xml, /tmp/gcp-security.xml

          FILTER TO:
          - Stack: Go, TypeScript, JavaScript, Kotlin, Java, Ubuntu, Debian, AWS, GCP
          - Severity: HIGH/CRITICAL (CVSS >= 7.0) or CISA KEV
          - Time ranges based on scanner coverage:
            - Scanner-covered sources (NVD, OSV, GitHub): last 48 hours only
            - Non-scanner sources (CISA KEV, AWS, GCP bulletins): last 2 weeks

          FOR EACH VULNERABILITY:
          1. Check if it affects our stack (Go, TS, JS, Kotlin, Java, Ubuntu, Debian, AWS, GCP)
             - If not applicable to our stack, SKIP
          2. Check if scanners already cover it:
             - Query OSV API: curl -s "https://api.osv.dev/v1/vulns/<ID>"
             - Check Trivy DB: trivy image --list-all-pkgs 2>&1 | grep -i "<ID>"
             - If scanner already has this vulnerability, SKIP (no issue needed)
          3. Search Linear team "Ona AI Security Engineer" for existing issue with advisory ID
          4. If affects our stack AND not covered by scanners AND not in Linear, create issue with:
             - Title: "[Advisory] <ID>: Brief description" (ID = CVE, GHSA, USN, DSA, GO-, or vendor ID)
             - Labels: ["advisory"]

          ISSUE DESCRIPTION FORMAT:
          ```
          > **This is a vulnerability ADVISORY, not a finding. Review to determine if your codebase is affected.**

          ## Why This Was Flagged
          - [Reason: e.g., "CVSS 9.8 CRITICAL", "CISA KEV (actively exploited)", "Affects Go ecosystem"]
          - **Not yet in Trivy/OSV-Scanner databases** (early warning)

          ## Vulnerability Summary
          - **Advisory ID:** CVE-XXXX-XXXXX / GHSA-XXXX / USN-XXXX / GO-XXXX-XXXX (use available ID)
          - **Published:** YYYY-MM-DD
          - **CVSS Score:** X.X (CRITICAL/HIGH/MEDIUM) or "Not scored"
          - **CISA KEV:** Yes/No
          - **Source:** NVD / GitHub / OSV / CISA KEV / AWS / GCP

          ## Affected Components
          - **Ecosystem:** Go / npm / Maven / OS / Cloud
          - **Package(s):** package-name
          - **Vulnerable Versions:** < X.Y.Z
          - **Fixed Version:** X.Y.Z (if available)

          ## Technical Details
          [Description of the vulnerability and potential impact]

          ## Detection Guidance
          1. Search for imports/dependencies on: `package-name`
          2. Check version in: go.mod / package.json / pom.xml / build.gradle
          3. Vulnerable if version matches: < X.Y.Z

          ## Remediation
          - Upgrade to version X.Y.Z or later
          - Workaround: [if available]

          ## References
          - [Link to source advisory]
          ```

          Report: total vulnerabilities found, skipped (scanner covered), and advisories created.

    - agent:
        prompt: |
          Close advisory issues that are old or now detectable by scanners.

          1. List issues in Linear team "Ona AI Security Engineer" with label "advisory"

          2. For each advisory, check if it should be closed:
             a. **Scanner coverage:** Query OSV API or Trivy DB for the advisory ID
                - If now in scanner databases, close with comment:
                  "Auto-closing: now detectable by Trivy/OSV-Scanner. Future occurrences will be caught by repository scans."
             b. **Age:** If created more than 7 days ago, close with comment:
                  "Auto-closing: advisory is over 7 days old. Reopen if still relevant."

          3. Report count of closed advisories

    - report:
        outputs:
          - key: total_fetched
            title: Total Vulnerabilities Fetched
            string: {}
            prompt: |
              Count the total number of vulnerabilities retrieved from all feeds before filtering.
              Return ONLY the integer count, nothing else.
          - key: relevant_count
            title: Relevant (matching tech stack)
            string: {}
            prompt: |
              Count the number of vulnerabilities that matched our target tech stack filter.
              Return ONLY the integer count, nothing else.
          - key: skipped_scanner_covered
            title: Skipped (already in scanners)
            string: {}
            prompt: |
              Count how many vulnerabilities were skipped because Trivy/OSV already cover them.
              Return ONLY the integer count, nothing else.
          - key: advisories_created
            title: Advisories Created
            string: {}
            prompt: |
              Count how many new Linear advisory issues were created.
              Return ONLY the integer count, nothing else.
          - key: advisories_closed
            title: Advisories Closed
            string: {}
            prompt: |
              Count how many advisory issues were closed (due to age or scanner coverage).
              Return ONLY the integer count, nothing else.