Snyk Vulnerability Scanner

v1.0.0

Automates Snyk security vulnerability scanning, GitHub issue reporting, and auto-fix PR creation for repositories. Use when scanning repositories for securit...

Security Scan: VirusTotal: Benign. OpenClaw: Benign (high confidence).
Purpose & Capability
Name/description match the included scripts: scanning with Snyk, creating issues via gh, and creating PRs after applying fixes. The files and runtime requirements are proportional and expected for this functionality.
Instruction Scope
SKILL.md and the scripts limit actions to cloning the target repo, running snyk, creating GitHub issues, and creating/pushing a fix branch/PR. The scripts reference only expected CLIs (git, snyk, gh, jq, python3) and temporary paths; they do not read unrelated system files or post data to unknown endpoints.
Install Mechanism
No install spec is provided (instruction-only install), and the code files are standard scripts. Nothing is downloaded from arbitrary URLs or written into unusual system locations.
Credentials
The skill does not declare environment variables but requires local CLI authentication for Snyk and GitHub and expects git credentials / repo write access. This is coherent with the purpose, but users must supply and manage credentials (gh auth, snyk auth, or git remote credentials) outside the skill; ensure those credentials have appropriate scopes.
Persistence & Privilege
The skill does not request always: true and does not modify other skills or system-wide agent settings. It will create branches/PRs and push to origin (requires repository write access), which is expected behavior for auto-fix functionality.
Assessment
This skill appears to do exactly what it claims: run Snyk scans, create GitHub issues, and open auto-fix PRs. Before using it: (1) ensure you have the Snyk CLI and GitHub CLI installed and authenticated locally (gh auth, snyk auth); (2) run with dry-run first to inspect what changes would be made; (3) note the scripts clone and push branches—only use with repos you trust and where the auth tokens have minimal necessary scope (repo write only); (4) review the included scripts for any policy you want to enforce (commit author/email, branch names, labels); and (5) if you plan to schedule automated runs, restrict which repo URLs the cron job uses and monitor generated PRs/issues.

101 downloads · 0 stars · 1 version · Updated 3w ago · v1.0.0 · MIT-0

Snyk Vulnerability Scanner

Automated security vulnerability scanning and fixing for GitHub repositories using Snyk.

What It Does

  1. Scans repositories for security vulnerabilities using Snyk
  2. Reports findings as GitHub issues (grouped by package)
  3. Auto-fixes vulnerabilities by applying Snyk patches and creating PRs

Prerequisites

Before using this skill, ensure:

  1. Snyk CLI is installed: npm install -g snyk and authenticated: snyk auth
  2. GitHub CLI is installed: brew install gh and authenticated: gh auth login
  3. jq is installed: brew install jq (for JSON processing)
  4. You have write access to the target repository

Workflow

Scan Repository → Create GitHub Issues → Auto-Fix → Create PR

Severity Levels

  • critical - Critical vulnerabilities only
  • high - High and critical vulnerabilities (default)
  • medium - Medium, high, and critical
  • low - All severities

Usage

Full Automated Workflow

Run complete scan → report → fix workflow:

./scripts/run-full-workflow.sh <repo-url> [base-branch] [severity] [skip-issues] [skip-fix] [dry-run]

Parameters:

  • repo-url - Full GitHub URL (required)
  • base-branch - Target branch for PRs (default: dev)
  • severity - Comma-separated levels (default: high,critical)
  • skip-issues - true to skip GitHub issue creation (default: false)
  • skip-fix - true to skip auto-fix (default: false)
  • dry-run - true to simulate without making changes (default: false)

Examples:

# Full workflow with defaults
./scripts/run-full-workflow.sh https://github.com/owner/repo

# Scan only, skip fixes
./scripts/run-full-workflow.sh https://github.com/owner/repo dev high false true false

# Dry run - everything but no changes
./scripts/run-full-workflow.sh https://github.com/owner/repo dev high,critical false false true

# Fix only (skip issues), target main branch
./scripts/run-full-workflow.sh https://github.com/owner/repo main high true false false

Step-by-Step Usage

1. Scan Only

./scripts/snyk-scan.sh <repo-url> [output-file] [severity-filter]

Generates a JSON file with vulnerability details.

Example:

./scripts/snyk-scan.sh https://github.com/owner/repo results.json high,critical

2. Create GitHub Issues

python3 scripts/create-github-issues.py <results.json> <repo-url>

Creates one GitHub issue per vulnerable package, grouping all CVEs for that package.

3. Auto-Fix and Create PR

./scripts/snyk-auto-fix.sh <repo-url> [base-branch] [dry-run]

Applies Snyk fixes and creates a PR to the specified branch.

Example:

./scripts/snyk-auto-fix.sh https://github.com/owner/repo dev false

Supported Package Managers

  • npm/yarn (package.json)
  • Python (requirements.txt, Pipfile, pyproject.toml)
  • Gradle (build.gradle)
  • Maven (pom.xml)

GitHub Issues

Issues are created with:

  • Labels: security, vulnerability, snyk
  • Package name in title with severity level
  • Detailed body with all CVEs for that package
  • Link to Snyk for more info
  • Auto-fix availability indicator

Duplicate prevention: Issues won't be created if a similar issue already exists for the same package.
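As an added example (not the skill's own create-github-issues.py), the issue-grouping step described above in Python: filter a Snyk JSON result by the skill's cumulative severity levels, group findings per package, build the issue title/body/labels, and skip packages that already have an issue. The Snyk field names (packageName, severity, identifiers.CVE, isUpgradable, url) are assumed from the Snyk CLI's JSON output, the scan data is constructed, and the title format and duplicate test are assumptions.

```python
from collections import defaultdict

# Least to most severe; a requested level includes every level above it
SEVERITY_ORDER = ["low", "medium", "high", "critical"]
ISSUE_LABELS = "security,vulnerability,snyk"
# Constructed sample shaped like `snyk test --json` output (field names assumed from the Snyk CLI, not this skill's scripts)
SAMPLE_SCAN = {"vulnerabilities": [
    {"packageName": "lodash", "version": "4.17.15", "severity": "high", "title": "Prototype Pollution",
     "isUpgradable": True, "identifiers": {"CVE": ["CVE-0000-00001"]}, "url": "https://example.invalid/1"},
    {"packageName": "lodash", "version": "4.17.15", "severity": "critical", "title": "Command Injection",
     "isUpgradable": True, "identifiers": {"CVE": ["CVE-0000-00002"]}, "url": "https://example.invalid/2"},
    {"packageName": "minimist", "version": "1.2.0", "severity": "medium", "title": "Prototype Pollution",
     "isUpgradable": False, "identifiers": {"CVE": []}, "url": "https://example.invalid/3"},
]}

def severity_filter(spec):
    """Expand 'high,critical' or 'medium' into the accepted severity set."""
    wanted = set()
    for level in spec.lower().split(","):
        level = level.strip()
        if level not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity: {level}")
        wanted.update(SEVERITY_ORDER[SEVERITY_ORDER.index(level):])
    return wanted

def group_by_package(scan, spec="high,critical"):
    """One group per vulnerable package, keeping only accepted severities."""
    wanted = severity_filter(spec)
    groups = defaultdict(list)
    for v in scan.get("vulnerabilities", []):
        if v["severity"] in wanted:
            groups[v["packageName"]].append(v)
    return dict(groups)

def build_issue(package, vulns):
    """Title carries package and worst severity; body lists every finding (assumed format)."""
    worst = max((v["severity"] for v in vulns), key=SEVERITY_ORDER.index)
    lines = [f"Snyk findings for {package}", ""]
    for v in vulns:
        cves = ", ".join(v["identifiers"].get("CVE", [])) or "no CVE assigned"
        lines.append(f"- {v['title']} ({v['severity']}, {v['version']}; {cves}) {v['url']}")
    fixable = any(v.get("isUpgradable") or v.get("isPatchable") for v in vulns)
    lines += ["", f"Auto-fix available: {'yes' if fixable else 'no'}"]
    return {"title": f"[{worst.upper()}] {package}: {len(vulns)} vulnerability(ies)",
            "body": "\n".join(lines), "labels": ISSUE_LABELS}

def is_duplicate(package, existing_titles):
    """Duplicate prevention: skip when an existing issue title already names the package."""
    return any(f" {package}:" in t for t in existing_titles)
```

In the real flow, existing_titles would come from `gh issue list` and each non-duplicate issue would be passed to `gh issue create` with `--title`, `--body` and `--label`.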

Pull Requests

PRs include:

  • Branch name: snyk-fix-<timestamp>
  • Body with fix summary, changed files, and remaining vulnerabilities
  • Labels: security, dependencies, snyk
  • Target: dev branch (configurable)

Cron/Automated Runs

For periodic scans, use the skill via cron:

# Add to cron for daily scans at 9am
0 9 * * * cd ~/.openclaw/workspace/skills/snyk-vulnerability-scanner && ./scripts/run-full-workflow.sh https://github.com/owner/repo

Or via OpenClaw cron for direct integration:

{
  "name": "snyk-daily-scan",
  "schedule": { "kind": "cron", "expr": "0 9 * * *" },
  "payload": {
    "kind": "agentTurn",
    "message": "Run Snyk vulnerability scan on https://github.com/owner/repo and create fixes for dev branch"
  }
}

Scripts Reference

  • run-full-workflow.sh - Main entry point - runs complete workflow
  • snyk-scan.sh - Scans repo, outputs JSON results
  • create-github-issues.py - Creates GitHub issues from scan results
  • snyk-auto-fix.sh - Applies fixes and creates PRs

Troubleshooting

"Snyk not authenticated" → Run: snyk auth

"GitHub CLI not authenticated" → Run: gh auth login

"No vulnerabilities found" → Check Snyk dashboard for your project; may need to import repo first

"Permission denied" on scripts → Run: chmod +x scripts/*.sh

Auto-fix not working → Some vulnerabilities can't be auto-fixed; check Snyk dashboard for remediation advice

Dry run shows changes but real run doesn't → Check that Snyk has fixable suggestions for the vulnerabilities; some require manual updates
