Vulnetix Remediation Plan Skill
This skill generates a comprehensive, context-aware remediation plan for a specific vulnerability using the VDB V2 remediation API. It auto-detects your repository's ecosystem, package manager, installed versions, container images, and OS to provide targeted fix guidance including registry upgrades, source patches, distribution advisories, workarounds, CWE-specific remediation strategies, and verification commands.
How this differs from /vulnetix:fix: The existing /vulnetix:fix skill fetches V1 fix data and proposes manual manifest edits. This skill uses the V2 remediation plan endpoint which provides context-aware guidance (ecosystem, version, OS, container), CWE remediation strategies, CrowdSec threat intelligence (live exploitation data), workaround effectiveness scoring, SSVC decision support, and verification commands per package manager.
Vulnerability Memory (.vulnetix/memory.yaml)
This skill reads and updates the .vulnetix/memory.yaml file in the repository root. This file is shared with /vulnetix:fix, /vulnetix:exploits, /vulnetix:package-search, /vulnetix:vuln, and /vulnetix:exploits-search.
Schema
The canonical schema is defined in /vulnetix:fix. This skill updates base fields and appends remediation plan events to the history log.
Reading Prior State
At the start of every invocation:
- Use Glob to check if
.vulnetix/memory.yamlexists in the repo root - If it exists, use Read to load it and check for the vuln ID or aliases
- Use Glob for
.vulnetix/scans/*.cdx.json-- cross-reference for component data - If a prior entry exists, display:
Previously seen: <vulnId> -- <developer-friendly status> (as of <date>) Priority: <P1/P2/P3/P4> (<score>) (if cwss data exists) Last decision: <developer-friendly decision> -- "<reason>"
Writing Updated State
After completing the remediation plan (Step 7):
- If no entry exists, create one with
status: under_investigation,discovery.source: user - If an entry exists, update
severity,safe_harbour, andversions.fixed_infrom the remediation plan data. Merge aliases. - Do NOT change
statusordecisionunless the user explicitly makes a decision during the conversation - Append to
history:event: remediation-plan, detail: summary of fix options found (registry fixes, source fixes, workarounds, distribution patches) - Confirm to the user
VEX Status Mapping
not_affected--> "Not affected"affected--> "Vulnerable"fixed--> "Fixed"under_investigation--> "Investigating"
Dependabot Integration
When gh CLI is available (check with gh auth status 2>/dev/null), query Dependabot alerts for the vuln ID to cross-reference with the remediation plan.
- Query alerts matching this vuln ID
- If a Dependabot PR exists, note it in the output:
"Dependabot PR #N proposes this upgrade -- consider reviewing and merging it" - Update the
dependabotsection in the memory entry
Workflow
Step 1: Load Memory and Detect Repository Context
- Load
.vulnetix/memory.yamlas described above - Use Glob to detect manifest files and determine:
- Ecosystem -- npm, pypi, maven, go, cargo, rubygems, packagist
- Package manager -- npm, yarn, pnpm, pip, poetry, uv, cargo, go, maven, gradle, bundler, composer
- If the vuln ID is already in memory with a
packagefield, use that package name - If not, run a quick lookup to get affected products:
Extract affected package names and ecosystems from the response.vulnetix vdb vuln "$ARGUMENTS" -o json - For each affected package found in the repo, detect the installed version using the priority chain: lockfile --> manifest --> installed artifacts --> unknown
Step 2: Auto-Populate Context Flags
Build the CLI flags automatically from repository state:
| Flag | Source | How to detect |
|---|---|---|
--ecosystem | Manifest files | From Step 1 ecosystem detection |
--package-name | VDB response or memory | Affected package name matching repo |
--current-version | Lockfile/manifest | Installed version from Step 1 |
--package-manager | Manifest file type | package-lock.json --> npm, yarn.lock --> yarn, poetry.lock --> pip/poetry, etc. |
--purl | Constructed | If ecosystem + name + version are known, construct pkg:<eco>/<name>@<version> |
--container-image | Containerfile/Dockerfile | Use Glob for Containerfile, Dockerfile, *.dockerfile. If found, Read and extract FROM image reference (e.g., node:18-alpine) |
--os | OS detection | Check for /etc/os-release or infer from container base image |
--vendor | VDB response | From affected products vendor field |
--product | VDB response | From affected products product field |
Always set:
--include-guidance-- includes CWE-specific remediation strategies--include-verification-steps-- includes per-package-manager verification commands
If no package context can be determined (no manifests, no memory), run the command without package-specific flags -- the API will still return general remediation guidance.
Step 3: Execute Remediation Plan Query
vulnetix vdb remediation plan "$ARGUMENTS" -V v2 --include-guidance --include-verification-steps -o json [context flags]
CLI Reference (from vulnetix vdb remediation plan docs):
| Flag | Type | Description |
|---|---|---|
--ecosystem | string | Package ecosystem (npm, pypi, maven, go, cargo, etc.) |
--package-name | string | Package name |
--current-version | string | Currently installed version (enables version-specific guidance) |
--package-manager | string | Package manager (npm, pip, cargo, maven, etc.) |
--purl | string | Package URL (overrides ecosystem + package-name) |
--container-image | string | Container image reference (e.g., node:18-alpine) |
--os | string | OS identifier (e.g., ubuntu:22.04, debian-11) |
--vendor | string | Vendor name for CPE matching |
--product | string | Product name for CPE matching |
--registry | string | Registry filter (npm, pypi, maven-central) |
--include-guidance | bool | Include CWE-specific markdown guidance |
--include-verification-steps | bool | Include verification commands per package manager |
-V | string | API version -- must be v2 |
-o, --output | string | Output format: json or pretty |
Examples:
# Basic remediation plan
vulnetix vdb remediation plan CVE-2021-44228 -V v2 --include-guidance --include-verification-steps -o json
# With full package context
vulnetix vdb remediation plan CVE-2021-44228 -V v2 \
--ecosystem maven --package-name log4j-core --current-version 2.14.1 \
--package-manager maven --include-guidance --include-verification-steps -o json
# Using PURL
vulnetix vdb remediation plan CVE-2021-44228 -V v2 \
--purl "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1" \
--include-guidance --include-verification-steps -o json
# With container context
vulnetix vdb remediation plan CVE-2024-XXXXX -V v2 \
--ecosystem npm --package-name express --current-version 4.17.1 \
--container-image "node:18-alpine" --include-guidance --include-verification-steps -o json
Response structure (from V2 OAS):
The response includes:
cveId,state,title,aliases,descriptiondescriptions[]-- multi-source descriptions with language and source attributioncrowdSecSummary-- live threat intelligence:totalSightings,uniqueIPs,isActivefirstSeen,lastSeentopSourceCountries,topTargetCountriesmitreTechniques,behaviors
cvssDetails-- parsed CVSS vector components (attackVector, attackComplexity, privilegesRequired, userInteraction, scope, impact metrics)agent_prompt-- AI-optimized remediation context string- Reg