From shipyard
Finds and fixes CVEs in Submariner Go repositories by scanning with grype, applying deterministic fixes, running tests, and printing a PR command.
How this skill is triggered: Slash command
/shipyard:cve-fix [branch] [repo]
This skill is limited to the following tools:
Summary shown in Claude's skill listing (used to decide when to auto-load this skill):
Run the command below exactly as written. Do not read, debug, or modify the CVE scripts. If a bare repo name like subctl is passed, convert it to ../subctl before running.
```bash
#!/bin/bash
set -euo pipefail

# Find scripts directory (in shipyard repo)
CVE_SCRIPTS="$(pwd)/scripts/cve"
if [[ ! -d "$CVE_SCRIPTS" ]]; then
  CVE_SCRIPTS="$HOME/go/src/submariner-io/shipyard/scripts/cve"
fi
if [[ ! -d "$CVE_SCRIPTS" ]]; then
  echo "ERROR: Cannot find scripts/cve/ directory"
  echo "Expected in current directory or ~/go/src/submariner-io/shipyard/"
  exit 1
fi

# $ARGUMENTS is the slash-command arguments placeholder that Claude Code substitutes
# before the script runs; it is left unquoted so each argument reaches fix-all.sh separately.
exec bash "$CVE_SCRIPTS/fix-all.sh" $ARGUMENTS
```
fix-all.sh does everything: detect config, create fix branch, scan for CVEs, fix each deterministically, run tests, agent-review all results, and print the PR command.
Exit code 0: All CVEs addressed. Review commits and run the printed PR command.
Exit code 2: Some CVEs unresolved after review.
Exit code 1: Error.
For multiple repos, spawn one agent per repo. Each agent should run
bash ~/go/src/submariner-io/shipyard/scripts/cve/fix-all.sh REPO BRANCH
via the Bash tool (not the Skill tool, which times out in subagents).
Report per repo: CVEs found, fixed, ignored, and PR command. On errors
or timeout, clean up orphaned processes with
bash ~/go/src/submariner-io/shipyard/scripts/cve/clean.sh before reporting.
Never modify the CVE fix scripts themselves.
/cve-fix - current repo, current branch
/cve-fix 0.23 - current repo, specified branch (short form)
/cve-fix ../submariner-operator - specified repo, current branch
/cve-fix release-0.23 ../submariner-operator - both specified (order doesn't matter)

Arguments are order-independent. Short versions like 0.23 auto-expand to release-0.23. Repos must be paths. If a bare name like subctl is passed, resolve it to ../subctl (from any submariner repo) or ~/go/src/submariner-io/subctl.

From the command line (without Claude):

make cve-fix # current repo, current branch
make cve-fix BRANCH=release-0.23 # current repo, specified branch
make cve-fix REPO=../submariner-operator BRANCH=release-0.23 # specified repo and branch
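The argument rules and the per-repo driver loop described above, as an added example that is not part of the shipyard scripts: fix-all.sh's real argument parsing is not shown on this page, and the function names, the status words and the use of `timeout` are assumptions made here. Script paths are parameters so the driver can be exercised without a shipyard checkout.

```bash
#!/bin/bash
# Added example (hypothetical helpers, not shipyard's own code).

# Sets CVE_REPO / CVE_BRANCH from order-independent arguments; an empty value
# means "current repo" / "current branch", which fix-all.sh then detects itself.
resolve_cve_fix_args() {
    CVE_REPO="" CVE_BRANCH=""
    local arg
    for arg in "$@"; do
        case "$arg" in
            release-*)        CVE_BRANCH="$arg" ;;            # full branch name
            [0-9]*.[0-9]*)    CVE_BRANCH="release-$arg" ;;    # 0.23 -> release-0.23
            */*|.*)           CVE_REPO="$arg" ;;              # already a path
            *)  # bare repo name: sibling checkout first, then the GOPATH-style location
                if [ -d "../$arg" ]; then CVE_REPO="../$arg"
                else CVE_REPO="$HOME/go/src/submariner-io/$arg"; fi ;;
        esac
    done
}

# Maps a fix-all.sh exit code to a report status (124 is what `timeout` returns).
fix_status() {
    case "$1" in
        0)   echo fixed ;;
        2)   echo unresolved ;;
        124) echo timeout ;;
        *)   echo error ;;
    esac
}

# Usage: run_cve_fix SCRIPTS_DIR SECONDS REPO...  -> prints "repo status" per repo.
# After an error or timeout, clean.sh is run to remove orphaned processes before reporting.
run_cve_fix() {
    local scripts="$1" limit="$2" repo rc status
    shift 2
    for repo in "$@"; do
        rc=0
        timeout "$limit" bash "$scripts/fix-all.sh" "$repo" ${CVE_BRANCH:+"$CVE_BRANCH"} || rc=$?
        status="$(fix_status "$rc")"
        case "$status" in
            error|timeout) bash "$scripts/clean.sh" >/dev/null 2>&1 || true ;;
        esac
        echo "$repo $status"
    done
}
```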
| Issue | Solution |
|---|---|
| CVE persists after fix | Verify FIXED-IN version; check for replace directives |
| New CVE appears after fix | Dependency downgrade introduced it; fix immediately |
| Tests fail | Try different version; check CI logs |
| Container "no route to host" | Run sudo systemctl restart docker or sudo systemctl restart podman |
| Stdlib CVEs | Fixed via go directive update. Check Shipyard Go version if CI fails |
| Git fetch fails | Run git fetch manually before starting |
Install: npx claudepluginhub submariner-io/shipyard --plugin shipyard