dependabot-security

Skill from bitsoex/bitso-java
What it does

Automates resolution of Dependabot security vulnerabilities in Java/Gradle projects using severity-based processing and dependency verification.

Installation

Install skill:

```bash
npx skills add https://github.com/bitsoex/bitso-java --skill dependabot-security
```

Added Jan 27, 2026

Skill Details

SKILL.md

Overview

# Dependabot Security

Fix Dependabot security vulnerabilities in Java/Gradle projects with proper verification.

When to use this skill

  • Resolving Dependabot security alerts
  • Fixing CVE vulnerabilities in dependencies
  • Verifying dependency graph for CI compliance
  • Choosing the right fix strategy for transitive dependencies
  • Understanding why dependency-review CI check fails

Skill Contents

Sections

  • [When to use this skill](#when-to-use-this-skill)
  • [Quick Start](#quick-start)
  • [Key Concepts](#key-concepts)
  • [References](#references)
  • [Related Rules](#related-rules)
  • [Related Skills](#related-skills)

Available Resources

📚 references/ - Detailed documentation

  • [dependency graph](references/dependency-graph.md)
  • [fix strategies](references/fix-strategies.md)
  • [severity processing](references/severity-processing.md)
  • [troubleshooting](references/troubleshooting.md)

---

Quick Start

1. Create Jira ticket first

See global/rules/jira-ticket-workflow.md for ticket creation.

2. Get alerts by severity

```bash
# Repository slug of the current checkout, e.g. bitsoex/bitso-java
REPO=$(gh repo view --json nameWithOwner -q '.nameWithOwner')

# List every open alert with the fields needed to pick a fix:
# severity drives the processing order, patched_version is the minimum
# version the fix must reach. --paginate walks all result pages.
# A null patched_version means no fixed release exists yet; those alerts
# need one of the later strategies in references/fix-strategies.md.
gh api --paginate "repos/$REPO/dependabot/alerts" --jq '.[] | select(.state == "open") | {
  number,
  severity: .security_advisory.severity,
  package: .dependency.package.name,
  patched_version: .security_vulnerability.first_patched_version.identifier,
  cve: .security_advisory.cve_id
}'
```

3. Fix by severity (CRITICAL first, then HIGH, MEDIUM, LOW)

See [references/fix-strategies.md](references/fix-strategies.md) for strategy hierarchy.

4. Verify with dependency graph

```bash
# Resolve every configuration the way CI does and write the snapshot that the
# dependency-review check consumes. Dependency verification is switched off
# only for this report run; keep it enabled for builds that produce artifacts.
./gradlew -I gradle/dependency-graph-init.gradle \
  --dependency-verification=off \
  :ForceDependencyResolutionPlugin_resolveAllDependencies

# Check that ONLY patched versions appear: every line listed for the package
# must be at or above the patched_version reported by the alert.
grep -i "package-name" build/reports/dependency-graph-snapshots/dependency-list.txt
```

5. Commit and create PR

```bash
git commit -m "🤖 🛡️ fix(security): [JIRA-KEY] resolve CRITICAL vulnerabilities"
```

Key Concepts

Severity-Based Processing

Process ONE severity level at a time, creating separate PRs for each:

| Priority | Severity | When to Process |
|----------|----------|-----------------|
| 1 | CRITICAL | Always first |
| 2 | HIGH | After no CRITICAL alerts remain open |
| 3 | MEDIUM | After no HIGH alerts remain open |
| 4 | LOW | After no MEDIUM alerts remain open |

Dependency Graph vs Runtime Resolution

The dependency graph plugin reports ALL versions of a package that appear in the resolved configurations to GitHub, not just the single version the runtime classpath ends up with.

Force rules alone therefore won't fix dependency-review failures: the forced version wins at runtime, but the vulnerable version is still present in the submitted graph. Use dependency substitution, which rewrites the request itself, so the old version disappears from the graph entirely.

Fix Strategy Hierarchy

  1. BOM Update - Update Spring Boot, gRPC, Protobuf BOM versions
  2. Version Catalog - Update direct dependencies in libs.versions.toml
  3. Dependency Substitution - Replace transitive dependencies
  4. Constraints - Set minimum version floors
  5. Force Rules - Quick fix (combine with substitution)
  6. Exclude + Add - Last resort
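The six strategies above as they look in a `build.gradle.kts`, shown here as an added example rather than code from the bitso-java repository. The coordinates `com.example:parser-lib` and `com.example:service-client`, their versions, the Spring Boot BOM version and the `libs.parser.lib` catalog alias are assumed placeholders, not real alerts or real fixes. In a real fix you keep only the highest strategy that applies and delete the rest; all six appear side by side here purely to contrast them.

```kotlin
// build.gradle.kts (added example, not from bitsoex/bitso-java).
// Assumed scenario: a Dependabot alert on the transitive dependency
// com.example:parser-lib names 1.4.2 as the first patched version; the
// vulnerable 1.3.x line is pulled in by com.example:service-client.

plugins {
    `java-library`
}

repositories {
    mavenCentral()
}

dependencies {
    // 1. BOM update: preferred when the platform already pins a patched
    //    version of the alerted package (BOM version is an example value).
    implementation(platform("org.springframework.boot:spring-boot-dependencies:3.3.4"))

    // 2. Version catalog: direct dependencies come from gradle/libs.versions.toml,
    //    so the fix is editing the version there. The alias libs.parser.lib is
    //    assumed to be declared in that catalog.
    implementation(libs.parser.lib)

    // 4. Constraint: a minimum version floor. Gradle resolves the higher of
    //    the constraint and any version requested elsewhere in the graph.
    constraints {
        implementation("com.example:parser-lib") {
            version { require("1.4.2") }
            because("Dependabot alert: first patched version is 1.4.2")
        }
    }

    // 6. Exclude + add (last resort): cut the transitive edge that brings in
    //    the vulnerable version and declare the patched version directly.
    implementation("com.example:service-client:2.0.0") {
        exclude(group = "com.example", module = "parser-lib")
    }
    implementation("com.example:parser-lib:1.4.2")
}

configurations.all {
    resolutionStrategy {
        // 3. Dependency substitution: every edge that requests parser-lib is
        //    rewritten to the patched coordinates before resolution, so the
        //    vulnerable version never appears in any resolved configuration
        //    and therefore never reaches the dependency graph snapshot.
        dependencySubstitution {
            substitute(module("com.example:parser-lib"))
                .because("Dependabot alert: first patched version is 1.4.2")
                .using(module("com.example:parser-lib:1.4.2"))
        }

        // 5. Force rule: quick to apply and changes what Gradle resolves, but
        //    the requested (vulnerable) version still shows up in the graph
        //    the plugin reports, so combine it with the substitution above.
        force("com.example:parser-lib:1.4.2")
    }
}
```

After applying whichever strategy you keep, rerun the dependency graph task from the Quick Start and grep `dependency-list.txt` for the package: the check passes only when every listed version is at or above the alert's `first_patched_version`, which is exactly the property substitution guarantees and a bare `force` does not.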

References

| Reference | Description |
|-----------|-------------|
| [references/fix-strategies.md](references/fix-strategies.md) | Detailed fix strategies with examples |
| [references/severity-processing.md](references/severity-processing.md) | Severity-based workflow |
| [references/dependency-graph.md](references/dependency-graph.md) | Dependency graph plugin setup and verification |
| [references/troubleshooting.md](references/troubleshooting.md) | Common issues and solutions |

Related Rules

  • .cursor/rules/java-vulnerability-golden-paths.mdc - Proven fix patterns for common CVEs
  • .cursor/rules/java-versions-and-dependencies.mdc - Version management policies

Related Skills

| Skill | Purpose |
|-------|---------|
| [gradle-standards](../gradle-standards/SKILL.md) | Gradle configuration |
| [sonarqube-integration](../sonarqube-integration/SKILL.md) | Code quality checks |
