Description
Add VEX auto-generator workflow for dismissed Dependabot alerts
Use Case
When maintainers dismiss Dependabot alerts, they're making a security assessment — but that knowledge is lost. VEX (Vulnerability Exploitability eXchange) is the standard for communicating that a software product is NOT affected by a known vulnerability. This workflow captures Dependabot dismissal decisions as machine-readable OpenVEX v0.2.0 statements, making them consumable by downstream vulnerability scanners and SBOM tools.
Analysis
- No existing workflow in `.github/aw/` covers VEX generation or Dependabot alert dismissal handling
- The workflow fits naturally alongside the existing `dependabot.md` workflow in `.github/aw/`
- Uses `workflow_dispatch` with structured inputs, `safe-outputs` for PR creation, and the `copilot` engine — all consistent with existing patterns
- Minimal permissions: `contents: read`, `issues: read`, `pull-requests: read` (PR creation via safe-outputs)
Implementation Plan
Please implement the following by adding a single new workflow file:
1. Add workflow file: .github/aw/vex-generator.md
Create a new agentic workflow markdown file with the following structure:
Frontmatter:
- Trigger: `workflow_dispatch` with these required inputs:
  - `alert_number` (string) — Dependabot alert number
  - `ghsa_id` (string) — GHSA ID (e.g., `GHSA-xvch-5gv4-984h`)
  - `cve_id` (string) — CVE ID (e.g., `CVE-2021-44906`)
  - `package_name` (string) — Affected package name
  - `package_ecosystem` (string) — Ecosystem: npm, pip, maven, gem, golang, nuget
  - `severity` (string) — Vulnerability severity: low, medium, high, critical
  - `summary` (string) — Brief vulnerability summary
  - `dismissed_reason` (choice) — Options: `not_used`, `inaccurate`, `tolerable_risk`, `no_bandwidth`
- Description: "Auto-generates an OpenVEX statement for a dismissed Dependabot alert. Provide the alert details as inputs — the agent generates a standards-compliant OpenVEX document and opens a PR."
- Permissions: `contents: read`, `issues: read`, `pull-requests: read`
- Env vars: Map each input to an `ALERT_*` environment variable
- Tools: `bash: true`, `edit:`
- Safe-outputs: `create-pull-request` with title-prefix `"[VEX] "`, labels `[vex, automated]`, draft `false`
- Engine: `copilot`
Agent instructions (markdown body):
The agent should follow these 6 steps:
- Read alert details from env vars; verify all required fields are present; read the package manifest to get the project version
- Map dismissal reason to VEX status:
  - `not_used` → status: `not_affected`, justification: `vulnerable_code_not_present`
  - `inaccurate` → status: `not_affected`, justification: `vulnerable_code_not_in_execute_path`
  - `tolerable_risk` → status: `not_affected`, justification: `inline_mitigations_already_exist`
  - `no_bandwidth` → SKIP — post a comment explaining this isn't a security assessment; do not generate VEX
- Construct Package URL (purl) based on ecosystem (npm, pypi, maven, gem, golang, nuget)
- Generate OpenVEX v0.2.0 JSON document with proper `@context`, `@id`, `author`, `timestamp`, `statements` array containing vulnerability, products, status, justification, and impact_statement
- Write to `.vex/<ghsa-id>.json`; create the `.vex/` directory and `.vex/README.md` if they don't exist
- Create PR via `create-pull-request` safe output with title `"Add VEX statement for <CVE-ID> (<package>)"` and body linking to the original alert
2. Recompile workflows
Run make recompile to ensure the new workflow is compiled correctly.
3. Run validation
Run make agent-finish to validate build, test, lint, and formatting.
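The reason-to-status mapping, purl construction and OpenVEX document shape from step 1 above, as an added example in Python; this is not code from the issue or from the reference repository, and the `@id` prefix, the `author` default and the sample alert values are constructed placeholders.

```python
from datetime import datetime, timezone
from urllib.parse import quote

# Dismissal reason -> (status, justification). no_bandwidth is deliberately absent:
# it is not a security assessment, so no VEX statement may be produced for it.
REASON_TO_VEX = {
    "not_used": ("not_affected", "vulnerable_code_not_present"),
    "inaccurate": ("not_affected", "vulnerable_code_not_in_execute_path"),
    "tolerable_risk": ("not_affected", "inline_mitigations_already_exist"),
}
# Dependabot ecosystem name -> purl type (note that pip becomes pypi).
ECOSYSTEM_TO_PURL_TYPE = {"npm": "npm", "pip": "pypi", "maven": "maven", "gem": "gem", "golang": "golang", "nuget": "nuget"}

def build_purl(ecosystem, name, version):
    """Build a Package URL; each path segment and the version are percent-encoded per the purl spec."""
    ptype = ECOSYSTEM_TO_PURL_TYPE[ecosystem]
    # Dependabot reports Maven packages as "group:artifact"; purl wants the group as the namespace.
    path = name.replace(":", "/") if ptype == "maven" else name
    encoded = "/".join(quote(seg, safe="") for seg in path.split("/"))
    return f"pkg:{ptype}/{encoded}@{quote(version, safe='')}"

def make_openvex(alert, version, author="example-maintainer", now=None):
    """Return an OpenVEX v0.2.0 document, or None when the dismissal reason is not a VEX assessment."""
    required = ("ghsa_id", "cve_id", "package_name", "package_ecosystem", "dismissed_reason")
    missing = [k for k in required if not alert.get(k)]
    if missing:
        raise ValueError(f"missing alert fields: {missing}")
    if alert["dismissed_reason"] not in REASON_TO_VEX:
        return None  # no_bandwidth: skip and leave a comment instead of a statement
    status, justification = REASON_TO_VEX[alert["dismissed_reason"]]
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": f"https://openvex.dev/docs/public/vex-{alert['ghsa_id'].lower()}",  # constructed IRI prefix
        "author": author,
        "timestamp": stamp,
        "version": 1,
        "statements": [{
            "vulnerability": {"name": alert["cve_id"], "aliases": [alert["ghsa_id"]]},
            "products": [{"@id": build_purl(alert["package_ecosystem"], alert["package_name"], version)}],
            "status": status,
            "justification": justification,
            "impact_statement": alert.get("summary") or f"Dismissed in Dependabot as {alert['dismissed_reason']}",
        }],
    }
```

The alert dict is what the workflow's `ALERT_*` environment variables would be read into; the version comes from the package manifest the agent reads in step 1.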
Follow Guidelines
- Use `safe-outputs` for PR creation (consistent with other workflows)
- Follow the agentic workflow `.md` format used by existing workflows in `.github/aw/`
- Workflow file uses only `bash` and `edit` tools — no MCP servers needed
- Validate generated JSON before creating the PR
- Handle each alert individually if multiple are dismissed
Reference Implementation
A working reference of this workflow is available at:
https://github.com/carlin-dependabot-testing/vex-auto-generator/blob/main/.github/workflows/vex-generator.md