
Add zero-day dependency scanner workflow example #202

Merged
kris-hansen merged 1 commit into main from feature/zeroday-scanner
Mar 31, 2026

Conversation

@kris-hansen
Owner

@kris-hansen kris-hansen commented Mar 31, 2026

PR Type:

Enhancement


PR Description:

  • Introduces a new workflow for scanning dependencies for known vulnerabilities.
  • Utilizes the OSV.dev API to detect vulnerabilities in real-time.
  • Supports multiple ecosystems including npm, PyPI, Go, and crates.io.
  • Generates a formatted security report with severity levels and remediation commands.

PR Main Files Walkthrough:

files:
  • examples/security/zeroday-scanner.yaml: Added a new YAML configuration for a zero-day dependency scanner.
  • Defined a parse-deps step to extract dependencies from input files and output them as a JSON array.
  • Implemented a query-osv step to query the OSV.dev API for each dependency and retrieve vulnerability data.
  • Configured the generate-report step to analyze the vulnerability data and produce a security report with details such as package name, CVE/GHSA ID, severity, description, fixed version, and remediation command.
  • Included usage instructions and example output format with severity emojis.

User Description:

Adds a security workflow that scans dependencies for known vulnerabilities using the OSV.dev API.

Features

  • Parses dependencies from package.json, go.mod, requirements.txt, etc.
  • Queries OSV.dev API in real-time for CVE/GHSA data
  • Generates formatted report with severity levels and remediation commands

Usage

cat package.json | comanda process examples/security/zeroday-scanner.yaml

Example Output

# 🔒 Security Vulnerability Report

## 📦 lodash@4.17.20
### 🔴 CRITICAL GHSA-35jh-r3h4-6jhm
- Description: Command Injection in lodash
- Fixed: 4.17.21
- Remediation: npm install lodash@4.17.21

Notes

  • Uses tool_config.allowlist: [curl, jq] to enable API queries
  • Works with xAI Grok models (grok-4-1-fast-non-reasoning)

Uses OSV.dev API for real-time vulnerability detection:
- Step 1: Parse dependencies from package.json/go.mod/etc
- Step 2: Query OSV.dev API via curl (requires tool_config.allowlist)
- Step 3: Generate formatted security report with CVEs and remediation

Supports npm, PyPI, Go, crates.io, and other ecosystems.

Usage: cat package.json | comanda process examples/security/zeroday-scanner.yaml
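The three steps described above, as an added Python example that is not part of the PR or the comanda project: it parses a constructed package.json, builds the per-package OSV.dev /v1/query body the workflow sends with curl, and renders the same Markdown report from a constructed OSV-shaped response (no network call; the emoji mapping beyond CRITICAL and the wording for an advisory without a fix are assumptions).

```python
import json
import re

# Constructed package.json (not from the PR); range prefixes must be stripped, OSV matches one version.
PACKAGE_JSON = '{"name": "demo", "dependencies": {"lodash": "^4.17.20", "express": "4.18.2"}}'
# Constructed OSV-shaped /v1/query responses: lodash mirrors the PR's example; {} is OSV's "no match".
OSV_RESPONSES = {
    "lodash": {"vulns": [{"id": "GHSA-35jh-r3h4-6jhm", "summary": "Command Injection in lodash",
        "database_specific": {"severity": "CRITICAL"},
        "affected": [{"package": {"ecosystem": "npm", "name": "lodash"}, "ranges": [{"type": "ECOSYSTEM",
                      "events": [{"introduced": "0"}, {"fixed": "4.17.21"}]}]}]}]},
    "express": {},
}
EMOJI = {"CRITICAL": "🔴", "HIGH": "🟠", "MODERATE": "🟡", "LOW": "🟢"}  # only CRITICAL is from the PR

def parse_npm_deps(package_json):
    """Step 1: package.json -> [{name, version, ecosystem}] with ^ ~ >= prefixes stripped."""
    data = json.loads(package_json)
    return [{"name": n, "version": re.sub(r"^[\^~<>=\s]+", "", v), "ecosystem": "npm"}
            for sec in ("dependencies", "devDependencies") for n, v in data.get(sec, {}).items()]

def osv_query(dep):
    """Step 2: body for POST https://api.osv.dev/v1/query, one call per dependency (curl in the workflow)."""
    return {"package": {"name": dep["name"], "ecosystem": dep["ecosystem"]}, "version": dep["version"]}

def fixed_version(vuln, name):
    """First 'fixed' event for this package; None when OSV lists no fix yet."""
    for aff in vuln.get("affected", []):
        if aff.get("package", {}).get("name") == name:
            for ev in (e for r in aff.get("ranges", []) for e in r.get("events", [])):
                if "fixed" in ev:
                    return ev["fixed"]
    return None

def remediation(dep, fixed):
    """npm upgrade command; an advisory with no fix yet gets advice instead (other ecosystems omitted)."""
    return f"npm install {dep['name']}@{fixed}" if fixed else "no fixed release yet; pin or replace the package"

def build_report(deps, responses):
    """Step 3: render the Markdown report in the format shown in the PR description."""
    lines = ["# 🔒 Security Vulnerability Report"]
    for dep in deps:
        vulns = responses.get(dep["name"], {}).get("vulns", [])  # clean packages are omitted
        lines += ["", f"## 📦 {dep['name']}@{dep['version']}"] if vulns else []
        for v in vulns:
            sev = v.get("database_specific", {}).get("severity", "UNKNOWN").upper()
            fixed = fixed_version(v, dep["name"])
            lines += [f"### {EMOJI.get(sev, '⚪')} {sev} {v['id']}", f"- Description: {v.get('summary', 'n/a')}",
                      f"- Fixed: {fixed or 'none'}", f"- Remediation: {remediation(dep, fixed)}"]
    return "\n".join(lines)
```

Calling `build_report(parse_npm_deps(PACKAGE_JSON), OSV_RESPONSES)` reproduces the example output shown above; in the real workflow the responses dict is replaced by the curl results, and a vuln whose `affected` ranges carry no `fixed` event must be reported rather than silently dropped.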
@preston-ai preston-ai bot added enhancement New feature or request Review effort [1-5]: 2 labels Mar 31, 2026
@preston-ai

preston-ai bot commented Mar 31, 2026

PR Analysis

  • 🎯 Main theme: Introduce a zero-day dependency scanner workflow using the OSV.dev API.
  • 📝 PR summary: This PR adds a new workflow to scan dependencies for known vulnerabilities using the OSV.dev API. It includes steps to parse dependencies, query the API for vulnerability data, and generate a formatted security report. The workflow supports multiple ecosystems like npm, PyPI, Go, and crates.io.
  • 📌 Type of PR: Enhancement
  • 🧪 Relevant tests added: No
  • Focused PR: yes, because the changes are all related to implementing the zero-day dependency scanner workflow.
  • ⏱️ Estimated effort to review [1-5]: 2, because the PR introduces a new workflow with a clear structure and purpose, but it involves multiple steps and external API interaction which requires careful review.
  • 🔒 Security concerns: No security concerns found

PR Feedback

  • 💡 General suggestions: The PR introduces a useful security enhancement by integrating a zero-day dependency scanner. Ensure that the workflow is thoroughly tested in different environments to confirm its reliability and compatibility with various dependency files.


@kris-hansen kris-hansen changed the title Add zero-day dependency scanner workflow Add zero-day dependency scanner workflow example Mar 31, 2026
@kris-hansen kris-hansen merged commit 2429482 into main Mar 31, 2026
1 check passed
