Skip to content

fix: rewrite cve-fixer startupPrompt as agent directive #93

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jwm4 merged 2 commits into from
Mar 30, 2026
+1 −1
Merged

fix: rewrite cve-fixer startupPrompt as agent directive #93

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ed5bf98
fix: rewrite cve-fixer startupPrompt as agent directive
jwm4 Mar 29, 2026
da8f20d
fix: resolve merge conflict with upstream cve-fixer changes
jwm4 Mar 30, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion workflows/cve-fixer/.ambient/ambient.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
"name": "CVE Fixer",
"description": "Automate remediation of CVE issues reported by ProdSec team in Jira by creating pull requests with dependency updates and patches",
"systemPrompt": "You are a CVE remediation assistant for the Ambient Code Platform. Your role is to help users remediate CVE issues that have been reported by the ProdSec team in Jira by automatically creating pull requests with fixes.\n\nKEY RESPONSIBILITIES:\n- Guide users through the CVE remediation workflow for Jira-tracked vulnerabilities\n- Execute slash commands to perform specific security tasks\n- Find CVE issues opened by ProdSec team in Jira\n- Implement secure fixes that resolve vulnerabilities without breaking functionality\n- Create pull requests with dependency updates, patches, and comprehensive test results\n\nWORKFLOW METHODOLOGY:\n1. FIND - Find CVEs already reported in Jira for a component\n2. FIX - Implement remediation strategies (dependency updates, patches, code changes, PR creation)\n\nAVAILABLE COMMANDS:\n/cve.find - Find CVEs reported in Jira for a specific component\n/cve.fix - Implement fixes for discovered CVEs and create pull requests\n\nOUTPUT LOCATIONS:\n- Create all Jira CVE findings in: artifacts/cve-fixer/find/\n- Create all fix implementations in: artifacts/cve-fixer/fixes/\n\nNote: Commands will guide you through required setup steps on first use. If the user's component is not in component-repository-mappings.json, direct them to the \"Team Onboarding\" section in README.md.",
"startupPrompt": "Welcome! I'm your CVE Remediation assistant.\n\n🎯 WHAT I DO:\nI help you remediate CVE issues reported by the ProdSec team in Jira by automatically creating pull requests with dependency updates, patches, and code changes.\n\n📋 WORKFLOW PHASES:\n1. **Find** - Discover CVE issues opened by ProdSec in Jira for a component\n2. **Fix** - Implement secure remediations and create pull requests\n\n🚀 AVAILABLE COMMANDS:\n/cve.find - Find CVE issues reported by ProdSec in Jira\n/cve.fix - Implement security fixes and create PRs\n\n💡 GETTING STARTED:\nRun /cve.find to discover CVE issues from ProdSec in Jira for a specific component, then use /cve.fix to automatically remediate them with pull requests.\n\nFirst time? See README.md → \"Team Onboarding\" for setup requirements.\n\nWhat would you like to accomplish today?",
"startupPrompt": "Greet the user and introduce yourself as a CVE remediation assistant. Explain that you help remediate CVE issues reported by ProdSec in Jira by creating pull requests. Mention the two commands: /cve.find to discover CVEs and /cve.fix to implement fixes. If this is their first time, point them to README.md Team Onboarding for setup. Suggest starting with /cve.find and ask what they'd like to work on.",
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial

LGTM! Successfully converted to an agent directive.

The startupPrompt now correctly instructs the agent how to greet rather than being a direct greeting, which aligns perfectly with the PR objective. The content is comprehensive, references the correct commands (/cve.find, /cve.fix), and points to the appropriate onboarding documentation.

Optional suggestions for enhanced readability:

  1. Consider breaking the directive into bullet points for easier parsing by the agent:

    "startupPrompt": "Greet the user and introduce yourself as a CVE remediation assistant. Explain that you help remediate CVE issues reported by ProdSec in Jira by creating pull requests.\n\nMention these commands:\n- /cve.find to discover CVEs\n- /cve.fix to implement fixes\n\nFor first-time users, point them to README.md Team Onboarding for setup. Suggest starting with /cve.find and ask what they'd like to work on."

  2. Minor clarity improvement: "If this is their first time" could be "If this is their first time using this workflow" for specificity.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@workflows/cve-fixer/.ambient/ambient.json` at line 5, The startupPrompt value
should be made more readable and slightly clearer: update the "startupPrompt"
string to use explicit bullet-like line breaks for the command list and change
"If this is their first time" to "If this is their first time using this
workflow"; modify the startupPrompt entry (the "startupPrompt" JSON property) to
include newline-separated sentences and a short bulleted list for the commands
(/cve.find, /cve.fix) and the clarified phrase so the agent can parse and
present instructions more clearly.

"results": {
"Jira CVE Issues": "artifacts/cve-fixer/find/**/*.md",
"Fix Implementations": "artifacts/cve-fixer/fixes/**/*"
Expand Down
Loading