Skip to content

Add PVR triage taskflow#58

Draft
anticomputer wants to merge 2 commits intomainfrom
anticomputer/pvr-triage
Draft

Add PVR triage taskflow#58
anticomputer wants to merge 2 commits intomainfrom
anticomputer/pvr-triage

Conversation

@anticomputer
Copy link
Contributor

@anticomputer anticomputer commented Mar 2, 2026
edited
Loading

Taskflow for triaging Private Vulnerability Reports arriving as draft GHSAs.

Fetches the advisory, verifies the vulnerability claim against source code at the affected version (not HEAD), and writes a structured markdown triage report.

New files

  • mcp_servers/pvr_ghsa.py - gh CLI-based MCP server; advisory fetch, version-to-SHA resolution, file fetch at ref, report save.
  • toolboxes/pvr_ghsa.yaml - stdio wiring for pvr_ghsa
  • personalities/pvr_analyst.yaml - triage analyst personality
  • taskflows/pvr_triage/pvr_triage.yaml - 5-task pipeline
  • configs/model_config_pvr_triage.yaml - claude-opus-4.6-1m (triage) + gpt-5-mini (extraction), temperature=1

Usage

python -m seclab_taskflow_agent \
  -t seclab_taskflows.taskflows.pvr_triage.pvr_triage \
  -g repo=owner/repo \
  -g ghsa=GHSA-xxxx-xxxx-xxxx

Requires GH_TOKEN (repo + security_events scope), AI_API_TOKEN, AI_API_ENDPOINT.

Copilot AI review requested due to automatic review settings March 2, 2026 19:19
Copilot AI reviewed Mar 2, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new “PVR triage” taskflow to triage Private Vulnerability Reports (draft repository GHSAs): fetch the advisory, verify claims against code at the affected version (not HEAD), and emit a structured markdown triage report.

Changes:

  • Introduces a new pvr_ghsa MCP server (gh CLI-based) to fetch draft advisories, resolve version tags to SHAs, fetch file contents at a ref, and save a triage report.
  • Adds a new 5-step pvr_triage taskflow plus a dedicated analyst personality and model configuration.
  • Wires the new MCP server via a toolbox YAML.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.

Show a summary per file
File Description
src/seclab_taskflows/toolboxes/pvr_ghsa.yaml Adds toolbox wiring for the new PVR GHSA MCP server (stdio).
src/seclab_taskflows/taskflows/pvr_triage/pvr_triage.yaml Defines the end-to-end PVR triage pipeline (fetch → verify → report → save).
src/seclab_taskflows/personalities/pvr_analyst.yaml Adds a dedicated “PVR analyst” personality for evidence-based triage.
src/seclab_taskflows/mcp_servers/pvr_ghsa.py Implements the gh CLI-backed MCP tools for advisory fetch/version resolution/file fetch/report save.
src/seclab_taskflows/configs/model_config_pvr_triage.yaml Adds a taskflow-specific model mapping and temperatures.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@m-y-mo m-y-mo Awaiting requested review from m-y-mo m-y-mo will be requested when the pull request is marked ready for review m-y-mo is a code owner

@p- p- Awaiting requested review from p- p- will be requested when the pull request is marked ready for review p- is a code owner

@JarLob JarLob Awaiting requested review from JarLob JarLob will be requested when the pull request is marked ready for review JarLob is a code owner

@kevinbackhouse kevinbackhouse Awaiting requested review from kevinbackhouse kevinbackhouse will be requested when the pull request is marked ready for review kevinbackhouse is a code owner

@sylwia-budzynska sylwia-budzynska Awaiting requested review from sylwia-budzynska sylwia-budzynska will be requested when the pull request is marked ready for review sylwia-budzynska is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@anticomputer