feat(ci): Add security vulnerability skill action #19355

Open
nicohrubec wants to merge 7 commits into develop from nh/automatie-security-skill

nicohrubec (Member) commented Feb 17, 2026

Closes #19368 (added automatically)

github-actions bot (Contributor) commented Feb 17, 2026

Codecov Results 📊

147 passed | ⏭️ 1 skipped | Total: 148 | Pass Rate: 99.32% | Execution Time: 5m 51s

All tests are passing successfully.


Generated by Codecov Action

github-actions bot (Contributor)

Codecov Results 📊

23 passed | ⏭️ 7 skipped | Total: 30 | Pass Rate: 76.67% | Execution Time: 12.25s

📊 Comparison with Base Branch

Metric Change
Total Tests
Passed Tests
Failed Tests
Skipped Tests

✨ No test changes detected

All tests are passing successfully.


Generated by Codecov Action

github-actions bot (Contributor) commented Feb 17, 2026

size-limit report 📦

⚠️ Warning: Base artifact is not the latest one, because the latest workflow run is not done yet. This may lead to incorrect results. Try to re-run all tests to get up to date results.

| Path | Size | % Change | Change |
| --- | --- | --- | --- |
| @sentry/browser | 25.56 kB | - | - |
| @sentry/browser - with treeshaking flags | 24.08 kB | - | - |
| @sentry/browser (incl. Tracing) | 42.36 kB | - | - |
| @sentry/browser (incl. Tracing, Profiling) | 47.03 kB | - | - |
| @sentry/browser (incl. Tracing, Replay) | 81.18 kB | - | - |
| @sentry/browser (incl. Tracing, Replay) - with treeshaking flags | 70.8 kB | - | - |
| @sentry/browser (incl. Tracing, Replay with Canvas) | 85.87 kB | - | - |
| @sentry/browser (incl. Tracing, Replay, Feedback) | 98.03 kB | - | - |
| @sentry/browser (incl. Feedback) | 42.29 kB | - | - |
| @sentry/browser (incl. sendFeedback) | 30.23 kB | - | - |
| @sentry/browser (incl. FeedbackAsync) | 35.22 kB | - | - |
| @sentry/browser (incl. Metrics) | 26.74 kB | - | - |
| @sentry/browser (incl. Logs) | 26.88 kB | - | - |
| @sentry/browser (incl. Metrics & Logs) | 27.56 kB | - | - |
| @sentry/react | 27.33 kB | - | - |
| @sentry/react (incl. Tracing) | 44.72 kB | - | - |
| @sentry/vue | 30.01 kB | - | - |
| @sentry/vue (incl. Tracing) | 44.22 kB | - | - |
| @sentry/svelte | 25.58 kB | - | - |
| CDN Bundle | 28.11 kB | - | - |
| CDN Bundle (incl. Tracing) | 43.2 kB | - | - |
| CDN Bundle (incl. Logs, Metrics) | 28.95 kB | - | - |
| CDN Bundle (incl. Tracing, Logs, Metrics) | 44.03 kB | - | - |
| CDN Bundle (incl. Replay, Logs, Metrics) | 68.02 kB | - | - |
| CDN Bundle (incl. Tracing, Replay) | 80.07 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) | 80.94 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback) | 85.5 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) | 86.4 kB | - | - |
| CDN Bundle - uncompressed | 82.22 kB | - | - |
| CDN Bundle (incl. Tracing) - uncompressed | 127.93 kB | - | - |
| CDN Bundle (incl. Logs, Metrics) - uncompressed | 85.05 kB | - | - |
| CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed | 130.76 kB | - | - |
| CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed | 208.71 kB | - | - |
| CDN Bundle (incl. Tracing, Replay) - uncompressed | 244.81 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed | 247.63 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed | 257.61 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed | 260.42 kB | - | - |
| @sentry/nextjs (client) | 47.12 kB | - | - |
| @sentry/sveltekit (client) | 42.81 kB | - | - |
| @sentry/node-core | 52.15 kB | +0.02% | +8 B 🔺 |
| @sentry/node | 166.53 kB | +0.01% | +6 B 🔺 |
| @sentry/node - without tracing | 93.95 kB | +0.02% | +12 B 🔺 |
| @sentry/aws-serverless | 109.45 kB | +0.01% | +8 B 🔺 |

github-actions bot (Contributor) commented Feb 17, 2026

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.
⚠️ Warning: Base artifact is not the latest one, because the latest workflow run is not done yet. This may lead to incorrect results. Try to re-run all tests to get up to date results.

| Scenario | Requests/s | % of Baseline | Prev. Requests/s | Change % |
| --- | --- | --- | --- | --- |
| GET Baseline | 9,373 | - | 9,232 | +2% |
| GET With Sentry | 1,627 | 17% | 1,616 | +1% |
| GET With Sentry (error only) | 5,999 | 64% | 6,040 | -1% |
| POST Baseline | 1,201 | - | 1,165 | +3% |
| POST With Sentry | 580 | 48% | 561 | +3% |
| POST With Sentry (error only) | 1,051 | 88% | 1,016 | +3% |
| MYSQL Baseline | 3,208 | - | 3,220 | -0% |
| MYSQL With Sentry | 449 | 14% | 444 | +1% |
| MYSQL With Sentry (error only) | 2,658 | 83% | 2,596 | +2% |

Comment on lines 36 to 38
IMPORTANT: Do NOT dismiss any alerts. Do NOT wait for approval.
Create a branch, apply the fix, and open a PR with your analysis
in the PR description. Target the develop branch.
Member

Just wondering what we should do in case the alert should be dismissed. Create an issue that informs us?

Member Author

Yeah, right now it would create a PR with an explanation of why the alert should be dismissed. An issue is probably more appropriate in that case.

nicohrubec requested a review from chargome February 18, 2026 08:48
nicohrubec marked this pull request as ready for review February 18, 2026 08:48
cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: |
/fix-security-vulnerability ${{ github.event.alert.number || github.event.inputs.alert }}

Unsanitized input interpolated directly into AI prompt

Medium Severity

The workflow_dispatch input github.event.inputs.alert is directly interpolated into the Claude AI agent's prompt via ${{ }} expression without any validation or sanitization. Since the input accepts any free-form string (no type constraint), a user triggering this workflow via the API could inject arbitrary multi-line instructions into the prompt. The agent operates with contents: write and pull-requests: write permissions, so a successful prompt injection could cause it to create PRs with unintended code changes that appear to be legitimate automated security fixes. This rule was flagged because it was mentioned in the rules file under Security Vulnerabilities.

Triggered by project rule: PR Review Guidelines for Cursor Bot
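
One way to close the gap the Bugbot finding describes, as an added example that is not code from this PR: a validation step that accepts only a plain alert number before anything reaches the prompt. `ALERT_INPUT`, `validate_alert_number` and the `env` wiring shown in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the PR. ALERT_INPUT and validate_alert_number
# are hypothetical names. Assumed wiring: the workflow step passes the raw
# value through its env block instead of splicing it into script text:
#   env:
#     ALERT_INPUT: ${{ github.event.alert.number || github.event.inputs.alert }}

# Print the alert number and return 0 only if $1 is a plain positive integer.
validate_alert_number() {
  case "$1" in
    '' | 0* | *[!0-9]*) return 1 ;;  # empty, leading zero, or any non-digit
  esac                               # (spaces, newlines and text all land here)
  [ "${#1}" -le 9 ] || return 1      # bound the length as well
  printf '%s\n' "$1"
}

if [ -n "${ALERT_INPUT+set}" ]; then
  # Inside the workflow: fail the job before the agent step ever runs.
  if alert=$(validate_alert_number "$ALERT_INPUT"); then
    echo "alert=$alert" >> "${GITHUB_OUTPUT:-/dev/stdout}"
  else
    echo "::error::alert must be a plain alert number" >&2
    exit 1
  fi
else
  # Outside a workflow: run over constructed sample inputs.
  multi_line=$(printf '42\nsecond line of free text')
  for sample in '42' '' '007' '42 plus trailing text' "$multi_line"; do
    if validate_alert_number "$sample" >/dev/null; then
      echo "accept: [$sample]"
    else
      echo "reject: [$sample]"
    fi
  done
fi
```

The prompt would then reference the validated step output rather than the raw event field, so a free-form `workflow_dispatch` value never becomes prompt text.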
