feat(vulnerability-remediation): Package as plugin with run-scan and fix-vulnerabilities skills

plugins/vulnerability-remediation/.plugin/plugin.json

@@ -0,0 +1,9 @@
+{
+  "name": "vulnerability-remediation",
+  "version": "1.0.0",
+  "description": "Automated security vulnerability scanning and AI-powered remediation using OpenHands agents with Trivy",
+  "author": "OpenHands",
+  "license": "MIT",
+  "repository": "https://github.com/OpenHands/extensions",
+  "entry_command": "Activate the run-scan skill to begin vulnerability scanning"
+}

plugins/vulnerability-remediation/README.md

@@ -34,24 +34,75 @@ That's it! The workflow will:
 - **Trivy Integration** — Comprehensive vulnerability detection
 - **AI-Powered Fixes** — OpenHands agents analyze and fix vulnerabilities
 - **Automatic PRs** — Creates PRs with detailed CVE references
+- **Agent Skills** — Two specialized skills that guide the remediation workflow
+- **Automatic Chaining** — Skills automatically trigger each other based on scan results
 
 ## Plugin Contents
 
 ```
 plugins/vulnerability-remediation/
+├── .plugin/                     # Plugin metadata
+│   └── plugin.json             # Plugin manifest with entry_command
 ├── README.md                    # This file
 ├── action.yml                   # Composite GitHub Action
 ├── scripts/                     # Python scripts for scan and remediation
 │   └── scan_and_remediate.py   # Main remediation agent script
-├── workflows/                   # Example GitHub workflow files
-│   └── vulnerability-scan.yml  # Thin wrapper workflow (copy this)
-└── skills/                      # Symbolic links to related skills
-    ├── security -> ../../../skills/security
-    └── github -> ../../../skills/github
+├── skills/                      # Agent skills for vulnerability workflow
+│   ├── run-scan/               # Trivy installation and scanning
+│   │   ├── SKILL.md           # Scanning instructions for agents
+│   │   └── README.md          # Human-readable documentation
+│   └── fix-vulnerabilities/    # Vulnerability remediation
+│       ├── SKILL.md           # Remediation instructions for agents
+│       └── README.md          # Human-readable documentation
+└── workflows/                   # Example GitHub workflow files
+    └── vulnerability-scan.yml  # Thin wrapper workflow (copy this)
 ```
 
 ## How It Works
 
+The plugin provides two agent skills that work together:
+
+### 1. **run-scan** Skill
+- Installs Trivy vulnerability scanner
+- Runs comprehensive security scans
+- Filters vulnerabilities by severity (HIGH/CRITICAL recommended)
+- Generates JSON results for analysis
+- **Automatically triggers** fix-vulnerabilities skill when fixable vulnerabilities are found
+
+### 2. **fix-vulnerabilities** Skill
+- Parses Trivy scan results
+- Prioritizes vulnerabilities by severity and fixability
+- Updates vulnerable dependencies across 8+ package ecosystems
+- Verifies fixes with tests and re-scans
+- Creates well-documented PRs with CVE references
+
+### Plugin Entry Point
+
+The plugin uses an `entry_command` in `.plugin/plugin.json` that automatically activates the `run-scan` skill when the plugin is loaded, starting the vulnerability remediation workflow.
+
+### Skill Workflow
+
+```
+Plugin Loaded (entry_command)
+    ↓
+[run-scan skill]
+    ├─→ Install Trivy
+    ├─→ Run security scan
+    ├─→ Generate trivy-results.json
+    └─→ Check for fixable vulnerabilities
+          ↓
+          └─→ If vulnerabilities found →
+                    ↓
+            [fix-vulnerabilities skill] (auto-triggered)
+                ├─→ Parse scan results
+                ├─→ Prioritize by severity
+                ├─→ Update dependencies
+                ├─→ Run tests & verify
+                └─→ Create PR with fix
+```
+
+### GitHub Action Workflow
+
 The action runs in two phases:
 
 1. **Scan Phase** — Runs Trivy to detect vulnerabilities (fast, no AI costs)
@@ -98,7 +149,38 @@ github-token: ${{ secrets.ALLHANDS_BOT_GITHUB_PAT || secrets.GITHUB_TOKEN }}
 
 ## Usage
 
-### Automatic Scheduled Scans
+### Using the Plugin with OpenHands SDK
+
+Load the plugin in your OpenHands agent:
+
+```python
+from openhands.sdk import LLM, Agent, Conversation
+from openhands.sdk.plugin import Plugin
+
+# Load the vulnerability-remediation plugin
+plugin = Plugin.load("/path/to/plugins/vulnerability-remediation")
+
+# Create agent with plugin skills
+agent = Agent(
+    llm=llm,
+    tools=tools,
+    agent_context=AgentContext(skills=plugin.skills)
+)
+
+# Create conversation
+conversation = Conversation(agent=agent)
+
+# The plugin's entry_command will trigger the run-scan skill automatically
+conversation.send_message("Start vulnerability scanning")
+conversation.run()
+```
+
+The plugin's `entry_command` instructs the agent to activate the `run-scan` skill, which will:
+1. Install Trivy
+2. Run a security scan
+3. Automatically trigger `fix-vulnerabilities` if fixable vulnerabilities are found
+
+### Automatic Scheduled Scans (GitHub Actions)
 
 Once configured, the workflow runs automatically on the specified schedule. It will:
 

plugins/vulnerability-remediation/skills/fix-vulnerabilities/README.md

@@ -0,0 +1,117 @@
+# Fix Vulnerabilities Skill
+
+This skill provides detailed instructions for analyzing Trivy scan results and remediating security vulnerabilities across multiple package ecosystems.
+
+## Purpose
+
+Guide agents through the process of:
+- Parsing Trivy JSON scan results
+- Prioritizing vulnerabilities by severity and fixability
+- Updating vulnerable dependencies per ecosystem
+- Verifying fixes with re-scans
+- Creating well-documented PRs with security context
+
+## Activation
+
+This skill is triggered:
+- **Automatically** after a successful `run-scan` that finds fixable vulnerabilities
+- **Manually** via keywords: "fix-vulnerabilities", "remediate vulnerabilities", "patch CVE"
+
+## Workflow
+
+1. **Parse Results** - Extract vulnerability details from `trivy-results.json`
+2. **Prioritize** - Focus on CRITICAL/HIGH severity with available fixes
+3. **Update Dependencies** - Apply ecosystem-specific update commands
+4. **Verify** - Run tests and re-scan to confirm fix
+5. **Create PR** - Submit fix with CVE references and security context
+
+## Supported Ecosystems
+
+The skill provides remediation instructions for:
+
+- **Node.js**: npm, yarn, pnpm
+- **Python**: pip, pipenv, poetry
+- **Java**: Maven, Gradle
+- **Go**: go modules
+- **Ruby**: bundler
+- **Rust**: cargo
+- **PHP**: composer
+- **.NET**: NuGet
+
+## Best Practices
+
+### One CVE per PR (Recommended)
+- Easier review process
+- Isolated testing
+- Clear rollback path
+- Better audit trail
+
+### Batch Updates (Alternative)
+- For low-risk updates
+- Multiple low-severity CVEs
+- Regular dependency maintenance
+
+## Example Workflow
+
+```bash
+# 1. Parse scan results
+python3 -c "import json; data = json.load(open('trivy-results.json')); print(len(data.get('Results', [])))"
+
+# 2. Update vulnerable package (Node.js example)
+npm install vulnerable-package@fixed-version
+
+# 3. Verify fix
+npm test
+trivy fs . --format json --output trivy-results-after.json
+
+# 4. Create fix branch
+git checkout -b fix/CVE-2023-12345
+git add .
+git commit -m "fix: Update package to fix CVE-2023-12345"
+
+# 5. Create PR
+gh pr create --title "Security: Fix CVE-2023-12345" --label security
+```
+
+## Security Context in PRs
+
+Each PR should include:
+- CVE ID and severity
+- Affected package and versions
+- Fix description
+- Links to security advisories
+- Test results
+- Verification that vulnerability is resolved
+
+## Troubleshooting
+
+### Fix Not Available
+- Wait for upstream patch
+- Apply workaround if documented
+- Consider alternative packages
+
+### Breaking Changes
+- Review migration guides
+- Update dependent code
+- Test incrementally
+- Consider intermediate versions
+
+### Transitive Dependencies
+- Update parent packages
+- Use override/resolution features
+- Check dependency tree
+
+## Integration
+
+This skill is part of the vulnerability-remediation plugin and works with:
+- `run-scan` skill - Source of vulnerability data
+- GitHub Actions - Automated remediation workflows
+- `scan_and_remediate.py` - Batch processing automation
+
+## Related Resources
+
+- [OWASP Dependency Check](https://owasp.org/www-project-dependency-check/)
+- [Snyk Vulnerability Database](https://security.snyk.io/)
+- [GitHub Security Advisories](https://github.com/advisories)
+- [npm audit](https://docs.npmjs.com/cli/v8/commands/npm-audit)
+- [pip-audit](https://pypi.org/project/pip-audit/)