Add VEX auto-generator workflow for dismissed Dependabot alerts

[carlincherry]

Add VEX auto-generator workflow for dismissed Dependabot alerts

Use Case

When maintainers dismiss Dependabot alerts, they're making a security assessment — but that knowledge is lost. VEX (Vulnerability Exploitability eXchange) is the standard for communicating that a software product is NOT affected by a known vulnerability. This workflow captures Dependabot dismissal decisions as machine-readable OpenVEX v0.2.0 statements, making them consumable by downstream vulnerability scanners and SBOM tools.

Analysis

• No existing workflow in .github/aw/ covers VEX generation or Dependabot alert dismissal handling
• The workflow fits naturally alongside the existing dependabot.md workflow in .github/aw/
• Uses workflow_dispatch with structured inputs, safe-outputs for PR creation, and the copilot engine — all consistent with existing patterns
• Minimal permissions: contents: read, issues: read, pull-requests: read (PR creation via safe-outputs)

Implementation Plan

Please implement the following by adding a single new workflow file:

1. Add workflow file: .github/aw/vex-generator.md

Create a new agentic workflow markdown file with the following structure:

Frontmatter:

• Trigger: workflow_dispatch with these required inputs:
  • alert_number (string) — Dependabot alert number
  • ghsa_id (string) — GHSA ID (e.g., GHSA-xvch-5gv4-984h)
  • cve_id (string) — CVE ID (e.g., CVE-2021-44906)
  • package_name (string) — Affected package name
  • package_ecosystem (string) — Ecosystem: npm, pip, maven, gem, golang, nuget
  • severity (string) — Vulnerability severity: low, medium, high, critical
  • summary (string) — Brief vulnerability summary
  • dismissed_reason (choice) — Options: not_used, inaccurate, tolerable_risk, no_bandwidth
• Description: "Auto-generates an OpenVEX statement for a dismissed Dependabot alert. Provide the alert details as inputs — the agent generates a standards-compliant OpenVEX document and opens a PR."
• Permissions: contents: read, issues: read, pull-requests: read
• Env vars: Map each input to an ALERT_* environment variable
• Tools: bash: true, edit:
• Safe-outputs: create-pull-request with title-prefix "[VEX] ", labels [vex, automated], draft false
• Engine: copilot

Agent instructions (markdown body):

The agent should follow these 6 steps:

1. Read alert details from env vars; verify all required fields are present; read package manifest to get project version
2. Map dismissal reason to VEX status:
   • not_used → status: not_affected, justification: vulnerable_code_not_present
   • inaccurate → status: not_affected, justification: vulnerable_code_not_in_execute_path
   • tolerable_risk → status: not_affected, justification: inline_mitigations_already_exist
   • no_bandwidth → SKIP — post a comment explaining this isn't a security assessment, do not generate VEX
3. Construct Package URL (purl) based on ecosystem (npm, pypi, maven, gem, golang, nuget)
4. Generate OpenVEX v0.2.0 JSON document with proper @context, @id, author, timestamp, statements array containing vulnerability, products, status, justification, and impact_statement
5. Write to .vex/<ghsa-id>.json; create .vex/ directory and .vex/README.md if they don't exist
6. Create PR via create-pull-request safe output with title "Add VEX statement for <CVE-ID> (<package>)" and body linking to the original alert

2. Recompile workflows

Run make recompile to ensure the new workflow is compiled correctly.

3. Run validation

Run make agent-finish to validate build, test, lint, and formatting.

Follow Guidelines

• Use safe-outputs for PR creation (consistent with other workflows)
• Follow the agentic workflow .md format used by existing workflows in .github/aw/
• Workflow file uses only bash and edit tools — no MCP servers needed
• Validate generated JSON before creating the PR
• Handle each alert individually if multiple are dismissed

Reference Implementation

A working reference of this workflow is available at:
https://github.com/carlin-dependabot-testing/vex-auto-generator/blob/main/.github/workflows/vex-generator.md

[pelikhan]

Let's move this to Agentics

[pelikhan]

Add please review.

[carlincherry]

@pelikhan I noticed this was added to the dependabot.md file! This was intended as a separate workflow for open source maintainers - not something that every dependabot alert dismissal in every repo needs. I'd like to ask if we could remove it from the dependabot.md and include it as its own separate workflow! (if you want it: context, proposal doc) Happy to chat more if you want.