dryrunsecurity/remediation
Helps fix security vulnerabilities identified by DryRunSecurity. Activates when the user shares a DryRunSecurity comment (from a GitHub PR or GitLab MR) or asks for help fixing any security finding including SQL injection, XSS, CSRF, SSRF, path traversal, command injection, authentication bypass, authorization flaws, and prompt injection. Researches authoritative sources and applies fixes grounded in the user's specific codebase context.
99
Quality
99%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
FINDING_FORMAT.md
DryRunSecurity Finding Format
DryRunSecurity findings follow this format:
<summary paragraph describing what the PR/MR introduces>
<details>
<summary>
[emoji] Vulnerability Title in <code>path/to/file.ext</code>
</summary>
| **Vulnerability** | Vulnerability Name |
|:---|:---|
| **Description** | Detailed explanation... |
<Permalink to affected lines>
</details>Key Elements to Extract
| Element | Location | Example |
|---|---|---|
| Vulnerability type | Table row | "Prompt Injection", "Cross-Site Scripting" |
| File path | <code> tag in summary | openhands/runtime/file_ops.py |
| Line numbers | Permalink | #L231-L232 → lines 231-232 |
| Description | Table row | Attack scenario and why it's vulnerable |
| Severity | Emoji | :yellow_circle: = needs attention, none = blocking |
Example Parsing
Summary: "Prompt Injection in <code>openhands/.../file_ops.py</code>"
→ Vulnerability: Prompt Injection
→ File: openhands/runtime/plugins/agent_skills/file_ops/file_ops.py
→ Lines: 231-232 (from permalink)
→ Issue: User input concatenated directly into LLM prompt without sanitizationInstall with Tessl CLI
npx tessl i dryrunsecurity/remediation@0.1.0