CVE fixer
There is a scheduled Ambient job that runs every night to detect CVEs in the repository.
If CVEs are detected then a PR is created and pushed to the repository.
These are the scanned repositories:
- https://github.com/eval-hub/eval-hub / main branch with auto-push enabled
These are the details of the scheduled job:
| Property | Value |
|---|---|
| Name | CVE fixer (nightly) |
| Workflow | cve-fxier |
| Schedule | 30 50 * * * |
| Inactivity Timeout | 36000 seconds (1 hour) |
| Runner Type | Claude Code |
| Model | Claude Opus 4.6 |
This is the initial prompt for the job:
Use the GitHub credentials that are provided in the integrations section. Find any CVEs in the repository dependencies and create a PR with the proposed fix in the repository. The PR should also update the major golang version, if needed, in the file Containerfile. If there are other files in the repository that require updating due to new golang version then mention them in the PR.
GitHub credentials
The GitHub credential used for this job is a fine-grained personal access token with the following characteristics:
Organization: eval-hub
Repositories: all
| Permission | Access |
|---|---|
| Metadata (Required) | Read-only |
| Contents | Read and write |
| Pull requests | Read and write |