Add compliance plugin with CVE analysis command

[chiragkyal]

Description

New compliance plugin providing AI-powered CVE vulnerability analysis for Go projects with multi-level confidence assessment.

Command: /compliance:analyze-cve <CVE-ID>

Key Features

• Fetches CVE details from NVD, MITRE, and Go Vulnerability Database
• Multi-level verification (dependency check → static analysis → govulncheck → call graph reachability)
• Generates reports with confidence levels (HIGH/MEDIUM/LOW)
• Provides exact remediation commands
• Optionally applies fixes with approval
• Falls back to user-provided info when CVE info can not be reached

Example

/compliance:analyze-cve CVE-2024-45338

Summary by CodeRabbit

• New Features

  • Introduced Compliance Plugin for Go security analysis
  • Added /compliance:analyze-cve command to analyze Go projects for CVE vulnerabilities with multi-level confidence verification and remediation guidance

• Documentation

  • Added comprehensive plugin documentation with usage examples and command specifications

[chiragkyal]

/cc @stbenjam

[chiragkyal]

An Example

> /compliance:analyse-cve is running… CVE-2025-53547

⏺ I'll analyze your Go codebase for CVE-2025-53547. Let me start by gathering information about this vulnerability and then checking if your code is affected.

⏺ Fetch(https://nvd.nist.gov/vuln/detail/CVE-2025-53547)
  ⎿  Received 67.3KB (200 OK)

⏺ Fetch(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53547)
  ⎿  Received 524 bytes (301 Moved Permanently)

⏺ Fetch(https://www.cve.org/CVERecord?id=CVE-2025-53547)
  ⎿  Received 861 bytes (200 OK)

⏺ Fetch(https://github.com/helm/helm/security/advisories/GHSA-557j-xg8c-q2mm)
  ⎿  Received 192.5KB (200 OK)

⏺ Good! I've gathered comprehensive information about CVE-2025-53547. Now let me analyze your codebase to determine if it's affected.

⏺ Read(go.mod)
  ⎿  Read 305 lines

⏺ Bash(go list -m all | grep -i helm)
  ⎿  go: can't compute 'all' using the vendor directory
     	(Use -mod=mod or -mod=readonly to bypass.)

⏺ Bash(go list -mod=mod -m all | grep -i helm)
  ⎿  helm.sh/helm/v3 v3.17.3

⏺ Perfect! I can see that your codebase uses helm.sh/helm/v3 v3.17.3, which is vulnerable to CVE-2025-53547. Now let me perform deeper analysis to check if the vulnerable code is
  actually being used.

⏺ Bash(command -v govulncheck)
  ⎿  /Users/ckyal/go/bin/govulncheck

⏺ Search(pattern: "helm\.sh/helm/v3", glob: "*.go")
  ⎿  Found 115 files (ctrl+o to expand)

⏺ Excellent! I can see Helm is extensively used in this codebase. Now let me run govulncheck to get a comprehensive vulnerability analysis, and then search for specific usage of the
   vulnerable functionality.

⏺ Bash(mkdir -p .work/compliance/analyse-cve/CVE-2025-53547)
  ⎿  (No content)

⏺ Bash(govulncheck -json ./... 2>&1 | tee .work/compliance/analyse-cve/CVE-2025-53547/govulncheck-output.json)
  ⎿  {
       "config": {
         "protocol_version": "v1.0.0",
     … +16 lines (ctrl+o to expand)

⏺ The govulncheck scan has an issue with C dependencies. Let me try an alternative approach and search for specific usage of the vulnerable Helm dependency management functionality.

⏺ Search(pattern: "downloader\.Manager|dependency\.Update|Chart\.lock", path: "internal", glob: "*.go", output_mode: "content")
  ⎿  Found 1 line (ctrl+o to expand)

⏺ Bash(go list -mod=mod -json -m helm.sh/helm/v3 | grep -E '(Version|Path|Replace)')
  ⎿  	"Path": "helm.sh/helm/v3"
     	"Version": "v3.17.3",
     	"GoVersion": "1.23.0",

⏺ Perfect! I found a critical usage of the vulnerable code. Let me examine that file more closely:

⏺ Read(internal/plugins/helm/v1/chartutil/chart.go)
  ⎿  Read 25 lines

⏺ This is critical! The code directly uses downloader.Manager and calls man.Build() which is the vulnerable function mentioned in the CVE. Let me search for where this function is
  called:

⏺ Search(pattern: "fetchChartDependencies", path: "~/go/src/github.com/chiragkyal/ocp-release-operator-sdk", glob: "*.go", output_mode: "content")
  ⎿  Found 2 lines (ctrl+o to expand)

⏺ Read(internal/plugins/helm/v1/chartutil/chart.go)
  ⎿  Read 50 lines

⏺ Let me find where this is called from and check the call chain:

⏺ Read(internal/plugins/helm/v1/chartutil/chart.go)
  ⎿  Read 35 lines

⏺ Search(pattern: "CreateChart", path: "internal", glob: "*.go")
  ⎿  Found 0 files

⏺ Search(pattern: "ScaffoldChart", path: "internal", glob: "*.go", output_mode: "content")
  ⎿  Found 4 lines (ctrl+o to expand)

⏺ Bash(command -v callgraph)
  ⎿  /Users/ckyal/go/bin/callgraph

⏺ Perfect! Now let me check the API scaffolding usage:

⏺ Read(internal/plugins/helm/v1/scaffolds/api.go)
  ⎿  Read 30 lines

⏺ Now I have enough evidence. Let me complete the analysis and generate the comprehensive report:

⏺ Write(.work/compliance/analyse-cve/CVE-2025-53547/report.md)
  ⎿  Wrote 579 lines to .work/compliance/analyse-cve/CVE-2025-53547/report.md
     # CVE-2025-53547 Security Analysis Report
     **Analysis Date:** 2025-10-31
     **Analyzed Project:** github.com/chiragkyal/ocp-release-operator-sdk
     **CVE ID:** CVE-2025-53547
     **Scanner:** Manual analysis + govulncheck v1.1.4
     ---
     ## Executive Summary
     … +569 lines (ctrl+o to expand)

⏺ Analysis Complete

  I've completed a comprehensive security analysis for CVE-2025-53547 affecting your codebase. Here's the summary:

  🚨 CRITICAL VULNERABILITY FOUND

  Verdict: Your codebase IS AFFECTED by CVE-2025-53547 with HIGH confidence.

  Key Findings

  1. Vulnerable Dependency Confirmed
    - Package: helm.sh/helm/v3 v3.17.3 (go.mod:34)
    - Vulnerable range: ≤ 3.17.3
    - Fixed versions: 3.17.4, 3.18.4+
  2. Vulnerable Code Path Identified
    - Location: internal/plugins/helm/v1/chartutil/chart.go:186-193
    - Function: fetchChartDependencies() directly calls downloader.Manager.Build()
    - This is the exact vulnerable function mentioned in the CVE
  3. Attack Vector
    - Triggered during operator-sdk create api --helm-chart=<chart> commands
    - Malicious chart with crafted Chart.yaml + symlinked Chart.lock → code execution
    - Affects development workflows and CI/CD pipelines

  CVE Details

  - CVSS Score: 8.5-8.6 (HIGH)
  - CWE: CWE-94 (Code Injection)
  - Impact: Local code execution
  - Requires: User interaction (running scaffolding command)

  Immediate Remediation

  # Update Helm to patched version
  go get helm.sh/helm/[email protected]
  go mod tidy

  # Verify update
  go list -m helm.sh/helm/v3
  # Expected: helm.sh/helm/v3 v3.17.4

  # Test compatibility
  go build ./...
  go test ./...

  Full Report

  A comprehensive report has been generated at:
  .work/compliance/analyse-cve/CVE-2025-53547/report.md

[bryan-cox]

/approve

[coderabbitai]

Walkthrough

Adds a new "compliance" plugin for Go security and CVE analysis: registers the plugin in marketplace and docs, and adds plugin manifest, README, and a detailed analyze-cve command specification with workflow and output artifacts.

Changes

Cohort / File(s)	Summary
Plugin registration & index .claude-plugin/marketplace.json, PLUGINS.md, docs/data.json	Adds a new compliance plugin entry (name, source ./plugins/compliance, description, version 0.0.1) and a command definition for analyze-cve with synopsis and argument hints.
Plugin manifest & docs plugins/compliance/.claude-plugin/plugin.json, plugins/compliance/README.md, plugins/compliance/commands/analyze-cve.md	Adds plugin manifest (author chiragkyal, version 0.0.1), README describing features, outputs, prerequisites, usage examples, and a comprehensive analyze-cve command specification detailing phases: intelligence gathering, codebase impact analysis, report generation, remediation guidance, and interactive fixes.

Sequence Diagram(s)

sequenceDiagram
    actor User
    participant Plugin as Compliance Plugin
    participant Sources as CVE Sources
    participant Analysis as Codebase Analysis
    participant Report as Report Generator

    User->>Plugin: /compliance:analyze-cve <CVE-ID>
    Plugin->>Sources: Gather CVE data (NVD, MITRE, Go vuln DB, GH advisories)
    Sources-->>Plugin: CVE metadata & details

    Plugin->>Analysis: Analyze repo (go.mod, govulncheck, static checks, callgraph)
    Analysis-->>Plugin: Evidence & confidence signals

    Plugin->>Report: Produce artifacts (report.md, callgraph.svg, govulncheck-output.txt)
    Report-->>Plugin: Artifacts ready

    Plugin-->>User: Present findings and remediation options

    alt User approves automated fix
        User->>Plugin: Approve remediation
        Plugin->>Analysis: Apply fixes (update go.mod, code changes)
        Analysis-->>Plugin: Verification results
        Plugin-->>User: Confirm remediation applied
    end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

• Mostly new configuration and documentation files; no production code changes.
• Pay attention to:
  • plugins/compliance/commands/analyze-cve.md — validate completeness and clarity of the multi-phase workflow and confidence levels.
  • Cross-file consistency of command name, synopsis, descriptions, and output artifact paths across PLUGINS.md, docs/data.json, and README.md.

Pre-merge checks and finishing touches

✅ Passed checks (7 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and accurately describes the main change: adding a compliance plugin with a CVE analysis command, which is the primary focus of all file additions across the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
No Real People Names In Style References	✅ Passed	No real people's names found in plugin commands, documentation, examples, or style references.
No Assumed Git Remote Names	✅ Passed	The compliance plugin does not assume hardcoded git remote names; it focuses on CVE analysis without git remote operations.
Git Push Safety Rules	✅ Passed	Comprehensive search of all PR files found no git push commands, force push operations, or automated git workflows that violate Git Push Safety Rules.
No Untrusted Mcp Servers	✅ Passed	The pull request introduces no untrusted MCP server installations. All changes are documentation and metadata for a compliance plugin.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

plugins/compliance/README.md (1)

12-14: Fix markdown code block language specifications.

The fenced code blocks are missing language identifiers, which improves readability and enables syntax highlighting. Lines 12, 72, and 78 should specify the language (e.g., ```bash or ``` for plain output).

Apply these diffs to add language specifiers:

 **Example:**
-```
+```bash
 /compliance:analyze-cve CVE-2024-24783
-```
+```bash

 ### Basic usage
-```
+```bash
 /compliance:analyze-cve CVE-2024-24783
-```
+```bash

 ### High-confidence analysis
-```
+```bash
 /compliance:analyze-cve CVE-2024-45338
-```
+```bash

Also applies to: 72-74, 78-86

plugins/compliance/commands/analyze-cve.md (1)

10-12: Fix markdown formatting issues: bare URLs and missing language specifiers.

Several markdown linting issues should be addressed:

1. Bare URLs (lines 37, 41, 46): Wrap URLs in markdown link syntax [text](URL) for better readability and consistency.
2. Missing language specifiers on fenced code blocks (lines 10, 217, 300, 451): Add language identifiers like ```bash or ```shell to enable syntax highlighting.

Example fixes:

  - **NVD**: Search for "CVE-{ID} site:nvd.nist.gov"
-   - URL pattern: https://nvd.nist.gov/vuln/detail/{CVE-ID}
+   - URL pattern: https://nvd.nist.gov/vuln/detail/{CVE-ID} (replace {CVE-ID})

  ## Synopsis
-```
+```bash
  /compliance:analyze-cve <CVE-ID>
-```
+```bash

  **If searches fail or return insufficient results**:
-     - Request user input for any known fixes or workarounds
-     - Accept partial information and document gaps
-

For bare URLs, consider using standard markdown link format: [URL text](https://example.com) instead of plain https://example.com.

Also applies to: 37-37, 41-41, 46-46, 217-217, 300-300, 451-451

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 2157c19 and 6e6bd56.

📒 Files selected for processing (6)

• .claude-plugin/marketplace.json (1 hunks)
• PLUGINS.md (2 hunks)
• docs/data.json (1 hunks)
• plugins/compliance/.claude-plugin/plugin.json (1 hunks)
• plugins/compliance/README.md (1 hunks)
• plugins/compliance/commands/analyze-cve.md (1 hunks)

🧰 Additional context used

🪛 LanguageTool

plugins/compliance/commands/analyze-cve.md

[uncategorized] ~349-~349: Did you mean the formatting language “Markdown” (= proper noun)?
Context: ...is 2. Format Report - Use clear markdown formatting - Include severity badges...

(MARKDOWN_NNP)

🪛 markdownlint-cli2 (0.18.1)

plugins/compliance/README.md

12-12: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

72-72: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

78-78: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

plugins/compliance/commands/analyze-cve.md

10-10: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

37-37: Bare URL used

(MD034, no-bare-urls)

---

41-41: Bare URL used

(MD034, no-bare-urls)

---

46-46: Bare URL used

(MD034, no-bare-urls)

---

217-217: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

300-300: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

451-451: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🔇 Additional comments (8)

plugins/compliance/.claude-plugin/plugin.json (1)

1-8: Plugin manifest looks good.

The JSON structure is well-formed and all required fields are properly populated. Metadata aligns with other plugin entries.

PLUGINS.md (1)

7-7: Plugin index entry is well-structured and consistent.

The new Compliance plugin entry maintains alphabetical ordering in the TOC and follows the established format for all plugin documentation. Description and command syntax align with other metadata files.

Also applies to: 42-49

.claude-plugin/marketplace.json (1)

72-76: Marketplace entry properly configured.

The new plugin entry is correctly positioned with valid JSON formatting, appropriate source path, and consistent metadata.

docs/data.json (1)

395-409: Plugin metadata entry is complete and consistent.

All required fields are present with correct formatting. The command metadata (synopsis, argument_hint) aligns with documentation files, and the structure matches the existing plugin metadata pattern.

plugins/compliance/commands/analyze-cve.md (4)

25-106: CVE Intelligence Gathering phase is thorough and well-documented.

The multi-source lookup strategy with fallback handling is practical. The distinction between primary sources (NVD, MITRE), Go-specific sources, and general Go security resources is well-structured. The fallback mode for handling lookup failures is a good user experience consideration.

---

123-238: Codebase Impact Analysis is well-designed with progressive confidence levels.

The five-level verification approach (presence → imports → scanner → call graph → context) provides pragmatic depth and clear confidence assessment. Call graph reachability analysis offers the highest confidence, and the alternative methods are appropriate fallbacks. The distinction between confidence levels is clearly explained.

---

274-358: Report generation and evidence collection are comprehensive.

Clear section structure, evidence categorization, and the requirement to distinguish between verified sources and user-provided information are good practices. Markdown formatting guidance (badges, code blocks, links) helps ensure consistent, readable output.

---

359-431: Remediation guidance and fix application workflow are well-structured.

The distinction between affected/not-affected paths, preference for project Makefiles over standard Go commands, and the explicit user approval step for automatic fixes are all good security and UX practices. The verification steps (with fallback to standard Go commands) and post-fix validation are thorough.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

plugins/compliance/commands/analyze-cve.md (3)

37-37: Wrap bare URLs in markdown link syntax or inline code.

Lines 37, 41, and 46 contain bare URLs that should be wrapped for markdown compliance. Use either:

• Markdown link format: [description](url)
• Inline code format: `url`

Example fix for line 37:

-     - **NVD**: Search for "CVE-{ID} site:nvd.nist.gov"
+     - **NVD**: Search for "CVE-{ID} site:nvd.nist.gov"
-       - URL pattern: https://nvd.nist.gov/vuln/detail/{CVE-ID}
+       - URL pattern: [`https://nvd.nist.gov/vuln/detail/{CVE-ID}`](https://nvd.nist.gov/vuln/detail/{CVE-ID})

Apply similar fixes to lines 41 and 46.

Also applies to: 41-41, 46-46

---

10-12: Add language identifiers to all fenced code blocks.

Markdown linting requires language specifiers on code blocks:

-```
+```bash
 /compliance:analyze-cve <CVE-ID>
-```

Apply similar fixes to other code blocks:

• Lines 154-160, 451-453: Use bash (shell commands)
• Lines 217-219, 300-306: Use plaintext or text (output examples)

Also applies to: 154-160, 217-219, 300-306, 451-453

---

23-511: Consider separating implementation guide from command documentation.

The implementation phases (lines 23–511) provide extensive guidance that exceeds typical command documentation scope. This valuable detail might be better positioned as:

• Inline code comments in the actual implementation
• A separate implementation guide or ADR
• Developer-focused documentation distinct from user-facing docs

That said, given the complexity of CVE analysis, keeping this reference here is reasonable if intended as a deep implementation reference. The structure and clarity are excellent.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 6e6bd56 and 7ba2bec.

📒 Files selected for processing (6)

• .claude-plugin/marketplace.json (1 hunks)
• PLUGINS.md (2 hunks)
• docs/data.json (1 hunks)
• plugins/compliance/.claude-plugin/plugin.json (1 hunks)
• plugins/compliance/README.md (1 hunks)
• plugins/compliance/commands/analyze-cve.md (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• .claude-plugin/marketplace.json
• PLUGINS.md
• plugins/compliance/.claude-plugin/plugin.json

🧰 Additional context used

🪛 LanguageTool

plugins/compliance/commands/analyze-cve.md

[uncategorized] ~349-~349: Did you mean the formatting language “Markdown” (= proper noun)?
Context: ...is 2. Format Report - Use clear markdown formatting - Include severity badges...

(MARKDOWN_NNP)

🪛 markdownlint-cli2 (0.18.1)

plugins/compliance/README.md

12-12: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

72-72: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

78-78: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

plugins/compliance/commands/analyze-cve.md

10-10: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

37-37: Bare URL used

(MD034, no-bare-urls)

---

41-41: Bare URL used

(MD034, no-bare-urls)

---

46-46: Bare URL used

(MD034, no-bare-urls)

---

217-217: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

300-300: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

451-451: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🔇 Additional comments (4)

plugins/compliance/README.md (2)

12-14: Add language specifiers to fenced code blocks.

Markdown linting requires language identifiers on fenced code blocks. For command invocation examples, use bash.

-```
+```bash
 /compliance:analyze-cve CVE-2024-24783
-```
+```bash

Apply the same fix to lines 72-74 and 78-80.

Also applies to: 72-74, 78-80

---

1-86: Clear and comprehensive plugin documentation.

The README effectively communicates the plugin's purpose, features, and prerequisites. Verification levels are well-explained, and the fallback mode documentation addresses real operational needs. Examples are concrete and helpful for users.

docs/data.json (1)

619-633: Plugin entry is well-structured and consistent.

The compliance plugin entry follows the established schema and is consistent with other plugins in the file. All required fields are present and correct.

plugins/compliance/commands/analyze-cve.md (1)

1-511: Comprehensive implementation guide with sound methodology.

The documentation thoroughly describes the CVE analysis workflow, verification methods, confidence framework, and remediation process. The five-phase approach (Intelligence Gathering → Codebase Analysis → Report Generation → Remediation → Fix Application) is well-structured and aligns with the PR objectives. The confidence level framework provides clear decision criteria, and fallback modes appropriately handle offline/unreliable scenarios.

Markdown linting issues (bare URLs, missing code block language identifiers) should be addressed before merge.

[mytreya-rh]

/lgtm

In future, we can explore if a condensed version as in this AI generated example can be functionally equivalent, by testing various CVEs on both the elaborate and concise versions.

[openshift-ci]

@mytreya-rh: changing LGTM is restricted to collaborators

In response to this:

/lgtm

In future, we can explore if a condensed version as in this AI generated example can be functionally equivalent, by testing various CVEs on both the elaborate and concise versions.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[dgoodwin]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox, chiragkyal, dgoodwin, mytreya-rh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [bryan-cox,dgoodwin]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment