Ask Autohand Code to inspect dependency usage, vulnerable paths, lockfiles, and mitigation options.
Turn an advisory into a repo-specific plan
Security Quality and review Review Review
autohand -p "Review this dependency advisory against our repo and propose the safest mitigation"
A repo-specific risk assessment with upgrade, patch, or isolation steps.
Audit dependency incidents with Autohand Code is a security workflow that maps a dependency advisory to repo-specific usage, reachable paths, upgrade options, breaking changes, and mitigation tests. ### At a glance | Question | Answer | | --- | --- | | Best for | package advisories, CVEs, lockfile alerts, and dependency upgrade waves | | Primary inputs | Advisory link, CVE, package name, and affected version range; Package manager, lockfile, runtime, and deployment context; Whether the package is server-side, browser-side, dev-only, or transitive | | Autohand Code returns | A repo-specific risk assessment with upgrade, patch, or isolation steps. | | Avoid when | the advisory is unrelated to any package or runtime used by the repository | ### How Autohand Code handles this workflow 1. Finds direct and transitive dependency paths in the repo. 2. Checks whether vulnerable code is reachable in this application. 3. Compares upgrade, patch, isolation, or removal options. 4. Returns mitigation steps and tests that prove the risk changed. ### Best inputs - Advisory link, CVE, package name, and affected version range - Package manager, lockfile, runtime, and deployment context - Whether the package is server-side, browser-side, dev-only, or transitive ### Strong prompt autohand -p "Review this dependency advisory against our repo and propose the safest mitigation" ### Autohand Code CLI options - Run `autohand -p "Review this dependency advisory against our repo and propose the safest mitigation"` with the advisory link and lockfile context. - Use `--restricted` for reachability analysis before allowing package manager or filesystem mutations. - Use `--auto-mode` after the plan is approved when upgrade attempts, test reruns, and fallback fixes may take several passes. ### Review before accepting The answer should state reachability, runtime exposure, fixed version or mitigation, and validation commands. ### Source and validation signals Autohand AI maintains this workflow as first-party product guidance for Autohand Code. Use the [Autohand CLI Playbook](https://github.com/autohandai/code-cli/blob/main/docs/AUTOHAND_PLAYBOOK.md), [CLI reference](/docs/working-with-autohand-code/cli-reference.html), and [configuration reference](https://github.com/autohandai/code-cli/blob/main/docs/config-reference.md) when choosing between interactive mode, command mode, auto-mode, feature-enabled /goal, /settings, skills, MCP, and permission settings. The related resources below link to product docs and tutorials for the workflow, and the final answer should name repository-specific files, commands, outputs, or docs that a reviewer can verify. ### Frequently asked questions ### What is Audit dependency incidents with Autohand Code? Audit dependency incidents with Autohand Code is a security workflow that maps a dependency advisory to repo-specific usage, reachable paths, upgrade options, breaking changes, and mitigation tests. ### When should a team use Audit dependency incidents? Use it when a generic advisory needs application-specific risk judgment. ### What evidence should reviewers check for Audit dependency incidents? The answer should state reachability, runtime exposure, fixed version or mitigation, and validation commands.
Guide Enterprise Security and Compliance Review permissions, data handling, and organizational controls. /docs/guides/enterprise-security.html Guide Securely Deploying AI Agents Understand deployment risk, isolation, and secret handling. /docs/agent-sdk/deployments/securely-deploying-ai-agents.html Reference Configure Permissions Limit what agents can do while investigating risky changes. /docs/agent-sdk/observability/permissions.html