Merge pull request #1638 from forks-felickz/staged

VeVarunSharma · web-flow · commit f5355855528a · 2026-05-07T14:13:01.000-07:00
Add pre-commit dependency scanning via AI coding agents to dependabot
diff --git a/docs/README.skills.md b/docs/README.skills.md
@@ -135,7 +135,7 @@ See [CONTRIBUTING.md](../CONTRIBUTING.md#adding-skills) for guidelines on how to
 | [dataverse-python-usecase-builder](../skills/dataverse-python-usecase-builder/SKILL.md)<br />`gh skills install github/awesome-copilot dataverse-python-usecase-builder` | Generate complete solutions for specific Dataverse SDK use cases with architecture recommendations | None |
 | [debian-linux-triage](../skills/debian-linux-triage/SKILL.md)<br />`gh skills install github/awesome-copilot debian-linux-triage` | Triage and resolve Debian Linux issues with apt, systemd, and AppArmor-aware guidance. | None |
 | [declarative-agents](../skills/declarative-agents/SKILL.md)<br />`gh skills install github/awesome-copilot declarative-agents` | Complete development kit for Microsoft 365 Copilot declarative agents with three comprehensive workflows (basic, advanced, validation), TypeSpec support, and Microsoft 365 Agents Toolkit integration | None |
-| [dependabot](../skills/dependabot/SKILL.md)<br />`gh skills install github/awesome-copilot dependabot` | Comprehensive guide for configuring and managing GitHub Dependabot. Use this skill when users ask about creating or optimizing dependabot.yml files, managing Dependabot pull requests, configuring dependency update strategies, setting up grouped updates, monorepo patterns, multi-ecosystem groups, security update configuration, auto-triage rules, or any GitHub Advanced Security (GHAS) supply chain security topic related to Dependabot. | `references/dependabot-yml-reference.md`<br />`references/example-configs.md`<br />`references/pr-commands.md` |
+| [dependabot](../skills/dependabot/SKILL.md)<br />`gh skills install github/awesome-copilot dependabot` | Comprehensive guide for configuring and managing GitHub Dependabot. Use this skill when users ask about creating or optimizing dependabot.yml files, managing Dependabot pull requests, configuring dependency update strategies, setting up grouped updates, monorepo patterns, multi-ecosystem groups, security update configuration, auto-triage rules, or any GitHub Advanced Security (GHAS) supply chain security topic related to Dependabot. For pre-commit dependency vulnerability scanning in AI coding agents via the GitHub MCP Server, this skill references the Advanced Security plugin (`advanced-security@copilot-plugins`). Use this skill when an agent needs to scan dependencies for known vulnerabilities before committing. | `references/dependabot-yml-reference.md`<br />`references/example-configs.md`<br />`references/pr-commands.md` |
 | [devops-rollout-plan](../skills/devops-rollout-plan/SKILL.md)<br />`gh skills install github/awesome-copilot devops-rollout-plan` | Generate comprehensive rollout plans with preflight checks, step-by-step deployment, verification signals, rollback procedures, and communication plans for infrastructure and application changes | None |
 | [diagnose](../skills/diagnose/SKILL.md)<br />`gh skills install github/awesome-copilot diagnose` | Perform a systematic diagnostic scan of an AI workflow across 5 quality dimensions — prompt quality, context efficiency, tool health, architecture fitness, and safety — producing a scored report with prioritized remediation actions. | None |
 | [documentation-writer](../skills/documentation-writer/SKILL.md)<br />`gh skills install github/awesome-copilot documentation-writer` | Diátaxis Documentation Expert. An expert technical writer specializing in creating high-quality software documentation, guided by the principles and structure of the Diátaxis technical documentation authoring framework. | None |
diff --git a/skills/dependabot/SKILL.md b/skills/dependabot/SKILL.md
@@ -5,7 +5,10 @@ description: >-
   users ask about creating or optimizing dependabot.yml files, managing Dependabot pull requests,
   configuring dependency update strategies, setting up grouped updates, monorepo patterns,
   multi-ecosystem groups, security update configuration, auto-triage rules, or any GitHub
-  Advanced Security (GHAS) supply chain security topic related to Dependabot.
+  Advanced Security (GHAS) supply chain security topic related to Dependabot. For pre-commit
+  dependency vulnerability scanning in AI coding agents via the GitHub MCP Server, this skill
+  references the Advanced Security plugin (`advanced-security@copilot-plugins`). Use this skill
+  when an agent needs to scan dependencies for known vulnerabilities before committing.
 ---
 
 # Dependabot Configuration & Management
@@ -415,6 +418,34 @@ Use `groups` to batch updates, `directories` with globs for coverage, and `group
 **How do I handle dependencies outside the workspace?**
 Create a separate ecosystem entry with its own `directory` pointing to that location.
 
+## Pre-Commit Dependency Scanning via AI Coding Agents
+
+For scanning code changes for vulnerable dependencies inside an AI coding agent before committing, the GitHub MCP Server's `dependabot` toolset can check your dependency additions against the GitHub Advisory Database and return structured results with affected packages, severity, and recommended fixed versions. For more thorough post-commit checks, it can also run the Dependabot CLI locally to diff dependency graphs before and after your changes.
+
+Install the **Advanced Security plugin** which provides dedicated dependency scanning tools and the `/dependency-scanning` skill.
+
+**GitHub Copilot CLI (shell):**
+```bash
+# Enable the dependabot toolset for the GitHub MCP Server
+copilot --add-github-mcp-toolset dependabot
+```
+
+**GitHub Copilot CLI (inside `copilot`):**
+```text
+> /plugin install advanced-security@copilot-plugins
+```
+
+**Visual Studio Code:**
+- Add `"X-MCP-Toolsets": "dependabot"` to your GitHub MCP Server headers, or pick **Dependabot** from the toolset selector in Copilot Chat
+- Install the `advanced-security` plugin, then use `/dependency-scanning` in Copilot Chat
+
+**Example prompt:**
+> Scan the dependencies I added on this branch for known vulnerabilities and tell me which versions to upgrade to before I commit.
+
+See: [Advanced Security Plugin — Dependency Scanning Skill](https://github.com/github/copilot-plugins/blob/main/plugins/advanced-security/skills/dependency-scanning/SKILL.md)
+
+> Announced in [Dependency scanning with GitHub MCP Server is in public preview](https://github.blog/changelog/2026-05-05-dependency-scanning-with-github-mcp-server-is-in-public-preview/) (May 2026)
+
 ## Resources
 
 - `references/dependabot-yml-reference.md` — Complete YAML options reference
