Dependency remediation playbook
When a package has known vulnerabilities, you need to know which ones are reachable in your application, which dependencies carry them, and which versions fix them. This prompt drives an AI agent through that investigation and produces a structured remediation plan in a single conversation. Copy it into a session where the Develocity Provenance Governor MCP server is already configured.
Before You Start
Before pasting the prompt, confirm that you have:
- The Package URL (PURL) of the artifact to remediate
- Access to the Provenance Governor MCP server; see MCP Tools for server setup and authentication
- Read access to the application source repository
- At least one Policy Scan™ attestation for the artifact; the MCP server returns no gate topology or compliance results until a Policy Scan has evaluated the artifact
The Prompt
Copy the block below into your chat session.
Replace {PACKAGE_URL} with the PURL of the artifact to remediate.
```text
You are a dependency remediation agent.
Your tool is inspect-package-supply-chain, an MCP tool that uses progressive disclosure: each response includes hint lines with literal parameter values for your next call.
Your goal is to produce a structured remediation plan document for the package {PACKAGE_URL}.
Complete every phase autonomously.
Do not ask for confirmation between calls.
The tool's response hints guide your next call.

## Gate selection
Identify the most recent gate for {PACKAGE_URL}.
The gate topology provides dates; use the most recent.
All subsequent work targets this gate.

## Vulnerability assessment
For each vulnerability on the selected gate, retrieve its full advisory and trace whether the affected dependency is reachable in the application source.
Search for import statements, configuration references, and call sites.
Use an Abstract Syntax Tree (AST) tool when one is available; otherwise analyze the source directly.
Classify each finding with a confidence level (High, Medium, or Low) and one sentence of reasoning.
For each vulnerability, record:
- the dependency name and version
- the vulnerability identifier
- the advisory summary
- the advisory references
- the reachability finding
- a confidence level with one sentence of reasoning

## Upgrade planning
For each affected dependency, retrieve available upgrades and remediation recommendations.
The tool provides upgrade versions by strategy (patch, minor, major) and remediation confidence scores.
Research release notes for each candidate version, summarizing breaking API changes, deprecations that affect the call sites, and fixes that address the flagged vulnerabilities.
Produce an upgrade plan naming the current version, the target version, the rationale, affected call sites, and validation steps.

## Combined output
When a vulnerability has a patch upgrade available, combine the vulnerability assessment and upgrade plan into a single entry in the remediation plan document.

## Output format
Structure the remediation plan as a Markdown document using this template:

# Dependency Remediation Plan : <artifact PURL>

## Vulnerability findings

### <Vulnerability-ID>
* **Dependency**: <name>@<version>
* **ID**: <Vulnerability-ID>
* **Summary**: <Advisory summary>
* **References**: <Advisory references>
* **Reachability**: <Finding>
* **Confidence**: <High/Medium/Low>. <Reasoning sentence>

## Upgrade plan

### <dependency-name>
* **Current version**: <version>
* **Target version**: <version>
* **Rationale**: <Reasoning>
* **Required changes**: <Call sites or "None">
* **Validation**: <Test steps>

## Recommended actions
* **Act now**: High confidence, reachable findings, or available patches
* **Review**: Medium confidence findings
* **Defer**: Low confidence findings or unreachable dependencies
```
How the Prompt Works
The prompt states four goals. The agent pursues each goal autonomously, using the tool’s response hints to discover the parameters for each call.
Gate selection
The agent retrieves the gate topology for the target PURL and selects the most recent gate by date. All subsequent calls target that gate, so the remediation data reflects the latest Policy Scan™ evaluation.
Vulnerability assessment
The agent retrieves every vulnerability on the selected gate, fetches the full advisory for each one, and traces the affected dependency through the application source. It classifies each finding as reachable or not reachable and assigns a confidence level with one sentence of reasoning.
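The reachability step is the part of the workflow that most depends on the application source, so here is an added Python illustration of the direct source analysis the prompt falls back to when no AST tool is available. It is not code from this playbook or from the Provenance Governor MCP server: the sample repository, the coordinate-to-package mapping and the confidence rules are all constructed for the example. It scans the repository for import statements, call sites, build declarations and configuration references of one dependency and returns the reachability finding and confidence level that the plan records.

```python
import re
from dataclasses import dataclass, field

# Constructed sample repository (path -> file contents); not a real project.
SAMPLE_REPO = {
    "build.gradle": (
        "dependencies {\n"
        "    implementation 'org.apache.logging.log4j:log4j-core:2.14.1'\n"
        "    implementation 'com.fasterxml.jackson.core:jackson-databind:2.12.0'\n"
        "}\n"
    ),
    "src/main/java/com/example/App.java": (
        "package com.example;\n"
        "import org.apache.logging.log4j.LogManager;\n"
        "import org.apache.logging.log4j.Logger;\n"
        "public class App {\n"
        "    private static final Logger LOG = LogManager.getLogger(App.class);\n"
        "    public static void main(String[] args) { LOG.info(\"started\"); }\n"
        "}\n"
    ),
    "src/main/resources/log4j2.xml": '<Configuration status="WARN"/>\n',
}

# Assumed mapping from Maven coordinates to the Java packages each artifact ships.
# A real run derives this from the artifact itself (for example the jar's package list).
DEPENDENCY_PACKAGES = {
    "org.apache.logging.log4j:log4j-core": ["org.apache.logging.log4j"],
    "com.fasterxml.jackson.core:jackson-databind": ["com.fasterxml.jackson.databind"],
    "io.netty:netty-codec": ["io.netty.handler.codec"],
}
BUILD_FILES = ("build.gradle", "build.gradle.kts", "pom.xml")


@dataclass
class Finding:
    dependency: str
    reachability: str
    confidence: str
    reasoning: str
    evidence: list = field(default_factory=list)


def assess_reachability(dependency, repo=SAMPLE_REPO, packages=DEPENDENCY_PACKAGES):
    """Text-based reachability check for one dependency: the direct source analysis
    the prompt falls back to when no AST tool is available."""
    pkgs = packages[dependency]
    artifact_id = dependency.split(":")[1]
    imports, call_sites, configs, declared = [], [], [], []
    for path, text in repo.items():
        lines = text.splitlines()
        if path.endswith(".java"):
            imported = set()  # simple class names this file imports from the dependency
            for n, line in enumerate(lines, 1):
                for pkg in pkgs:
                    m = re.match(rf"\s*import\s+(?:static\s+)?{re.escape(pkg)}\.([\w.]+|\*);", line)
                    if m:
                        imports.append(f"{path}:{n}")
                        name = m.group(1).split(".")[-1]
                        if name != "*":
                            imported.add(name)
            for n, line in enumerate(lines, 1):
                if re.match(r"\s*import\b", line):
                    continue
                uses_class = any(re.search(rf"\b{re.escape(c)}\b", line) for c in imported)
                uses_fqn = any(pkg + "." in line for pkg in pkgs)
                if uses_class or uses_fqn:
                    call_sites.append(f"{path}:{n}")
        elif path.endswith(BUILD_FILES):
            if artifact_id in text:
                declared.append(path)
        # Heuristic configuration match: a package name inside the file, or the
        # artifact's leading name segment in the file name ("log4j" in log4j2.xml).
        elif any(pkg in text for pkg in pkgs) or artifact_id.split("-")[0] in path.lower():
            configs.append(path)

    # Confidence rules are assumptions for this example, not the tool's own scoring.
    if imports and call_sites:
        return Finding(dependency, "Reachable", "High",
                       f"Direct import and {len(call_sites)} call site(s) identified in application source.",
                       imports + call_sites)
    if imports:
        return Finding(dependency, "Reachable", "Medium",
                       "Imported in application source but no call site found; the import may be unused.",
                       imports)
    if configs:
        return Finding(dependency, "Possibly reachable", "Medium",
                       "Referenced only from configuration; the library may be activated without a call site.",
                       configs)
    if declared:
        return Finding(dependency, "Not reachable", "Low",
                       "Declared in the build but never imported, called or configured; "
                       "transitive use cannot be ruled out by text search.", declared)
    return Finding(dependency, "Not reachable", "Low",
                   "No declaration, import, call site or configuration reference found.")
```

Each `Finding` carries the evidence (file and line) behind its classification, which is what makes the one-sentence reasoning in the plan checkable by a reviewer; a text search like this cannot see transitive or reflective use, which is why the dependency that is only declared in the build still ends up at Low confidence rather than being marked safe.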
Upgrade planning
The agent retrieves available upgrades and remediation recommendations, researches release notes for each candidate version, and produces an upgrade plan. Each plan entry names the current version, the target version, the rationale, affected call sites, and validation steps. When a vulnerability has an available patch, the vulnerability assessment and upgrade plan combine into a single entry.
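To make the upgrade-selection logic concrete, here is an added Python example (not from the page or the MCP tool) that classifies candidate versions by strategy, decides which of them actually contain the fix, and picks a target under a configurable strategy policy. The artifact, its version list, the fixed-in list and the release notes are constructed; the backport model used by `is_fixed` (a candidate is fixed if it is at or past the fix on its own major.minor branch, or at or past the newest fixed release) is an assumption of the example.

```python
import re

# Constructed inventory for a hypothetical artifact; these versions and notes
# do not describe any real project's release history.
CURRENT_VERSION = "2.14.1"
AVAILABLE_VERSIONS = ["2.14.2", "2.15.0", "2.16.0", "2.17.1", "3.0.0"]
FIXED_IN = ["2.12.2", "2.17.1"]  # one fixed release per maintained branch
RELEASE_NOTES = {
    "2.15.0": "Deprecates WidgetClient.legacyConnect()",
    "2.17.1": "Fixes the advisory's lookup handling",
    "3.0.0": "Removes WidgetClient.legacyConnect()",
}
STRATEGY_ORDER = ("patch", "minor", "major")


def parse_version(v):
    """Parse a dotted numeric version into a comparable tuple padded to three parts;
    pre-release tags such as '-rc1' are rejected so they are never chosen as a target."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unsupported version syntax: {v!r}")
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


def strategy(current, candidate):
    """Name the strategy (patch, minor, major) that moves current to candidate,
    or None when candidate is not an upgrade at all."""
    c, n = parse_version(current), parse_version(candidate)
    if n <= c:
        return None
    if n[0] != c[0]:
        return "major"
    if n[1] != c[1]:
        return "minor"
    return "patch"


def is_fixed(candidate, fixed_in):
    """Assumed backport model: fixed if at or past the fix on the candidate's own
    major.minor branch, or at or past the newest fixed release overall."""
    n = parse_version(candidate)
    fixes = [parse_version(f) for f in fixed_in]
    return any(n[:2] == f[:2] and n >= f for f in fixes) or n >= max(fixes)


def notes_between(current, target, notes=RELEASE_NOTES):
    """Release notes for every version after current up to and including target,
    i.e. the changes an upgrade to target actually pulls in."""
    c, t = parse_version(current), parse_version(target)
    return [f"{v}: {notes[v]}" for v in sorted(notes, key=parse_version)
            if c < parse_version(v) <= t]


def plan_upgrade(current, available, fixed_in, allowed=STRATEGY_ORDER):
    """Pick the lowest fixed version reachable under the allowed strategies,
    preferring patch over minor over major, and explain when none qualifies."""
    candidates = []
    for v in available:
        s = strategy(current, v)
        if s in allowed and is_fixed(v, fixed_in):
            candidates.append((STRATEGY_ORDER.index(s), parse_version(v), v, s))
    if not candidates:
        return {"current": current, "target": None, "strategy": None, "changes": [],
                "rationale": (f"No available version fixes the advisory within the allowed "
                              f"strategies ({', '.join(allowed)}); escalate for policy review.")}
    _, _, target, s = min(candidates)
    return {"current": current, "target": target, "strategy": s,
            "changes": notes_between(current, target),
            "rationale": f"{target} is the lowest fixed release reachable by a {s} upgrade from {current}."}
```

With the constructed data the patch candidate 2.14.2 is on a branch that never received the fix, so a patch-only policy yields no target and an explicit escalation message instead of a silently unfixed plan; with minor upgrades allowed the planner lands on 2.17.1 and lists the deprecation introduced in 2.15.0 that the call-site review must cover.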
Worked example
This example shows a remediation plan for a package with one vulnerability and one available upgrade.
```markdown
# Dependency Remediation Plan : pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1

## Vulnerability findings

### CVE-2021-44228
* **Dependency**: org.apache.logging.log4j:log4j-core@2.14.1
* **ID**: CVE-2021-44228
* **Summary**: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints
* **References**: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
* **Reachability**: Reachable. The application uses `LogManager.getLogger()` in `com.example.App` which triggers the vulnerable code path
* **Confidence**: High. Direct call site identified in application source code

## Upgrade plan

### log4j-core
* **Current version**: 2.14.1
* **Target version**: 2.17.1
* **Rationale**: This upgrade fixes a critical remote code execution vulnerability (CVE-2021-44228)
* **Required changes**: None. The update is a binary-compatible patch
* **Validation**: Run `./gradlew test` and perform a manual smoke test of the logging output

## Recommended actions
* **Act now**: CVE-2021-44228 is reachable and has a high confidence finding. Upgrade to 2.17.1 immediately
```
Customizing the Prompt
This prompt is a starting point. Tailor it to your remediation workflow:
- Change the output format to match your team’s documentation standards or to feed downstream tooling directly
- Add internal ticketing integration: instruct the agent to open a JIRA or GitHub issue for each High confidence finding
- Adjust confidence thresholds: for example, require the agent to treat Medium confidence findings as "Act now" when the dependency handles authentication or payment data
- Restrict upgrade strategies to patch-only when your team policy prohibits MINOR or MAJOR upgrades without additional review
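If you feed the plan into downstream tooling, the "Recommended actions" rules and the confidence-threshold customization above are easy to encode. The following Python is an added example, not part of the playbook or the MCP tool: it applies the template's bucketing (available patch or a High confidence reachable finding means Act now, Medium means Review, everything else Defer) with an optional escalation for dependencies that handle authentication or payment data, and renders the section in the template's format. The findings and the `sensitive` flag are constructed for the example.

```python
# Constructed findings in the shape the remediation plan records them. The
# "sensitive" flag is an added field marking dependencies that handle
# authentication or payment data.
SAMPLE_FINDINGS = [
    {"id": "CVE-EXAMPLE-0001", "dependency": "widget-core@2.14.1", "reachable": True,
     "confidence": "High", "patch_available": False, "sensitive": False},
    {"id": "CVE-EXAMPLE-0002", "dependency": "auth-sdk@1.2.0", "reachable": True,
     "confidence": "Medium", "patch_available": False, "sensitive": True},
    {"id": "CVE-EXAMPLE-0003", "dependency": "reporting-lib@4.0.0", "reachable": False,
     "confidence": "Low", "patch_available": False, "sensitive": False},
    {"id": "CVE-EXAMPLE-0004", "dependency": "image-utils@0.9.1", "reachable": False,
     "confidence": "Low", "patch_available": True, "sensitive": False},
]


def triage(finding, escalate_sensitive=True):
    """Apply the template's 'Recommended actions' rules in order of precedence.
    escalate_sensitive is the customization that promotes Medium confidence
    findings on authentication or payment dependencies to 'Act now'."""
    conf = finding["confidence"]
    # An available patch is cheap to apply, so it is acted on regardless of
    # reachability; so is a finding we are confident is reachable.
    if finding["patch_available"] or (conf == "High" and finding["reachable"]):
        return "Act now"
    if conf == "Medium":
        if escalate_sensitive and finding["sensitive"]:
            return "Act now"
        return "Review"
    # Low confidence findings and dependencies judged unreachable are deferred.
    return "Defer"


def render_recommended_actions(findings, escalate_sensitive=True):
    """Render the 'Recommended actions' section of the plan template."""
    buckets = {"Act now": [], "Review": [], "Defer": []}
    for f in findings:
        buckets[triage(f, escalate_sensitive)].append(f"{f['id']} ({f['dependency']})")
    lines = ["## Recommended actions"]
    for bucket, items in buckets.items():
        lines.append(f"* **{bucket}**: {', '.join(items) if items else 'none'}")
    return "\n".join(lines)
```

Keeping the precedence explicit in code matters: the Low confidence finding with an available patch lands in Act now because patches are cheap, while the Medium finding on the authentication SDK moves between Review and Act now purely on the `escalate_sensitive` setting, which is the knob the customization note describes.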