Scan, fix, and verify vulnerable dependencies with an agentic feedback loop.
dobbe vuln resolve [OPTIONS]
vuln resolve is dobbe’s flagship command. It orchestrates multiple AI agents in an iterative loop to scan, fix, verify, and report on vulnerable dependencies.
The pipeline runs up to --max-iterations fix-verify cycles before reporting results.
┌─────────────────────────────────────────────────┐
│ dobbe vuln resolve [--repo org/repo] │
│ (auto-detects from CWD if no flags given) │
└──────────────────────┬──────────────────────────┘
│
v
┌─────────────────────────────────────────────────┐
│ 1. DISCOVER │
│ - Auto-detect repo from CWD git remote │
│ - Discover available MCP servers │
│ - Resolve repo: configured paths -> common │
│ dirs -> CWD remote match -> clone to tempdir │
└──────────────────────┬──────────────────────────┘
│
v
┌─────────────────────────────────────────────────┐
│ 2. BRANCH SETUP │
│ - Create feature branch from --base │
│ - Default branch name: dobbe/vuln-fix-YYYYMMDD │
└──────────────────────┬──────────────────────────┘
│
v
┌─────────────────────────────────────────────────┐
│ 3. SCAN AGENT │
│ - Fetch Dependabot alerts via MCP or gh CLI │
│ - Triage each alert: is code path affected? │
│ - Group alerts by package │
│ - Build scan summary with risk levels │
│ Tools: [Bash, Read, Grep, Glob] + MCP │
└──────────────────────┬──────────────────────────┘
│
┌─────┴──────┐
│ Dry run? │
└─────┬──────┘
yes | | no
v v
┌─────────┐ ┌────────────────────────┐
│ Report │ │ 4. FIX AGENT │<────────┐
│ scan │ │ - Read scan summary │ │
│ results │ │ - Apply PATCH/MINOR │ │
│ + exit │ │ bumps only │ │
└─────────┘ │ - Update lockfiles │ │
│ - Skip if no safe fix │ │
│ Tools: [Bash, Read, │ │
│ Grep, Glob, Edit, │ │
│ Write] + MCP │ │
└───────────┬─────────────┘ │
│ │
v │
┌───────────────────────┐ │
│ 5. GIT COMMIT │ │
│ - Stage all changes │ │
│ - Commit with message │ │
└───────────┬────────────┘ │
│ │
┌─────────┴──────────┐ │
│ Changes committed? │ │
└─────────┬──────────┘ │
yes | | no │
v v │
┌────────────────┐ Mark converged, │
│ --skip-verify? │ skip to report │
└───────┬────────┘ │
yes | | no │
v v │
Mark converged ┌─────────────────────┐ │
skip to report │ 6. VERIFY AGENT │ │
│ - git diff review │ │
│ - Check breaking │ │
│ changes │ │
│ - Run tests │ │
│ - Verify lockfiles │ │
│ Tools: [Bash, Read,│ │
│ Grep, Glob] │ │
└──────────┬──────────┘ │
│ │
┌─────┴─────┐ │
│ Passed? │ │
└─────┬─────┘ │
yes | | no │
│ v │
│ ┌─────────────┐ │
│ │ Iterations │ │
│ │ remaining? │ │
│ └──────┬──────┘ │
│ yes | | no │
│ v │ │
│ ┌────────┐ │ │
│ │ REVERT │ │ │
│ │ Reset │ │ │
│ │ branch │ │ │
│ │ to base│ │ │
│ │ Feed │ │ │
│ │ back ├─┼───────┘
│ │ errors │ │
│ └────────┘ │
│ │
v v
┌─────────────────────────────┐
│ 7. REPORT AGENT │
│ - Summarize what was fixed │
│ - What was skipped and why │
│ - Verification results │
│ - Risk assessment │
│ - Next steps │
│ Tools: [Read] │
└──────────────┬───────────────┘
│
v
┌─────────────────────────────┐
│ 8. CREATE PR │
│ - Push branch │
│ - Create PR via gh CLI │
│ - Include executive summary │
│ (skipped if --no-pr or │
│ not converged) │
└─────────────────────────────┘
| Option | Type | Default | Description |
|---|---|---|---|
| --repo / -r | str | auto-detect | Repository to fix (org/repo). Auto-detected from current directory if omitted. |
| --severity / -s | str | critical,high,medium,low | Comma-separated severity filter |
| --max-iterations | int | 3 | Max fix-verify iterations (1-10) |
| --base | str | main | Base branch to branch from |
| --branch | str | auto | Branch name for fixes |
| --create-pr / --no-pr | bool | True | Create PR on convergence |
| --dry-run | bool | False | Scan only, no edits |
| --skip-verify | bool | False | Skip verification step |
| --format / -f | str | table | Output format: table, json, markdown |
| --timeout | int | 300 | Claude subprocess timeout in seconds (envvar: DOBBE_TIMEOUT_CLAUDE) |
| --yes / -y | bool | False | Skip confirmation prompts |
| --from-scan | str | - | Path to scan JSON from dobbe vuln scan --format json. Use '-' for stdin. |
When run from inside a git repository with no --repo flag, dobbe auto-detects the repo from the current directory’s git remote URL.
Each pipeline agent has scoped tool permissions:
| Agent | Tools | Why |
|---|---|---|
| Scan | Bash, Read, Grep, Glob + MCP | Read-only analysis of alerts and code |
| Fix | Bash, Read, Grep, Glob, Edit, Write + MCP | Needs to modify dependency files |
| Verify | Bash, Read, Grep, Glob | Read + run tests, no edits allowed |
| Report | Read | Read-only access to generate summary |
MCP tools (e.g., mcp__github__*) are added when available for the scan and fix agents.
Discovers available MCP servers from ~/.claude/settings.json and resolves the repository location:
1. Repository to work on: the --repo flag, or auto-detect from the current directory’s git remote URL
2. local_paths in ~/.dobbe/config.toml
3. Common directories (~/projects, ~/code, ~/src, etc.)
4. The current directory, if its git remote matches the --repo slug
5. Shallow clone (git clone --depth 1) into a temp directory

Creates a feature branch from the base branch. Default branch name follows the pattern dobbe/vuln-fix-YYYYMMDD. Custom names can be set with --branch.
The scan agent fetches Dependabot alerts and triages each one:
- Fetches alerts via MCP (mcp__github__*) when available, otherwise via the gh CLI
- Filters by severity: critical, high, medium, low
- Triages each alert: is the affected code path actually used?
- Groups alerts by package and builds a scan summary with risk levels

The fix agent reads the scan summary and applies upgrades:
- PATCH/MINOR version bumps only
- Updates lockfiles
- Skips a package if no safe fix is available
Stages all changes and creates a commit. If no changes were made (e.g., all packages skipped), the pipeline marks convergence and moves to the report stage.
The verify agent reviews the changes:
- git diff against the base branch
- Checks for breaking changes
- Runs tests
- Verifies lockfiles

If verification fails, the pipeline reverts the branch to the base, feeds the error details back to the fix agent, and starts the next iteration.
Generates a plain-text executive summary (under 500 words) covering:
- What was fixed
- What was skipped and why
- Verification results
- Risk assessment
- Next steps
If the pipeline converged (tests pass) and --create-pr is enabled, pushes the branch and creates a PR via gh pr create with the executive summary as the body.
Each pipeline run saves a full conversation log (all agent messages with timestamps) that can be reviewed for debugging or auditing. The conversation includes agent names, iteration numbers, and detailed summaries.
```bash
# Auto-detect the repo from the current directory's git remote
cd ~/projects/api
dobbe vuln resolve

# Target an explicit repository
dobbe vuln resolve --repo acme/web-app

# Scan and report only, no edits
dobbe vuln resolve --repo acme/web-app --dry-run

# Single fix pass without verification
dobbe vuln resolve --repo acme/web-app --skip-verify --max-iterations 1

# Branch from develop with a custom branch name
dobbe vuln resolve --repo acme/web-app --base develop --branch fix/security-march

# Machine-readable output
dobbe vuln resolve --repo acme/web-app --format json
```
When you run dobbe vuln scan followed by dobbe vuln resolve on the same repo, the scan agent runs twice - the same expensive Claude invocation analyzing the same alerts. The --from-scan option lets you pass pre-computed scan results to resolve, skipping the redundant scan agent entirely.
┌──────────────────────────────────┐
│ Load scan JSON (file or stdin) │
└──────────────────┬───────────────┘
│
v
┌──────────────────────────────────┐
│ Match repo -> build summary │
└──────────────────┬───────────────┘
│
v
┌──────────────────────────────────┐
│ FIX AGENT (skip scan agent) │
│ ... rest of pipeline unchanged │
└──────────────────────────────────┘
```bash
# Two-step: save the scan, then resolve from it
dobbe vuln scan --repo acme/web-app --format json --output scan.json
dobbe vuln resolve --repo acme/web-app --from-scan scan.json

# One-step: pipe the scan into resolve via stdin
dobbe vuln scan --repo acme/web-app --format json | dobbe vuln resolve --repo acme/web-app --from-scan -
```
--from-scan and --dry-run can be combined to preview what the resolve pipeline would scan using pre-computed results.

--severity is ignored when --from-scan is set: filtering already happened during the original scan.

The pipeline converges (succeeds) when any of these conditions are met:
- The verify agent passes (tests pass)
- No changes were committed (nothing safe to fix)
- The --skip-verify flag bypasses verification

If the pipeline exhausts all iterations without converging, the report agent still generates a summary explaining what failed and why. No PR is created in this case.
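The control flow of stages 4-6 and the convergence rules, as an added illustration that is not dobbe's own code: the fix and verify agents are stand-in callables (assumed signatures, not dobbe's API) so the loop can be exercised offline, and the branch reset on failure is represented only by the error feedback handed to the next fix call.

```python
"""Model of the fix-verify loop (added example, not dobbe's implementation).

Assumed stand-in agent signatures:
  fix(summary, feedback) -> list of changed files ([] means nothing safe to fix)
  verify(changes)        -> list of error strings ([] means verification passed)
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

FixAgent = Callable[[str, Optional[List[str]]], List[str]]
VerifyAgent = Callable[[List[str]], List[str]]


@dataclass
class RunResult:
    converged: bool
    reason: str
    iterations: int
    errors: List[str] = field(default_factory=list)

    def should_create_pr(self, create_pr: bool) -> bool:
        # Stage 8 is skipped when --no-pr is given or the run did not converge.
        return create_pr and self.converged


def resolve_loop(summary: str, fix: FixAgent, verify: VerifyAgent,
                 max_iterations: int = 3, skip_verify: bool = False) -> RunResult:
    """Run up to max_iterations fix-verify cycles, mirroring stages 4-6."""
    if not 1 <= max_iterations <= 10:
        raise ValueError("--max-iterations must be within 1-10")
    feedback: Optional[List[str]] = None
    for iteration in range(1, max_iterations + 1):
        changes = fix(summary, feedback)          # stage 4: PATCH/MINOR bumps only
        if not changes:                           # stage 5: nothing to commit
            return RunResult(True, "no changes committed", iteration)
        if skip_verify:                           # --skip-verify bypasses stage 6
            return RunResult(True, "verification skipped", iteration)
        errors = verify(changes)                  # stage 6: diff review + tests
        if not errors:
            return RunResult(True, "verification passed", iteration)
        # Verification failed: the branch is reset to base and the errors are
        # fed back to the fix agent for the next iteration.
        feedback = errors
    # Iterations exhausted: the report agent still runs, but no PR is created.
    return RunResult(False, "max iterations exhausted", max_iterations, feedback or [])
```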