Make CVE workflows more consistent

dfarrell07 · dfarrell07 · commit c691a6237b01 · 2025-10-23T18:01:52.000-04:00
Signed-off-by: Daniel Farrell &lt;dfarrell@redhat.com&gt;
diff --git a/.agents/workflows/cve-fix.md b/.agents/workflows/cve-fix.md
@@ -1,5 +1,7 @@
 #### Fixing CVEs
 
+**All commands should be run from the repository root directory.**
+
 **Before starting, user must:**
 
 Install grype:
@@ -117,7 +119,7 @@ Submodules may have different (non-vulnerable) versions. Check `git diff` for un
 - Go minor version (1.X => 1.Y)
 - K8s minor version (v0.A => v0.B)
 
-Revert changes. Low/Medium CVEs: skip to Step 9. High/Critical: consult team.
+Revert changes. Low/Medium CVEs: skip to step 9. High/Critical: consult team.
 
 Remove `toolchain` lines and extra blank lines added by `go mod tidy`:
 
@@ -160,7 +162,7 @@ CVE(s) for this package should no longer appear.
 make unit
 ```
 
-**Note**: When fixing multiple packages, skip this step for each package and run once at end.
+**Note**: When fixing multiple packages, skip for each and run once at end.
 
 Build errors may indicate incompatible dependency versions for this branch.
 
@@ -178,6 +180,25 @@ Expected: Only go.mod/go.sum files (for modules that changed).
 
 Follow commit templates in @.agents/commit-templates.md (CVE Fixes section). Use "in /[module]" format if only coredns or tools files changed.
 
+```bash
+# Single CVE:
+git commit -s -m "$(cat <<'EOF'
+Bump [abbreviated-package] for [CVE-ID]
+
+Full package: [full-package-path]
+EOF
+)"
+
+# Multiple CVEs:
+git commit -s -m "$(cat <<'EOF'
+Bump [abbreviated-package] for CVEs
+
+Full package: [full-package-path]
+Fixes: [CVE-ID-1], [CVE-ID-2]
+EOF
+)"
+```
+
 After each commit, rescan to check for newly introduced CVEs:
 ```bash
 grype . --config .grype.yaml -o table
@@ -266,7 +287,8 @@ EOF
 
 ##### Common Issues
 
-- **CVE persists after update**: Verify you used correct FIXED-IN version; replace directives should have been caught in Step 3
+- **CVE persists**: Verify you used correct FIXED-IN version; replace directives should have been caught in Step 3
 - **New CVE appears after fix**: Dependency downgrades can introduce CVEs; fix immediately (Step 8 rescan catches these)
 - **Tests fail**: Try different version; check CI logs
+- **Large dependency updates**: Some packages update many transitive deps; may break old branches; check Go/K8s compatibility
 - **make unit "no route to host"**: User must run `sudo systemctl restart docker` (agent can't use sudo)
