feat(vulnerability-remediation): Package as plugin with run-scan and fix-vulnerabilities skills

[jpelletier1]

• A human has tested these changes.

---

Why

The vulnerability-remediation plugin was missing the proper OpenHands plugin format structure. It lacked:

• A .plugin/plugin.json manifest file
• Structured agent skills for guiding the vulnerability remediation workflow
• An entry command to automatically initiate the scanning process

This PR restructures the plugin to follow the OpenHands plugin specification and provides comprehensive markdown-based skills for agents.

Summary

• Add .plugin/plugin.json with entry_command that auto-triggers the run-scan skill
• Create run-scan skill: Trivy installation and scanning instructions (markdown-based, no custom scripts)
• Create fix-vulnerabilities skill: Comprehensive remediation guide for 8+ package ecosystems
• Configure automatic skill chaining: run-scan → fix-vulnerabilities (when fixable vulnerabilities found)
• Remove old symlinks to shared skills, add self-contained skill documentation
• Update README with plugin structure, workflow diagrams, and SDK usage examples

Issue Number

N/A

How to Test

Test 1: Verify Plugin Structure

cd plugins/vulnerability-remediation
python3 << 'EOF'
import json
from pathlib import Path

# Verify plugin.json exists and has required fields
with open('.plugin/plugin.json') as f:
    manifest = json.load(f)
    assert 'entry_command' in manifest
    print(f"✓ Plugin manifest valid: {manifest['name']} v{manifest['version']}")

# Verify skills exist
for skill in ['run-scan', 'fix-vulnerabilities']:
    assert (Path('skills') / skill / 'SKILL.md').exists()
    assert (Path('skills') / skill / 'README.md').exists()
    print(f"✓ Skill {skill} complete")
EOF

Test 2: Load Plugin with SDK

from openhands.sdk.plugin import Plugin

# Load the plugin
plugin = Plugin.load("plugins/vulnerability-remediation")

# Verify skills are loaded
print(f"Plugin: {plugin.name}")
print(f"Skills: {[s.name for s in plugin.skills]}")

# Verify entry_command is present
with open(plugin.path / ".plugin" / "plugin.json") as f:
    manifest = json.load(f)
    print(f"Entry command: {manifest['entry_command']}")

Test 3: GitHub Action (existing workflow still works)

The existing GitHub Action workflow (action.yml) and scripts remain unchanged and continue to work as before.

Video/Screenshots

Plugin Structure:

plugins/vulnerability-remediation/
├── .plugin/
│   └── plugin.json              # NEW: Plugin manifest
├── skills/
│   ├── run-scan/                # NEW: Scanning skill
│   │   ├── SKILL.md
│   │   └── README.md
│   └── fix-vulnerabilities/     # NEW: Remediation skill
│       ├── SKILL.md
│       └── README.md
├── README.md                    # UPDATED
├── action.yml                   # UNCHANGED
└── scripts/                     # UNCHANGED

Skill Workflow:

Plugin Loaded (entry_command)
    ↓
[run-scan skill]
    ├─→ Install Trivy
    ├─→ Run security scan
    └─→ Auto-trigger fix-vulnerabilities (if vulnerabilities found)
            ↓
    [fix-vulnerabilities skill]
        ├─→ Parse scan results
        ├─→ Update dependencies
        └─→ Create PR with fix

Notes

• Backward compatibility: All existing GitHub Action workflows continue to work unchanged
• No breaking changes: The action.yml and scripts/ remain untouched
• Pure markdown skills: No custom scripts in skills (follows best practices)
• Automatic chaining: Skills automatically trigger each other based on scan results
• Comprehensive coverage: Supports 8+ package ecosystems (npm, pip, Maven, Go, Ruby, Rust, PHP, .NET)

This change makes the plugin fully compatible with the OpenHands SDK plugin loading system while maintaining backward compatibility with existing GitHub Actions usage.

@jpelletier1 can click here to continue refining the PR