fix: reopen closed Linear issues on recurring vulnerability findings

msukkari · claude · msukkari · commit 5c9e1924b3af · 2026-04-17T20:00:25.000-07:00
Instead of silently skipping completed/cancelled Linear issues or creating
duplicates, the vulnerability triage workflow now reopens them by moving
the issue back to Triage state.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/trivy-vulnerability-triage.yml b/.github/workflows/trivy-vulnerability-triage.yml
@@ -394,7 +394,7 @@ jobs:
           claude_args: |
             --allowedTools Bash,Read,Write,Edit,Glob,Grep,WebSearch,WebFetch
             --model claude-sonnet-4-6
-            --json-schema '{"type":"object","properties":{"cves":{"type":"array","items":{"type":"object","properties":{"cveId":{"type":"string","description":"CVE ID, GHSA ID, or codeql:<rule-id>"},"severity":{"type":"string","enum":["CRITICAL","HIGH","MEDIUM","LOW"]},"source":{"type":"string","enum":["trivy","dependabot","codeql","trivy+dependabot"],"description":"Which scanner(s) reported this finding"},"title":{"type":"string","description":"Short summary for the Linear issue title"},"description":{"type":"string","description":"Markdown analysis: affected packages, direct vs transitive, remediation steps, and references"},"affectedPackage":{"type":"string"},"linearIssueExists":{"type":"boolean"}},"required":["cveId","severity","source","title","description","affectedPackage","linearIssueExists"]}}},"required":["cves"]}'
+            --json-schema '{"type":"object","properties":{"cves":{"type":"array","items":{"type":"object","properties":{"cveId":{"type":"string","description":"CVE ID, GHSA ID, or codeql:<rule-id>"},"severity":{"type":"string","enum":["CRITICAL","HIGH","MEDIUM","LOW"]},"source":{"type":"string","enum":["trivy","dependabot","codeql","trivy+dependabot"],"description":"Which scanner(s) reported this finding"},"title":{"type":"string","description":"Short summary for the Linear issue title"},"description":{"type":"string","description":"Markdown analysis: affected packages, direct vs transitive, remediation steps, and references"},"affectedPackage":{"type":"string"},"linearIssueExists":{"type":"boolean"},"linearIssueId":{"type":"string","description":"The Linear issue UUID if a matching issue was found, empty string otherwise"},"linearIssueClosed":{"type":"boolean","description":"True if the matching Linear issue is in a completed or canceled state"}},"required":["cveId","severity","source","title","description","affectedPackage","linearIssueExists","linearIssueId","linearIssueClosed"]}}},"required":["cves"]}'
           prompt: |
             You are a security engineer triaging vulnerabilities and security findings for the Sourcebot Docker image.
             You have three data sources to analyze. Each is a JSON array where every entry has a pre-computed
@@ -444,17 +444,19 @@ jobs:
 
             7. **Check Linear for existing issues** for each finding:
                - For each `cveId`, run a GraphQL query against the Linear API to search for issues
-                 whose title contains that ID.
-               - **Important**: Exclude cancelled issues so that previously cancelled/rejected findings
-                 can be re-created. Use a state type filter to only match active issues.
+                 whose title contains that ID. Search ALL issues regardless of state (open, completed, cancelled).
                - Use the following curl command pattern:
                  ```
                  curl -s -X POST https://api.linear.app/graphql \
                    -H "Content-Type: application/json" \
                    -H "Authorization: $LINEAR_API_KEY" \
-                   -d '{"query": "query { issues(filter: { team: { id: { eq: \"'$LINEAR_TEAM_ID'\" } }, title: { contains: \"<ID>\" }, state: { type: { nin: [\"canceled\"] } } }) { nodes { id title } } }"}'
+                   -d '{"query": "query { issues(filter: { team: { id: { eq: \"'$LINEAR_TEAM_ID'\" } }, title: { contains: \"<ID>\" } }) { nodes { id title state { type } } } }"}'
                  ```
                - Set `linearIssueExists` to `true` if any matching issue is found, `false` otherwise.
+               - If multiple issues match, prefer the one with an open state (i.e., state type is NOT `"completed"` or `"canceled"`).
+                 Only use a closed issue if no open issue exists for that finding.
+               - Set `linearIssueId` to the `id` (UUID) of the selected matching issue, or `""` if none found.
+               - Set `linearIssueClosed` to `true` if the selected issue's `state.type` is `"completed"` or `"canceled"`, `false` otherwise.
 
             8. Return the structured JSON with all findings in the `cves` array.
 
@@ -473,7 +475,7 @@ jobs:
           echo "| ID | Source | Severity | Package | Linear Status |" >> "$GITHUB_STEP_SUMMARY"
           echo "|----|--------|----------|---------|---------------|" >> "$GITHUB_STEP_SUMMARY"
 
-          echo "$STRUCTURED_OUTPUT" | jq -r '.cves[] | "| \(.cveId) | \(.source) | \(.severity) | \(.affectedPackage) | \(if .linearIssueExists then "Existing" else "New" end) |"' >> "$GITHUB_STEP_SUMMARY"
+          echo "$STRUCTURED_OUTPUT" | jq -r '.cves[] | "| \(.cveId) | \(.source) | \(.severity) | \(.affectedPackage) | \(if .linearIssueExists then (if .linearIssueClosed then "Reopen" else "Existing") else "New" end) |"' >> "$GITHUB_STEP_SUMMARY"
 
           echo "" >> "$GITHUB_STEP_SUMMARY"
           echo "### Details" >> "$GITHUB_STEP_SUMMARY"
@@ -527,6 +529,7 @@ jobs:
 
           CREATED_COUNT=0
           SKIPPED_COUNT=0
+          REOPENED_COUNT=0
           FAILED_COUNT=0
 
           echo "## Linear Issue Creation" >> "$GITHUB_STEP_SUMMARY"
@@ -543,13 +546,49 @@ jobs:
             TITLE=$(echo "$cve" | jq -r '.title')
             DESCRIPTION=$(echo "$cve" | jq -r '.description')
             LINEAR_EXISTS=$(echo "$cve" | jq -r '.linearIssueExists')
+            LINEAR_ISSUE_ID=$(echo "$cve" | jq -r '.linearIssueId')
+            LINEAR_CLOSED=$(echo "$cve" | jq -r '.linearIssueClosed')
 
-            if [ "$LINEAR_EXISTS" = "true" ]; then
-              echo "Skipping $CVE_ID — Linear issue already exists."
+            if [ "$LINEAR_EXISTS" = "true" ] && [ "$LINEAR_CLOSED" = "false" ]; then
+              echo "Skipping $CVE_ID — Linear issue already exists and is open."
               SKIPPED_COUNT=$((SKIPPED_COUNT + 1))
               continue
             fi
 
+            if [ "$LINEAR_EXISTS" = "true" ] && [ "$LINEAR_CLOSED" = "true" ]; then
+              # Reopen the closed issue by setting its state back to Triage
+              if [ -z "$STATE_ID" ]; then
+                echo "::warning::Cannot reopen $CVE_ID — no Triage state found. Skipping."
+                SKIPPED_COUNT=$((SKIPPED_COUNT + 1))
+                continue
+              fi
+
+              REOPEN_MUTATION='mutation($issueId: String!, $stateId: String!) { issueUpdate(id: $issueId, input: { stateId: $stateId }) { success issue { id identifier url } } }'
+              REOPEN_VARIABLES=$(jq -n \
+                --arg issueId "$LINEAR_ISSUE_ID" \
+                --arg stateId "$STATE_ID" \
+                '{issueId: $issueId, stateId: $stateId}')
+              REOPEN_PAYLOAD=$(jq -n --arg query "$REOPEN_MUTATION" --argjson vars "$REOPEN_VARIABLES" '{query: $query, variables: $vars}')
+
+              REOPEN_RESPONSE=$(curl -s -X POST https://api.linear.app/graphql \
+                -H "Content-Type: application/json" \
+                -H "Authorization: $LINEAR_API_KEY" \
+                -d "$REOPEN_PAYLOAD")
+
+              REOPEN_URL=$(echo "$REOPEN_RESPONSE" | jq -r '.data.issueUpdate.issue.url // empty')
+              if [ -n "$REOPEN_URL" ]; then
+                echo "Reopened Linear issue for $CVE_ID: $REOPEN_URL"
+                echo "- Reopened [$CVE_ID]($REOPEN_URL) (moved back to Triage)" >> "$GITHUB_STEP_SUMMARY"
+                REOPENED_COUNT=$((REOPENED_COUNT + 1))
+              else
+                echo "::error::Failed to reopen Linear issue for $CVE_ID"
+                echo "$REOPEN_RESPONSE" | jq .
+                FAILED_COUNT=$((FAILED_COUNT + 1))
+              fi
+              continue
+            fi
+
+            # Create new issue
             PRIORITY=$(severity_to_priority "$SEVERITY")
             ISSUE_TITLE="[$REPOSITORY] $CVE_ID: $TITLE"
 
@@ -588,7 +627,7 @@ jobs:
           done < /tmp/cves.jsonl
 
           echo "" >> "$GITHUB_STEP_SUMMARY"
-          echo "**Summary:** Created $CREATED_COUNT issue(s), skipped $SKIPPED_COUNT existing issue(s), failed $FAILED_COUNT issue(s)." >> "$GITHUB_STEP_SUMMARY"
+          echo "**Summary:** Created $CREATED_COUNT issue(s), reopened $REOPENED_COUNT issue(s), skipped $SKIPPED_COUNT existing issue(s), failed $FAILED_COUNT issue(s)." >> "$GITHUB_STEP_SUMMARY"
 
           if [ "$FAILED_COUNT" -gt 0 ]; then
             echo "::error::Failed to create $FAILED_COUNT Linear issue(s)"
