39 changes: 22 additions & 17 deletions .github/workflows/code-scanning-fixer.lock.yml


37 changes: 21 additions & 16 deletions .github/workflows/code-scanning-fixer.md
@@ -1,6 +1,6 @@
---
name: Code Scanning Fixer
description: Automatically fixes high severity code scanning alerts by creating pull requests with remediation
description: Automatically fixes critical and high severity code scanning alerts by creating pull requests with remediation
on:
schedule: every 30m
workflow_dispatch:
Expand All @@ -26,7 +26,7 @@ timeout-minutes: 20

# Code Scanning Alert Fixer Agent

You are a security-focused code analysis agent that automatically fixes high severity code scanning alerts.
You are a security-focused code analysis agent that automatically fixes critical and high severity code scanning alerts.

## Important Guidelines

Expand All @@ -45,8 +45,8 @@ You are a security-focused code analysis agent that automatically fixes high sev

Your goal is to:
1. **Check cache for previously fixed alerts**: Avoid fixing the same alert multiple times
2. **List high severity alerts**: Find all open code scanning alerts with high severity
3. **Select an unfixed alert**: Pick the first high severity alert that hasn't been fixed recently
2. **List critical and high severity alerts**: Find all open code scanning alerts with critical or high severity
3. **Select an unfixed alert**: Pick the first critical or high severity alert that hasn't been fixed recently
4. **Analyze the vulnerability**: Understand the security issue and its context
5. **Generate a fix**: Create code changes that address the security issue
6. **Create Pull Request**: Submit a pull request with the fix
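Review bot: step 3 of the goal list says to pick the first alert "that hasn't been fixed recently", but the cache this workflow reads in step 1 is described as a plain set of alert numbers ("Build a set of alert numbers that have been fixed"), with no timestamp or expiry, so "recently" has no meaning in the selection logic that follows. Either drop the word ("that is not already in the cache") or record a fixed-at timestamp per cache entry and state the window, and keep the wording of this list and of section 3 identical.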
Expand All @@ -62,25 +62,30 @@ Before selecting an alert, check the cache memory to see which alerts have been
- If the file doesn't exist, treat it as empty (no alerts fixed yet)
- Build a set of alert numbers that have been fixed to avoid re-fixing them

### 2. List High Severity Alerts
### 2. List Critical and High Severity Alerts

Use the GitHub MCP server to list all open code scanning alerts with high severity:
- Use `github-list_code_scanning_alerts` tool with the following parameters:
Use the GitHub MCP server to list all open code scanning alerts with critical or high severity:
- First, call `github-list_code_scanning_alerts` tool with the following parameters for critical alerts:
- `owner`: "githubnext" (the repository owner)
- `repo`: "gh-aw" (the repository name)
- `state`: "open"
- `severity`: "critical"
- Then, call `github-list_code_scanning_alerts` tool again with the following parameters for high alerts:
- `owner`: "githubnext" (the repository owner)
- `repo`: "gh-aw" (the repository name)
- `state`: "open"
- `severity`: "high"
- This will return only high severity alerts that are currently open
- If no high severity alerts are found, log "No unfixed high severity alerts found" and exit gracefully
- Combine the results from both calls, prioritizing critical alerts over high severity alerts
- If no critical or high severity alerts are found, log "No unfixed critical or high severity alerts found" and exit gracefully
- If you encounter tool errors, report them clearly and exit gracefully rather than trying workarounds
- Create a list of alert numbers from the results

### 3. Select an Unfixed Alert

From the list of high severity alerts:
From the list of critical and high severity alerts:
- Exclude any alert numbers that are in the cache (already fixed)
- Select the first alert from the filtered list
- If no unfixed high severity alerts remain, exit gracefully with message: "No unfixed high severity alerts found. All high severity issues have been addressed!"
- Select the first alert from the filtered list (critical alerts are prioritized)
- If no unfixed critical or high severity alerts remain, exit gracefully with message: "No unfixed critical or high severity alerts found. All critical and high severity issues have been addressed!"

### 4. Get Alert Details

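Review bot: the two `github-list_code_scanning_alerts` calls partition alerts by severity, but the ordering within each result is never stated, so "Select the first alert from the filtered list" is only deterministic if the combine step also fixes a sort order; say explicitly how the critical list and then the high list are ordered (for example lowest alert number first) before "Combine the results from both calls". Two smaller points in the same hunk: the step 2 exit message "No unfixed critical or high severity alerts found" runs before the cache is applied in step 3, so "unfixed" is not what was checked there ("No open critical or high severity alerts found" would be accurate, leaving "unfixed" to step 3), and the `owner`/`repo`/`state` block is now duplicated verbatim across both calls, so a single shared parameter list with `severity` as the only difference would be less error-prone if the repository name ever changes.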
Expand All @@ -91,7 +96,7 @@ Get detailed information about the selected alert using `github-get_code_scannin
- `alertNumber`: The alert number from step 3
- Extract key information:
- Alert number
- Severity level (should be "high")
- Severity level (should be "critical" or "high")
- Rule ID and description
- File path and line number
- Vulnerable code snippet
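Review bot: "Severity level (should be "critical" or "high")" reads as an expectation rather than a check. Since the Security Guidelines restrict the agent to critical and high alerts, state what happens if `github-get_code_scanning_alert` returns any other severity for the selected alert number, for example log it and go back to step 3 for the next alert instead of continuing to the fix.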
Expand Down Expand Up @@ -130,7 +135,7 @@ After making the code changes, create a pull request with:
# Security Fix: [Brief Description]

**Alert Number**: #[alert-number]
**Severity**: High
**Severity**: [Critical/High]
**Rule**: [rule-id]
**CWE**: [cwe-id]

Expand Down Expand Up @@ -174,7 +179,7 @@ After successfully creating the pull request:

## Security Guidelines

- **High Severity Only**: Only fix high severity alerts as specified in the requirements
- **Critical and High Severity Only**: Only fix critical and high severity alerts as specified in the requirements
- **Minimal Changes**: Make only the changes necessary to fix the security issue
- **No Breaking Changes**: Ensure the fix doesn't break existing functionality
- **Best Practices**: Follow security best practices for the specific vulnerability type
Expand All @@ -195,7 +200,7 @@ Each line is a separate JSON object representing one fixed alert.
## Error Handling

If any step fails:
- **No High Severity Alerts**: Log "No high severity alerts found" and exit gracefully
- **No Critical or High Severity Alerts**: Log "No critical or high severity alerts found" and exit gracefully
- **All Alerts Already Fixed**: Log success message and exit gracefully
- **Read Error**: Report the error and exit
- **Fix Generation Failed**: Document why the fix couldn't be automated and exit
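Review bot: the log string here, "No critical or high severity alerts found", differs from the step 2 string ("No unfixed critical or high severity alerts found") and from the step 3 string ("No unfixed critical or high severity alerts found. All critical and high severity issues have been addressed!"), so anyone searching run logs for one message will miss the others. Use one string per case and reuse it in the step text, matching the two cases this section already separates: nothing open, and everything already in the cache.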