--- name: managing-vulnerabilities description: Implementing multi-layer security scanning (container, SAST, DAST, SCA, secrets), SBOM generation, and risk-based vulnerability prioritization in CI/CD pipelines. Use when building DevSecOps workflows, ensuring compliance, or establishing security gates for container deployments. --- # Vulnerability Management Implement comprehensive vulnerability detection and remediation workflows across containers, source code, dependencies, and running applications. This skill covers multi-layer scanning strategies, SBOM generation (CycloneDX and SPDX), risk-based prioritization using CVSS/EPSS/KEV, and CI/CD security gate patterns. ## When to Use This Skill Invoke this skill when: - Building security scanning into CI/CD pipelines - Generating Software Bills of Materials (SBOMs) for compliance - Prioritizing vulnerability remediation using risk-based approaches - Implementing security gates (fail builds on critical vulnerabilities) - Scanning container images before deployment - Detecting secrets, misconfigurations, or code vulnerabilities - Establishing DevSecOps practices and automation - Meeting regulatory requirements (SBOM mandates, Executive Order 14028) ## Multi-Layer Scanning Strategy Vulnerability management requires scanning at multiple layers. Each layer detects different types of security issues. ### Layer Overview **Container Image Scanning** - Detects vulnerabilities in OS packages, language dependencies, and binaries - Tools: Trivy (comprehensive), Grype (accuracy-focused), Snyk Container (commercial) - When: Every container build, base image selection, registry admission control **SAST (Static Application Security Testing)** - Analyzes source code for security flaws before runtime - Tools: Semgrep (fast, semantic), Snyk Code (developer-first), SonarQube (enterprise) - When: Every commit, PR checks, main branch protection **DAST (Dynamic Application Security Testing)** - Tests running applications for vulnerabilities (black-box testing) - Tools: OWASP ZAP (open-source), StackHawk (CI/CD native), Burp Suite (manual + automated) - When: Staging environment testing, API validation, authentication testing **SCA (Software Composition Analysis)** - Analyzes third-party dependencies for known vulnerabilities - Tools: Dependabot (GitHub native), Renovate (advanced), Snyk Open Source (commercial) - When: Every build, dependency updates, license audits **Secret Scanning** - Prevents secrets from being committed to source code - Tools: Gitleaks (fast, configurable), TruffleHog (entropy detection), GitGuardian (commercial) - When: Pre-commit hooks, repository scanning, CI/CD artifact checks ### Quick Tool Selection ``` Container Image → Trivy (default choice) OR Grype (accuracy focus) Source Code → Semgrep (open-source) OR Snyk Code (commercial) Running Application → OWASP ZAP (open-source) OR StackHawk (CI/CD native) Dependencies → Dependabot (GitHub) OR Renovate (advanced automation) Secrets → Gitleaks (open-source) OR GitGuardian (commercial) ``` For detailed tool selection guidance, see `references/tool-selection.md`. ## SBOM Generation Software Bills of Materials (SBOMs) provide a complete inventory of software components and dependencies. Required for compliance and security transparency. ### CycloneDX vs. SPDX **CycloneDX** (Recommended for DevSecOps) - Security-focused, OWASP-maintained - Native vulnerability references - Fast, lightweight (JSON/XML/ProtoBuf) - Best for: DevSecOps pipelines, vulnerability tracking **SPDX** (Recommended for Legal/Compliance) - License compliance focus, ISO standard (ISO/IEC 5962:2021) - Comprehensive legal metadata - Government/defense preferred format - Best for: Legal teams, compliance audits, federal requirements ### Generating SBOMs **With Trivy (CycloneDX or SPDX):** ```bash # CycloneDX format (recommended for security) trivy image --format cyclonedx --output sbom.json myapp:latest # SPDX format (for compliance) trivy image --format spdx-json --output sbom-spdx.json myapp:latest # Scan SBOM (faster than re-scanning image) trivy sbom sbom.json --severity HIGH,CRITICAL ``` **With Syft (high accuracy):** ```bash # Generate CycloneDX syft myapp:latest -o cyclonedx-json=sbom.json # Generate SPDX syft myapp:latest -o spdx-json=sbom-spdx.json # Pipe to Grype for scanning syft myapp:latest -o json | grype ``` For comprehensive SBOM patterns and storage strategies, see `references/sbom-guide.md`. ## Vulnerability Prioritization Not all vulnerabilities require immediate action. Prioritize based on actual risk using CVSS, EPSS, and KEV. ### Modern Risk-Based Prioritization **Step 1: Gather Metrics** | Metric | Source | Purpose | |--------|--------|---------| | CVSS Base Score | NVD, vendor advisories | Vulnerability severity (0-10) | | EPSS Score | FIRST.org API | Exploitation probability (0-1) | | KEV Status | CISA KEV Catalog | Actively exploited CVEs | | Asset Criticality | Internal CMDB | Business impact if compromised | | Exposure | Network topology | Internet-facing vs. internal | **Step 2: Calculate Priority** ``` Priority Score = (CVSS × 0.3) + (EPSS × 100 × 0.3) + (KEV × 50) + (Asset × 0.2) + (Exposure × 0.2) KEV: 1 if in KEV catalog, 0 otherwise Asset: 1 (Critical), 0.7 (High), 0.4 (Medium), 0.1 (Low) Exposure: 1 (Internet-facing), 0.5 (Internal), 0.1 (Isolated) ``` **Step 3: Apply SLA Tiers** | Priority | Criteria | SLA | Action | |----------|----------|-----|--------| | P0 - Critical | KEV + Internet-facing + Critical asset | 24 hours | Emergency patch immediately | | P1 - High | CVSS ≥ 9.0 OR (CVSS ≥ 7.0 AND EPSS ≥ 0.1) | 7 days | Prioritize in sprint, patch ASAP | | P2 - Medium | CVSS 7.0-8.9 OR EPSS ≥ 0.05 | 30 days | Normal sprint planning | | P3 - Low | CVSS 4.0-6.9, EPSS < 0.05 | 90 days | Backlog, maintenance windows | | P4 - Info | CVSS < 4.0 | No SLA | Track, address opportunistically | **Example: Log4Shell (CVE-2021-44228)** ``` CVSS: 10.0 EPSS: 0.975 (97.5% exploitation probability) KEV: Yes (CISA catalog) Asset: Critical (payment API) Exposure: Internet-facing Priority Score = (10 × 0.3) + (97.5 × 0.3) + 50 + (1 × 0.2) + (1 × 0.2) = 82.65 Result: P0 - Critical (24-hour SLA) ``` For complete prioritization framework and automation scripts, see `references/prioritization-framework.md`. ## CI/CD Integration Patterns ### Multi-Stage Security Pipeline Implement progressive security gates across pipeline stages: **Stage 1: Pre-Commit (Developer Workstation)** ```yaml Tools: Secret scanning (Gitleaks), SAST (Semgrep) Threshold: Block high-confidence secrets, critical SAST findings Speed: < 10 seconds ``` **Stage 2: Pull Request (CI Pipeline)** ```yaml Tools: SAST, SCA, Secret scanning Threshold: No Critical/High vulnerabilities, no secrets Speed: < 5 minutes Action: Block PR merge until fixed ``` **Stage 3: Build (CI Pipeline)** ```yaml Tools: Container scanning (Trivy), SBOM generation Threshold: No Critical vulnerabilities in production dependencies Artifacts: SBOM stored, scan results uploaded Speed: < 2 minutes Action: Fail build on Critical findings ``` **Stage 4: Pre-Deployment (Staging)** ```yaml Tools: DAST, Integration tests Threshold: No Critical/High DAST findings Speed: 10-30 minutes Action: Gate deployment to production ``` **Stage 5: Production (Runtime)** ```yaml Tools: Continuous scanning, runtime monitoring Threshold: Alert on new CVEs in deployed images Action: Alert security team, plan patching ``` ### Example: GitHub Actions Multi-Stage Scan ```yaml name: Security Scan Pipeline on: [push, pull_request] jobs: secrets: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: trufflesecurity/trufflehog@main with: path: ./ extra_args: --only-verified sast: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: semgrep/semgrep-action@v1 with: config: p/security-audit container: runs-on: ubuntu-latest needs: [secrets, sast] steps: - uses: actions/checkout@v4 - run: docker build -t myapp:${{ github.sha }} . - uses: aquasecurity/trivy-action@master with: image-ref: myapp:${{ github.sha }} format: sarif output: trivy-results.sarif severity: HIGH,CRITICAL exit-code: 1 - name: Generate SBOM run: | trivy image --format cyclonedx \ --output sbom.json myapp:${{ github.sha }} - uses: actions/upload-artifact@v3 with: name: sbom path: sbom.json ``` For complete CI/CD patterns (GitLab CI, Jenkins, Azure Pipelines), see `references/ci-cd-patterns.md`. ## Container Scanning with Trivy Trivy is the recommended default for container scanning: comprehensive, fast, and CI/CD native. ### Basic Usage ```bash # Scan container image trivy image alpine:latest # Scan with severity filter trivy image --severity HIGH,CRITICAL alpine:latest # Fail on findings (CI/CD) trivy image --exit-code 1 --severity HIGH,CRITICAL myapp:latest # Generate SBOM trivy image --format cyclonedx --output sbom.json alpine:latest # Scan filesystem trivy fs /path/to/project # Scan Kubernetes manifests trivy config deployment.yaml ``` ### Configuration (.trivy.yaml) ```yaml severity: HIGH,CRITICAL exit-code: 1 ignore-unfixed: true # Only fail on fixable vulnerabilities vuln-type: os,library skip-dirs: - node_modules - vendor ignorefile: .trivyignore ``` ### Ignoring False Positives (.trivyignore) ``` # False positive CVE-2023-12345 # Accepted risk with justification CVE-2023-67890 # Risk accepted: Not exploitable in our use case # Development dependency (not in production) CVE-2023-11111 # Dev dependency only ``` ### GitHub Actions Integration ```yaml - name: Trivy Scan uses: aquasecurity/trivy-action@master with: image-ref: myapp:${{ github.sha }} format: sarif output: trivy-results.sarif severity: HIGH,CRITICAL exit-code: 1 - name: Upload to GitHub Security uses: github/codeql-action/upload-sarif@v2 if: always() with: sarif_file: trivy-results.sarif ``` ## Alternative: Grype for Accuracy Grype focuses on minimal false positives and works with Syft for SBOM generation. **Important:** Use Grype v0.104.1 or later (credential disclosure CVE-2025-65965 patched in earlier versions). ### Basic Usage ```bash # Scan container image grype alpine:latest # Scan with severity threshold grype alpine:latest --fail-on high # Scan SBOM (faster) grype sbom:./sbom.json # Syft + Grype workflow syft alpine:latest -o json | grype --fail-on critical ``` ### When to Use Grype - Projects sensitive to false positives - SBOM-first workflows (generate with Syft, scan with Grype) - Need second opinion validation - Anchore ecosystem users For complete tool comparisons and selection criteria, see `references/tool-selection.md`. ## Security Gates and Thresholds ### Progressive Threshold Strategy Balance security and development velocity with progressive gates. Configure different thresholds for PR checks (fast, HIGH+CRITICAL), builds (comprehensive), and deployments (strict, CRITICAL only). ### Policy-as-Code Use OPA (Open Policy Agent) for automated policy enforcement. Create policies to deny Critical vulnerabilities, enforce KEV catalog checks, and implement environment-specific rules. For complete policy patterns, baseline detection, and OPA examples, see `references/policy-as-code.md`. ## Remediation Workflows ### Automated Remediation Set up automated workflows to scan daily, extract fixable vulnerabilities, update dependencies, and create remediation pull requests automatically. ### SLA Tracking Track vulnerability remediation against SLA targets (P0: 24 hours, P1: 7 days, P2: 30 days, P3: 90 days). Monitor overdue vulnerabilities and escalate as needed. ### False Positive Management Maintain suppression files (.trivyignore) with documented justifications, review dates, and approval tracking. Implement workflows for false positive triage and approval. For complete remediation workflows, SLA trackers, and automation scripts, see `references/remediation-workflows.md`. ## Integration with Related Skills **building-ci-pipelines** - Add security stages to pipeline definitions - Configure artifacts for SBOM storage - Implement quality gates with vulnerability thresholds **secret-management** - Integrate secret scanning (Gitleaks, TruffleHog) - Automate secret rotation on detection - Use pre-commit hooks for prevention **infrastructure-as-code** - Scan Terraform and Kubernetes manifests with Trivy config - Detect misconfigurations before deployment - Enforce policy-as-code with OPA **security-hardening** - Apply remediation guidance from scan results - Select secure base images - Implement security best practices **compliance-frameworks** - Generate SBOMs for SOC2, ISO 27001 audits - Track vulnerability metrics for compliance reporting - Provide evidence for security controls ## Quick Reference ### Essential Commands ```bash # Trivy: Scan image with severity filter trivy image --severity HIGH,CRITICAL myapp:latest # Trivy: Generate SBOM trivy image --format cyclonedx --output sbom.json myapp:latest # Trivy: Scan SBOM trivy sbom sbom.json # Grype: Scan image grype myapp:latest --fail-on high # Syft + Grype: SBOM workflow syft myapp:latest -o json | grype # Gitleaks: Scan for secrets gitleaks detect --source . --verbose ``` ### Common Patterns ```bash # CI/CD: Fail build on Critical trivy image --exit-code 1 --severity CRITICAL myapp:latest # Ignore unfixed vulnerabilities trivy image --ignore-unfixed --severity HIGH,CRITICAL myapp:latest # Scan only OS packages trivy image --vuln-type os myapp:latest # Skip specific directories trivy fs --skip-dirs node_modules,vendor . ``` ## Progressive Disclosure This skill provides foundational vulnerability management patterns. For deeper topics: - **Tool Selection:** `references/tool-selection.md` - Complete decision frameworks - **SBOM Patterns:** `references/sbom-guide.md` - Generation, storage, consumption - **Prioritization:** `references/prioritization-framework.md` - CVSS/EPSS/KEV automation - **CI/CD Integration:** `references/ci-cd-patterns.md` - GitLab CI, Jenkins, Azure Pipelines - **Remediation:** `references/remediation-workflows.md` - SLA tracking, false positives - **Policy-as-Code:** `references/policy-as-code.md` - OPA examples, security gates **Working Examples:** - `examples/trivy/` - Trivy scanning patterns - `examples/grype/` - Grype + Syft workflows - `examples/ci-cd/` - Complete pipeline configurations - `examples/sbom/` - SBOM generation and management - `examples/prioritization/` - EPSS and KEV integration scripts **Automation Scripts:** - `scripts/vulnerability-report.sh` - Generate executive reports - `scripts/sla-tracker.sh` - Track remediation SLAs - `scripts/false-positive-manager.sh` - Manage suppression rules