---
name: vulnerability-management
description: Vulnerability scanning, assessment, prioritization, and remediation processes following NIST and CIS Controls
license: Apache-2.0
---

# Vulnerability Management Skill

## Purpose

Defines vulnerability management processes for identifying, assessing, prioritizing, and remediating security vulnerabilities.

## Vulnerability Sources

- **Dependabot** — Dependency vulnerability alerts
- **CodeQL** — Static analysis security findings
- **Secret Scanning** — Exposed credentials detection
- **npm audit** — Node.js dependency vulnerabilities
- **Manual Review** — Code review and penetration testing

## Severity Classification (CVSS)

| Score | Rating | SLA |
|-------|--------|-----|
| 9.0-10.0 | Critical | 24 hours |
| 7.0-8.9 | High | 7 days |
| 4.0-6.9 | Medium | 30 days |
| 0.1-3.9 | Low | 90 days |

## Remediation Process

1. **Identify** — Automated scanning and alerting
2. **Assess** — Determine severity and impact
3. **Prioritize** — Risk-based prioritization
4. **Remediate** — Patch, upgrade, or mitigate
5. **Verify** — Confirm fix is effective
6. **Document** — Record actions taken

## GitHub Integration

- Enable Dependabot alerts and security updates
- Configure CodeQL analysis in CI/CD
- Enable secret scanning with push protection
- Pin GitHub Actions to SHA hashes
- Use step-security/harden-runner

## CIS Controls Mapping

- CIS Control 7 — Continuous Vulnerability Management
- CIS Control 16 — Application Software Security

## ISO 27001 Mapping

- A.8.8 — Management of technical vulnerabilities
- A.8.9 — Configuration management

## Related Policies

- [Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md)
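The Severity Classification table and the Assess/Prioritize steps of the Remediation Process above can be enforced with a small triage helper. The following is an added example, not part of this skill file or the Hack23 ISMS: it encodes the CVSS bands and SLA windows from the table, derives each finding's remediation deadline, flags SLA breaches, and orders open findings for remediation. The `Finding` records and the `NOW` timestamp are constructed sample data.

```python
"""Triage helper for the CVSS severity / SLA table in this skill.

Added example (not part of the skill file): maps a CVSS base score to its
rating and SLA window, derives the remediation deadline, flags SLA breaches,
and orders open findings for the Prioritize step. Sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Bands from the Severity Classification table: (low, high, rating, SLA).
# CVSS base scores are published to one decimal, so the bands are contiguous.
SEVERITY_SLA = [
    (9.0, 10.0, "Critical", timedelta(hours=24)),
    (7.0, 8.9, "High", timedelta(days=7)),
    (4.0, 6.9, "Medium", timedelta(days=30)),
    (0.1, 3.9, "Low", timedelta(days=90)),
]
RATING_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "None": 4}


@dataclass
class Finding:
    id: str
    source: str                 # Dependabot, CodeQL, Secret Scanning, npm audit, Manual Review
    cvss: float                 # CVSS v3 base score
    discovered: datetime
    remediated: Optional[datetime] = None


def classify(cvss: float) -> Tuple[str, Optional[timedelta]]:
    """Return (rating, SLA) for a CVSS score; a 0.0 score has no SLA in the table."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    score = round(cvss, 1)
    for low, high, rating, sla in SEVERITY_SLA:
        if low <= score <= high:
            return rating, sla
    return "None", None


def due_date(f: Finding) -> Optional[datetime]:
    """Remediation deadline: discovery time plus the SLA for the rating."""
    _, sla = classify(f.cvss)
    return None if sla is None else f.discovered + sla


def is_overdue(f: Finding, now: datetime) -> bool:
    """A finding breaches its SLA when it is still open after its due date."""
    due = due_date(f)
    return due is not None and f.remediated is None and now > due


def triage(findings: List[Finding], now: datetime) -> List[Finding]:
    """Open findings ordered for remediation: worst rating first, then earliest due date."""
    open_findings = [f for f in findings if f.remediated is None]
    return sorted(open_findings,
                  key=lambda f: (RATING_ORDER[classify(f.cvss)[0]], due_date(f) or now))


def overdue(findings: List[Finding], now: datetime) -> List[Finding]:
    """Subset of findings currently in SLA breach, in triage order."""
    return [f for f in triage(findings, now) if is_overdue(f, now)]


UTC = timezone.utc
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=UTC)  # constructed "current time"
FINDINGS = [  # constructed sample findings, one per source
    Finding("F-1", "Dependabot", 9.8, datetime(2024, 6, 8, 9, 0, tzinfo=UTC)),
    Finding("F-2", "CodeQL", 7.5, datetime(2024, 6, 5, 9, 0, tzinfo=UTC)),
    Finding("F-3", "npm audit", 5.3, datetime(2024, 4, 1, 9, 0, tzinfo=UTC)),
    Finding("F-4", "Secret Scanning", 3.1, datetime(2024, 6, 1, 9, 0, tzinfo=UTC),
            remediated=datetime(2024, 6, 2, 9, 0, tzinfo=UTC)),
]

if __name__ == "__main__":
    for f in triage(FINDINGS, NOW):
        rating, _ = classify(f.cvss)
        state = "OVERDUE" if is_overdue(f, NOW) else "within SLA"
        print(f"{f.id} {f.source:<16} CVSS {f.cvss:<4} {rating:<8} "
              f"due {due_date(f):%Y-%m-%d %H:%M} {state}")
```

Run stand-alone, the script lists the three open findings in priority order and marks F-1 (Critical, 24-hour SLA missed) and F-3 (Medium, 30-day SLA missed) as overdue; the closed F-4 is excluded from triage. Feeding it real alerts means mapping each source's export (Dependabot, CodeQL, npm audit) onto `Finding`, with the CVSS base score as the severity input.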
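Two items under GitHub Integration, pinning actions to SHA hashes and using step-security/harden-runner, can be checked mechanically in CI rather than by eye. The following is an added example, not part of this skill file or the step-security project: it scans a workflow's `uses:` references and reports any that point at a mutable tag or branch instead of a 40-character commit SHA, and reports when `harden-runner` is not the first step. The two workflow snippets are constructed, the 40-hex values in the pinned one are placeholders rather than real commits, and the first-step check assumes a single-job workflow.

```python
"""Supply-chain checks for GitHub Actions workflows.

Added example (not part of this skill file or the step-security project).
Checks two items from the GitHub Integration list:
  * every third-party `uses:` reference is pinned to a full 40-hex commit SHA,
    not a tag or branch that can be moved after review;
  * step-security/harden-runner is the first step (single-job workflow assumed).
The workflow snippets are constructed; the 40-hex values are placeholders.
"""
import re
from typing import List, Optional

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
HARDEN_RUNNER = "step-security/harden-runner"


def check_uses(ref: str) -> Optional[str]:
    """Return a problem for one `uses:` reference, or None if it is pinned."""
    if ref.startswith("./"):
        return None  # local composite actions are versioned with the repository itself
    if ref.startswith("docker://"):
        return None  # container images are pinned by digest; that is a separate check
    if "@" not in ref:
        return f"{ref}: missing @<ref>"
    action, version = ref.rsplit("@", 1)
    if not SHA_RE.match(version):
        return f"{ref}: mutable ref '{version}'; pin {action} to a 40-character commit SHA"
    return None


def audit_workflow(text: str) -> List[str]:
    """Scan a workflow file's text; return a list of problems (empty means clean)."""
    problems: List[str] = []
    refs: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        refs.append(ref)
        problem = check_uses(ref)
        if problem:
            problems.append(f"line {lineno}: {problem}")
    # harden-runner has to run before every other step so it can observe all egress.
    if not refs or not refs[0].startswith(HARDEN_RUNNER + "@"):
        problems.append(f"{HARDEN_RUNNER} is not the first step of the job")
    return problems


PLACEHOLDER_SHA = "0" * 39 + "1"  # stands in for a real 40-hex commit SHA

# Constructed: tags and a branch instead of commit SHAs, and no harden-runner.
UNPINNED_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - uses: ./.github/actions/internal-lint
      - run: npm ci && npm audit
"""

# Constructed: the same job hardened. Real pins carry a "# vX.Y.Z" comment after the SHA.
PINNED_WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@{PLACEHOLDER_SHA}  # placeholder, not a real commit
        with:
          egress-policy: audit
      - uses: actions/checkout@{PLACEHOLDER_SHA}  # placeholder, not a real commit
      - uses: actions/setup-node@{PLACEHOLDER_SHA}  # placeholder, not a real commit
      - run: npm ci && npm audit
"""

if __name__ == "__main__":
    for name, workflow in (("unpinned", UNPINNED_WORKFLOW), ("pinned", PINNED_WORKFLOW)):
        problems = audit_workflow(workflow)
        print(f"{name}: {'clean' if not problems else str(len(problems)) + ' problem(s)'}")
        for p in problems:
            print("  -", p)
```

Against the unpinned snippet the check reports the `v4` tag, the `main` branch and the missing `harden-runner` step; the pinned snippet passes. Dependabot's GitHub Actions ecosystem keeps SHA pins current once they are in place, and a version comment after each SHA keeps its pull requests readable.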