managing-vulnerabilities_skill

This skill helps you integrate multi-layer vulnerability scanning, SBOM generation, and risk-based prioritization into CI/CD for DevSecOps security gates.
  • Python

291

GitHub Stars

2

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill ancoleman/ai-design-components --skill managing-vulnerabilities

  • outputs.yaml6.4 KB
  • SKILL.md14.7 KB

Overview

This skill implements multi-layer vulnerability scanning, SBOM generation, and risk-based prioritization integrated into CI/CD pipelines. It helps teams detect container, code, dependency, runtime, and secret risks, generate CycloneDX/SPDX SBOMs, and enforce security gates to meet compliance and DevSecOps objectives. The focus is practical automation and measurable SLAs for remediation.

How this skill works

The skill applies layered scanners: container image scanners (Trivy/Grype), SAST (Semgrep/Snyk Code), DAST (OWASP ZAP/StackHawk), SCA (Dependabot/Renovate), and secret scanners (Gitleaks/GitGuardian). It generates SBOMs (CycloneDX or SPDX) and combines CVSS, EPSS, KEV, asset criticality, and exposure into a priority score to classify and route findings into SLA-based remediation tiers and CI/CD gates.

When to use it

  • When adding security gates to CI/CD pipelines and pull requests
  • When generating SBOMs for compliance, audits, or supply-chain transparency
  • When prioritizing remediation using exploitation likelihood and asset impact
  • When scanning container images before registry push and deployment
  • When detecting secrets, misconfigurations, or code-level vulnerabilities

Best practices

  • Scan at multiple stages: pre-commit, PR, build, staging DAST, and continuous production monitoring
  • Use Trivy as default container scanner and Syft+Grype for SBOM-first accuracy or second-opinion scans
  • Generate CycloneDX for DevSecOps workflows and SPDX when legal/license metadata is required
  • Enforce progressive thresholds: fast PR checks for HIGH/CRITICAL, stricter build/deploy gates for CRITICAL
  • Maintain ignore/suppression files with documented justification and periodic review
  • Automate daily scans, create remediation PRs for fixable issues, and track SLAs for P0–P4

Example use cases

  • Block PR merges if Semgrep finds critical SAST issues or secret scanning detects credentials
  • Fail CI build when Trivy detects CRITICAL container vulnerabilities and upload a CycloneDX SBOM artifact
  • Run DAST in staging to validate authentication and gate deployment when high-impact issues appear
  • Automate SBOM generation and scan SBOMs with Grype for supply-chain audits
  • Prioritize fixes using CVSS, EPSS, KEV, and asset criticality to meet defined remediation SLAs

FAQ

Use CycloneDX for DevSecOps and vulnerability tracking; choose SPDX when legal or license metadata and formal compliance are primary.

When should I use Grype instead of Trivy?

Prefer Grype for SBOM-first workflows, lower false positives, or as a second-opinion scanner; use Trivy for fast, CI-native container scans and SBOM generation.

How do I avoid blocking development with noisy findings?

Apply progressive thresholds: fast, conservative PR checks; stricter build/deploy gates only for CRITICAL issues; use suppression files with review dates for known false positives.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
managing-vulnerabilities skill by ancoleman/ai-design-components | VeilStrat