- Home
- Skills
- Ancoleman
- Ai Design Components
- Managing Vulnerabilities
managing-vulnerabilities_skill
- Python
291
GitHub Stars
2
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill ancoleman/ai-design-components --skill managing-vulnerabilities- outputs.yaml6.4 KB
- SKILL.md14.7 KB
Overview
This skill implements multi-layer vulnerability scanning, SBOM generation, and risk-based prioritization integrated into CI/CD pipelines. It helps teams detect container, code, dependency, runtime, and secret risks, generate CycloneDX/SPDX SBOMs, and enforce security gates to meet compliance and DevSecOps objectives. The focus is practical automation and measurable SLAs for remediation.
How this skill works
The skill applies layered scanners: container image scanners (Trivy/Grype), SAST (Semgrep/Snyk Code), DAST (OWASP ZAP/StackHawk), SCA (Dependabot/Renovate), and secret scanners (Gitleaks/GitGuardian). It generates SBOMs (CycloneDX or SPDX) and combines CVSS, EPSS, KEV, asset criticality, and exposure into a priority score to classify and route findings into SLA-based remediation tiers and CI/CD gates.
When to use it
- When adding security gates to CI/CD pipelines and pull requests
- When generating SBOMs for compliance, audits, or supply-chain transparency
- When prioritizing remediation using exploitation likelihood and asset impact
- When scanning container images before registry push and deployment
- When detecting secrets, misconfigurations, or code-level vulnerabilities
Best practices
- Scan at multiple stages: pre-commit, PR, build, staging DAST, and continuous production monitoring
- Use Trivy as default container scanner and Syft+Grype for SBOM-first accuracy or second-opinion scans
- Generate CycloneDX for DevSecOps workflows and SPDX when legal/license metadata is required
- Enforce progressive thresholds: fast PR checks for HIGH/CRITICAL, stricter build/deploy gates for CRITICAL
- Maintain ignore/suppression files with documented justification and periodic review
- Automate daily scans, create remediation PRs for fixable issues, and track SLAs for P0–P4
Example use cases
- Block PR merges if Semgrep finds critical SAST issues or secret scanning detects credentials
- Fail CI build when Trivy detects CRITICAL container vulnerabilities and upload a CycloneDX SBOM artifact
- Run DAST in staging to validate authentication and gate deployment when high-impact issues appear
- Automate SBOM generation and scan SBOMs with Grype for supply-chain audits
- Prioritize fixes using CVSS, EPSS, KEV, and asset criticality to meet defined remediation SLAs
FAQ
Use CycloneDX for DevSecOps and vulnerability tracking; choose SPDX when legal or license metadata and formal compliance are primary.
When should I use Grype instead of Trivy?
Prefer Grype for SBOM-first workflows, lower false positives, or as a second-opinion scanner; use Trivy for fast, CI-native container scans and SBOM generation.
How do I avoid blocking development with noisy findings?
Apply progressive thresholds: fast, conservative PR checks; stricter build/deploy gates only for CRITICAL issues; use suppression files with review dates for known false positives.