
CVE Bouncer

Separate the 5 exploitable CVEs from the 500 that don't matter

Runs container and dependency scans, then triages the results by actual risk — not just CVSS score. Cross-references EPSS (exploit probability), KEV catalog (known exploited), and reachability analysis to surface what actually needs fixing today.

House Recipe · Work · 2 min

INGREDIENTS

  • GitHub
  • Slack

PROMPT

Create a skill called "CVE Bouncer". When I point you at a container image, source directory, or SBOM file:

  1. Run a vulnerability scan (trivy image, trivy fs, or grype)
  2. For each finding, look up the EPSS score (exploit prediction scoring)
  3. Check the CISA KEV catalog for known exploited vulnerabilities
  4. Assess reachability when dependency, SBOM, or runtime context makes that possible
  5. Prioritize into tiers:
     - FIX NOW: KEV listed OR EPSS > 0.5 AND reachable
     - SCHEDULE: EPSS > 0.1 OR CVSS Critical/High AND likely reachable
     - ACCEPT: Low EPSS, not in KEV, and not reachable or not relevant (document rationale)
  6. For each "FIX NOW" item, suggest the specific remediation (version bump, patch, config change)
  7. Generate a `.trivyignore` or exception file for accepted risks with justifications
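The tiering rules from step 5, plus the remediation hint from step 6 and the `.trivyignore` output from step 7, as an added example that is not part of the recipe or of any scanner's own code. It assumes the scan results have already been enriched into a `Finding` record (hypothetical type), treats unknown reachability as "likely reachable" so missing context never downgrades a finding, and uses constructed placeholder CVE IDs.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Finding:
    cve: str
    package: str
    installed: str
    fixed: Optional[str]       # fixed version per the scanner, None if none yet
    severity: str              # CVSS severity label as the scanner reports it
    epss: float                # EPSS probability, 0.0..1.0
    in_kev: bool               # listed in the CISA KEV catalog
    reachable: Optional[bool]  # None = no dependency/runtime context to decide

def tier(f: Finding) -> str:
    """Tier rules from the prompt. Assumption: unknown reachability counts as
    'likely reachable', so missing context never downgrades a finding."""
    likely_reachable = f.reachable is not False
    if f.in_kev or (f.epss > 0.5 and likely_reachable):
        return "FIX NOW"
    if (f.epss > 0.1 or f.severity in ("CRITICAL", "HIGH")) and likely_reachable:
        return "SCHEDULE"
    return "ACCEPT"

def remediation(f: Finding) -> str:
    """Version bump when the scanner knows a fixed version, otherwise flag it."""
    if f.fixed:
        return f"bump {f.package} {f.installed} -> {f.fixed}"
    return f"no fixed {f.package} release yet: apply vendor patch or mitigating config"

def trivyignore(findings: List[Finding]) -> str:
    """Render ACCEPT findings as .trivyignore content: '#' comments, one ID per line."""
    lines = []
    for f in findings:
        if tier(f) == "ACCEPT":
            why = f"not in KEV, EPSS {f.epss:.3f}" + (", not reachable" if f.reachable is False else "")
            lines.append(f"# {f.cve} in {f.package} {f.installed}: {why}")
            lines.append(f.cve)
    return "\n".join(lines) + "\n"

# Constructed sample findings; the CVE IDs are placeholders, not real advisories.
SAMPLE = [
    Finding("CVE-0000-0001", "libfoo", "1.2.0", "1.2.3", "HIGH", 0.91, True, True),
    Finding("CVE-0000-0002", "libbar", "2.0.0", "2.0.1", "CRITICAL", 0.02, False, None),
    Finding("CVE-0000-0003", "libbaz", "0.9.0", None, "CRITICAL", 0.004, False, False),
    Finding("CVE-0000-0004", "libqux", "3.1.0", "3.2.0", "MEDIUM", 0.62, False, True),
]
```

Running `tier` over `SAMPLE` puts the KEV-listed and the high-EPSS reachable findings in FIX NOW, the CVSS-Critical but low-EPSS one in SCHEDULE, and only the unreachable one in ACCEPT, which is the single entry `trivyignore(SAMPLE)` emits.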

How It Works

Your scanner found 400 CVEs. This skill tells you which 10 actually matter by layering real-world exploit data on top of raw scan results.

What You Get

  • Vulnerability scan via Trivy, Grype, or Snyk CLI
  • EPSS score lookup (probability of exploitation in the wild)
  • KEV catalog cross-reference (is this actively exploited?)
  • Reachability analysis when enough dependency/runtime context is available
  • Prioritized action list: fix now, schedule fix, accept risk (with justification)
  • `.trivyignore` or exception files with documented rationale

Setup Steps

  1. Point your Claw at a container image, directory, or SBOM
  2. Let it run the scan and enrichment
  3. Review the prioritized list and action recommendations
  4. Apply fixes starting from the top

Tips

  • EPSS + KEV is far more actionable than CVSS alone
  • Many "Critical" CVEs by CVSS have near-zero EPSS scores — they're theoretical
  • Base image CVEs are often the bulk of findings and are fixed by updating the base
  • Generate a `.trivyignore` with justifications so you don't re-triage the same CVEs
  • Run weekly to catch new disclosures

Tags: #security #vulnerabilities #containers #devops