Vulnerability management in CI/CD
Vulnerability management in CI/CD is what happens after scanners produce findings: prioritize, remediate, defer with cause, and prove governance. This page complements Security scanning (DevSecOps) (where tools and shift-left patterns live).
SLAs and waiver policy are organizational decisions. This page describes common patterns, not a universal standard.
Triage workflow
- Ingest — Normalize scanner output (CVE ID, package, path, CVSS, reachability hints if available).
- Deduplicate — Same CVE across transitive paths; pick one ticket per logical dependency upgrade.
- Classify — Exploitable in your runtime context? Internet-facing? Build-time only?
- Route — App owner vs platform vs security for fixes; block release only when policy says so.
SLAs without drowning the org
Many teams tier SLAs by severity and exposure:
| Tier (example) | Typical SLA driver | CI/CD angle |
|---|---|---|
| Critical / known exploited | Patch or isolate fast | Block promote to prod until mitigated or formally waived |
| High / network edge | Days to weeks | Gate prod; may allow staging with compensating controls |
| Medium / internal only | Backlog with capacity | Warn in CI; aggregate in dashboards |
| Low / dev-only | Best effort | Document “accepted risk” if scanners are noisy |
Practices: Publish SLAs in a single security doc; automate ticket creation from CI with dedupe keys; avoid “every CVE is P0.”
Waivers and exceptions
A waiver (exception) should answer: what is accepted, until when, who approved, and what compensates (network policy, feature flag, removal path).
Practices:
- Time-bound waivers with owner and re-review date.
- Link waiver to scanner finding ID + artifact version so audits can trace decisions.
- Prefer dependency upgrade or config hardening over permanent waivers.
EPSS, CVSS, and noise
- CVSS — Base severity score; widely used but not the same as “will we get exploited tomorrow.”
- EPSS (Exploit Prediction Scoring System) — Probability of exploitation in the wild; useful to rank among many CVEs with similar CVSS.
- Reachability / call graph tools — Reduce noise when the vulnerable symbol is not used.
Practices: Combine EPSS + exposure (edge vs batch) for triage queues; do not treat EPSS as a compliance substitute.
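As an added example (not code from the original page), the triage workflow, SLA tiers, waiver checks and EPSS ranking described above as one small Python script: constructed scanner findings are deduplicated per logical dependency, classified into the tiers from the SLA table using known-exploited status and an assumed per-package exposure map, checked against time-bound waivers keyed to finding ID and artifact version, and ordered by tier and then EPSS. The CVE ids, package names, exposure labels, CVSS threshold and action names are all assumptions for illustration.

```python
# Constructed sample scanner output; CVE ids and packages are placeholders, not real advisories.
FINDINGS = [
    {"cve": "CVE-0000-0001", "package": "libfoo", "path": "app>libfoo", "cvss": 9.8, "epss": 0.70, "kev": True},
    {"cve": "CVE-0000-0001", "package": "libfoo", "path": "app>bar>libfoo", "cvss": 9.8, "epss": 0.70, "kev": True},
    {"cve": "CVE-0000-0002", "package": "libbaz", "path": "app>libbaz", "cvss": 8.1, "epss": 0.03, "kev": False},
    {"cve": "CVE-0000-0003", "package": "libqux", "path": "app>libqux", "cvss": 7.5, "epss": 0.40, "kev": False},
    {"cve": "CVE-0000-0004", "package": "devtool", "path": "build>devtool", "cvss": 5.0, "epss": 0.01, "kev": False},
]
# Assumed runtime exposure per package; in practice this comes from deployment metadata.
EXPOSURE = {"libfoo": "edge", "libbaz": "edge", "libqux": "edge", "devtool": "build-only"}
# Waivers keyed by (finding id, package, artifact version), each with an owner and re-review date.
WAIVERS = {("CVE-0000-0001", "libfoo", "1.4.2"): {"owner": "app-team", "until": "2030-01-01"}}
TIER_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def dedupe(findings):
    """Collapse the same CVE across transitive paths into one record per (CVE, package)."""
    merged = {}
    for f in findings:
        rec = merged.setdefault((f["cve"], f["package"]), {**f, "paths": []})
        rec["paths"].append(f["path"])
    return list(merged.values())

def classify(finding, exposure):
    """Map known-exploited status and exposure to a tier from the SLA table (thresholds assumed)."""
    if finding["kev"]:
        return "critical"
    if exposure == "build-only":
        return "low"
    if exposure == "edge" and finding["cvss"] >= 7.0:
        return "high"
    return "medium"

def gate(tier, waived):
    """CI action per tier; a still-valid waiver turns a critical block into a warning."""
    if tier == "critical":
        return "warn" if waived else "block-promote"
    return {"high": "gate-prod", "medium": "warn", "low": "document"}[tier]

def triage(findings, exposure, waivers, artifact_version, today):
    """Ingest -> dedupe -> classify -> route; dates are ISO strings so they compare as text."""
    queue = []
    for f in dedupe(findings):
        w = waivers.get((f["cve"], f["package"], artifact_version))
        waived = w is not None and w["until"] > today
        tier = classify(f, exposure[f["package"]])
        queue.append({**f, "tier": tier, "waived": waived, "action": gate(tier, waived)})
    # Order the queue by tier, then by EPSS so items with similar CVSS rank by exploit likelihood.
    return sorted(queue, key=lambda q: (TIER_ORDER[q["tier"]], -q["epss"]))
```

Running `triage(FINDINGS, EXPOSURE, WAIVERS, "1.4.2", "2025-06-01")` yields the waived critical first, then the two edge findings ordered by EPSS rather than CVSS, then the build-only item; the same call with a different artifact version or a date past the re-review date turns the critical back into a promote block.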
Related
- Security scanning (DevSecOps) — SCA, SAST, container scanning, gates.
- Supply chain security — SBOM, signing, provenance.
- Compliance and audit — Evidence for how findings were handled.
- DevSecOps overview