managing-vulnerabilities
Install: claude install-skill ancoleman/ai-design-components
# Vulnerability Management
Implement comprehensive vulnerability detection and remediation workflows across containers, source code, dependencies, and running applications. This skill covers multi-layer scanning strategies, SBOM generation (CycloneDX and SPDX), risk-based prioritization using CVSS/EPSS/KEV, and CI/CD security gate patterns.
## When to Use This Skill
Invoke this skill when:
- Building security scanning into CI/CD pipelines
- Generating Software Bills of Materials (SBOMs) for compliance
- Prioritizing vulnerability remediation using risk-based approaches
- Implementing security gates (fail builds on critical vulnerabilities)
- Scanning container images before deployment
- Detecting secrets, misconfigurations, or code vulnerabilities
- Establishing DevSecOps practices and automation
- Meeting regulatory requirements (SBOM mandates, Executive Order 14028)
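As an added example (not part of this skill or its repository), the risk-based prioritization and fail-the-build gate described above, run over a constructed report shaped like Trivy's JSON output. It assumes Trivy's `Results[].Vulnerabilities[]` field names; the CVE ids, EPSS values, KEV membership and thresholds are placeholders.

```python
import json
import sys
# Constructed sample shaped like a Trivy JSON report (assumed key names follow
# Trivy's Results[].Vulnerabilities[] layout); the CVE ids are placeholders.
REPORT = json.dumps({"Results": [{"Target": "app:1.0", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl", "Severity": "CRITICAL",
     "FixedVersion": "3.1.4-r1", "CVSS": {"nvd": {"V3Score": 9.8}}},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox", "Severity": "HIGH",
     "FixedVersion": "", "CVSS": {"nvd": {"V3Score": 7.5}}},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib", "Severity": "MEDIUM",
     "FixedVersion": "1.3-r0", "CVSS": {"nvd": {"V3Score": 5.5}}}]}]})
# Constructed enrichment; in a pipeline these come from the FIRST EPSS feed and
# the CISA KEV catalog. The thresholds are example policy, not a standard.
EPSS = {"CVE-0000-0001": 0.02, "CVE-0000-0002": 0.91, "CVE-0000-0003": 0.004}
KEV = {"CVE-0000-0002"}
EPSS_BLOCK, CVSS_BLOCK = 0.10, 9.0

def load_findings(report_json):
    """Flatten a Trivy-style report into one enriched dict per vulnerability."""
    out = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # tolerate missing/null list
            cid = v["VulnerabilityID"]
            scores = [s.get("V3Score", 0.0) for s in v.get("CVSS", {}).values()]
            out.append({"id": cid, "pkg": v["PkgName"], "cvss": max(scores, default=0.0),
                        "fixed": bool(v.get("FixedVersion")),
                        "epss": EPSS.get(cid, 0.0), "kev": cid in KEV})
    return out

def priority(f):
    """Evidence of exploitation outranks raw severity: KEV > EPSS/CVSS > the rest."""
    if f["kev"]:
        return "P1"  # actively exploited: fix regardless of CVSS score
    if f["epss"] >= EPSS_BLOCK or f["cvss"] >= CVSS_BLOCK:
        return "P2"
    return "P3"

def gate(findings):
    """CI gate: fail on any P1, or on a P2 that has an upstream fix; a P2 with
    no fix is left to tracking so the gate stays actionable for developers."""
    blocking = [f for f in findings
                if priority(f) == "P1" or (priority(f) == "P2" and f["fixed"])]
    blocking.sort(key=priority)  # P1 before P2 in the report
    return not blocking, blocking

if __name__ == "__main__":
    passed, blocking = gate(load_findings(REPORT))
    print(*[f"BLOCK {priority(f)} {f['id']} ({f['pkg']})" for f in blocking], sep="\n")
    sys.exit(0 if passed else 1)
```

Run as a pipeline step, the non-zero exit code is what fails the build; swap `REPORT` for the scanner's real output file and the lookup tables for live EPSS/KEV data.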
## Multi-Layer Scanning Strategy
Vulnerability management requires scanning at multiple layers. Each layer detects different types of security issues.
### Layer Overview
**Container Image Scanning**
- Detects vulnerabilities in OS packages, language dependencies, and binaries
- Tools: Trivy (comprehensive), Grype (accuracy-focused), Snyk Container (commercial)
- When: Every container build, base image selection, registry admission control
**SAST (Static Application Security Testing)**
- Analyzes source code for security flaws before runtime
- Tools: Semgrep (fast, semantic), Snyk Code (developer-first),