cve-triage
Install: claude install-skill bakw00ds/yakos
# CVE Triage
## Purpose
Query vulnerability databases (osv.dev primary, GHSA secondary)
against the project's locked dependency set, and classify each finding
as **exploitable** (the project uses the vulnerable code path),
**theoretical** (the dep is present but the affected function isn't
called), or **not-applicable** (CVE filed against a different
ecosystem / version / platform). Primary consumer:
`supply-chain-auditor`. Output feeds `sbom-generate --include-vex`.
## Scope
- Reads the lockfile, queries osv.dev's batch API and (optionally)
GHSA via `gh api`, deduplicates findings.
- For each CVE, attempts to determine reachability — is the
vulnerable function actually called from the project's code?
Reachability analysis is best-effort; the skill notes its
confidence level.
- Emits both a markdown triage report (for humans) and a VEX-shaped
JSON file at `.claude/cve-triage-latest.json` (for `sbom-generate`).
- Tracks decisions across runs via a baseline so previously-triaged
CVEs don't re-litigate.
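The query, merge and classify steps above as a worked example in Python (added here; not the skill's own code). The locked deps, the osv.dev batch response with its placeholder advisory ids, and the mapping of the three triage classes onto OpenVEX-style status and justification values are all constructed assumptions; the records it returns are the shape a run would serialise to `.claude/cve-triage-latest.json`.

```python
# Constructed locked dependency set (what the lockfile-reading step would yield).
LOCKED_DEPS = [{"ecosystem": "PyPI", "name": "requests", "version": "2.19.0"},
               {"ecosystem": "PyPI", "name": "urllib3", "version": "1.24.1"}]

# Constructed osv.dev querybatch response with placeholder advisory ids. Results are
# positional (one per query) and each vuln carries only "id" and "modified".
SAMPLE_RESPONSE = {"results": [
    {"vulns": [{"id": "GHSA-xxxx-0001", "modified": "2024-01-01T00:00:00Z"}]},
    {"vulns": [{"id": "GHSA-xxxx-0001", "modified": "2024-01-01T00:00:00Z"},
               {"id": "GHSA-xxxx-0002", "modified": "2024-02-01T00:00:00Z"},
               {"id": "GHSA-xxxx-0003", "modified": "2024-03-01T00:00:00Z"}]},
]}

# Assumed mapping from the skill's three classes to OpenVEX-style status/justification.
VEX_STATUS = {"exploitable": ("affected", None),
              "theoretical": ("not_affected", "vulnerable_code_not_in_execute_path"),
              "not-applicable": ("not_affected", "component_not_present")}

def build_querybatch(deps):
    """Body for POST https://api.osv.dev/v1/querybatch: one query per locked dep."""
    return {"queries": [{"package": {"name": d["name"], "ecosystem": d["ecosystem"]},
                         "version": d["version"]} for d in deps]}

def merge_findings(deps, response):
    """Zip positional results back onto their deps and dedupe by advisory id."""
    merged = {}
    for dep, result in zip(deps, response["results"]):
        for v in result.get("vulns", []):
            entry = merged.setdefault(v["id"], {"id": v["id"], "affects": []})
            entry["affects"].append(f'{dep["ecosystem"]}:{dep["name"]}@{dep["version"]}')
    return list(merged.values())

def triage(findings, decisions, baseline):
    """Baseline decisions win (already-triaged ids are not re-litigated), then this
    run's reachability decisions; anything undecided fails closed as exploitable."""
    records = []
    for f in findings:
        cls = baseline.get(f["id"]) or decisions.get(f["id"], "exploitable")
        confidence = "baseline" if f["id"] in baseline else "analyzed" if f["id"] in decisions else "unknown"
        status, justification = VEX_STATUS[cls]
        rec = {"vulnerability": f["id"], "products": f["affects"], "status": status,
               "triage_class": cls, "confidence": confidence}
        if justification:
            rec["justification"] = justification
        records.append(rec)
    return records
```

A real run would POST `build_querybatch(LOCKED_DEPS)` to osv.dev and pass the parsed JSON to `merge_findings` in place of the constructed response.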
## When to use
- On every dep-update PR, as a CI gate (block on critical /
exploitable; warn on high).
- Weekly against the current `main` lockfile, to catch CVEs filed
after the last update.
- Before a release, with the release's locked deps.
- After a public CVE announcement that mentions a dep the project
uses (run on-demand with `--severity-min critical`).
## When NOT to use
- For zero-day discovery — this skill triages published CVEs only.
Use `re