Install: `claude install-skill roodlicht/accans-sec-skills`
# CVE Triage
## When to use
This skill begins where the scan ends. It receives a list of CVE hits and decides, per item: how serious is this, when do we fix it, or do we not fix it at all? Running the scan and building the SBOM happen elsewhere; this is the filter that separates noise from signal.
Triggers:
- An inbox of Dependabot/Snyk/Mend/osv-scanner/grype/Trivy findings to walk through.
- A new public vulnerability (Log4Shell-style, XZ-style, regreSSHion-style) with the question "does this hit us?".
- A CI dependency scan fails on a merge and someone has to decide: block or pass with rationale.
- Periodic (quarterly or release-gate) review of the open CVE portfolio, including reopening "accept-risk" decisions whose expiry is up.
- A `security-review` phase-3 handoff for dep-vulns.
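The periodic portfolio review above hinges on one bookkeeping question: which open decisions are still valid today? The following is an added example (not code from this skill or its repository) showing one way to walk a triage ledger and sort records into "reopen", "overdue" and still-valid buckets. The record fields, the decision vocabulary (`fix`, `accept-risk`, `not-affected`) and the CVE identifiers are all constructed placeholders, not the skill's own schema.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class TriageRecord:
    """One decision from the CVE portfolio (assumed schema, not the skill's)."""
    cve: str                # placeholder id, constructed for this example
    package: str
    decision: str           # "fix" | "accept-risk" | "not-affected"
    rationale: str          # every decision must carry a written reason
    due: Optional[date]     # fix deadline, or expiry of an accept-risk decision


VALID_DECISIONS = {"fix", "accept-risk", "not-affected"}


def classify(record: TriageRecord, today: date) -> str:
    """Return the review status of one record as of `today`.

    - accept-risk decisions must have an expiry; past expiry they are reopened
    - fix decisions must have a deadline; past deadline they are overdue
    - any decision without a rationale is sent back for one
    """
    if record.decision not in VALID_DECISIONS:
        return "invalid-decision"
    if not record.rationale.strip():
        return "needs-rationale"
    if record.decision == "accept-risk":
        if record.due is None:
            return "missing-expiry"
        return "reopen" if record.due <= today else "accepted"
    if record.decision == "fix":
        if record.due is None:
            return "missing-deadline"
        return "overdue" if record.due < today else "scheduled"
    return "closed"  # not-affected, with a rationale on file


def review_portfolio(records: List[TriageRecord], today: date) -> Dict[str, List[str]]:
    """Group CVE ids by review status; the 'reopen' and 'overdue' buckets are the work list."""
    buckets: Dict[str, List[str]] = {}
    for rec in records:
        buckets.setdefault(classify(rec, today), []).append(rec.cve)
    return buckets


# Constructed sample ledger; ids and packages are placeholders, not real findings.
SAMPLE_LEDGER = [
    TriageRecord("CVE-0000-0001", "libexample", "accept-risk", "not reachable from our entry points", date(2024, 12, 31)),
    TriageRecord("CVE-0000-0002", "libexample", "accept-risk", "mitigated by network policy", date(2025, 6, 30)),
    TriageRecord("CVE-0000-0003", "otherlib", "fix", "exploitable in our configuration", date(2025, 1, 1)),
    TriageRecord("CVE-0000-0004", "otherlib", "fix", "bundled in next release", date(2025, 2, 1)),
    TriageRecord("CVE-0000-0005", "thirdlib", "not-affected", "", None),
    TriageRecord("CVE-0000-0006", "thirdlib", "accept-risk", "low impact", None),
    TriageRecord("CVE-0000-0007", "fourthlib", "not-affected", "vulnerable function not compiled in", None),
]


if __name__ == "__main__":
    for status, cves in sorted(review_portfolio(SAMPLE_LEDGER, date(2025, 1, 15)).items()):
        print(f"{status:16} {', '.join(cves)}")
```

The point of the explicit `missing-expiry` and `needs-rationale` statuses is that an accept-risk decision with no end date, or any decision without a written reason, never silently stays "accepted"; it surfaces at every review until someone completes it.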
### When NOT to use (handoff)
- Run a scan or build an SBOM → `supply-chain` (SBOM, SLSA, provenance) and `sast-orchestrator` (SCA-tool configuration).
- Code-level dep hygiene (pinning, dedupe, lockfile discipline) → `secure-coding` phase 6.
- Active exploitation or PoC construction → `web-exploit-triage` or `payload-crafter`.
- Container/image vulns where the base image is the source → `container-hardening` for the image part, then back here for per-CVE triage.
- Secrets in dependencies → `secrets-scanner`.
- IR when an exploited vuln is in production → `ir-runbook`. Triage is then too late; response comes first.
## Approach
Six phases. Phase 3 is the heart: a decision tree you walk per CVE. The phases be