Vulnerability Management Skill

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "vulnerability-management" with this command: npx skills add hack23/riksdagsmonitor/hack23-riksdagsmonitor-vulnerability-management

Purpose

Defines the vulnerability management process for identifying, assessing, prioritizing, remediating and verifying security vulnerabilities in the project's code and dependencies.

Vulnerability Sources

  • Dependabot — Dependency vulnerability alerts

  • CodeQL — Static analysis security findings

  • Secret Scanning — Exposed credentials detection

  • npm audit — Node.js dependency vulnerabilities

  • Manual Review — Code review and penetration testing

Severity Classification (CVSS)

Vulnerabilities are rated by their CVSS base score using the CVSS v3.x qualitative severity bands; each band carries a remediation SLA measured from the time the alert is raised.

  Score      Rating    Remediation SLA
  9.0-10.0   Critical  24 hours
  7.0-8.9    High      7 days
  4.0-6.9    Medium    30 days
  0.1-3.9    Low       90 days
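As an added example (not code from the upstream SKILL.md or the riksdagsmonitor project), the script below turns the severity table into a triage routine: it maps a CVSS base score to its rating and SLA, computes the due date for each alert, and lists which alerts have already breached their SLA. The alert records, package names and scores are constructed for the example and do not describe real vulnerabilities; the record shape only loosely resembles a Dependabot alert.

```python
from datetime import datetime, timedelta, timezone

# Rating bands and SLAs exactly as in the severity table above. Thresholds
# are checked from the top, so no score can fall between two bands.
BANDS = (
    (9.0, "Critical", 1),   # 9.0-10.0: 24 hours
    (7.0, "High", 7),       # 7.0-8.9
    (4.0, "Medium", 30),    # 4.0-6.9
    (0.1, "Low", 90),       # 0.1-3.9
)


def classify(score):
    """Map a CVSS base score to (rating, sla_days).

    A score of 0.0 ("None" in the CVSS qualitative scale) carries no SLA.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for floor, rating, days in BANDS:
        if score >= floor:
            return rating, days
    return "None", None


def triage(alerts, now):
    """Attach rating, due date and overdue flag to each alert, most urgent first."""
    rows = []
    for alert in alerts:
        rating, days = classify(alert["cvss"])
        due = alert["created"] + timedelta(days=days) if days else None
        rows.append({
            "id": alert["id"],
            "package": alert["package"],
            "cvss": alert["cvss"],
            "rating": rating,
            "due": due,
            "overdue": due is not None and now > due,
        })
    # Highest score first; ties are broken by the earlier due date.
    rows.sort(key=lambda r: (-r["cvss"], r["due"] or now))
    return rows


def overdue_ids(alerts, now):
    """IDs of alerts whose SLA has already elapsed, most urgent first."""
    return [r["id"] for r in triage(alerts, now) if r["overdue"]]


# Constructed alert records for the example (hypothetical packages and scores).
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    {"id": 1, "package": "pkg-a", "cvss": 9.8, "created": datetime(2024, 6, 8, 9, 0, tzinfo=timezone.utc)},
    {"id": 2, "package": "pkg-b", "cvss": 7.5, "created": datetime(2024, 6, 5, 9, 0, tzinfo=timezone.utc)},
    {"id": 3, "package": "pkg-c", "cvss": 5.3, "created": datetime(2024, 5, 20, 9, 0, tzinfo=timezone.utc)},
    {"id": 4, "package": "pkg-d", "cvss": 3.7, "created": datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)},
    {"id": 5, "package": "pkg-e", "cvss": 0.0, "created": datetime(2024, 6, 9, 9, 0, tzinfo=timezone.utc)},
]


if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS, NOW):
        due = r["due"].date() if r["due"] else "n/a"
        flag = "OVERDUE" if r["overdue"] else ""
        print(f'#{r["id"]:<3} {r["package"]:<8} {r["cvss"]:>4} {r["rating"]:<8} due {due} {flag}')
```

Note that the Low alert (#4) is overdue even though its score is the lowest in the batch: sorting by score alone would bury it, which is why the report carries the due date and the overdue flag separately from the rating.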

Remediation Process

  • Identify — Automated scanning and alerting from the sources above

  • Assess — Determine severity (CVSS score) and impact on this project, including whether the vulnerable code path is actually reachable

  • Prioritize — Risk-based prioritization against the SLA table

  • Remediate — Patch, upgrade, or apply a compensating mitigation

  • Verify — Confirm the fix is effective (alert closes, scanner no longer reports the finding)

  • Document — Record the actions taken and the reasoning for any accepted risk

GitHub Integration

  • Enable Dependabot alerts and security updates

  • Configure CodeQL analysis in CI/CD

  • Enable secret scanning with push protection

  • Pin GitHub Actions to SHA hashes

  • Use step-security/harden-runner
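The last two items above are the ones most often only half-applied: an action pinned to a tag such as `@v4` looks pinned but is a mutable reference that the action's maintainers (or an attacker with access to the repo) can move to different code. The checker below, an added example rather than code from the upstream skill or project, scans a workflow file's `uses:` lines and reports every third-party action that is not pinned to a full 40-hex commit SHA, and also checks whether the first action step is step-security/harden-runner. The sample workflow is constructed for the example, and the two 40-hex refs in it are placeholders, not the real commit SHAs of those actions.

```python
import re

# A full 40-hex commit SHA is the only immutable ref for a GitHub action;
# tags (v4) and branches (main) can be repointed at different code.
SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def check_pins(workflow_text):
    """Return (line_no, uses_value, problem) for every action not pinned to a SHA.

    Local actions (./path) and container actions (docker://...) carry no
    GitHub ref and are skipped; images need a different control (digests).
    A syntactically valid SHA still has to be checked against the action's
    repository to confirm it is the commit of the intended release.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1).strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((line_no, ref, "no ref at all"))
            continue
        version = ref.rsplit("@", 1)[1]
        if not SHA_RE.match(version):
            findings.append((line_no, ref, f"mutable ref '{version}' (tag or branch)"))
    return findings


def uses_harden_runner(workflow_text):
    """True if the first action step in the file is step-security/harden-runner.

    Per-file approximation: harden-runner is meant to be the first step of
    every job, which a full YAML parse would check job by job.
    """
    for line in workflow_text.splitlines():
        match = USES_RE.match(line)
        if match:
            action = match.group(1).strip("'\"").split("@", 1)[0]
            return action == "step-security/harden-runner"
    return False


# Constructed workflow for the example; the two 40-hex refs are placeholders.
PLACEHOLDER_SHA_1 = "0" * 40
PLACEHOLDER_SHA_2 = "1" * 40
SAMPLE_WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@{PLACEHOLDER_SHA_1}  # v2 (placeholder)
        with:
          egress-policy: audit
      - uses: actions/checkout@v4
      - uses: actions/setup-node@{PLACEHOLDER_SHA_2}  # v4 (placeholder)
      - uses: ./.github/actions/build
      - uses: github/codeql-action/analyze@main
      - uses: docker://alpine:3.19
"""


if __name__ == "__main__":
    for line_no, ref, problem in check_pins(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref}: {problem}")
    print("harden-runner is first step:", uses_harden_runner(SAMPLE_WORKFLOW))
```

Run against the sample, the checker flags `actions/checkout@v4` and `github/codeql-action/analyze@main` and passes the two SHA-pinned steps. Once actions are SHA-pinned, the Dependabot item earlier in this list covers keeping them current: a `github-actions` entry in dependabot.yml makes Dependabot raise pull requests that bump the SHA (and the trailing version comment) when a new release is published, so pinning does not mean freezing.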

CIS Controls Mapping

  • CIS Control 7 — Continuous Vulnerability Management

  • CIS Control 16 — Application Software Security

ISO 27001 Mapping

  • A.8.8 — Management of technical vulnerabilities

  • A.8.9 — Configuration management

Related Policies

  • Secure Development Policy

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Related Skills

Related by shared tags or category signals. No summary is provided by the upstream source for any of them; each is listed from a repository source and carries the "Needs Review" trust label.

  • information-security-strategy (Security)

  • threat-modeling (Security)

  • compliance-checklist (General)