Separate the 5 exploitable CVEs from the 500 that don't matter
Runs container and dependency scans, then triages the results by actual risk — not just CVSS score. Cross-references EPSS (exploit probability), KEV catalog (known exploited), and reachability analysis to surface what actually needs fixing today.
Create a skill called "CVE Bouncer". When I point you at a container image, source directory, or SBOM file:
1. Run a vulnerability scan (trivy image, trivy fs, or grype)
2. For each finding, look up the EPSS score (exploit prediction scoring)
3. Check the CISA KEV catalog for known exploited vulnerabilities
4. Assess reachability when dependency, SBOM, or runtime context makes that possible
5. Prioritize into tiers:
   - FIX NOW: KEV listed OR EPSS > 0.5 AND reachable
   - SCHEDULE: EPSS > 0.1 OR CVSS Critical/High AND likely reachable
   - ACCEPT: Low EPSS, not in KEV, and not reachable or not relevant (document rationale)
6. For each "FIX NOW" item, suggest the specific remediation (version bump, patch, config change)
7. Generate a `.trivyignore` or exception file for accepted risks with justifications
Your scanner found 400 CVEs. This skill tells you which 10 actually matter by layering real-world exploit data on top of raw scan results.
Tame the Dependabot PR flood — auto-merge the safe ones, flag the risky ones
Reviews dependency update PRs by reading changelogs, checking for breaking changes, running tests, and auto-merging patch updates that pass CI. Turns 50 Dependabot PRs per week into 3 that need your attention.
Generate SOC2 evidence in minutes, not weeks
Runs infrastructure compliance checks using open-source tools (checkov, tfsec, kube-bench, prowler) and generates formatted evidence mapped to compliance framework controls. Turns weeks of screenshot-taking into an automated evidence package.
A calm checklist when fraud hits
Immediate steps, reporting sequences, and long-term hardening for scams and identity theft. Organized by urgency so you know what to do first.
Verify brand offers before you click anything
Screens incoming partnership offers for phishing and scam patterns: suspicious domains, attachments, fake checks, requests to "connect your account," and vague contracts. Outputs a risk rating and safe verification steps.