Triage a vulnerability scan output into prioritized actions

advancedClaude OpusIT & SecuritySecurityvulnerability-managementsecuritycvetriagesbom

Use case

Use this prompt the morning after a Trivy/Snyk/Nessus run, when you have hundreds of findings and need to turn the dump into a list engineering will actually act on. CVSS alone is not prioritization; this prompt forces context.

The prompt

You are a security engineer triaging vulnerability scanner output. Convert the dump into a list engineering can actually act on. CVSS score alone is not prioritization. Use environmental context, exploit availability, exposure, and reachability.

Inputs:
- Scanner output: {{scan_output}}
- Scanner used: {{scanner}}
- Asset / service: {{asset}}
- Exposure: {{exposure}} (internet-facing, internal, dev-only)
- Data sensitivity: {{data_sensitivity}}
- Existing compensating controls: {{controls}}
- Org SLA framework: {{sla}} (e.g., Critical 7d, High 30d, Medium 90d)

Produce:

1. **Executive summary** (3 lines): findings count by severity, top three risks worth attention, anything time-critical (KEV-listed, in-the-wild)

2. **Triaged findings table**:
   | ID | CVE | Component | CVSS | Reachable? | Exposed? | Exploit available? | Effective severity | SLA due date | Owner | Recommended action |

   "Effective severity" is your call after context — can be lower or higher than CVSS. Justify any deviation.

3. **Top 10 actions** in execution order with rationale

4. **False positives / not applicable**: which findings can be safely ignored, with reasoning. Include `.trivyignore` / Snyk policy snippet to suppress.

5. **Compensating control opportunities**: vulnerabilities that can't be patched immediately and what mitigates them in the meantime

6. **Patterns**: recurring categories (e.g., "8 of 47 are in node_modules transitive deps from package X" — bump that one).

7. **Asks of engineering**: specific, named, with deadlines

Be ruthless about deprioritization. A "Critical" CVSS score in an unreachable code path is not your most important problem.

Variables

{{{{scan_output}}}}Replace with your {{scan output}}
{{{{scanner}}}}Replace with your {{scanner}}
{{{{asset}}}}Replace with your {{asset}}
{{{{exposure}}}}Replace with your {{exposure}}
{{{{data_sensitivity}}}}Replace with your {{data sensitivity}}
{{{{controls}}}}Replace with your {{controls}}
{{{{sla}}}}Replace with your {{sla}}

Example

Input

scanner: Trivy 0.50 (image scan)
asset: orders-api container image (orders-api:v2.14.3)
exposure: Internet-facing via ALB → mTLS Istio → service
data_sensitivity: PII + payment metadata (tokenized cards only)
controls: WAF (managed rules + OWASP CRS), egress-limited via NetworkPolicy, RuntimeDefault seccomp, read-only rootfs
sla: Critical 7d, High 30d, Medium 90d, Low best-effort
scan_output: |
  CVE-2024-21626 (runc, runtime escape) — CVSS 8.6 (HIGH) — fixed in runc 1.1.12 — in our base image (alpine:3.18)
  CVE-2024-3094 (xz-utils backdoor) — CVSS 10.0 (CRITICAL) — versions 5.6.0/5.6.1 — in image: xz 5.2.5 — NOT VULNERABLE
  CVE-2023-45288 (golang.org/x/net HTTP/2 CONTINUATION flood) — CVSS 7.5 (HIGH) — fixed in 0.23.0 — in image: 0.20.0 — used by gin
  CVE-2024-28849 (follow-redirects) — CVSS 6.5 (MEDIUM) — fixed in 1.15.6 — in image: 1.15.4 — only used by axios in build tooling, not at runtime
  CVE-2024-28182 (golang.org/x/net HTTP/2 rapid reset variant) — CVSS 7.5 (HIGH) — fixed in 0.23.0 — same dep as 45288
  CVE-2024-1737 (bind9 large rdata) — CVSS 7.5 (HIGH) — in image: bind-libs 9.16 — pulled in via curl deps; not used at runtime
  CVE-2023-7008 (systemd) — CVSS 5.9 (MEDIUM) — in image: systemd 252 — we don't run systemd in container
  CVE-2024-4577 (PHP CGI argument injection) — CVSS 9.8 (CRITICAL) — KEV listed — in image: PHP not installed — false positive flagged by Trivy due to filename match
  CVE-2024-2961 (glibc iconv) — CVSS 8.8 (HIGH) — in image: glibc 2.36 — fix not yet in alpine 3.18
  CVE-2023-39325 (golang HTTP/2 rapid reset) — CVSS 7.5 (HIGH) — fixed in 0.17.0 — already at 0.20.0 — false positive
  CVE-2024-26130 (cryptography Python lib) — CVSS 7.5 (HIGH) — in image: not installed (Python tooling stripped in prod stage of multi-stage build) — false positive on build stage
  CVE-2024-27319 (sqlite3) — CVSS 5.9 (MEDIUM) — in image: 3.41 — used by gorm SQLite driver in tests only

Output

# Vulnerability Triage: orders-api:v2.14.3

Triage by: AppSec. Date: 2026-05-07. Scanner: Trivy 0.50.

## Executive summary

- Findings: 12 total — 1 Critical (FP), 6 High, 3 Medium, 2 informational/FP
- Three findings warrant action this sprint: **CVE-2024-21626 runc escape** (highest exploitable), **CVE-2023-45288/2024-28182 golang.org/x/net** (one bump fixes both, internet-facing path), **CVE-2024-2961 glibc iconv** (no upstream fix; compensating-control plan needed)
- No KEV-listed exploitable findings active. CVE-2024-4577 (KEV) flagged as FP — verified PHP not installed.

## Triaged findings table

| ID | CVE | Component | CVSS | Reachable? | Exposed? | Exploit available? | Effective severity | SLA due | Owner | Action |
|---|---|---|---|---|---|---|---|---|---|---|
| F-1 | CVE-2024-21626 | runc (base image) | 8.6 | Yes (container runtime) | Yes (internet-facing) | PoC public | **High** | 2026-06-06 | Platform | Bump base image to alpine:3.19 with runc ≥1.1.12 |
| F-2 | CVE-2023-45288 | golang.org/x/net | 7.5 | Yes (HTTP/2 server path) | Yes | PoC public | **High** | 2026-06-06 | Orders team | Bump x/net to 0.23.0 (covers F-3 too) |
| F-3 | CVE-2024-28182 | golang.org/x/net | 7.5 | Yes | Yes | PoC public | **High** | 2026-06-06 | Orders team | Same bump as F-2 |
| F-4 | CVE-2024-2961 | glibc 2.36 (alpine 3.18) | 8.8 | Conditional — only via iconv calls; we don't call iconv | Yes (image runs internet-facing) | PoC public | **Medium** (downgraded — not reachable) | 2026-08-05 | Platform | Watch for alpine 3.19 upgrade; compensating control = WAF + seccomp limits exploit surface |
| F-5 | CVE-2024-1737 | bind-libs 9.16 | 7.5 | No (we don't run a DNS server; libs pulled by curl, never used to resolve) | n/a | PoC for DNS server | **Low** (downgraded — unreachable) | 2026-08-05 | Platform | Resolve at next base image bump |
| F-6 | CVE-2024-28849 | follow-redirects | 6.5 | No (build-time tooling only, not in prod stage) | No | Theoretical | **Informational** (FP for prod image — see false-positives) | n/a | n/a | Suppress in prod stage scan |
| F-7 | CVE-2024-27319 | sqlite3 3.41 | 5.9 | Conditional — gorm sqlite driver only used in unit tests | No (tests don't run in prod image — actually present in image because test binary not stripped) | n/a | **Low** | 2026-08-05 | Orders team | Strip test binaries from prod image (separate ticket) |
| F-8 | CVE-2023-7008 | systemd 252 | 5.9 | No (systemd not running in container) | No | n/a | **Informational** | n/a | n/a | Suppress |
| F-9 | CVE-2023-39325 | golang.org/x/net | 7.5 | n/a (already patched at 0.20.0 ≥ 0.17.0 fix) | n/a | n/a | **False positive** | n/a | n/a | Suppress |
| F-10 | CVE-2024-3094 | xz 5.2.5 | 10.0 | n/a (vulnerable versions are 5.6.0/5.6.1; we're at 5.2.5) | n/a | n/a | **Not applicable** | n/a | n/a | Suppress |
| F-11 | CVE-2024-4577 | PHP CGI | 9.8 (KEV) | n/a (PHP not installed) | n/a | n/a | **False positive** | n/a | n/a | Suppress (filename collision) |
| F-12 | CVE-2024-26130 | cryptography (Python) | 7.5 | n/a (Python tooling not in prod image — multi-stage strips it) | n/a | n/a | **False positive (prod stage)** | n/a | n/a | Suppress on prod image; track on build image |

## Top 10 actions in order

1. **Bump golang.org/x/net to 0.23.0** in orders-api `go.mod` — fixes F-2 and F-3 in one PR. Owner: Orders team. ETA this sprint.
2. **Bump base image alpine:3.18 → 3.19** to address F-1 runc + future-proof glibc track. Owner: Platform. Coordinate across all services using shared base. ETA next sprint.
3. **Strip test binaries from prod image stage** to remove SQLite footprint and reduce attack surface generally. Owner: Orders team. ETA this sprint.
4. **Suppress confirmed false positives** in `.trivyignore` with expiry dates (see §4). Owner: AppSec. Today.
5. **Document compensating controls for CVE-2024-2961** in service security profile until alpine 3.19 lands. Owner: AppSec + Platform.
6. **Add Trivy ignore rules for build-stage-only deps** (F-6 follow-redirects, F-12 cryptography) so they don't recur on every scan. Owner: Platform.
7. **Set Trivy to scan prod stage only** (`--target prod`) by default in CI to reduce noise from build-tooling dependencies. Owner: Platform.
8. **Audit other services for the same x/net pinning** — likely fleet-wide issue. Owner: AppSec, this week.
9. **Verify WAF rules cover HTTP/2 CONTINUATION flood** (mitigates residual F-2/F-3 risk during patch window). Owner: AppSec + Platform.
10. **Schedule next base-image refresh cadence** (every 30 days, with security exception for KEV-listed findings). Owner: Platform.

## False positives / not applicable

Add to `.trivyignore` with expiry:

```
# F-9 already patched at runtime version 0.20.0 ≥ 0.17.0 fix
CVE-2023-39325
# F-10 vulnerable xz versions 5.6.0/5.6.1 not present (we have 5.2.5)
CVE-2024-3094
# F-11 PHP CGI not installed — Trivy false match on similar filename
CVE-2024-4577
# F-8 systemd not running in container
CVE-2023-7008
# F-6, F-12 build-stage only, suppressed by --target prod going forward
CVE-2024-28849
CVE-2024-26130
```

Set expiry dates on each suppression (90d) and re-evaluate at scan refresh.

## Compensating controls (for findings we can't immediately patch)

- **CVE-2024-2961 glibc iconv**: no upstream fix in alpine 3.18 yet. Compensating: code does not call `iconv` directly; egress NetworkPolicy limits arbitrary outbound; seccomp profile blocks ptrace. Risk acceptable for ~30 days. Re-check on alpine 3.19 release.
- **CVE-2024-21626 runc** in interim: rolling out base image bump takes ~5 days fleet-wide. Compensating: container has `readOnlyRootFilesystem: true`, `runAsNonRoot`, drop ALL caps — escape vector substantially narrowed. Risk acceptable during 5-day window.

## Patterns observed

- 2 of 6 High findings are the same dependency (golang.org/x/net) — single bump resolves. Consider Renovate/Dependabot for x/net specifically.
- 4 of 12 findings are from build-stage-only dependencies. Switching Trivy to scan `--target prod` in CI eliminates this noise without losing coverage.
- 3 of 12 are from base-image OS packages where we don't use the binary at all — points to base-image hardening (distroless or even more minimal alpine variant).

## Asks of engineering

- **Orders team**: PR by 2026-05-14 to bump x/net to 0.23.0 and strip test binaries from prod image
- **Platform**: PR by 2026-05-21 to bump shared base image to alpine:3.19 and switch Trivy to prod-stage scan
- **AppSec**: confirm WAF coverage for HTTP/2 CONTINUATION flood by 2026-05-09; audit other services for x/net pinning by 2026-05-12

Tips for best results

1CVSS is the start of triage, not the end. Reachability and exposure routinely move a CVE up or down two severity levels — a Critical in dead code is not your problem.
2False positives are most of the dump. The first hour with a new scanner is suppression hygiene; it pays back every subsequent scan.
3When suppressing, always add an expiry. A suppression without an expiry becomes a permanent blind spot. 90 days is a reasonable default.
4Look for patterns. One bump that closes 6 findings is more valuable than triaging the 6 separately.
5AI assistance is not a replacement for security review by qualified professionals. Have a senior security engineer validate any 'effective severity' downgrades, especially for KEV-listed CVEs — getting a downgrade wrong is how breaches start.

Related prompts

Run a STRIDE threat model on a system description

advanced

Apply the STRIDE methodology to a system architecture and produce a prioritized list of threats with mitigations.

IT & Securitythreat-modelingstrideappsec

Review a Dockerfile for security and best practices

intermediate

Audit a Dockerfile for security vulnerabilities, image bloat, layer inefficiency, and production-readiness issues.

IT & Securitydockercontainer-securitydevops

Risk-assess a third-party SaaS vendor

advanced

Conduct a structured third-party risk assessment of a SaaS vendor — security posture, data handling, contractual gaps, and recommendations.

IT & Securityvendor-risktprmsecurity

Need help implementing this prompt in your workflow?

Book a call

You are a security engineer triaging vulnerability scanner output. Convert the dump into a list engineering can actually act on. CVSS score alone is not prioritization. Use environmental context, exploit availability, exposure, and reachability. Inputs: - Scanner output: {{scan_output}} - Scanner used: {{scanner}} - Asset / service: {{asset}} - Exposure: {{exposure}} (internet-facing, internal, dev-only) - Data sensitivity: {{data_sensitivity}} - Existing compensating controls: {{controls}} - Org SLA framework: {{sla}} (e.g., Critical 7d, High 30d, Medium 90d) Produce: 1. **Executive summary** (3 lines): findings count by severity, top three risks worth attention, anything time-critical (KEV-listed, in-the-wild) 2. **Triaged findings table**: | ID | CVE | Component | CVSS | Reachable? | Exposed? | Exploit available? | Effective severity | SLA due date | Owner | Recommended action | "Effective severity" is your call after context — can be lower or higher than CVSS. Justify any deviation. 3. **Top 10 actions** in execution order with rationale 4. **False positives / not applicable**: which findings can be safely ignored, with reasoning. Include `.trivyignore` / Snyk policy snippet to suppress. 5. **Compensating control opportunities**: vulnerabilities that can't be patched immediately and what mitigates them in the meantime 6. **Patterns**: recurring categories (e.g., "8 of 47 are in node_modules transitive deps from package X" — bump that one). 7. **Asks of engineering**: specific, named, with deadlines Be ruthless about deprioritization. A "Critical" CVSS score in an unreachable code path is not your most important problem.

Variables

{{{{scan_output}}}}Replace with your {{scan output}}

{{{{scanner}}}}Replace with your {{scanner}}

{{{{asset}}}}Replace with your {{asset}}

{{{{exposure}}}}Replace with your {{exposure}}

{{{{data_sensitivity}}}}Replace with your {{data sensitivity}}

{{{{controls}}}}Replace with your {{controls}}

{{{{sla}}}}Replace with your {{sla}}

Example

Input

scanner: Trivy 0.50 (image scan)
asset: orders-api container image (orders-api:v2.14.3)
exposure: Internet-facing via ALB → mTLS Istio → service
data_sensitivity: PII + payment metadata (tokenized cards only)
controls: WAF (managed rules + OWASP CRS), egress-limited via NetworkPolicy, RuntimeDefault seccomp, read-only rootfs
sla: Critical 7d, High 30d, Medium 90d, Low best-effort
scan_output: |
  CVE-2024-21626 (runc, runtime escape) — CVSS 8.6 (HIGH) — fixed in runc 1.1.12 — in our base image (alpine:3.18)
  CVE-2024-3094 (xz-utils backdoor) — CVSS 10.0 (CRITICAL) — versions 5.6.0/5.6.1 — in image: xz 5.2.5 — NOT VULNERABLE
  CVE-2023-45288 (golang.org/x/net HTTP/2 CONTINUATION flood) — CVSS 7.5 (HIGH) — fixed in 0.23.0 — in image: 0.20.0 — used by gin
  CVE-2024-28849 (follow-redirects) — CVSS 6.5 (MEDIUM) — fixed in 1.15.6 — in image: 1.15.4 — only used by axios in build tooling, not at runtime
  CVE-2024-28182 (golang.org/x/net HTTP/2 rapid reset variant) — CVSS 7.5 (HIGH) — fixed in 0.23.0 — same dep as 45288
  CVE-2024-1737 (bind9 large rdata) — CVSS 7.5 (HIGH) — in image: bind-libs 9.16 — pulled in via curl deps; not used at runtime
  CVE-2023-7008 (systemd) — CVSS 5.9 (MEDIUM) — in image: systemd 252 — we don't run systemd in container
  CVE-2024-4577 (PHP CGI argument injection) — CVSS 9.8 (CRITICAL) — KEV listed — in image: PHP not installed — false positive flagged by Trivy due to filename match
  CVE-2024-2961 (glibc iconv) — CVSS 8.8 (HIGH) — in image: glibc 2.36 — fix not yet in alpine 3.18
  CVE-2023-39325 (golang HTTP/2 rapid reset) — CVSS 7.5 (HIGH) — fixed in 0.17.0 — already at 0.20.0 — false positive
  CVE-2024-26130 (cryptography Python lib) — CVSS 7.5 (HIGH) — in image: not installed (Python tooling stripped in prod stage of multi-stage build) — false positive on build stage
  CVE-2024-27319 (sqlite3) — CVSS 5.9 (MEDIUM) — in image: 3.41 — used by gorm SQLite driver in tests only

Output

# Vulnerability Triage: orders-api:v2.14.3

Triage by: AppSec. Date: 2026-05-07. Scanner: Trivy 0.50.

## Executive summary

- Findings: 12 total — 1 Critical (FP), 6 High, 3 Medium, 2 informational/FP
- Three findings warrant action this sprint: **CVE-2024-21626 runc escape** (highest exploitable), **CVE-2023-45288/2024-28182 golang.org/x/net** (one bump fixes both, internet-facing path), **CVE-2024-2961 glibc iconv** (no upstream fix; compensating-control plan needed)
- No KEV-listed exploitable findings active. CVE-2024-4577 (KEV) flagged as FP — verified PHP not installed.

## Triaged findings table

| ID | CVE | Component | CVSS | Reachable? | Exposed? | Exploit available? | Effective severity | SLA due | Owner | Action |
|---|---|---|---|---|---|---|---|---|---|---|
| F-1 | CVE-2024-21626 | runc (base image) | 8.6 | Yes (container runtime) | Yes (internet-facing) | PoC public | **High** | 2026-06-06 | Platform | Bump base image to alpine:3.19 with runc ≥1.1.12 |
| F-2 | CVE-2023-45288 | golang.org/x/net | 7.5 | Yes (HTTP/2 server path) | Yes | PoC public | **High** | 2026-06-06 | Orders team | Bump x/net to 0.23.0 (covers F-3 too) |
| F-3 | CVE-2024-28182 | golang.org/x/net | 7.5 | Yes | Yes | PoC public | **High** | 2026-06-06 | Orders team | Same bump as F-2 |
| F-4 | CVE-2024-2961 | glibc 2.36 (alpine 3.18) | 8.8 | Conditional — only via iconv calls; we don't call iconv | Yes (image runs internet-facing) | PoC public | **Medium** (downgraded — not reachable) | 2026-08-05 | Platform | Watch for alpine 3.19 upgrade; compensating control = WAF + seccomp limits exploit surface |
| F-5 | CVE-2024-1737 | bind-libs 9.16 | 7.5 | No (we don't run a DNS server; libs pulled by curl, never used to resolve) | n/a | PoC for DNS server | **Low** (downgraded — unreachable) | 2026-08-05 | Platform | Resolve at next base image bump |
| F-6 | CVE-2024-28849 | follow-redirects | 6.5 | No (build-time tooling only, not in prod stage) | No | Theoretical | **Informational** (FP for prod image — see false-positives) | n/a | n/a | Suppress in prod stage scan |
| F-7 | CVE-2024-27319 | sqlite3 3.41 | 5.9 | Conditional — gorm sqlite driver only used in unit tests | No (tests don't run in prod image — actually present in image because test binary not stripped) | n/a | **Low** | 2026-08-05 | Orders team | Strip test binaries from prod image (separate ticket) |
| F-8 | CVE-2023-7008 | systemd 252 | 5.9 | No (systemd not running in container) | No | n/a | **Informational** | n/a | n/a | Suppress |
| F-9 | CVE-2023-39325 | golang.org/x/net | 7.5 | n/a (already patched at 0.20.0 ≥ 0.17.0 fix) | n/a | n/a | **False positive** | n/a | n/a | Suppress |
| F-10 | CVE-2024-3094 | xz 5.2.5 | 10.0 | n/a (vulnerable versions are 5.6.0/5.6.1; we're at 5.2.5) | n/a | n/a | **Not applicable** | n/a | n/a | Suppress |
| F-11 | CVE-2024-4577 | PHP CGI | 9.8 (KEV) | n/a (PHP not installed) | n/a | n/a | **False positive** | n/a | n/a | Suppress (filename collision) |
| F-12 | CVE-2024-26130 | cryptography (Python) | 7.5 | n/a (Python tooling not in prod image — multi-stage strips it) | n/a | n/a | **False positive (prod stage)** | n/a | n/a | Suppress on prod image; track on build image |

## Top 10 actions in order

1. **Bump golang.org/x/net to 0.23.0** in orders-api `go.mod` — fixes F-2 and F-3 in one PR. Owner: Orders team. ETA this sprint.
2. **Bump base image alpine:3.18 → 3.19** to address F-1 runc + future-proof glibc track. Owner: Platform. Coordinate across all services using shared base. ETA next sprint.
3. **Strip test binaries from prod image stage** to remove SQLite footprint and reduce attack surface generally. Owner: Orders team. ETA this sprint.
4. **Suppress confirmed false positives** in `.trivyignore` with expiry dates (see §4). Owner: AppSec. Today.
5. **Document compensating controls for CVE-2024-2961** in service security profile until alpine 3.19 lands. Owner: AppSec + Platform.
6. **Add Trivy ignore rules for build-stage-only deps** (F-6 follow-redirects, F-12 cryptography) so they don't recur on every scan. Owner: Platform.
7. **Set Trivy to scan prod stage only** (`--target prod`) by default in CI to reduce noise from build-tooling dependencies. Owner: Platform.
8. **Audit other services for the same x/net pinning** — likely fleet-wide issue. Owner: AppSec, this week.
9. **Verify WAF rules cover HTTP/2 CONTINUATION flood** (mitigates residual F-2/F-3 risk during patch window). Owner: AppSec + Platform.
10. **Schedule next base-image refresh cadence** (every 30 days, with security exception for KEV-listed findings). Owner: Platform.

## False positives / not applicable

Add to `.trivyignore` with expiry:

```
# F-9 already patched at runtime version 0.20.0 ≥ 0.17.0 fix
CVE-2023-39325
# F-10 vulnerable xz versions 5.6.0/5.6.1 not present (we have 5.2.5)
CVE-2024-3094
# F-11 PHP CGI not installed — Trivy false match on similar filename
CVE-2024-4577
# F-8 systemd not running in container
CVE-2023-7008
# F-6, F-12 build-stage only, suppressed by --target prod going forward
CVE-2024-28849
CVE-2024-26130
```

Set expiry dates on each suppression (90d) and re-evaluate at scan refresh.

## Compensating controls (for findings we can't immediately patch)

- **CVE-2024-2961 glibc iconv**: no upstream fix in alpine 3.18 yet. Compensating: code does not call `iconv` directly; egress NetworkPolicy limits arbitrary outbound; seccomp profile blocks ptrace. Risk acceptable for ~30 days. Re-check on alpine 3.19 release.
- **CVE-2024-21626 runc** in interim: rolling out base image bump takes ~5 days fleet-wide. Compensating: container has `readOnlyRootFilesystem: true`, `runAsNonRoot`, drop ALL caps — escape vector substantially narrowed. Risk acceptable during 5-day window.

## Patterns observed

- 2 of 6 High findings are the same dependency (golang.org/x/net) — single bump resolves. Consider Renovate/Dependabot for x/net specifically.
- 4 of 12 findings are from build-stage-only dependencies. Switching Trivy to scan `--target prod` in CI eliminates this noise without losing coverage.
- 3 of 12 are from base-image OS packages where we don't use the binary at all — points to base-image hardening (distroless or even more minimal alpine variant).

## Asks of engineering

- **Orders team**: PR by 2026-05-14 to bump x/net to 0.23.0 and strip test binaries from prod image
- **Platform**: PR by 2026-05-21 to bump shared base image to alpine:3.19 and switch Trivy to prod-stage scan
- **AppSec**: confirm WAF coverage for HTTP/2 CONTINUATION flood by 2026-05-09; audit other services for x/net pinning by 2026-05-12

Tips for best results

1CVSS is the start of triage, not the end. Reachability and exposure routinely move a CVE up or down two severity levels — a Critical in dead code is not your problem.

2False positives are most of the dump. The first hour with a new scanner is suppression hygiene; it pays back every subsequent scan.

3When suppressing, always add an expiry. A suppression without an expiry becomes a permanent blind spot. 90 days is a reasonable default.

4Look for patterns. One bump that closes 6 findings is more valuable than triaging the 6 separately.

5AI assistance is not a replacement for security review by qualified professionals. Have a senior security engineer validate any 'effective severity' downgrades, especially for KEV-listed CVEs — getting a downgrade wrong is how breaches start.