How do I get EPSS and KEV into my pipeline?

Pull EPSS via FIRST.org’s API and KEV from CISA’s JSON feed during CI or as a nightly job enriching your vulnerability database. Cache locally to avoid rate limits, and merge by CVE ID before computing risk.

What scanners should I start with if we have nothing?

Keep it simple: Trivy or Grype for images, OSV-Scanner for dependencies, tfsec or Checkov for IaC. Add SAST once you’re catching obvious issues. The differentiator isn’t the tool; it’s the risk model and automation.

How do we avoid blocking every deploy in a regulated environment?

Classify services and data. Only apply hard gates to high-sensitivity, internet-exposed, or tier-1 services. Everyone else gets warnings and tickets. Use canaries and short rollback SLOs to manage risk while shipping.

What counts as an automated proof for auditors?

Signed SBOMs, vulnerability scan results, SLSA provenance, and in-toto attestations tied to the artifact digest. Store in an immutable bucket or OCI registry and reference from your change record or ticket.

Our codebase has AI-generated vibe code—does this change anything?

Yes—enable SAST and secret scanning on PRs, bump static analysis for unsafe patterns, and enforce policy-as-code in IaC. AI code increases the rate of risky patterns; the risk gating and automated proofs keep shipping safe.

Security-compliance · Nov 25, 2025 · 9 minute read

Stop Chasing CVEs: Build Vulnerability Workflows That Rank by Business Risk

If your vuln backlog is just CVSS scores sorted descending, you’re losing. Tie findings to asset value, exposure, and data sensitivity, and automate guardrails and proofs so engineers can ship without security playing hall monitor.

Back to all posts

Stop Chasing CVEs: Build Vulnerability Workflows That Rank by Business Risk

Key takeaways

Implementation checklist