Security

Dependency CVE Burndown

Rank vulnerabilities by real exposure, then fix the reachable ones first.

Use when

Scanners are noisy and you need to know what is actually reachable.

Cadence

After security scan

Verification

No exploitable high or critical CVE remains without an explicit risk decision.

Advanced spec

Structured loop spec

Name: Dependency CVE Burndown
Category: Security
Trigger: After security scan
Objective: Rank vulnerabilities by real exposure, then fix the reachable ones first.
Allowed inputs: Relevant files, source notes, logs, tests, screenshots, metrics, or task state for this loop
Allowed actions: Define the exact scope, source of truth, and approval boundary; inspect current state and rank the highest-risk gap; make one small, reversible improvement; run the stated verification and record evidence; stop on success, budget, no progress, or approval required.
Verification: No exploitable high or critical CVE remains without an explicit risk decision.
Stop condition: Stop when the verifier passes, the budget is exhausted, no progress is made, a blocker appears, or approval is required.
Budget: Set a time, turn, token, retry, file, or dollar cap before running the loop.
Approval boundary: Human approval required before publishing, sending, deleting, spending, changing accounts, touching production, or making reputational/legal/financial commitments.
Safe output: Draft, report, checklist, table, or approval-gated recommendation
Works with: Claude, ChatGPT, Gemini, any tool-using AI assistant

Runbook

Steps

  1. Define the exact scope, source of truth, and approval boundary.
  2. Inspect current state and rank the highest-risk gap.
  3. Make one small, reversible improvement.
  4. Run the stated verification and record evidence.
  5. Stop on success, budget, no progress, or approval required.
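The ranking step and the verification step of this runbook, as an added example that is not part of the original loop spec: scanner findings are scored by whether the vulnerable package, and the specific function the advisory names, is actually on the application's call path, and the exit check fails while any reachable high or critical CVE lacks both a fix and a recorded risk decision. The package names, CVE ids, call-graph data and risk decisions are all constructed placeholders.

```python
# Added example (not from the original loop spec): rank scanner findings by
# real exposure and check the loop's exit criterion. All data is constructed.
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

@dataclass
class Finding:
    cve: str                  # placeholder id, not a real CVE
    package: str
    severity: str
    direct: bool              # direct dependency, or pulled in transitively
    vulnerable_symbols: frozenset = frozenset()  # functions the advisory names
    fixed: bool = False       # set once the upgrade/patch iteration lands

def exposure(f: Finding, reachable: dict) -> int:
    """0 = never imported, 1 = imported but vulnerable function unused,
    2/3 = vulnerable code on our call path (3 if a direct dependency)."""
    called = reachable.get(f.package, set())
    if not called:
        return 0
    if f.vulnerable_symbols and not (f.vulnerable_symbols & called):
        return 1
    return 3 if f.direct else 2

def rank(findings, reachable):
    """Open findings, highest exposure first, ties broken by severity."""
    return sorted((f for f in findings if not f.fixed), reverse=True,
                  key=lambda f: (exposure(f, reachable), SEVERITY_RANK[f.severity]))

def verify(findings, reachable, risk_decisions):
    """Exit criterion: no exploitable high/critical CVE without a recorded
    risk decision. Returns the ids that still block the loop."""
    return [f.cve for f in findings
            if not f.fixed and SEVERITY_RANK[f.severity] >= 3
            and exposure(f, reachable) > 0 and f.cve not in risk_decisions]

# Constructed sample: scanner output, symbols our code calls, and decisions.
FINDINGS = [
    Finding("CVE-PLACEHOLDER-1", "yamlparse", "critical", True, frozenset({"load"})),
    Finding("CVE-PLACEHOLDER-2", "imgcodec", "high", False, frozenset({"decode_tiff"})),
    Finding("CVE-PLACEHOLDER-3", "leftpad", "high", False),
    Finding("CVE-PLACEHOLDER-4", "httpclient", "medium", True, frozenset({"parse_chunked"})),
]
REACHABLE = {"yamlparse": {"load"}, "imgcodec": {"decode_png"},
             "httpclient": {"get", "parse_chunked"}}
RISK_DECISIONS = {"CVE-PLACEHOLDER-2": "decode_tiff never called; accepted, recheck next scan"}

if __name__ == "__main__":
    print([(exposure(f, REACHABLE), f.cve) for f in rank(FINDINGS, REACHABLE)])
    print("blocking:", verify(FINDINGS, REACHABLE, RISK_DECISIONS))
```

Each iteration fixes the top-ranked open finding, re-runs `verify`, and records the returned list as evidence; the loop ends when the list is empty.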
Prompt

Run the Dependency CVE Burndown loop. Use it when scanners are noisy and you need to know what is actually reachable. Work in bounded iterations: inspect current state, choose the highest-risk gap, make one reversible improvement, verify it, and record evidence. Stop when no exploitable high or critical CVE remains without an explicit risk decision, or when blocked, budget exhausted, or approval is required.
Metadata

Tags

CVE, dependencies, security