Security
Dependency CVE Burndown
Rank vulnerabilities by real exposure, then fix the reachable ones first.
Use when
Scanners are noisy and you need to know what is actually reachable.
Cadence
After security scan
Verification
No exploitable high or critical CVE remains without an explicit risk decision.
Structured loop spec
| Field | Value |
|---|---|
| Name | Dependency CVE Burndown |
| Category | Security |
| Trigger | After security scan |
| Objective | Rank vulnerabilities by real exposure, then fix the reachable ones first. |
| Allowed inputs | Relevant files, source notes, logs, tests, screenshots, metrics, or task state for this loop |
| Allowed actions | Define the exact scope, source of truth, and approval boundary; inspect current state and rank the highest-risk gap; make one small, reversible improvement; run the stated verification and record evidence; stop on success, budget, no progress, or approval required. |
| Verification | No exploitable high or critical CVE remains without an explicit risk decision. |
| Stop condition | Stop when the verifier passes, the budget is exhausted, no progress is made, a blocker appears, or approval is required. |
| Budget | Set a time, turn, token, retry, file, or dollar cap before running the loop. |
| Approval boundary | Human approval required before publishing, sending, deleting, spending, changing accounts, touching production, or making reputational/legal/financial commitments. |
| Safe output | Draft, report, checklist, table, or approval-gated recommendation |
| Works with | Claude, ChatGPT, Gemini, any tool-using AI assistant |
Runbook steps
- Define the exact scope, source of truth, and approval boundary.
- Inspect current state and rank the highest-risk gap.
- Make one small, reversible improvement.
- Run the stated verification and record evidence.
- Stop on success, budget, no progress, or approval required.
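The ranking and verification steps above, as an added example that is not part of the original page: scanner findings are joined with what the application actually ships and calls, scored by exposure rather than raw CVSS severity, and then checked against the loop's verifier (no reachable high or critical finding without a fix or an explicit risk decision). All findings, package names and call-graph data are constructed, the CVE ids are placeholders, and the `called_symbols` input is assumed to come from whatever reachability or call-graph tool you already use.

```python
"""Dependency CVE burndown: rank findings by real exposure, then verify.

Added example, not code from the original page. All data below is
constructed; CVE ids are placeholders, not real advisories.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                  # placeholder id, not a real CVE
    package: str
    severity: str             # scanner-reported: LOW / MEDIUM / HIGH / CRITICAL
    vuln_symbols: frozenset   # functions the advisory names; empty = unknown
    exploit_known: bool       # public-exploit flag carried by the scanner feed


@dataclass
class Context:
    called_symbols: dict      # package -> set of symbols our code calls (assumed from a call graph)
    prod_packages: set        # packages present in the production artifact
    internet_facing: set      # packages that sit on an external request path


SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def reachability(f: Finding, ctx: Context) -> str:
    """Classify how reachable the vulnerable code is in this deployment.

    Unknown affected symbols are treated as reachable if the package ships,
    so missing advisory detail never silently lowers a finding's rank.
    """
    if f.package not in ctx.prod_packages:
        return "not-shipped"
    called = ctx.called_symbols.get(f.package, set())
    if f.vuln_symbols and not (f.vuln_symbols & called):
        return "shipped-uncalled"
    return "reachable"


def exposure_score(f: Finding, ctx: Context) -> int:
    """Severity weighted by reachability, exploit availability and exposure."""
    reach = reachability(f, ctx)
    weight = {"reachable": 10, "shipped-uncalled": 3, "not-shipped": 1}[reach]
    score = SEVERITY_RANK[f.severity] * weight
    if f.exploit_known:
        score *= 2
    if reach == "reachable" and f.package in ctx.internet_facing:
        score *= 2
    return score


def rank(findings, ctx: Context):
    """Burndown order: highest exposure first, CVE id as a stable tie-break."""
    return sorted(findings, key=lambda f: (-exposure_score(f, ctx), f.cve))


def unresolved(findings, ctx: Context, decisions: dict):
    """Loop verifier: reachable HIGH/CRITICAL findings with neither a fix nor
    an explicit risk decision recorded (e.g. "fixed", "accepted: <reason>",
    "mitigated: <control>"). An empty list means the loop may stop."""
    out = []
    for f in findings:
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK["HIGH"]:
            continue
        if reachability(f, ctx) != "reachable":
            continue
        if f.cve in decisions:
            continue
        out.append(f.cve)
    return out


# Constructed sample input: four scanner findings and what the app really uses.
FINDINGS = [
    Finding("CVE-EXAMPLE-0001", "yaml-parser", "CRITICAL", frozenset({"load_unsafe"}), True),
    Finding("CVE-EXAMPLE-0002", "http-router", "HIGH", frozenset({"parse_path"}), False),
    Finding("CVE-EXAMPLE-0003", "test-fixtures", "CRITICAL", frozenset(), True),
    Finding("CVE-EXAMPLE-0004", "image-codec", "MEDIUM", frozenset(), False),
]
CTX = Context(
    called_symbols={
        "yaml-parser": {"safe_load"},            # vulnerable loader never called
        "http-router": {"parse_path", "route"},  # vulnerable function on the request path
        "image-codec": {"decode"},
    },
    prod_packages={"yaml-parser", "http-router", "image-codec"},  # test-fixtures is dev-only
    internet_facing={"http-router"},
)

if __name__ == "__main__":
    for f in rank(FINDINGS, CTX):
        print(f"{exposure_score(f, CTX):4d}  {f.severity:8s} {reachability(f, CTX):16s} {f.cve} ({f.package})")
    print("unresolved before decisions:", unresolved(FINDINGS, CTX, {}))
    print("unresolved after fix:", unresolved(FINDINGS, CTX, {"CVE-EXAMPLE-0002": "fixed: upgraded"}))
```

In the constructed data the scanner's only CRITICAL-with-exploit finding in production (`yaml-parser`) drops below the HIGH in `http-router`, because the vulnerable loader is never called while the router bug is on an internet-facing request path; the dev-only fixture package ranks last regardless of severity. The verifier then returns exactly one item until that router finding is fixed or given a recorded risk decision, which is the loop's stop condition.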
Prompt
Run the Dependency CVE Burndown loop. Use it when scanners are noisy and you need to know what is actually reachable. Work in bounded iterations: inspect current state, choose the highest-risk gap, make one reversible improvement, verify it, and record evidence. Stop when no exploitable high or critical CVE remains without an explicit risk decision, or when blocked, budget exhausted, or approval is required.