Respond to Vulnerabilites

Respond to Vulnerabilities (RV) CI/CD Steps

Respond to Vulnerabilities (RV)

Task: Identify and Respond to Vulnerabilities How to Achieve: Organizations should identify residual vulnerabilities in their software releases and respond appropriately to address those vulnerabilities and prevent similar ones from occurring in the future.

RV.1 Identify and Confirm Vulnerabilities on an Ongoing Basis

Open-Source Tools to Achieve:

Identify Vulnerabilities

Static Application Security Testing (SAST):

Semgrep
SonarQube
CodeQL

Dynamic Application Security Testing (DAST):

OWASP ZAP
w3af

Software Composition Analysis (SCA):

OWASP Dependency-Check
Trivy
Grype

RV.2 Assess, Prioritize, and Remediate Vulnerabilities

OWASP Defectdojo
GitLab Security Scanning
Tsunami Security Scanner

RV.3 Identify Root Cause and help to reduce frequency of vulnerabilities in the future

Open Policy Agent (OPA)
Sigstore
in-toto

Last modified April 1, 2025