Respond to Vulnerabilities

Respond to Vulnerabilities (RV) Code and Prebuild CI/CD Steps

Respond to Vulnerabilities (RV)

Respond to Vulnerabilities (RV): Organizations should identify residual vulnerabilities in their software releases and respond appropriately to address those vulnerabilities and prevent similar ones from occurring in the future.


RV.1

Identify and Confirm Vulnerabilities on an Ongoing Basis: Help ensure that vulnerabilities are identified more quickly so that they can be remediated more quickly in accordance with risk, reducing the window of opportunity for attackers.


To satisfy SSDF RV.1 in a code and prebuild context using open-source tools, the focus shifts to detecting and remediating vulnerabilities before any artifact is built, so fixes happen in code/manifest PRs, not after packaging.


Tasks

  • RV.1.1: Gather information from software acquirers, users, and public sources on potential vulnerabilities in the software and third-party components that the software uses, and investigate all credible reports.

  • RV.1.2: Review, analyze, and/or test the software’s code to identify or confirm the presence of previously undetected vulnerabilities.

  • RV.1.3: Have a policy that addresses vulnerability disclosure and remediation, and implement the roles, responsibilities, and processes needed to support that policy.

Tools

  • OSV-Scanner: Scans source trees and manifest/lock files against the OSV database for known vulnerabilities, so they are discovered early in development.

  • Ortelius Evidence Store: Continuously synchronizes the Software Bill of Materials (SBOM) versions of built artifacts with OSV.dev, reporting on vulnerabilities discovered post-build.

  • Semgrep: Rule-based SAST in PRs/CI for previously undetected vulnerabilities. Static analysis tool used for searching code, finding bugs, and enforcing code standards at various stages of the development cycle (editor, commit, and continuous integration).

  • OWASP Dependency Check: SCA for many ecosystems; runs in CI and outputs SARIF/HTML. CVE-based dependency matching for code-time feedback.

  • Trivy: Scans source, lockfiles, and IaC before build. All-in-one SCA plus IaC misconfiguration checks pre-build.

  • Syft: Generates SBOMs (CycloneDX/SPDX) directly from source. Composition/provenance data to power RV.1 discovery.

  • Grype: Scans source directories or SBOMs (from Syft) for vulnerabilities. Accurate matching via SBOM plus flexible CI integration.

  • SonarQube Community: Lets developers continuously inspect code quality to detect bugs, code smells, and security vulnerabilities without executing the code.

  • CodeQL: Developed by GitHub; lets developers and security researchers analyze codebases for security vulnerabilities, bugs, and other code quality issues.

  • Bandit (Python): A static analysis tool designed to identify common security vulnerabilities in Python code.

  • Brakeman (Rails): Vulnerability scanner specifically designed for Ruby on Rails applications.

  • FindSecBugs (Java): Static code analysis tool designed for Java applications, used to identify potential security vulnerabilities within the code.

  • Gitleaks: Prevents hardcoded secrets in code and configs.

  • Conftest: A utility to help you write tests against structured configuration data.
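The RV.1 discovery step above, matching a dependency manifest against known-vulnerability data before anything is built, as an added example that is not part of the original page and not code from OSV-Scanner or any other tool listed. The advisories, the EXAMPLE-000x identifiers and the manifest are constructed; the half-open introduced/fixed range check follows the shape OSV records use, and the version parser is a deliberate simplification, not PEP 440. Unpinned dependencies are reported alongside matches because a scan of an unpinned manifest is not reproducible.

```python
"""Pre-build dependency discovery gate (added example; not code from any tool on the page)."""
import re
from typing import NamedTuple, Optional

# Constructed advisories; identifiers are placeholders, not real CVE/GHSA ids.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "ecosystem": "PyPI", "package": "requests",
     "introduced": "2.0.0", "fixed": "2.31.0", "severity": "MEDIUM"},
    {"id": "EXAMPLE-0002", "ecosystem": "PyPI", "package": "pyyaml",
     "introduced": "0", "fixed": "5.4", "severity": "CRITICAL"},
    {"id": "EXAMPLE-0003", "ecosystem": "PyPI", "package": "urllib3",
     "introduced": "2.0.0", "fixed": None, "severity": "LOW"},   # no fix released yet
]

# Constructed requirements.txt-style manifest, the file a PR changes before any build.
MANIFEST = """\
requests==2.28.1
pyyaml==6.0.1
urllib3==2.0.2   # inline comments are ignored
flask>=2.0
"""


class Finding(NamedTuple):
    package: str
    version: str
    advisory: str
    severity: str
    fixed_in: Optional[str]


def parse_version(v):
    """Turn '2.31.0' into (2, 31, 0); non-numeric parts count as 0. Simplified, not PEP 440."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def parse_manifest(text):
    """Return ({name: version} for exact '==' pins, [names] of everything not pinned)."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([0-9][0-9A-Za-z.\-]*)$", line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(re.split(r"[<>=!~]", line, maxsplit=1)[0].lower())
    return pinned, unpinned


def affected(version, introduced, fixed):
    """OSV-style half-open range: introduced <= version < fixed; fixed=None means still open."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def scan(manifest_text, advisories, ecosystem="PyPI"):
    """Match every pinned package against the advisory list for its ecosystem."""
    pinned, unpinned = parse_manifest(manifest_text)
    findings = []
    for adv in advisories:
        if adv["ecosystem"] != ecosystem:
            continue
        ver = pinned.get(adv["package"].lower())
        if ver and affected(ver, adv["introduced"], adv["fixed"]):
            findings.append(Finding(adv["package"], ver, adv["id"], adv["severity"], adv["fixed"]))
    return findings, unpinned


def gate(findings, unpinned, block_at=("CRITICAL", "HIGH")):
    """PR check passes only with no blocking-severity match and no unpinned dependency."""
    blocking = [f for f in findings if f.severity in block_at]
    return not blocking and not unpinned


if __name__ == "__main__":
    found, loose = scan(MANIFEST, ADVISORIES)
    for f in found:
        fix = f"upgrade to {f.fixed_in}" if f.fixed_in else "no fix released; mitigate or document"
        print(f"{f.advisory} {f.severity:<8} {f.package}=={f.version}: {fix}")
    for name in loose:
        print(f"unpinned dependency: {name} (pin it so the scan result is reproducible)")
    print("PR gate:", "pass" if gate(found, loose) else "fail")
```

Running it reports the requests and urllib3 matches, flags flask as unpinned, and fails the gate on the unpinned line even though neither match is HIGH or CRITICAL; swapping the constructed advisory list for real OSV data and the gate thresholds for the organization's policy is the only change a pipeline would need.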

RV.2

Assess, Prioritize, and Remediate Vulnerabilities: Help ensure that vulnerabilities are remediated in accordance with risk to reduce the window of opportunity for attackers.


To satisfy SSDF RV.2 in a code and prebuild context using open-source tools, the focus shifts to:

  • Recording each vulnerability

  • Analyzing its risk (exploitability and impact)

  • Choosing responses, publishing advisories, and delivering remediations via trusted mechanisms, including temporary mitigations where needed

Tasks

  • RV.2.1: Analyze each vulnerability to gather sufficient information about risk to plan its remediation or other risk response.

  • RV.2.2: Plan and implement risk responses for vulnerabilities.

Tools

  • GUAC: Aggregates SBOMs, attestations, and vulnerabilities to understand blast radius and prioritize fixes.

  • Renovate: Automates dependency upgrade/patch PRs with risk-aware policies.

  • OWASP DefectDojo: Ingests scanner results (Semgrep/Grype/Trivy/etc.) for de-duplication, severity, ownership, and workflow. Central vulnerability triage and risk tracking tied to repos.

  • Ortelius Evidence Store: Exposes the blast radius of each vulnerability across live environments.

  • Vulns: Agentless vulnerability scanner that analyzes installed packages and maps them to CVE data with CVSS scoring. Provides severity, exploitability, and remediation recommendations; can integrate with patch workflows.

  • Dependency-Track: Continuous SBOM-based component analysis platform. Enriches vulnerabilities with metadata (severity, exploitability, policy impact).

  • VEX: Vulnerability Exploitability eXchange (VEX) bridges the gap between identifying potential vulnerabilities (SBOM) and determining their actual risk in a specific environment. It lets organizations prioritize remediation efforts by focusing on vulnerabilities that are truly exploitable and require immediate attention.

RV.3

Analyze Vulnerabilities to Identify Their Root Causes: Help reduce the frequency of vulnerabilities in the future.



To satisfy SSDF RV.3 in a code and prebuild context using open-source tools, the focus shifts to:

  • Identifying vulnerabilities in source code and dependency manifests before building, using SBOM generation, SCA, and SAST

  • Confirming findings by removing false positives and documenting minimal evidence for remediation

  • Enforcing early guardrails such as version pinning, deny-lists, and secret scanning to block known risks

  • Normalizing, de-duplicating, and prioritizing findings based on severity, exploitability, and usage context

  • Applying policy-driven gates in PRs to block high-risk vulnerabilities and automating safe dependency updates

  • Assigning ownership, requiring a disposition for each finding, and governing exceptions with time-bound waivers or VEX records
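The RV.2 steps (record, analyze risk, choose a response) and the RV.3 items just above on normalizing, de-duplicating, gating, and governing exceptions with waivers or VEX records, carried through in one added example. This is not code from DefectDojo, Dependency-Track, or any other tool on the page: the scanner findings, vulnerability ids (EXAMPLE-01xx), VEX statement, and waiver are constructed; the VEX status values follow the OpenVEX vocabulary, and the exploitability signal is a plain boolean standing in for whatever enrichment source (KEV, EPSS, vendor advisory) the organization uses.

```python
"""Triage and PR gate for normalized findings (added example; not code from any tool on the page)."""
from datetime import date

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}

# Constructed scanner output already mapped to one shape; ids are placeholders, not real.
RAW_FINDINGS = [
    {"scanner": "grype", "vuln": "EXAMPLE-0101", "package": "pkg:pypi/libfoo@1.2.0",
     "severity": "HIGH", "exploit_known": True},
    {"scanner": "trivy", "vuln": "EXAMPLE-0101", "package": "pkg:pypi/libfoo@1.2.0",
     "severity": "CRITICAL", "exploit_known": False},    # same issue, different severity
    {"scanner": "grype", "vuln": "EXAMPLE-0102", "package": "pkg:pypi/libbar@0.9.0",
     "severity": "HIGH", "exploit_known": False},
    {"scanner": "semgrep", "vuln": "rule:no-eval", "package": "src/app.py:42",
     "severity": "MEDIUM", "exploit_known": False},
    {"scanner": "trivy", "vuln": "EXAMPLE-0103", "package": "pkg:pypi/libbaz@3.0.0",
     "severity": "LOW", "exploit_known": False},
]

# Constructed VEX-style statement; status values follow OpenVEX (not_affected/affected/fixed/under_investigation).
VEX = [
    {"vuln": "EXAMPLE-0102", "package": "pkg:pypi/libbar@0.9.0",
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
]

# Constructed time-bound waiver; every waiver carries an owner and an expiry date.
WAIVERS = [
    {"vuln": "rule:no-eval", "package": "src/app.py:42", "owner": "team-web",
     "expires": date(2025, 12, 31), "reason": "argument is a compile-time constant; refactor ticket open"},
]


def dedupe(findings):
    """Merge the same (vuln, location) reported by several scanners; keep the worst severity."""
    merged = {}
    for f in findings:
        key = (f["vuln"], f["package"])
        if key not in merged:
            merged[key] = dict(f, scanners={f["scanner"]})
            continue
        cur = merged[key]
        cur["scanners"].add(f["scanner"])
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[cur["severity"]]:
            cur["severity"] = f["severity"]
        cur["exploit_known"] = cur["exploit_known"] or f["exploit_known"]
    return list(merged.values())


def disposition(finding, vex, waivers, today):
    """'suppressed' under a not_affected/fixed VEX statement or a live waiver,
    'expired_waiver' when the waiver has lapsed (needs a fresh decision), else 'open'."""
    key = (finding["vuln"], finding["package"])
    for s in vex:
        if (s["vuln"], s["package"]) == key and s["status"] in ("not_affected", "fixed"):
            return "suppressed", f"VEX {s['status']}: {s['justification']}"
    for w in waivers:
        if (w["vuln"], w["package"]) == key:
            if w["expires"] >= today:
                return "suppressed", f"waiver by {w['owner']} until {w['expires']}: {w['reason']}"
            return "expired_waiver", f"waiver by {w['owner']} expired {w['expires']}"
    return "open", ""


def priority(finding):
    """Severity rank plus a bump when exploitation is known; higher sorts first."""
    return SEVERITY_RANK[finding["severity"]] + (2 if finding["exploit_known"] else 0)


def triage(findings, vex, waivers, today_iso, block_at="HIGH"):
    """Return (open findings sorted by priority, suppressed findings, gate_passes)."""
    today = date.fromisoformat(today_iso)
    open_, suppressed = [], []
    for f in dedupe(findings):
        status, note = disposition(f, vex, waivers, today)
        f = dict(f, status=status, note=note)
        (suppressed if status == "suppressed" else open_).append(f)
    open_.sort(key=priority, reverse=True)
    gate_passes = all(
        f["status"] != "expired_waiver" and SEVERITY_RANK[f["severity"]] < SEVERITY_RANK[block_at]
        for f in open_
    )
    return open_, suppressed, gate_passes


if __name__ == "__main__":
    open_, suppressed, ok = triage(RAW_FINDINGS, VEX, WAIVERS, "2025-08-15")
    for f in open_:
        print(f"{f['status']:<15} {f['severity']:<8} {f['vuln']} {f['package']} via {sorted(f['scanners'])} {f['note']}")
    for f in suppressed:
        print(f"{f['status']:<15} {f['severity']:<8} {f['vuln']} {f['package']}: {f['note']}")
    print("PR gate:", "pass" if ok else "fail")
```

Two design choices carry the RV.2 intent: the merged record keeps the worst severity and the union of exploitability signals, so disagreement between scanners never hides the riskier view, and an expired waiver fails the gate rather than silently reverting to suppressed, which forces the owner to re-disposition the finding.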

Tasks

  • RV.3.1: Analyze identified vulnerabilities to determine their root causes.

  • RV.3.2: Analyze the root causes over time to identify patterns, such as a particular secure coding practice not being followed consistently.

  • RV.3.3: Review the software for similar vulnerabilities to eradicate a class of vulnerabilities, and proactively fix them rather than waiting for external reports.

  • RV.3.4: Review the SDLC process, and update it if appropriate to prevent (or reduce the likelihood of) the root cause recurring in updates to the software or in new software that is created.

Tools

  • SpotBugs + FindSecBugs: Maintains a “guardrail” ruleset for historical issues. Provides pattern-class eradication across modules.

  • Semgrep: Encodes root-cause analyses as rules (e.g., ban insecure APIs, enforce sanitizers) and runs them in PRs. Catches the class of bug that caused the incident.

  • OpenSSF Scorecard: Monitors repo hygiene signals (branch protection, dependency pinning, fuzzing, etc.) so improvements can be baked into the SDLC. Preventative controls aligned to root-cause themes.

  • CodeQL: Queries codebases to trace vulnerability origins (e.g., find all injection points).

  • SonarQube Community: Identifies code quality/security rule violations that may indicate systemic coding issues.

  • DefectDojo: Aggregates scanner results so patterns in vulnerability types are easier to spot.

  • Dependency-Track: Tracks vulnerable components and shows recurring dependency-related issues.

  • Grype: A vulnerability scanner for container images and file systems.

  • Syft: Correlates SBOMs across releases to identify repeated dependency issues.

  • Bandit (Python): Language-specific security scanner to identify the same flaw across multiple files.

  • Brakeman (Rails): Finds repeated insecure coding practices in Rails apps.

  • pre-commit: Enforces code quality/security hooks before commits.

  • Husky: Git hook automation for JavaScript/TypeScript projects to enforce checks.

  • Checkov: Prevents misconfigurations from being deployed by embedding into existing developer workflows.

  • tfsec: Adds IaC guardrails to prevent insecure configurations at commit time.

  • kics: Finds security vulnerabilities, compliance issues, and infrastructure misconfigurations.
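The RV.3.2 and RV.3.3 analysis above, looking across releases for root-cause classes that keep recurring, for fixes that regressed, and for other locations carrying the same class, as an added example that is not part of the original page and not code from DefectDojo, Dependency-Track, or any other tool listed. The finding history, file paths, and release names are constructed; root causes are tagged with CWE ids here only because that is a common way to name a class, and the output of guardrail_candidates is the list of classes worth encoding as a Semgrep/CodeQL/SpotBugs rule rather than fixing one occurrence at a time.

```python
"""Root-cause trend analysis across releases (added example; not code from any tool on the page)."""
from collections import defaultdict

# Constructed history of triaged findings: (release, root_cause_class, location, scanner).
HISTORY = [
    ("v1.0", "CWE-89",   "api/orders.py",    "semgrep"),
    ("v1.0", "CWE-798",  "cfg/settings.py",  "gitleaks"),
    ("v1.1", "CWE-89",   "api/reports.py",   "semgrep"),
    ("v1.1", "CWE-79",   "web/templates.py", "codeql"),
    ("v1.2", "CWE-79",   "web/templates.py", "codeql"),
    ("v1.2", "CWE-89",   "api/orders.py",    "codeql"),    # the v1.0 fix came back
    ("v1.2", "CWE-1104", "requirements.txt", "grype"),
    ("v1.3", "CWE-89",   "jobs/export.py",   "semgrep"),
    ("v1.3", "CWE-1104", "requirements.txt", "grype"),
]

# Release order matters for detecting "fixed, then reappeared".
RELEASE_ORDER = ["v1.0", "v1.1", "v1.2", "v1.3"]


def by_class(history):
    """Map root-cause class -> {release -> set(locations)}."""
    table = defaultdict(lambda: defaultdict(set))
    for release, cls, loc, _scanner in history:
        table[cls][release].add(loc)
    return table


def recurrence(history, releases=RELEASE_ORDER):
    """Per class: the releases it appeared in and every distinct location ever affected."""
    out = {}
    for cls, per_rel in by_class(history).items():
        locations = set().union(*per_rel.values())
        out[cls] = {"releases": [r for r in releases if r in per_rel],
                    "locations": sorted(locations)}
    return out


def regressions(history, releases=RELEASE_ORDER):
    """(class, location) pairs that disappeared in some release and reappeared later."""
    presence = defaultdict(set)
    for release, cls, loc, _scanner in history:
        presence[(cls, loc)].add(release)
    found = []
    for key, rels in presence.items():
        flags = [r in rels for r in releases]
        first = flags.index(True)
        # an absence after the first appearance that is followed by a later presence
        if any(not flags[i] and any(flags[i + 1:]) for i in range(first + 1, len(flags))):
            found.append(key)
    return sorted(found)


def guardrail_candidates(history, min_releases=2):
    """Classes seen in >= min_releases releases, or that regressed: encode as a rule, not a one-off fix."""
    stats = recurrence(history)
    regressed = {cls for cls, _loc in regressions(history)}
    return sorted(cls for cls, s in stats.items()
                  if len(s["releases"]) >= min_releases or cls in regressed)


def similar_in_release(history, cls, release):
    """RV.3.3: every location carrying the same root-cause class in the given release."""
    return sorted(loc for r, c, loc, _scanner in history if r == release and c == cls)


if __name__ == "__main__":
    for cls, s in sorted(recurrence(HISTORY).items()):
        print(f"{cls:<9} releases={s['releases']} locations={s['locations']}")
    print("regressed:", regressions(HISTORY))
    print("guardrail candidates:", guardrail_candidates(HISTORY))
    print("CWE-89 in v1.3:", similar_in_release(HISTORY, "CWE-89", "v1.3"))
```

On the constructed history, CWE-89 shows the two patterns RV.3.2 asks about at once: it surfaces in every release in a new file (a practice not followed consistently) and the api/orders.py occurrence was fixed in v1.1 and back in v1.2 (a fix that did not hold), so it is the clearest case for a blocking rule in PRs plus a review of the SDLC step that let the regression through (RV.3.4). The single CWE-798 finding is not promoted, which is the intended behaviour: one occurrence is a fix, a recurring class is a process problem.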

Last modified August 15, 2025