Respond to Vulnerabilities (RV)

Respond to Vulnerabilities (RV) for Build and Deploy CI/CD Steps

Respond to Vulnerabilities (RV): Organizations should identify residual vulnerabilities in their software releases and respond appropriately to address those vulnerabilities and prevent similar ones from occurring in the future.


RV.1

Identify and Confirm Vulnerabilities on an Ongoing Basis: Help ensure that vulnerabilities are identified more quickly so that they can be remediated more quickly in accordance with risk, reducing the window of opportunity for attackers.


To satisfy SSDF RV.1 in a build and deploy context using open-source tools, the focus shifts to continuously gathering vulnerability intelligence (from a vulnerability disclosure program and public sources), monitoring the components each release depends on, and confirming reported issues across all supported releases.

Tasks

RV.1.1: Gather information from software acquirers, users, and public sources on potential vulnerabilities in the software and third-party components that the software uses, and investigate all credible reports.

RV.1.2: Review, analyze, and/or test the software's code to identify or confirm the presence of previously undetected vulnerabilities.

RV.1.3: Have a policy that addresses vulnerability disclosure and remediation, and implement the roles, responsibilities, and processes needed to support that policy.

Tools

OSV-Scanner: Continuously scans manifests and lockfiles against the OSV database; useful for confirming new disclosures across all supported releases.

Ortelius: Continuously re-checks the Software Bill of Materials (SBOM) of each built artifact version against OSV.dev and reports vulnerabilities disclosed after the build.

OSV Vulnerability Database: Queries the OSV.dev database for known vulnerabilities (including CVEs) in open-source packages.

Grype: Scans container images and SBOMs for known vulnerabilities.

Vulners CLI/API: Aggregates multiple public vulnerability feeds.

cve-bin-tool: Checks binaries and installed components for known CVEs.

Semgrep: SAST for multiple languages with customizable rules. Run on pull requests and on merges to the main branch.

Bandit: Python security linting. Add to the Python project build stage.

SonarQube Community Edition: SAST and quality checks. Run in the build step; block deployment if high-severity issues are found.

OWASP ZAP: DAST; run a quick passive scan against the deployed staging app.

GitHub Security Policy (SECURITY.md): Public, discoverable location that tells reporters how to disclose.

Disclose.io templates: Vulnerability Disclosure Program policy and safe-harbor templates.

OpenSSF Vulnerability Disclosure Guide: Playbook for implementing disclosure.

RV.2

Assess, Prioritize, and Remediate Vulnerabilities: Help ensure that vulnerabilities are remediated in accordance with risk to reduce the window of opportunity for attackers.


To satisfy SSDF RV.2 in a build and deploy context using open-source tools, the focus shifts to:

  • Recording each vulnerability

  • Analyzing its risk (exploitability and impact)

  • Choosing a response, publishing advisories, and delivering remediations through trusted mechanisms, including temporary mitigations where a fix is not yet available

Tasks

RV.2.1: Analyze each vulnerability to gather sufficient information about risk to plan its remediation or other risk response.

RV.2.2: Plan and implement risk responses for vulnerabilities.

Tools

GUAC: Aggregates SBOMs, attestations, and vulnerability data into a graph to understand blast radius and prioritize fixes.

Renovate: Automates dependency upgrade and patch PRs with configurable policies (for example, auto-merging patch releases while scheduling major upgrades).

Ortelius: Exposes the blast radius of each vulnerability across live environments.

DefectDojo: Centralizes findings from SAST/DAST/SCA tools; deduplicates them and adds risk scoring.

OWASP Dependency-Track: SBOM-based vulnerability tracking with CVSS and EPSS scores and component metadata.

EPSS (Exploit Prediction Scoring System): Estimates the probability that a CVE will be exploited in the wild within the next 30 days; use it alongside CVSS for risk-based prioritization.

Vulners API: Provides exploit references, PoCs, and additional context per CVE.

CVSS Calculator (FIRST): Standardized severity scoring to support triage decisions.

Sigstore / Cosign: Sign remediated builds, and verify the signature at deploy time, so that fixes reach users through a trusted delivery mechanism.

OWASP ModSecurity CRS: Temporary WAF rules to mitigate unpatched web vulnerabilities until a fix ships.

Falco: Runtime threat detection for containers and Kubernetes; alerts on exploitation attempts against workloads that are not yet patched, and can drive automated response through Falcosidekick.
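The two steps above, confirming SBOM components against OSV (RV.1) and then ranking what comes back by risk rather than by CVSS alone (RV.2), are short enough to show end to end. The following is an added example, not code from Ortelius, OSV, or any other project listed here. It assumes a CycloneDX JSON SBOM with a purl on each component, the OSV batch endpoint (POST https://api.osv.dev/v1/querybatch) returning one result per query in query order, and that CVSS, EPSS, CISA KEV status and reachability for each finding are supplied by the caller (for instance from Dependency-Track, FIRST's EPSS feed, CISA KEV and GUAC). The sample SBOM, the sample OSV response and the priority thresholds are constructed for illustration.

```python
"""Confirm SBOM components against OSV (RV.1) and rank findings by risk (RV.2).

Added example; not Ortelius/OSV project code. Sample data and thresholds are
constructed assumptions, not values from any real project or standard.
"""
from __future__ import annotations

import json
import urllib.request
from dataclasses import dataclass

OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"

# Constructed CycloneDX SBOM: two queryable components, one without a purl.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.25.1",
         "purl": "pkg:pypi/requests@2.25.1"},
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "internal-lib", "version": "1.0.0"},
    ],
}

# Constructed OSV querybatch response for SAMPLE_SBOM (placeholder vuln ID).
SAMPLE_OSV_RESPONSE = {
    "results": [
        {"vulns": [{"id": "EXAMPLE-VULN-0001", "modified": "2025-01-01T00:00:00Z"}]},
        {"vulns": []},
    ]
}


def purls_from_cyclonedx(sbom: dict) -> list[str]:
    """Collect purls; components without one cannot be queried and are a blind spot."""
    return [c["purl"] for c in sbom.get("components", []) if c.get("purl")]


def build_querybatch(purls: list[str]) -> dict:
    """Body for POST /v1/querybatch: one package query per purl."""
    return {"queries": [{"package": {"purl": p}} for p in purls]}


def query_osv(payload: dict, timeout: int = 30) -> dict:
    """Live call to OSV (network); not exercised in the offline run."""
    req = urllib.request.Request(
        OSV_QUERYBATCH_URL,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def match_results(purls: list[str], response: dict) -> dict[str, list[str]]:
    """Pair each purl with the vuln IDs OSV returned; results are positional."""
    results = response.get("results", [])
    if len(results) != len(purls):
        raise ValueError(f"OSV returned {len(results)} results for {len(purls)} queries")
    matched: dict[str, list[str]] = {}
    for purl, result in zip(purls, results):
        ids = [v["id"] for v in (result.get("vulns") or [])]
        if ids:
            matched[purl] = ids
    return matched


@dataclass
class Finding:
    vuln_id: str
    purl: str
    cvss: float       # CVSS base score, 0-10
    epss: float       # EPSS probability, 0-1
    in_kev: bool      # listed in CISA KEV (known exploited)
    reachable: bool   # vulnerable code reachable from the product (assumed input)


def prioritise(f: Finding) -> str:
    """Illustrative policy: exploitation evidence outranks raw severity."""
    if f.in_kev or f.epss >= 0.5:
        return "P1-fix-now"
    if f.cvss >= 7.0 and f.reachable:
        return "P2-next-release"
    if f.cvss >= 7.0 or f.epss >= 0.1:
        return "P3-scheduled"
    return "P4-track"


def remediation_plan(findings: list[Finding]) -> dict[str, list[str]]:
    """Group vuln IDs by priority (highest first) so the plan can be recorded per RV.2.2."""
    plan: dict[str, list[str]] = {}
    for f in findings:
        plan.setdefault(prioritise(f), []).append(f.vuln_id)
    return dict(sorted(plan.items()))


if __name__ == "__main__":
    purls = purls_from_cyclonedx(SAMPLE_SBOM)
    # For live data replace SAMPLE_OSV_RESPONSE with query_osv(build_querybatch(purls)).
    print(json.dumps(match_results(purls, SAMPLE_OSV_RESPONSE), indent=2))
```

The length check in match_results matters: OSV's batch response is positional, so a silently short result list would shift every purl onto the wrong vulnerability set. Components with no purl are skipped rather than guessed; report them separately, since an unqueryable component is exactly the kind of gap RV.1.1 asks you to close.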


RV.3

Analyze Vulnerabilities to Identify Their Root Causes: Help reduce the frequency of vulnerabilities in the future.



To satisfy SSDF RV.3 in a build and deploy context using open-source tools, the focus shifts to:

  • Capturing root causes & lessons learned

  • Detecting recurring patterns over time

Tasks

RV.3.1: Analyze identified vulnerabilities to determine their root causes.

RV.3.2: Analyze the root causes over time to identify patterns, such as a particular secure coding practice not being followed consistently.

RV.3.3: Review the software for similar vulnerabilities to eradicate a class of vulnerabilities, and proactively fix them rather than waiting for external reports.

RV.3.4: Review the SDLC process, and update it if appropriate to prevent (or reduce the likelihood of) the root cause recurring in updates to the software or in new software that is created.

Tools

Semgrep: Write org-specific rules that detect the root-cause pattern; scan all repos to eradicate the whole class of bugs.

CodeQL: Deep semantic code queries to identify the precise coding constructs that lead to vulnerabilities.

SonarQube CE: Provides issue traces, rule violations, and security hotspots that point at root causes.

DefectDojo: Tracks findings and their metadata; root-cause notes can be attached to each finding.

Dependency-Track: Long-term tracking of vulnerable components to surface recurring dependency issues.

Grafeas: Metadata API for recording security events (scans, attestations) across builds and releases.

cwe-checker: Detects weakness patterns (CWEs) in binaries; useful for compiled artifacts.

Joern: Open-source code analysis platform (code property graphs) for hunting bug patterns at scale.

OWASP SAMM (Software Assurance Maturity Model, formerly OpenSAMM): Framework for measuring and improving secure development lifecycle practices.

OpenSSF Scorecard: Automated repository security health checks (branch protection, dependency pinning, CI hardening).

OSCAL (NIST): Machine-readable standard for documenting controls, assessments, and SDLC security improvements.

Allstar (OpenSSF): Continuously enforces security policies across GitHub organizations and repositories.
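RV.3.2 and RV.3.3 only work if root-cause data is actually aggregated over time, which none of the trackers above does out of the box in the form an SDLC review needs. The following is an added example, not DefectDojo or Dependency-Track code, showing the analysis a security team would run over an export of closed findings: count findings per CWE per quarter, flag CWEs that keep recurring (candidates for an SDLC change under RV.3.4 rather than another one-off fix), and list the components with the most findings (where to start the similar-vulnerability sweep under RV.3.3). The export format (a list of dicts with id, cwe, component, found date and root_cause note), the sample findings and the recurrence thresholds are constructed assumptions.

```python
"""Aggregate root causes (CWEs) over time to spot recurring patterns (RV.3.2/3.3).

Added example; not DefectDojo/Dependency-Track code. The export shape, the
sample findings and the thresholds are constructed assumptions.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from datetime import date

# Constructed export of closed findings (IDs, components and dates are made up).
SAMPLE_FINDINGS = [
    {"id": "F-1", "cwe": "CWE-79", "component": "web-ui", "found": "2024-10-03",
     "root_cause": "template rendered untrusted input without escaping"},
    {"id": "F-2", "cwe": "CWE-79", "component": "web-ui", "found": "2024-11-20",
     "root_cause": "manual string concatenation bypassed auto-escaping"},
    {"id": "F-3", "cwe": "CWE-502", "component": "api", "found": "2024-12-01",
     "root_cause": "pickle used for session cache"},
    {"id": "F-4", "cwe": "CWE-79", "component": "admin-portal", "found": "2025-01-15",
     "root_cause": "reflected query parameter in error page"},
    {"id": "F-5", "cwe": "CWE-89", "component": "api", "found": "2025-02-02",
     "root_cause": "f-string built SQL in reporting endpoint"},
    {"id": "F-6", "cwe": "CWE-79", "component": "web-ui", "found": "2025-04-09",
     "root_cause": "innerHTML assignment in new widget"},
    {"id": "F-7", "cwe": "CWE-502", "component": "api", "found": "2024-12-15",
     "root_cause": "yaml.load without SafeLoader"},
]


def quarter_of(iso_date: str) -> str:
    """Bucket a date into a calendar quarter label such as 2025-Q1."""
    d = date.fromisoformat(iso_date)
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def cwe_trend(findings: list[dict]) -> dict[str, dict[str, int]]:
    """Count findings per CWE per quarter: {cwe: {quarter: n}}."""
    trend: dict[str, Counter] = defaultdict(Counter)
    for f in findings:
        trend[f["cwe"]][quarter_of(f["found"])] += 1
    return {cwe: dict(per_q) for cwe, per_q in trend.items()}


def recurring_cwes(findings: list[dict], min_quarters: int = 2, min_total: int = 3) -> list[str]:
    """CWEs seen in at least min_quarters distinct quarters with at least min_total
    findings overall: a practice not being followed consistently, per RV.3.2,
    rather than an isolated mistake. Thresholds are an assumed policy."""
    out = []
    for cwe, per_q in cwe_trend(findings).items():
        if len(per_q) >= min_quarters and sum(per_q.values()) >= min_total:
            out.append(cwe)
    return sorted(out)


def component_hotspots(findings: list[dict]) -> list[tuple[str, int]]:
    """Components ranked by finding count: where to sweep first for similar bugs (RV.3.3)."""
    return Counter(f["component"] for f in findings).most_common()


def root_cause_notes(findings: list[dict], cwe: str) -> list[str]:
    """Pull the triage notes for one CWE so the SDLC review (RV.3.4) can read them together."""
    return [f["root_cause"] for f in findings if f["cwe"] == cwe]


if __name__ == "__main__":
    for cwe in recurring_cwes(SAMPLE_FINDINGS):
        print(cwe, cwe_trend(SAMPLE_FINDINGS)[cwe])
        for note in root_cause_notes(SAMPLE_FINDINGS, cwe):
            print("  -", note)
    print("hotspots:", component_hotspots(SAMPLE_FINDINGS))
```

On the constructed data, CWE-79 recurs across three quarters and three different root-cause notes, which is the signal that an escaping convention (and a Semgrep or CodeQL rule enforcing it) belongs in the SDLC, whereas the two CWE-502 findings in one quarter read as a single incident to fix and sweep for.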

Last modified August 18, 2025