漏洞掃描與修補
Security8 個節點 · 8 條連接security
視覺化
ex-vulnerability-scan.osop.yaml
# Vulnerability Scanning and Remediation Workflow
# Scan, triage, assign, fix, verify, and close security vulnerabilities
osop_version: "2.0"
id: vulnerability-scan
name: "漏洞掃描與修補"
nodes:
- id: scan_infrastructure
type: cli
purpose: Run vulnerability scanners across containers, dependencies, and infrastructure
runtime:
command: |
trivy image --severity HIGH,CRITICAL --format json -o scan-containers.json ${IMAGE_LIST} &&
trivy fs --severity HIGH,CRITICAL --format json -o scan-deps.json . &&
nuclei -t cves/ -target ${TARGET_URL} -json -o scan-network.json
outputs: [container_findings, dependency_findings, network_findings, total_vulnerabilities]
timeout_sec: 1800
retry_policy:
max_retries: 2
backoff_sec: 30
security:
credentials: [NUCLEI_TEMPLATES_TOKEN]
- id: deduplicate_and_enrich
type: cli
purpose: Deduplicate findings, enrich with EPSS scores and exploit availability data
runtime:
command: |
python enrich_vulns.py \
--input scan-containers.json scan-deps.json scan-network.json \
--epss-api https://api.first.org/data/v1/epss \
--cisa-kev \
--output enriched-findings.json
inputs: [container_findings, dependency_findings, network_findings]
outputs: [enriched_findings, critical_count, high_count, exploitable_count]
timeout_sec: 120
- id: triage
type: agent
purpose: AI-assisted triage to prioritize vulnerabilities by exploitability and blast radius
runtime:
provider: anthropic
model: claude-sonnet-4-20250514
config:
system_prompt: |
You are a security analyst. Prioritize vulnerabilities by:
1. CISA KEV listed (highest priority)
2. EPSS score > 0.5
3. Network-reachable services
4. Blast radius (data exposure, lateral movement)
inputs: [enriched_findings]
outputs: [prioritized_findings, risk_matrix, recommended_actions]
timeout_sec: 60
- id: create_tickets
type: api
purpose: Create Jira tickets for each prioritized finding with remediation guidance
runtime:
endpoint: /rest/api/3/issue/bulk
method: POST
url: https://jira.internal
inputs: [prioritized_findings, recommended_actions]
outputs: [ticket_ids, assignment_map]
security:
auth: bearer_token
secret_ref: JIRA_API_TOKEN
timeout_sec: 30
- id: assign_owners
type: cli
purpose: Auto-assign tickets to code owners based on CODEOWNERS and git blame
runtime:
command: |
python assign_vuln_owners.py \
--findings enriched-findings.json \
--codeowners .github/CODEOWNERS \
--jira-tickets ${ticket_ids}
inputs: [ticket_ids, prioritized_findings]
outputs: [assigned_count, owner_notifications]
timeout_sec: 30
- id: fix_and_patch
type: human
purpose: Engineers apply patches, update dependencies, or implement mitigations
role: developer
inputs: [ticket_ids, recommended_actions]
outputs: [fix_commits, remaining_tickets]
timeout_sec: 604800
explain: "SLA: Critical 48h, High 7 days. Tracked via Jira workflow transitions."
- id: verify_fixes
type: cli
purpose: Re-scan fixed components to confirm vulnerabilities are resolved
runtime:
command: |
python verify_fixes.py \
--tickets ${ticket_ids} \
--rescan \
--output verification-report.json
inputs: [fix_commits]
outputs: [verified_count, still_open_count, verification_report]
timeout_sec: 600
- id: close_and_report
type: api
purpose: Close resolved tickets and generate executive vulnerability report
runtime:
endpoint: /rest/api/3/issue/bulk/transition
method: POST
url: https://jira.internal
inputs: [verification_report, ticket_ids]
outputs: [closed_tickets, executive_report_url]
security:
auth: bearer_token
secret_ref: JIRA_API_TOKEN
edges:
- from: scan_infrastructure
to: deduplicate_and_enrich
mode: sequential
- from: deduplicate_and_enrich
to: triage
mode: sequential
- from: triage
to: create_tickets
mode: sequential
- from: create_tickets
to: assign_owners
mode: sequential
- from: assign_owners
to: fix_and_patch
mode: sequential
- from: fix_and_patch
to: verify_fixes
mode: sequential
- from: verify_fixes
to: close_and_report
mode: conditional
condition: "still_open_count == 0"
- from: verify_fixes
to: fix_and_patch
mode: fallback
label: "Some fixes failed verification, return to remediation"