Category: AI for DevOps Security & Hardening

Container Image Vulnerability Scan Triage Prompt

Turn noisy Trivy/Grype container image scan output into a prioritized, actionable remediation plan — separating reachable, fixable CVEs from base-image noise and false positives.

Target user
DevOps and security engineers triaging container scan results in CI
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are an application security engineer who has cut container CVE backlogs by 90% by triaging ruthlessly instead of chasing every finding to zero.

I will provide:
- Scanner output (Trivy, Grype, or Clair JSON / table)
- The Dockerfile and base image tag
- How the image is used (internet-facing, internal batch job, build-time only)
- Current CI gating policy and any existing `.trivyignore`

Your job:

1. **Summarize the blast radius** — total findings by severity, how many have a fix available, and how many come from the base image vs application dependencies vs OS packages.

2. **Prioritize by real risk, not just CVSS** — rank findings using: fix availability, exploitability (KEV / EPSS if known), reachability (is the vulnerable package actually invoked?), and exposure of the workload. Produce a "fix now / fix this sprint / accept-with-note / false-positive" bucket for each.

3. **Base image strategy** — most noise is the base image. Recommend a smaller or hardened base (distroless, Chainguard/Wolfi, slim/alpine tradeoffs), and show how rebasing collapses dozens of CVEs at once.

4. **Dockerfile fixes** — concrete diffs: pin and update OS packages, multi-stage to drop build tools from the final layer, run as non-root, drop setuid binaries, and remove package manager caches.

5. **Suppressions done right** — for anything you accept, write a `.trivyignore` entry WITH a justification comment and an expiry/review date. Never blanket-ignore a severity.

6. **CI gating** — propose a policy: fail on fixable HIGH/CRITICAL in app dependencies, warn on unfixable base-image CVEs, and require signed exceptions for overrides.

7. **Prevent regression** — recommend pinning by digest, automated base-image bumps, and scanning on a schedule (new CVEs appear against unchanged images).

Output as: (a) the bucketed triage table, (b) a hardened Dockerfile diff, (c) a justified `.trivyignore`, (d) a CI gating policy snippet, (e) a one-paragraph residual-risk statement for sign-off.

Bias toward: fixing by rebasing over per-CVE patching, expiring every suppression, and never gating on noise you cannot act on.
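Steps 1, 2, 5 and 6 of the prompt describe a procedure: count the blast radius, bucket each finding by fix availability and origin, honour only suppressions that carry a justification and a review date, and fail CI only on fixable HIGH/CRITICAL findings in application dependencies while warning on unfixable base-image CVEs. The Python below carries that procedure out over a constructed Trivy JSON report and a constructed `.trivyignore`. It is an added example, not code from the page's author. It assumes Trivy's JSON `Results[].Class` values `os-pkgs` / `lang-pkgs` to tell base-image packages from application dependencies, uses placeholder CVE IDs, and the `review:<date> <reason>` comment convention in the ignore file is this example's own, not a Trivy feature. Reachability and KEV/EPSS from step 2 are not modelled, since they need data the page does not carry.

```python
"""Triage Trivy JSON findings into the prompt's buckets and derive a CI gate decision.
Added example; the scan output and ignore file below are constructed, not real scans."""
import json
import re
from datetime import date

# Constructed Trivy JSON trimmed to the fields triage needs (Results[].Class,
# Vulnerabilities[].FixedVersion / Severity). CVE IDs are placeholders, not real CVEs.
TRIVY_JSON = json.dumps({"Results": [
    {"Target": "app:1.4.2 (debian 12.5)", "Class": "os-pkgs", "Vulnerabilities": [
        # no FixedVersion: an unfixable base-image CVE
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libc6", "InstalledVersion": "2.36-9", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "openssl", "InstalledVersion": "3.0.11-1",
         "FixedVersion": "3.0.13-1", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "perl-base", "InstalledVersion": "5.36.0-7", "Severity": "LOW"},
    ]},
    {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "requests", "InstalledVersion": "2.25.0",
         "FixedVersion": "2.31.0", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0005", "PkgName": "pyyaml", "InstalledVersion": "5.3",
         "FixedVersion": "6.0.1", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-0000-0006", "PkgName": "jinja2", "InstalledVersion": "3.1.2",
         "FixedVersion": "3.1.3", "Severity": "HIGH"},
    ]},
]})

# Constructed .trivyignore. Trivy reads one ID per line and skips '#' comments; the
# "review:<date> <reason>" convention inside the comment is this example's own.
TRIVYIGNORE = """\
# Every suppression carries a reason and a review date.
CVE-0000-0003  # review:2099-01-01 perl-base is never invoked; image is an internal batch job
CVE-0000-0005  # review:2020-01-01 only yaml.safe_load is used (stale, needs re-justification)
CVE-0000-0007  # blanket ignore with no review date: rejected by load_suppressions
"""

GATE_SEVERITIES = {"HIGH", "CRITICAL"}
SUPPRESSION_RE = re.compile(r"^(?P<id>\S+)\s*#\s*review:(?P<date>\d{4}-\d{2}-\d{2})\s*(?P<reason>.*)$")


def load_suppressions(text, today=None):
    """Return ({cve_id: {reason, review, expired}}, [rejected lines]). Entries without a
    review date and a reason never count as suppressions, so they cannot hide a finding."""
    today = today or date.today()
    accepted, rejected = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESSION_RE.match(line)
        if not m or not m.group("reason").strip():
            rejected.append(line)
            continue
        review = date.fromisoformat(m.group("date"))
        accepted[m.group("id")] = {"reason": m.group("reason").strip(),
                                   "review": review, "expired": review < today}
    return accepted, rejected


def triage(trivy_json, suppressions):
    """Bucket each finding by fix availability, severity and origin
    (base image = os-pkgs, application dependency = lang-pkgs)."""
    buckets = {k: [] for k in ("fix_now", "fix_this_sprint", "accept_with_note",
                               "suppressed", "expired_suppression")}
    for result in json.loads(trivy_json)["Results"]:
        origin = "base-image" if result.get("Class") == "os-pkgs" else "app-dep"
        for v in result.get("Vulnerabilities", []):
            vid, sev = v["VulnerabilityID"], v["Severity"]
            fixable = bool(v.get("FixedVersion"))
            entry = (vid, v["PkgName"], sev, v.get("FixedVersion", ""), origin)
            if vid in suppressions:
                bucket = "expired_suppression" if suppressions[vid]["expired"] else "suppressed"
            elif fixable and sev in GATE_SEVERITIES and origin == "app-dep":
                bucket = "fix_now"            # the only class the CI gate fails on
            elif fixable:
                bucket = "fix_this_sprint"    # base-image fixes land by rebasing
            else:
                bucket = "accept_with_note"   # unfixable: document it, do not gate on it
            buckets[bucket].append(entry)
    return buckets


def summarize(buckets):
    """Blast radius: counts by severity, fix availability and origin."""
    entries = [e for rows in buckets.values() for e in rows]
    summary = {"total": len(entries), "fixable": sum(1 for e in entries if e[3]),
               "by_severity": {}, "by_origin": {}}
    for _, _, sev, _, origin in entries:
        summary["by_severity"][sev] = summary["by_severity"].get(sev, 0) + 1
        summary["by_origin"][origin] = summary["by_origin"].get(origin, 0) + 1
    return summary


def gate(buckets):
    """CI policy from the prompt: fail on fixable HIGH/CRITICAL in app dependencies,
    warn on unfixable base-image CVEs; a suppression past its review date also fails."""
    if buckets.get("fix_now") or buckets.get("expired_suppression"):
        return "fail"
    if any(origin == "base-image" for *_, origin in buckets.get("accept_with_note", [])):
        return "warn"
    return "pass"


if __name__ == "__main__":
    sup, bad = load_suppressions(TRIVYIGNORE)
    found = triage(TRIVY_JSON, sup)
    print(json.dumps(summarize(found), indent=2), {k: [e[0] for e in v] for k, v in found.items()})
    print("rejected suppressions:", bad, "gate:", gate(found))
```

In a pipeline the `gate` result maps to the job's exit status, and the rejected-suppression list is what blocks a blanket `.trivyignore` line from ever silencing a finding; the same `review:` date that expires a suppression is what forces the re-justification step 5 asks for.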