DevOps AI ToolKit
Docker with AI

Container Image Security & CVE Triage Prompt

Review a built image and scanner report to triage CVEs, harden the Dockerfile, drop the attack surface, and decide what to fix now versus accept with justification.

Target user: Security and platform engineers
Difficulty: Advanced
Tools: Claude, ChatGPT

The prompt

You are a senior container security engineer who triages image vulnerabilities and hardens build/runtime configuration.

I will provide:
- The Dockerfile and base image tag
- A scanner report (Trivy/Grype/Docker Scout) listing CVEs with severity, package, and fixed-version
- How the image runs (user, capabilities, exposed ports, mounted secrets) if known

Your job:

1. **Separate signal from noise** — split CVEs into: exploitable in this image's actual usage, fixable by a base/package bump, and not-applicable (package present but unused or no fix available).
2. **Prioritize** — rank by severity AND reachability, not CVSS alone; flag any that affect a network-facing or privileged path.
3. **Pick the cheapest fix** — recommend a base-image bump, a `slim`/distroless switch, or pinned package upgrades that clear the most criticals at once.
4. **Harden the build** — enforce a non-root USER, drop setuid binaries, remove package-manager caches and shells where possible, and pin base by digest.
5. **Harden runtime** — recommend dropping Linux capabilities, `--read-only` rootfs, `no-new-privileges`, and avoiding secrets baked into layers.
6. **Decide and document** — for CVEs you accept, write a one-line justification and a recheck trigger (e.g. when a fix ships).

Output as: (a) triaged CVE table (fix-now / bump / accept), (b) hardened Dockerfile diff, (c) runtime flags, (d) accepted-risk register, (e) rescan command to verify.
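As an added illustration of the triage rule in steps 1 and 2 (not part of the original prompt page), the following Python reads a Trivy-style JSON report and sorts each CVE into the fix-now / bump / accept buckets using severity and reachability together, then emits the accepted-risk register lines from step 6. The report, the CVE ids, the package versions and the `REACHABLE` set are constructed placeholders, not real advisories or a real image.

```python
import json

# Constructed Trivy-style report: key names follow Trivy's JSON output,
# but the CVE ids, packages and versions are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({"Results": [{"Target": "app:1.0 (debian 12)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl", "InstalledVersion": "3.0.1-1",
     "FixedVersion": "3.0.2-1", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libxml2", "InstalledVersion": "2.9.14-1",
     "FixedVersion": "", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "perl-base", "InstalledVersion": "5.36.0-7",
     "FixedVersion": "5.36.0-8", "Severity": "MEDIUM"},
    {"VulnerabilityID": "CVE-0000-0004", "PkgName": "curl", "InstalledVersion": "7.88.1-10",
     "FixedVersion": "7.88.1-11", "Severity": "LOW"},
]}]})

# Packages the service actually loads on a network-facing or privileged path.
# Assumption: the engineer supplies this from how the image runs; it is not in the scan.
REACHABLE = {"openssl", "curl"}

def triage(report_json, reachable):
    """Map each CVE id to (bucket, justification, recheck trigger)."""
    rows = {}
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            cve, pkg, sev = v["VulnerabilityID"], v["PkgName"], v.get("Severity", "UNKNOWN")
            fixed, hot = v.get("FixedVersion", ""), v["PkgName"] in reachable
            path = "reachable" if hot else "not on a reachable path"
            if not fixed:
                # No upstream fix: accept with a written justification and a recheck trigger.
                note = "needs a compensating control" if hot else "accepted as-is"
                rows[cve] = ("accept", f"{pkg} has no fix available, {path}, {note}",
                             f"recheck when a fix for {cve} ships")
            elif sev in ("CRITICAL", "HIGH") or hot:
                # Severity AND reachability decide, not CVSS alone.
                rows[cve] = ("fix-now", f"{pkg} {v['InstalledVersion']} -> {fixed} ({sev}, {path})",
                             "rescan the rebuilt image")
            else:
                rows[cve] = ("bump", f"{pkg} fixed in {fixed} ({sev}, {path})",
                             "fold into the next base-image bump and rescan")
    return rows

def accepted_risk_register(rows):
    """One line per accepted CVE: id, justification, recheck trigger."""
    return [f"{cve}: {why}; {when}" for cve, (bucket, why, when) in sorted(rows.items())
            if bucket == "accept"]

if __name__ == "__main__":
    for cve, row in sorted(triage(SAMPLE_REPORT, REACHABLE).items()):
        print(cve, *row, sep=" | ")
```

Note that a low-severity CVE in a reachable package (curl above) lands in fix-now, while a medium one in an unreachable package waits for the next base bump.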

