Container Image CVE Remediation Plan Prompt
Turn a noisy container image vulnerability scan into a prioritized, action-ready remediation plan that separates base-image fixes from application-dependency fixes and from unfixable noise.
- Target user: Platform engineers and DevSecOps practitioners
- Difficulty: Intermediate
- Tools: Claude, ChatGPT
The prompt
You are a senior DevSecOps engineer who triages container image vulnerability scans and produces remediation plans that developers can actually execute without chasing false alarms.

I will provide:

- The Dockerfile (or build config) and the resolved base image tag/digest
- A scanner report (Trivy, Grype, or Docker Scout) listing CVEs with severity, package, installed version, and fixed version
- Context: what the image runs (web service, batch job, sidecar), its exposure (internet-facing vs internal), and any compliance gate (e.g. block on Critical/High with a fix)

Do the following:

1. **Deduplicate and bucket** every finding into: (a) base-OS package CVEs fixable by a base bump, (b) application/language dependency CVEs, (c) findings with no upstream fix yet, (d) likely false positives or non-applicable (component present but not reachable).
2. **Prioritize** by severity x exploitability x exposure, not raw count — flag anything with a known exploited (KEV) status or a network-reachable attack path first.
3. **Recommend the smallest fix** per bucket: a base-image bump to a specific patched digest, a pinned dependency upgrade, or a multi-stage/distroless change to drop the vulnerable package entirely.
4. **Quantify the win** — estimate how many findings each action clears so effort maps to impact.
5. **Handle the unfixable** — propose justified, time-boxed exceptions (.trivyignore / VEX) with an owner and review date, never a blanket suppression.
6. **Prevent regression** — suggest the CI gate threshold and a base-image refresh cadence.

Output as: a prioritized remediation table (finding bucket, action, findings cleared, effort), the exact Dockerfile/dependency diffs, and a short exceptions register. This is a defensive review — recommend fixes and gates only, no exploitation steps.
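Steps 1, 2 and 4 of the prompt, as an added example that is not part of the prompt library: a Python triage over a constructed Trivy-style JSON report (the CVE IDs are placeholders) that deduplicates on (CVE, package), buckets each finding, orders the fixable ones by severity x KEV status x exposure, and counts what each action clears. The `kev_ids` and `not_reachable` sets are assumed inputs the caller supplies from the KEV catalog and from reachability analysis.

```python
"""Triage a Trivy-style JSON scan into the prompt's four buckets, then prioritize and quantify."""
import json
# Constructed sample in Trivy's JSON layout; the CVE IDs are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "app:1.0 (debian 12)", "Class": "os-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "FixedVersion": "3.0.2", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "FixedVersion": "3.0.2", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc6", "FixedVersion": "", "Severity": "LOW"},
    ]},  # second libssl3 row is a duplicate, as scanners often emit; libc6 has no upstream fix yet
    {"Target": "/app/go.sum", "Class": "lang-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "golang.org/x/net", "FixedVersion": "0.17.0", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "example.com/unused-lib", "FixedVersion": "1.0.1", "Severity": "HIGH"},
    ]},  # unused-lib is listed in go.sum but never imported, so it is a non-applicable finding
]})
SEVERITY_WEIGHT = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

def bucket_findings(report_json, kev_ids=frozenset(), not_reachable=frozenset()):
    """Deduplicate on (CVE, package) and bucket into base_image / app_dependency / no_fix / not_applicable."""
    buckets = {"base_image": [], "app_dependency": [], "no_fix": [], "not_applicable": []}
    seen = set()
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # Trivy emits null when a target has none
            key = (v["VulnerabilityID"], v["PkgName"])
            if key in seen:
                continue
            seen.add(key)
            finding = {"id": key[0], "pkg": key[1], "severity": v.get("Severity", "UNKNOWN"),
                       "fixed": v.get("FixedVersion") or None, "kev": key[0] in kev_ids}
            if key[0] in not_reachable:             # (d) component present but not reachable
                buckets["not_applicable"].append(finding)
            elif finding["fixed"] is None:          # (c) no upstream fix: exception candidate
                buckets["no_fix"].append(finding)
            elif result.get("Class") == "os-pkgs":  # (a) cleared by a base-image bump
                buckets["base_image"].append(finding)
            else:                                   # (b) pinned application dependency upgrade
                buckets["app_dependency"].append(finding)
    return buckets

def prioritize(findings, internet_facing):
    """Order by severity x exploitability (KEV) x exposure; anything on the KEV list always sorts first."""
    def score(f):
        return SEVERITY_WEIGHT.get(f["severity"], 0) * (3 if f["kev"] else 1) * (2 if internet_facing else 1)
    return sorted(findings, key=lambda f: (not f["kev"], -score(f), f["id"]))

def findings_cleared(buckets):
    """Quantify the win: how many deduplicated findings each remediation action clears."""
    return {"base-image bump": len(buckets["base_image"]),
            "dependency upgrades": len(buckets["app_dependency"]),
            "time-boxed exception (VEX/.trivyignore)": len(buckets["no_fix"]) + len(buckets["not_applicable"])}
```

Feeding a real `trivy image --format json` report into `bucket_findings` works the same way, since only the `Results[].Class` and `Results[].Vulnerabilities[]` fields are read.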
Related prompts
- Container Image Vulnerability Scan Triage Prompt: Turn noisy Trivy/Grype container image scan output into a prioritized, actionable remediation plan — separating reachable, fixable CVEs from base-image noise and false positives.
- Distroless & Minimal Base Image Migration Prompt: Plan a migration of container images to distroless or minimal bases to shrink attack surface, remove shells and package managers, and cut CVE noise without breaking runtime.
- Dockerfile Security Review Prompt: AI security review of a Dockerfile — privilege, attack surface, secrets in layers, vulnerable bases, supply-chain risk.