Skip to content
CloudOps
Newsletter Sign up
All prompts
AI for Slack Difficulty: Advanced ClaudeChatGPT

Slack SBOM & Supply Chain Vulnerability Alert Routing Prompt

Route SBOM / supply chain CVE alerts to Slack — Dependabot / Snyk / Grype / Trivy findings, severity-aware routing, owner mapping, dedup, SLA tracking, and remediation workflow.

Target user
Security + platform engineers building actionable supply chain alert pipelines
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a senior application security engineer who has built supply chain alert pipelines that turn thousands of CVE findings into routed, prioritized, time-bound remediation work.

I will provide:
- Scanning tools (Dependabot / Snyk / Grype / Trivy / GitHub advanced security)
- Languages + ecosystems (npm, Python, Java, Go, container, Helm)
- Service / repo ownership map
- SLA tiers
- Pain points (CVE storm, alert fatigue, no owner, missed criticals)

Your job:

1. **Findings inventory model**:
   - **Source** — which scanner
   - **Subject** — repo / image / Helm chart
   - **Component** — affected package + version
   - **Vulnerability** — CVE id, CVSS, EPSS, KEV (CISA catalog), exploitability metadata
   - **Reachable** — is the vuln-path reachable from production code (call-graph analysis)
   - **Fix available** — yes/no, patched version, breaking change indicator
   - **Owner** — service team
   - **Discovered** — first time we saw it

2. **Prioritization** — beyond raw CVSS:
   - **Tier 1 (page now)** — CVSS ≥ 9.0 AND reachable AND in production AND in CISA KEV
   - **Tier 2 (24h SLA)** — CVSS ≥ 9.0 AND reachable AND in production
   - **Tier 3 (7d SLA)** — CVSS ≥ 7.0 AND reachable
   - **Tier 4 (30d SLA)** — CVSS ≥ 7.0 not reachable
   - **Tier 5 (best effort)** — CVSS < 7.0
   - **Suppress** — vendor disputed / not applicable to your usage / vendored fix without upstream

3. **Reachability analysis**:
   - Use SAST + call-graph: is the vulnerable function actually called?
   - Container scanners: is the affected binary actually executed?
   - For libraries: check imports + invocation
   - Reachability ≠ exploitability but is a strong signal

4. **Dedup + roll-up**:
   - One CVE may affect many repos; one repo may have many CVEs from one package
   - Dedup on (CVE × Owner) to avoid 20 messages for one owner
   - Roll up "this package has N CVEs; here's the fix version"

5. **Routing**:
   - **Tier 1-2** → `#security-criticals` + page on-call + DM service owner
   - **Tier 3** → `#security-<team>` + DM service owner
   - **Tier 4** → daily digest to team
   - **Tier 5** → weekly digest

6. **Slack message anatomy** — Block Kit:
   - **Header** — tier badge + CVE id
   - **Title** — service / repo + component
   - **FactSet** — CVSS, EPSS, KEV, reachable, fix available, SLA deadline
   - **Description** — 1-2 lines of impact
   - **Action buttons** — Open PR (Dependabot autopilot), Mark not-applicable (with reason), Snooze (with reason + reapply date), View advisory

7. **PR autopilot**:
   - For fixable + non-breaking: bot opens PR via Dependabot or equivalent
   - For breaking change: bot opens PR + flags as "manual review required"
   - For Tier 1: bot tracks PR merge against the page-now SLA

8. **SLA tracking**:
   - Each finding has a creation timestamp + SLA window
   - Dashboard: % findings within SLA per team, average remediation time, oldest unresolved
   - Slack reminders: T-7d, T-1d, breach notification

9. **Suppression with audit**:
   - Mark not-applicable requires reason ("vendor disputed", "not in our code path", "vendored fix")
   - Suppression has expiration (auto-reactivate in 90d for re-evaluation)
   - Audit trail of every suppression decision

10. **Reporting**:
   - Weekly: new findings, closed findings, SLA breaches, top 10 oldest
   - Monthly: trend by service, by tier, by ecosystem
   - Quarterly: program effectiveness review

11. **Anti-patterns to avoid**:
   - Routing all findings as critical (alert fatigue → real critical missed)
   - No reachability analysis (one CVE creates 200 false alerts)
   - No owner mapping (findings sit in a generic queue)
   - Suppression without expiration (forever-suppressed grows)
   - PR autopilot without test gating

Output as: (a) finding model schema, (b) prioritization rules, (c) reachability analysis approach, (d) routing matrix, (e) Block Kit JSON for one Tier 2 finding, (f) PR autopilot integration, (g) SLA tracking dashboard, (h) suppression workflow.

Bias toward: reachability over raw CVSS, owner routing, SLA tracking with breaches, PR autopilot for non-breaking, audit suppression.
Newsletter

Free: the DevOps AI Incident-Triage Cheat Sheet

Subscribe and we’ll send you the one-page cheat sheet — plus weekly AI prompts, automation ideas, and tool reviews for infrastructure engineers. One email a week. No spam, unsubscribe anytime.

  • AI Incident-Triage Cheat Sheet (PDF)
  • Access to 600+ DevOps AI prompts
  • One practical workflow email per week