Vulnerability Scanning and AI Triage

Use AI to scan code, dependencies, and containers for vulnerabilities, then prioritize fixes by actual risk — not just CVSS score.

Premium Course Content

This lesson is part of a premium course. Upgrade to Pro to unlock all premium courses and content.

Access all premium courses
1000+ AI skill templates included
New content added weekly

← Back to course overview

Your scanner found 500 vulnerabilities. Time to fix them all? Not quite. AI triage separates the 50 that could actually hurt you from the 450 that are noise.

🔄 Quick Recall: In the previous lesson, you learned how AI transforms the DevSecOps equation — making security faster instead of slower. Vulnerability scanning is where this starts: finding issues early, and more importantly, knowing which ones to fix first.

Types of Security Scanning

Scan Type	What It Checks	AI Enhancement
SAST (Static Analysis)	Source code for security flaws	AI reduces false positives by understanding framework context
SCA (Software Composition Analysis)	Dependencies for known CVEs	AI adds reachability analysis — is the vulnerable function called?
DAST (Dynamic Analysis)	Running application for exploitable vulnerabilities	AI correlates findings with SAST results for higher confidence
Container Scanning	Docker images for vulnerable packages	AI prioritizes by runtime exposure and network access
IaC Scanning	Terraform/K8s configs for misconfigurations	AI suggests specific fixes (covered in Lesson 3)

AI-Powered Vulnerability Triage

The Triage Prompt

Analyze this vulnerability finding and assess the real risk
to our application:

Finding: CVE-2024-XXXX in [library] version [X.Y.Z]
CVSS: [score]
Description: [paste CVE description]

Our context:
- Application type: [web API / microservice / batch job]
- Is this internet-facing? [yes/no]
- Framework: [Express.js / Django / Spring Boot / etc.]
- Do we use the affected function? [yes/no/unknown]
- Data sensitivity: [PII / financial / public / internal]

Assess:
1. Is the vulnerable code path reachable in our application?
2. What's the actual exploitability given our architecture?
3. What's the business impact if exploited?
4. Recommended priority: Critical / High / Medium / Low / False Positive
5. Suggested remediation and estimated effort

Batch Triage

Here are 15 vulnerability findings from our latest scan.
Triage them by actual risk, not just CVSS score:

[Paste findings with: CVE ID, library, CVSS, affected function]

Our application is a Node.js REST API deployed on Kubernetes,
internet-facing, processing payment data (PCI scope).

For each finding, classify as:
- FIX NOW: Reachable, exploitable, high business impact
- FIX SOON: Reachable but lower exploitability or impact
- SCHEDULE: Unreachable or very low risk — next maintenance window
- ACCEPT: False positive or irrelevant to our architecture

✅ Quick Check: Your container scan finds 120 vulnerabilities in your base image (node:18-alpine). You switch to node:18-alpine-slim and the count drops to 35. Of those 35, AI triage classifies 5 as FIX NOW and 30 as SCHEDULE. What’s the lesson? (Answer: Two things. First, base image selection dramatically affects your vulnerability surface — slimmer images have fewer packages and fewer CVEs. Second, AI triage of the remaining 35 focuses your team on the 5 that matter. Without AI, all 35 look equally urgent. With AI, you know where to spend your time.)

Scanning Tools with AI

Tool	Type	AI Feature	Free Tier
Snyk	SCA + SAST	Fix suggestions, priority scoring	Yes (limited)
Aikido	All-in-one	85% noise reduction via AI triage	Yes (limited)
SonarQube	SAST	AI code quality + security rules	Community edition
Trivy	Container + IaC	Vulnerability DB, fast scanning	Open source
Semgrep	SAST	Custom rules with AI pattern matching	Open source

Remediation with AI

Understanding a CVE

Explain this CVE in plain language for a development team:

CVE: [ID]
Affected: [library and version]
CVSS: [score]

Explain:
1. What the vulnerability allows an attacker to do
2. How it would be exploited (attack vector)
3. What our code would need to do to be vulnerable
4. The fix (upgrade version or code change)
5. Is there a workaround if we can't upgrade immediately?

Keep it concise — this goes in our team Slack channel.

Generating Fix PRs

Generate a fix for this vulnerability:

Finding: [description]
File: [path]
Current code: [paste vulnerable code]
Language: [language]
Framework: [framework]

Generate:
1. The fixed code
2. Explanation of what changed and why
3. Any tests that should be added to prevent regression
4. Related patterns to search for in the codebase

Practice Exercise

Run a dependency scan on a project (use npm audit, pip-audit, or Snyk free tier)
Take the top 10 findings and triage them with AI — classify by actual risk
For the highest-priority finding, generate a fix using the remediation prompt

Key Takeaways

CVSS scores measure theoretical severity — AI triage measures real-world risk to YOUR application
Reachability analysis is the key differentiator: is the vulnerable function actually called in your code?
AI reduces scanner noise by 85%, turning 500 alerts into 50 actionable findings
Always provide context to AI triage: application type, exposure, framework, data sensitivity
Zero-day response: AI can assess impact before your scanner’s database updates

Up Next

In the next lesson, you’ll learn to secure your infrastructure — Terraform configurations, Kubernetes manifests, and cloud environments — with AI-assisted review.

Knowledge Check

1. Your SCA scanner finds a critical vulnerability (CVSS 9.8) in lodash, a JavaScript utility library in your dependencies. The vulnerable function is `template()`, which can allow code injection. Your application never uses `lodash.template()`. How should you prioritize this?

Fix immediately — CVSS 9.8 is critical Deprioritize. The vulnerability is in `template()` which your code never calls. AI reachability analysis confirms the vulnerable code path is unreachable. Update lodash in your next scheduled dependency update, but don't treat it as an emergency. A CVSS 7.0 in a function you actually use is more urgent Remove lodash entirely

2. You run SAST on your Python codebase and get 200 findings. 150 are 'possible SQL injection' warnings. You use an ORM (SQLAlchemy) throughout the codebase. How many of those 150 are likely real issues?

All 150 — SQL injection is serious Very few, possibly zero. ORMs parameterize queries by default, preventing SQL injection. SAST tools flag any string that looks like it could be a query, even if the ORM handles it safely. AI triage understands framework context: 'These queries use SQLAlchemy's parameterized methods — the injection risk is neutralized by the ORM.' You check the 3-5 where raw SQL is actually used None — ORMs are immune to SQL injection

3. A new zero-day CVE is announced for a library you use. The CVE was published 2 hours ago. Your security scanner hasn't updated its database yet. How can AI help?

Wait for the scanner to update Paste the CVE details into AI and ask: 'Does our codebase use the affected function? Here's our dependency tree and the relevant code sections.' AI can analyze whether you're impacted before your scanner even knows about the vulnerability — buying you hours of response time Upgrade the library immediately without analysis

Answer all questions to check

Complete the quiz above first