Vulnerability management
Decide each finding once. Record it. Move on.
When a scanner flags a CVE you have three options — fix it, accept it, or prove it doesn't apply. These guides cover all three, ending in the same place: a VEX statement that records what you decided so nobody re-investigates the same finding next sprint.
How these guides are written
The guides assume you work in GitLab or GitHub. Where they say merge request — what GitHub calls a pull request — the concept is interchangeable; we've picked the GitLab term throughout. If you're on Bitbucket, Azure DevOps, or self-hosted Forgejo the ideas still apply, only the menus differ.
Every CI example uses shell commands in a pipeline file — a .gitlab-ci.yml stanza or a GitHub Actions run: step. We don't reach for vendor plugins or marketplace actions when the same job fits in five lines of bash, because the bash works regardless of which CI vendor you migrate to next year and stays readable as a script you can run locally.
The audience is developers, not security teams. The goal is to give you enough context to make the right call on a finding in the time you have between merging this feature and being asked to merge the next one. Your decision ends up as evidence the security team can verify without interrupting you twice.
Each scanner speaks its own dialect.
These guides translate each scanner's output into the same destination — a VEX statement that records what you decided about each finding.
When the fix isn't in the code.
A WAF rule blocks the attack vector. An IPS signature drops the exploit packet. A YARA rule catches the payload on disk. A Sigma rule alerts when the attempt hits your logs. Each is a valid response to a vulnerability — but only when the mitigation is documented somewhere a scanner can read.
If SBOM and VEX are new to you, start here.
Background on the two attestation formats the scanner and rules guides assume — what they are, why they exist, and why generating them yourself during normal development flow saves everyone time downstream.