Finding Triage
Turn one scanner, audit, or advisory finding into a ticket-ready disposition with CVSS context, mitigation steps, or defensible accepted-risk language.
Overview
Finding Triage is an agent skill most often used in Ship (also Operate and Build) that dispositions a single security finding into fix, defer, accept-risk, or false-positive with audit-ready justification.
Install
npx skills add https://github.com/briiirussell/cybersecurity-skills --skill finding-triageWhat is this skill?
- Closes the loop on findings from SAST, DAST, advisories, pentests, and manual audits
- Aligns with Three-Disposition rule: Fixed, Deferred, Accepted Risk—plus explicit false-positive determination
- Produces regulator-friendly writeups with justification fields and audit trail
- Supports CVSS contextualization and compensating-control narratives
- Works on one finding at a time with ticket-ready output
- Four outcome paths: Fixed, Deferred, Accepted Risk, and false-positive determination
- Three-Disposition rule aligned with OWASP-audit style audits
Adoption & trust: 1 installs on skills.sh; 242 GitHub stars; trending (+100% hot-view momentum).
What problem does it solve?
You have one security alert or audit line item and no standardized way to decide if it is real, how severe it is for your app, or what to tell compliance six months later.
Who is it for?
Indie SaaS and small teams closing scanner and audit findings with documented Fixed, Deferred, or Accepted Risk decisions.
Skip if: Full-repo OWASP audits or bulk remediation sprints—use a dedicated audit or remediation skill first, then triage individual items here.
When should I use this skill?
User says triage this finding, false positive, accept this risk, CVSS this, mitigation plan, disposition, or should we fix this.
What do I get? / Deliverables
You get a complete ticket-ready triage writeup with disposition, mitigation or risk acceptance text, and traceable rationale you can attach to the finding record.
- Ticket-ready triage document with disposition and justification
- Mitigation plan or accepted-risk narrative with compensating controls
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Security findings are usually handled in Ship when hardening and sign-off happen, but the same triage ritual applies whenever production or compliance reviews surface a hit. Single-finding disposition, compensating controls, and false-positive justification are core security review work—not generic code review.
Where it fits
Disposition a DAST hit before release with defer vs fix and owner assignment.
Triage a production dependency advisory without reopening the entire backlog.
Decide whether a SAST warning on new API code is acceptable for the current milestone.
How it compares
Use for one finding’s disposition writeup, not as a replacement for running the scanner or a whole-application security audit.
Common Questions / FAQ
Who is finding-triage for?
Solo builders and small teams who own security responses without a dedicated AppSec desk and need consistent, defensible language per finding.
When should I use finding-triage?
In Ship when signing off on release blockers; in Operate when production alerts or vendor disclosures arrive; in Build when dependency or SAST tools flag something mid-sprint.
Is finding-triage safe to install?
Review the skill’s allowed tools (read, grep, bash, web search) and the Security Audits panel on this Prism page before granting agent access to repos or secrets.
SKILL.md
READMESKILL.md - Finding Triage
# Finding Triage — Single-Finding Disposition with Defensible Justification Every other skill in this repo *generates* findings. This skill *closes the loop* — for a single finding, walk through whether it's real, what severity it deserves in your context, and what to do about it. Output is a complete ticket-ready writeup with the right fields, the right justification, and an audit trail that survives a regulator reading it six months later. The dispositions match `owasp-audit`'s Three-Disposition rule: **Fixed**, **Deferred**, or **Accepted Risk**. False positive is a fourth — but it isn't a disposition for a real finding, it's a determination that there *is* no finding. This skill works on findings from any source: SAST output, DAST scanner, dependency advisory, manual audit, threat-hunt hit, pentest report, vendor disclosure, internal red-team writeup, bug bounty submission. Cross-references: - `vuln-research` for the technical CVE deep-dive that feeds reachability assessment here - `owasp-audit` Three-Disposition rule (the framework this implements per-finding) - `security-comms` for translating the disposition writeup into stakeholder-readable language when the finding has to leave the security context - Any audit skill — this consumes their findings as input ## Workflow The agent works through these steps with the user. Stop and ask clarifying questions where the user has context the finding alone doesn't reveal. ### Step 1 — Restate the finding in your own words If the finding came from a scanner, restate what's actually being claimed. Scanners produce noise; restating filters out the boilerplate. A good restatement names: - **What** the issue is (specific weakness — CWE if applicable) - **Where** it lives (file:line, endpoint, resource ARN, host) - **How** it could be exploited (preconditions, attacker capability needed) - **Impact** if it were exploited (data loss, privilege escalation, availability) If you can't restate it clearly, you don't understand it yet. Ask the user for context. ### Step 2 — Is this actually true? Half of automated-scanner findings are false positives by volume. The triage: | Question | If yes | If no | |---|---|---| | Does the vulnerable code path exist as described? | Continue | False positive — scanner found a phantom | | Is the code path reachable from any attacker-controllable input? | Continue | Continue, but severity drops | | Does the exploit precondition match your environment? | Continue | Severity drops or false positive | | Is there a public PoC, or has anyone confirmed this in the wild? | Severity stays / rises | Severity may drop | | Are existing controls (WAF, auth, network segmentation) preventing exploitation? | Severity drops; controls become the mitigation | Severity stays | **Common false-positive patterns:** - SAST flag on test files or dead code - Dependency scanner flag on package in `devDependencies` only — runtime-unreachable (see `dependency-audit` reachability column) - DAST flag on a path that returns 404 in your real environment but was confused by SPA routing - Outdated advisory — vendor silently fixed it before the CVE; your version contains the fix - Pattern match on code that *looks* vulnerable but is inside a function never invoked **Document a false-positive determination as carefully as a real finding.** If a future scanner or auditor fla