building-vulnerability-scanning-workflow

Builds a structured vulnerability scanning workflow using tools like Nessus, Qualys, and OpenVAS to discover, prioritize, and track remediation of security vulnerabilities across infrastructure. Use when SOC teams need to establish recurring vulnerability assessment processes, integrate scan results with SIEM alerting, and build remediation tracking dashboards.

16 stars

byplurigrid

View on GitHub Installation ↓

Best use case

building-vulnerability-scanning-workflow is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using building-vulnerability-scanning-workflow should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/building-vulnerability-scanning-workflow/SKILL.md --create-dirs "https://raw.githubusercontent.com/plurigrid/asi/main/plugins/asi/skills/building-vulnerability-scanning-workflow/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/building-vulnerability-scanning-workflow/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How building-vulnerability-scanning-workflow Compares

Feature / Agent	building-vulnerability-scanning-workflow	Standard Approach
Platform Support	Not specified	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Building Vulnerability Scanning Workflow

## When to Use

Use this skill when:
- SOC teams need to establish or improve recurring vulnerability scanning programs
- Scan results require prioritization beyond raw CVSS scores using asset context and threat intelligence
- Vulnerability data must be integrated into SIEM for correlation with exploitation attempts
- Remediation tracking needs formalization with SLA-based dashboards and reporting

**Do not use** for penetration testing or active exploitation — vulnerability scanning identifies weaknesses, penetration testing validates exploitability.

## Prerequisites

- Vulnerability scanner (Tenable Nessus Professional, Qualys VMDR, or OpenVAS/Greenbone)
- Asset inventory with criticality classifications (business-critical, standard, development)
- Network access from scanner to all target segments (agent-based or network scan)
- SIEM integration for scan result ingestion and correlation
- Patch management system (WSUS, SCCM, Intune) for remediation tracking

## Workflow

### Step 1: Define Scan Scope and Scheduling

Create scan policies covering all asset types:

**Nessus Scan Configuration (API):**
```python
import requests

nessus_url = "https://nessus.company.com:8834"
headers = {"X-ApiKeys": f"accessKey={access_key};secretKey={secret_key}"}

# Create scan policy
policy = {
    "uuid": "advanced",
    "settings": {
        "name": "SOC Weekly Infrastructure Scan",
        "description": "Weekly credentialed scan of all server and workstation segments",
        "scanner_id": 1,
        "policy_id": 0,
        "text_targets": "10.0.0.0/16, 172.16.0.0/12",
        "launch": "WEEKLY",
        "starttime": "20240315T020000",
        "rrules": "FREQ=WEEKLY;INTERVAL=1;BYDAY=SA",
        "enabled": True
    },
    "credentials": {
        "add": {
            "Host": {
                "Windows": [{
                    "domain": "company.local",
                    "username": "nessus_svc",
                    "password": "SCAN_SERVICE_PASSWORD",
                    "auth_method": "Password"
                }],
                "SSH": [{
                    "username": "nessus_svc",
                    "private_key": "/path/to/nessus_key",
                    "auth_method": "public key"
                }]
            }
        }
    }
}

response = requests.post(f"{nessus_url}/scans", headers=headers, json=policy,
                         verify=not os.environ.get("SKIP_TLS_VERIFY", "").lower() == "true")  # Set SKIP_TLS_VERIFY=true for self-signed certs in lab environments
scan_id = response.json()["scan"]["id"]
print(f"Scan created: ID {scan_id}")
```

**Qualys VMDR Scan via API:**
```python
import qualysapi

conn = qualysapi.connect(
    hostname="qualysapi.qualys.com",
    username="api_user",
    password="API_PASSWORD"
)

# Launch vulnerability scan
params = {
    "action": "launch",
    "scan_title": "Weekly_Infrastructure_Scan",
    "ip": "10.0.0.0/16",
    "option_id": "123456",  # Scan profile ID
    "iscanner_name": "Internal_Scanner_01",
    "priority": "0"
}

response = conn.request("/api/2.0/fo/scan/", params)
print(f"Scan launched: {response}")
```

### Step 2: Process and Prioritize Scan Results

Download results and apply risk-based prioritization:

```python
import requests
import csv

# Export Nessus results
response = requests.get(
    f"{nessus_url}/scans/{scan_id}/export",
    headers=headers,
    params={"format": "csv"},
    verify=not os.environ.get("SKIP_TLS_VERIFY", "").lower() == "true",  # Set SKIP_TLS_VERIFY=true for self-signed certs in lab environments
)

# Parse and prioritize
vulns = []
reader = csv.DictReader(response.text.splitlines())
for row in reader:
    cvss = float(row.get("CVSS v3.0 Base Score", 0))
    asset_criticality = get_asset_criticality(row["Host"])  # From asset inventory

    # Risk-based priority calculation
    risk_score = cvss * asset_criticality_multiplier(asset_criticality)

    # Boost score if actively exploited (check CISA KEV)
    if row.get("CVE") in cisa_kev_list:
        risk_score *= 1.5

    vulns.append({
        "host": row["Host"],
        "plugin_name": row["Name"],
        "severity": row["Risk"],
        "cvss": cvss,
        "cve": row.get("CVE", "N/A"),
        "risk_score": round(risk_score, 1),
        "asset_criticality": asset_criticality,
        "kev": row.get("CVE") in cisa_kev_list
    })

# Sort by risk score
vulns.sort(key=lambda x: x["risk_score"], reverse=True)
```

**CISA KEV (Known Exploited Vulnerabilities) Check:**
```python
import requests

kev_response = requests.get(
    "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
)
kev_data = kev_response.json()
cisa_kev_list = {v["cveID"] for v in kev_data["vulnerabilities"]}

# Check if vulnerability is actively exploited
def is_actively_exploited(cve_id):
    return cve_id in cisa_kev_list
```

### Step 3: Define Remediation SLAs

Apply SLA-based remediation timelines:

| Priority | CVSS Range | Asset Type | SLA | Examples |
|----------|-----------|------------|-----|---------|
| **P1 Critical** | 9.0-10.0 + KEV | All assets | 24 hours | Log4Shell, EternalBlue on prod servers |
| **P2 High** | 7.0-8.9 or 9.0+ non-KEV | Business-critical | 7 days | RCE without known exploit |
| **P3 Medium** | 4.0-6.9 | Business-critical | 30 days | Authenticated privilege escalation |
| **P4 Low** | 0.1-3.9 | Standard | 90 days | Information disclosure, low-impact DoS |
| **P5 Informational** | 0.0 | Development | Next cycle | Best practice findings, config hardening |

### Step 4: Integrate with SIEM for Exploitation Detection

Correlate vulnerability scan data with SIEM alerts to detect active exploitation:

```spl
index=vulnerability sourcetype="nessus:scan"
| eval vuln_key = Host.":".CVE
| join vuln_key type=left [
    search index=ids_ips sourcetype="snort" OR sourcetype="suricata"
    | eval vuln_key = dest_ip.":".cve_id
    | stats count AS exploit_attempts, latest(_time) AS last_exploit_attempt by vuln_key
  ]
| where isnotnull(exploit_attempts)
| eval risk = "CRITICAL — Vulnerability being actively exploited"
| sort - exploit_attempts
| table Host, CVE, plugin_name, cvss_score, exploit_attempts, last_exploit_attempt, risk
```

**Alert when KEV vulnerabilities are detected on critical assets:**
```spl
index=vulnerability sourcetype="nessus:scan" severity="Critical"
| lookup cisa_kev_lookup.csv cve_id AS CVE OUTPUT kev_status, due_date
| where kev_status="active"
| lookup asset_criticality_lookup.csv ip AS Host OUTPUT criticality
| where criticality IN ("business-critical", "mission-critical")
| table Host, CVE, plugin_name, cvss_score, kev_status, due_date, criticality
```

### Step 5: Build Remediation Tracking Dashboard

**Splunk Dashboard for Vulnerability Metrics:**
```spl
-- Open vulnerabilities by severity
index=vulnerability sourcetype="nessus:scan" status="open"
| stats count by severity
| eval order = case(severity="Critical", 1, severity="High", 2, severity="Medium", 3,
                    severity="Low", 4, 1=1, 5)
| sort order

-- SLA compliance tracking
index=vulnerability sourcetype="nessus:scan" status="open"
| eval sla_days = case(
    severity="Critical", 1,
    severity="High", 7,
    severity="Medium", 30,
    severity="Low", 90
  )
| eval days_open = round((now() - first_detected) / 86400)
| eval sla_status = if(days_open > sla_days, "OVERDUE", "Within SLA")
| stats count by severity, sla_status

-- Remediation trend over 90 days
index=vulnerability sourcetype="nessus:scan"
| eval is_open = if(status="open", 1, 0)
| eval is_closed = if(status="fixed", 1, 0)
| timechart span=1w sum(is_open) AS opened, sum(is_closed) AS remediated
```

### Step 6: Automate Remediation Ticketing

Create tickets automatically for high-priority findings:

```python
import requests

servicenow_url = "https://company.service-now.com/api/now/table/incident"
headers = {
    "Content-Type": "application/json",
    "Authorization": f"Bearer {snow_token}"
}

for vuln in vulns:
    if vuln["risk_score"] >= 8.0:
        ticket = {
            "short_description": f"[VULN] {vuln['cve']} — {vuln['plugin_name']} on {vuln['host']}",
            "description": (
                f"Vulnerability: {vuln['plugin_name']}\n"
                f"CVE: {vuln['cve']}\n"
                f"CVSS: {vuln['cvss']}\n"
                f"Host: {vuln['host']}\n"
                f"Asset Criticality: {vuln['asset_criticality']}\n"
                f"CISA KEV: {'YES' if vuln['kev'] else 'NO'}\n"
                f"Risk Score: {vuln['risk_score']}\n"
                f"Remediation SLA: {'24 hours' if vuln['kev'] else '7 days'}"
            ),
            "urgency": "1" if vuln["kev"] else "2",
            "impact": "1" if vuln["asset_criticality"] == "business-critical" else "2",
            "assignment_group": "IT Infrastructure",
            "category": "Vulnerability"
        }
        response = requests.post(servicenow_url, headers=headers, json=ticket)
        print(f"Ticket created: {response.json()['result']['number']}")
```

## Key Concepts

| Term | Definition |
|------|-----------|
| **CVSS** | Common Vulnerability Scoring System — standardized severity rating (0-10) for vulnerabilities |
| **CISA KEV** | Known Exploited Vulnerabilities catalog — CISA-maintained list of vulnerabilities with confirmed active exploitation |
| **Credentialed Scan** | Vulnerability scan using authenticated access for deeper detection than network-only scanning |
| **Asset Criticality** | Business impact classification determining remediation priority (mission-critical, business-critical, standard) |
| **Remediation SLA** | Service Level Agreement defining maximum time allowed to patch vulnerabilities by severity |
| **EPSS** | Exploit Prediction Scoring System — ML-based probability score predicting likelihood of exploitation |

## Tools & Systems

- **Tenable Nessus / Tenable.io**: Enterprise vulnerability scanner with 200,000+ plugin checks and compliance auditing
- **Qualys VMDR**: Cloud-based vulnerability management with asset discovery, prioritization, and patching integration
- **OpenVAS (Greenbone)**: Open-source vulnerability scanner with community-maintained vulnerability feed
- **CISA KEV Catalog**: US government maintained list of actively exploited vulnerabilities requiring mandatory remediation
- **Rapid7 InsightVM**: Vulnerability management platform with live dashboards and remediation project tracking

## Common Scenarios

- **Zero-Day Response**: New CVE published — run targeted scan for affected software, cross-reference with KEV and exploit databases
- **Compliance Audit Prep**: Generate PCI DSS or HIPAA vulnerability report showing scan coverage and remediation status
- **Post-Patch Verification**: Rescan patched systems to confirm vulnerability closure and update tracking dashboard
- **Network Expansion**: New subnet added to infrastructure — onboard to scan scope with appropriate policy
- **Third-Party Risk**: Scan externally-facing assets to validate vendor patch compliance before integration

## Output Format

```
VULNERABILITY SCAN REPORT — Weekly Summary
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Scan Date:    2024-03-16 02:00 UTC
Scan Scope:   10.0.0.0/16 (1,247 hosts scanned)
Duration:     4h 23m
Coverage:     98.7% (16 hosts unreachable)

Findings:
  Severity     Count    New    CISA KEV
  Critical     23       5      3
  High         187      34     12
  Medium       892      78     0
  Low          1,456    112    0
  Info         3,891    201    0

Top Priority (P1 — 24hr SLA):
  CVE-2024-21762  FortiOS RCE           3 hosts   KEV: YES
  CVE-2024-1709   ConnectWise RCE       1 host    KEV: YES
  CVE-2024-3400   Palo Alto PAN-OS RCE  2 hosts   KEV: YES

SLA Compliance:
  Critical: 82% within SLA (4 overdue)
  High:     91% within SLA (17 overdue)
  Medium:   88% within SLA (107 overdue)

Tickets Created: 39 (ServiceNow)
```

Related Skills

testing-api-for-mass-assignment-vulnerability

from plurigrid/asi

Tests APIs for mass assignment (auto-binding) vulnerabilities where clients can modify object properties they should not have access to by including additional parameters in API requests. The tester identifies writable endpoints, adds undocumented fields to request bodies (role, isAdmin, price, balance), and checks if the server binds these to the data model without filtering. Part of OWASP API3:2023 Broken Object Property Level Authorization. Activates for requests involving mass assignment testing, parameter binding abuse, auto-binding vulnerability, or API over-posting.

substrate-vulnerability-scanner

from plurigrid/asi

Scans Substrate/Polkadot pallets for 7 critical vulnerabilities including arithmetic overflow, panic DoS, incorrect weights, and bad origin checks. Use when auditing Substrate runtimes or FRAME pallets. (project, gitignored)

securing-github-actions-workflows

from plurigrid/asi

This skill covers hardening GitHub Actions workflows against supply chain attacks, credential theft, and privilege escalation. It addresses pinning actions to SHA digests, minimizing GITHUB_TOKEN permissions, protecting secrets from exfiltration, preventing script injection in workflow expressions, and implementing required reviewers for workflow changes.

secure-workflow-guide

from plurigrid/asi

Guide you through Trail of Bits' 5-step secure development workflow. Runs Slither scans, checks special features (upgradeability/ERC conformance/token integration), generates visual security diagrams, helps document security properties for fuzzing/verification, and reviews manual security areas. (project, gitignored)

scanning-network-with-nmap-advanced

from plurigrid/asi

Performs advanced network reconnaissance using Nmap's scripting engine, timing controls, evasion techniques, and output parsing to discover hosts, enumerate services, detect vulnerabilities, and fingerprint operating systems across authorized target networks.

scanning-kubernetes-manifests-with-kubesec

from plurigrid/asi

Perform security risk analysis on Kubernetes resource manifests using Kubesec to identify misconfigurations, privilege escalation risks, and deviations from security best practices.

scanning-infrastructure-with-nessus

from plurigrid/asi

Tenable Nessus is the industry-leading vulnerability scanner used to identify security weaknesses across network infrastructure including servers, workstations, network devices, and operating systems.

scanning-docker-images-with-trivy

from plurigrid/asi

Trivy is a comprehensive open-source vulnerability scanner by Aqua Security that detects vulnerabilities in OS packages, language-specific dependencies, misconfigurations, secrets, and license violati

scanning-containers-with-trivy-in-cicd

from plurigrid/asi

This skill covers integrating Aqua Security's Trivy scanner into CI/CD pipelines for comprehensive container image vulnerability detection. It addresses scanning Docker images for OS package and application dependency CVEs, detecting misconfigurations in Dockerfiles, scanning filesystem and git repositories, and establishing severity-based quality gates that block deployment of vulnerable images.

scanning-container-images-with-grype

from plurigrid/asi

Scan container images for known vulnerabilities using Anchore Grype with SBOM-based matching and configurable severity thresholds.

performing-web-application-vulnerability-triage

from plurigrid/asi

Triage web application vulnerability findings from DAST/SAST scanners using OWASP risk rating methodology to separate true positives from false positives and prioritize remediation.

performing-web-application-scanning-with-nikto

from plurigrid/asi

Nikto is an open-source web server and web application scanner that tests against over 7,000 potentially dangerous files/programs, checks for outdated versions of over 1,250 servers, and identifies ve