/goalsecurityhigh riskintermediatesafety C · 65Forward Futurepre-dates current gate · under review

Burn down CVEs by reachability

Rank dependency CVEs by reachability and exposure, apply one bounded fix, and verify the whole project before moving on.

prompt
→ Claude
Scan the dependencies of [authorized project or current repository] for known CVEs using current advisory sources. If you cannot access the dependency graph, repository, or current advisories, report the blocker and stop. For each high or critical finding, identify the affected direct or transitive dependency, determine whether the vulnerable code is reachable, and check whether the exploit conditions exist in this project. Rank findings by severity, reachability, exposure, and available remediation. Patch or upgrade the highest-risk reachable dependency using the smallest credible change. Run the build, tests, and security scan again. Keep the change only if verification passes and no unacceptable regression appears. Repeat until no exploitable high or critical CVE remains, or every remaining finding has an evidence-backed reachability assessment and an approved risk decision. Ask before major or breaking upgrades, production changes, or accepting risk. Finish with the CVE inventory, reachability evidence, fixes, verification results, and remaining risks.
claude-code · codex

Use this when

Use this when dependency scans report high or critical CVEs and remediation should reflect whether vulnerable code is actually reachable in the project.

How it runs

  1. Scan current dependencies and advisories, then map each high or critical CVE to reachable project code and exploit conditions.
  2. Rank findings by severity, reachability, exposure, and the safety of available remediation.
  3. Fix the highest-risk reachable finding with one bounded patch or upgrade, then rerun the build, tests, and scan.
  4. Repeat until reachable risk is removed or every remaining finding has evidence and an approved decision.

Done when

No exploitable high or critical dependency CVE remains without an explicit decision. Current scans, code-path evidence, the passing build and tests, and approved risk decisions account for every high or critical finding.

Why it works

CVSS alone does not show whether a vulnerable path is used or exposed in a specific project. Reachability and regression checks focus effort on real risk while keeping dependency changes reviewable.

Implementation note

Use current primary advisory sources. Do not silence findings, accept risk, make production changes, or perform a major or breaking upgrade without explicit approval.

Source: Forward Future

More security loops

Weekly dependency vulnerability audit

/scheduleloopreponew

Every Monday morning, run the dependency vulnerability audit, open one PR fixing what auto-fix can handle safely, and file issues for the rest.

prompt
→ Claude
/schedule every Monday at 8am, run `npm audit`, open a single PR applying only non-breaking fixes with tests passing, and file one issue per remaining high or critical advisory with its CVE link and affected paths
securitymedium risk

Keep security audits running until clear

/goalnew

Run Claude repeatedly across turns until your security audit condition is met, then stop.

prompt
→ Claude
/goal [condition|clear] keeps Claude working across turns until the condition is met
securitylow risk

Secrets scan until clean

/goalloopreponew

Run a secrets scanner over the working tree and drive the findings to zero: real secrets get flagged for rotation, false positives get baselined.

prompt
→ Claude
/goal `gitleaks detect --no-git` reports zero findings — for each finding, tell me whether it looks like a real credential (flag it for rotation and replace it with an env var lookup) or a false positive (add it to the baseline with a comment); never print the secret value itself; stop after 8 turns
securitylow risk