Chapter 2. Checklist

Decide how you’ll triage, verify, fix, and prove risk reduction.

Policy & Thresholds

  • Blocking policy: What fails builds now? (Secrets: verified/live credentials only; SAST: High/Critical findings from a curated rule set; SCA: Critical/High with a fix available; IaC: privileged containers and workloads running as root)
  • Unfixed CVEs (no vendor fix yet): Track but don't block, or block only for specific components (base image, runtime path)?
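
The two policy questions above map onto a small gate that runs after the scanner. The script below is an added example (not code from this book or from Trivy) that applies those thresholds to a Trivy JSON report: CRITICAL/HIGH vulnerabilities with a fix block, CRITICAL/HIGH without a fix are tracked but do not block, and the root-user/privileged IaC checks block regardless. It assumes Trivy's JSON schema (Results[].Vulnerabilities[], Results[].Misconfigurations[]); the AVD check IDs and the sample report (placeholder CVE IDs) are assumptions/constructed for illustration. Trivy's own `--severity CRITICAL,HIGH --ignore-unfixed --exit-code 1` covers the SCA half natively; the script adds the "track unfixed" output and per-check IaC gating in one pass.

```python
"""Build gate applying the checklist's blocking thresholds to a Trivy JSON report.

Policy encoded here: SCA blocks on CRITICAL/HIGH findings that have a fix;
CRITICAL/HIGH findings with no fix are tracked but do not block; IaC blocks on
the root-user / privileged-container checks. Assumes Trivy's JSON schema.
"""
import json
import sys
from dataclasses import dataclass, field

BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}

# Misconfiguration checks that always block. These AVD IDs are an assumption;
# confirm them against the Trivy version you run (AVD-DS-0002: Dockerfile runs
# as root, AVD-KSV-0017: privileged container, AVD-KSV-0012: may run as root).
BLOCKING_MISCONFIG_IDS = {"AVD-DS-0002", "AVD-KSV-0017", "AVD-KSV-0012"}


@dataclass
class GateResult:
    blocking: list = field(default_factory=list)  # findings that fail the build
    tracked: list = field(default_factory=list)   # unfixed CVEs: recorded, not blocking

    @property
    def passed(self) -> bool:
        return not self.blocking


def evaluate(report: dict, block_ids=BLOCKING_MISCONFIG_IDS) -> GateResult:
    """Classify every finding in a Trivy report as blocking, tracked, or ignored."""
    result = GateResult()
    for res in report.get("Results", []):
        target = res.get("Target", "?")
        for v in res.get("Vulnerabilities") or []:
            sev = v.get("Severity", "UNKNOWN").upper()
            if sev not in BLOCKING_SEVERITIES:
                continue  # MEDIUM/LOW never block under this policy
            desc = (f"{v['VulnerabilityID']} {sev} {v.get('PkgName')}@"
                    f"{v.get('InstalledVersion')} in {target}")
            if v.get("FixedVersion"):
                result.blocking.append(f"{desc} -> upgrade to {v['FixedVersion']}")
            else:
                result.tracked.append(f"{desc} (no fix available)")
        for m in res.get("Misconfigurations") or []:
            # Only failed checks count; Trivy can also emit PASS entries.
            if m.get("Status") == "FAIL" and m.get("AVDID") in block_ids:
                result.blocking.append(f"{m['AVDID']} {m.get('Title')} in {target}")
    return result


# Constructed sample report (placeholder CVE IDs, not real advisories).
SAMPLE_REPORT = json.loads("""
{
  "Results": [
    {"Target": "app (debian 12.5)", "Class": "os-pkgs", "Type": "debian",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
        "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
       {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
        "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "CRITICAL"},
       {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libminor",
        "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "MEDIUM"}
     ]},
    {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
     "Misconfigurations": [
       {"ID": "DS002", "AVDID": "AVD-DS-0002", "Severity": "HIGH", "Status": "FAIL",
        "Title": "Image user should not be 'root'"},
       {"ID": "DS026", "AVDID": "AVD-DS-0026", "Severity": "LOW", "Status": "FAIL",
        "Title": "No HEALTHCHECK defined"}
     ]}
  ]
}
""")


def main(path: str = "") -> int:
    """Run the gate on a report file (or the sample) and return the CI exit code."""
    if path:
        with open(path) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    result = evaluate(report)
    for line in result.tracked:
        print("TRACK", line)
    for line in result.blocking:
        print("BLOCK", line)
    print("gate:", "PASS" if result.passed else "FAIL")
    return 0 if result.passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else ""))
```

Run it as `trivy image --format json -o report.json IMAGE && python gate.py report.json`; on the sample it blocks on the fixable HIGH and the root-user Dockerfile check, records the unfixed CRITICAL as tracked, and ignores the MEDIUM and the LOW HEALTHCHECK check.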

Ownership & SLAs

  • Finding owner: Who owns each class of finding (Dev vs Sec vs Platform)?
  • SLAs: Critical ≤7d, High ≤30d, Medium ≤90d, measured from detection. Do these match your risk tolerance?
  • Exception process: How do you grant time-boxed risk acceptances (with expiry & rationale)?

Tuning & Evidence

  • False positives: Do you maintain allowlists/ignores (.trivyignore, Semgrep suppressions), and does every entry carry a comment explaining why it is a false positive?
  • Artifacts: Where do ./artifacts/* live long-term (bucket, file share, or repo), and who reviews ARTIFACTS.md?
  • Defect tracking: Is a dedicated tracker (e.g., DefectDojo) or your existing issue system (Jira/GitHub) the source of truth (SoT) for findings?
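
The exception-process question (time-boxed acceptances with expiry and rationale) and the false-positive question (allowlists with comments) can be enforced mechanically on the ignore file itself. The linter below is an added example, not the book's own code: it reads a plain-text .trivyignore, using Trivy's own `# comment` and `ID exp:YYYY-MM-DD` syntax, and flags any entry that lacks a rationale comment directly above it, has no expiry, has already expired, or expires further out than the SLA window. The 90-day cap, the sample file and its placeholder CVE IDs are assumptions/constructed for illustration.

```python
"""Lint a plain-text .trivyignore against the checklist's exception rules.

Each ignored ID must have a '# rationale' comment block immediately above it and
an 'exp:YYYY-MM-DD' expiry (Trivy's native syntax) that is still in the future
and no further out than max_days. Added example; the cap is an assumption.
"""
import re
import sys
from datetime import date, timedelta

# One ignore per line: an ID (CVE, AVD misconfig ID or secret rule ID), optionally
# followed by Trivy's ' exp:YYYY-MM-DD' expiry.
ENTRY_RE = re.compile(r"^(?P<id>\S+)(?:\s+exp:(?P<exp>\d{4}-\d{2}-\d{2}))?\s*$")


def lint_ignore_file(text: str, today: date, max_days: int = 90) -> list[str]:
    """Return a list of policy violations; an empty list means the file is clean."""
    problems = []
    rationale = None  # most recent comment block; a blank line clears it
    cap = today + timedelta(days=max_days)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            rationale = None
            continue
        if line.startswith("#"):
            rationale = line.lstrip("#").strip() or None
            continue
        m = ENTRY_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: unparseable entry {line!r}")
            continue
        ident, exp = m.group("id"), m.group("exp")
        if not rationale:
            problems.append(f"line {lineno}: {ident} has no rationale comment above it")
        if exp is None:
            problems.append(f"line {lineno}: {ident} has no exp: date (open-ended exception)")
            continue
        try:
            expiry = date.fromisoformat(exp)
        except ValueError:
            problems.append(f"line {lineno}: {ident} has invalid exp: date {exp!r}")
            continue
        if expiry <= today:
            problems.append(f"line {lineno}: {ident} exception expired on {exp}")
        elif expiry > cap:
            problems.append(f"line {lineno}: {ident} expiry {exp} exceeds {max_days}-day cap")
    return problems


# Constructed sample ignore file (placeholder IDs). Line 7 has no rationale,
# line 5 has already expired, line 10 is open-ended.
SAMPLE_IGNORE = """\
# Accepted by platform team: only reachable via internal admin path, fix due Q3
CVE-0000-0101 exp:2025-06-30

# Noise: test fixture, not shipped
CVE-0000-0102 exp:2024-01-15

CVE-0000-0103 exp:2025-05-01

# Base image runs as root by vendor design; tracked in the platform backlog
AVD-DS-0002
"""


def main(path: str = "") -> int:
    """Lint a real file (or the sample) and return a CI exit code."""
    if path:
        with open(path) as fh:
            text = fh.read()
    else:
        text = SAMPLE_IGNORE
    problems = lint_ignore_file(text, today=date.today())
    for p in problems:
        print(p)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else ""))
```

Wire it into CI next to the scanner (`python lint_ignores.py .trivyignore`) so an expired or undocumented exception fails the build the same way a new finding would; the same idea applies to Semgrep suppression comments, which should likewise name the reason.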

Secrets & Rotation

  • Secrets policy: What constitutes a “verified secret” vs noise? Who can revoke/rotate quickly?
  • Pre-commit hooks: Will you add local git hooks so secrets are caught before they are committed and pushed, rather than only in CI after they have reached the remote?

SBOM & Licensing

  • SBOM consumers: Who reads sbom.json today (security, procurement, customers)?
  • License enforcement: Do you start in WARN (report only) and switch to ENFORCE (fail the build) once the policy and its allowlist are tuned?