Vulnerability SLAs (Tracker)
Suggested SLAs (tune to your risk)
- Critical ≤ 7 days, High ≤ 30 days, Medium ≤ 90 days, Low best effort (no due date).
- The SLA clock starts when a finding is triaged and assigned, so the Opened column records that date, not the date the scanner first reported it.
Columns (use in your sheet)
| Column | Purpose / Examples |
|---|---|
| ID | Tracker key (e.g., SCA-2025-014) |
| Source | Semgrep / Trivy / Checkov / ZAP / Manual |
| Component | Service, image, file path |
| Severity | Critical / High / Medium / Low |
| Opened | YYYY-MM-DD |
| SLA (days) | 7 / 30 / 90 / blank (leave Low empty so Due stays empty; a 0 here would make the item due the day it was opened) |
| Due | Excel table: =IF([@[SLA (days)]]="", "", [@Opened]+[@[SLA (days)]]) (headers with spaces need the extra brackets). Sheets or plain ranges: =IF(F2="", "", E2+F2) |
| Owner | Name / team |
| Status | Open / In-Progress / Overdue / Fixed-Pending-Retest / Closed |
| Notes | Link to PR, rationale, etc. |
Conditional formatting (XLSX): mark a row red as Overdue when the due date has passed and the item is not Closed, i.e. TODAY() > Due AND Status <> "Closed".
With Due in column G and Status in column I, apply the rule to the data rows with the formula =AND($G2<>"", TODAY()>$G2, $I2<>"Closed"); the first test keeps best-effort rows (blank Due) from being flagged. A row in Fixed-Pending-Retest still counts as overdue until the fix has been retested and the item Closed.
CSV seed (import to Excel/Sheets)
ID,Source,Component,Severity,Opened,SLA (days),Due,Owner,Status,Notes
SCA-2025-014,Trivy,ship/app:quarantine,High,2025-10-15,30,,alice,Open,"Base image vuln; fix available"
SAST-2025-021,Semgrep,app/main.go,Critical,2025-10-15,7,,team-web,In-Progress,"Reflected XSS"
IAC-2025-003,Checkov,infra/k8s/deployment.yaml,High,2025-10-15,30,,platform,Open,"runAsNonRoot missing"
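The same Due and Overdue logic as the sheet formulas above, as an added Python example that is not part of the original page: it parses the seed CSV, fills in Due from Opened + SLA (days), falls back to the suggested SLA for the severity when the cell is blank, and derives Status as of a given date. The seed is the page's three rows plus two constructed rows (a Low / best-effort finding and an already Closed one) so the edge cases are exercised; the extra IDs, components and owners are made up for the example.

```python
import csv
import io
from datetime import date, timedelta

# Suggested SLA windows from the page; Low is best effort, i.e. no deadline.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": None}

# Constructed seed: the page's three rows plus two extra rows (a Low / best-effort
# finding and an already Closed one) so the edge cases get exercised.
SEED_CSV = """\
ID,Source,Component,Severity,Opened,SLA (days),Due,Owner,Status,Notes
SCA-2025-014,Trivy,ship/app:quarantine,High,2025-10-15,30,,alice,Open,"Base image vuln; fix available"
SAST-2025-021,Semgrep,app/main.go,Critical,2025-10-15,7,,team-web,In-Progress,"Reflected XSS"
IAC-2025-003,Checkov,infra/k8s/deployment.yaml,High,2025-10-15,30,,platform,Open,"runAsNonRoot missing"
DAST-2025-007,ZAP,https://app.example/login,Low,2025-10-15,,,team-web,Open,"Missing security header (constructed row)"
SAST-2025-019,Semgrep,app/auth.go,High,2025-09-01,30,,team-web,Closed,"Fixed and retested (constructed row)"
"""


def _as_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def sla_days_for(severity, sla_cell):
    """SLA window in days, or None for best effort.

    An explicit value in the 'SLA (days)' column wins over the suggested
    default so a team can tune individual findings; a blank cell means
    'use the default for this severity', and Low defaults to no deadline.
    """
    if sla_cell.strip():
        return int(sla_cell)
    return SLA_DAYS.get(severity)


def due_date(opened, sla_days):
    """Due = Opened + SLA; best-effort findings have no due date."""
    return None if sla_days is None else opened + timedelta(days=sla_days)


def derive_status(recorded, due, today):
    """Overdue is derived, never typed by hand.

    Anything not Closed whose due date has passed is Overdue; that includes
    Fixed-Pending-Retest, because the clock only stops once the fix has been
    retested and the item closed (same rule as the sheet's TODAY() > Due check).
    """
    if recorded == "Closed":
        return "Closed"
    if due is not None and today > due:
        return "Overdue"
    return recorded


def load_tracker(csv_text, today):
    """Parse the tracker CSV, fill in Due and recompute Status as of `today`."""
    today = _as_date(today)
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        opened = date.fromisoformat(row["Opened"])
        sla = sla_days_for(row["Severity"], row["SLA (days)"])
        due = due_date(opened, sla)
        row["SLA (days)"] = "" if sla is None else str(sla)
        row["Due"] = "" if due is None else due.isoformat()
        row["Status"] = derive_status(row["Status"], due, today)
        rows.append(row)
    return rows


def overdue_ids(rows):
    """IDs of findings currently breaching their SLA."""
    return [r["ID"] for r in rows if r["Status"] == "Overdue"]


def days_remaining(rows, today):
    """ID -> days until due (negative when overdue, None for best effort or Closed)."""
    today = _as_date(today)
    out = {}
    for r in rows:
        if r["Status"] == "Closed" or not r["Due"]:
            out[r["ID"]] = None
        else:
            out[r["ID"]] = (date.fromisoformat(r["Due"]) - today).days
    return out


def to_csv(rows):
    """Serialise the recomputed sheet back to CSV in the seed's column order."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    tracker = load_tracker(SEED_CSV, "2025-10-30")
    print(to_csv(tracker))
    print("Overdue:", overdue_ids(tracker))
```

Run it from a cron job or CI step against the exported sheet and the Overdue list is the daily escalation report; because Status is recomputed from Opened and SLA on every run, nobody can make an item look on-track by editing the Due cell by hand.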