Security Scanner Triage

Workflow

1. Normalize findings
• Convert scanner text into discrete claims.
• Group by category: data routing, credentials, defaults, docs mismatch, privilege/persistence.

1. Verify against code/docs
• Locate exact file/line evidence.
• Mark each claim as:
• Confirmed
• Partially confirmed
• Not reproducible

1. Risk rate
• Critical / High / Medium / Low
• Include blast radius and exploitability notes.

1. Remediation plan
• Provide minimal patch order:

1) safety first

2) behavior/docs consistency

3) version bump and publish notes

1. Verification
• Provide re-scan checklist and expected clean-state signals.

Output format

Use references/output-template.md.

Guardrails

• Never leak secrets from .env.
• Distinguish trust/disclosure issues from active vulnerabilities.
• Always separate "data-routing transparency" findings from "security-impact" findings.