Summary of What Needs to be Done:
The Dependency Vulnerability Audit Operator Guide (docs/dependency_audit_operator_guide.md) describes how to configure exceptions and run audits locally, but lacks a clear triage decision table that helps operators decide what to do with a given vulnerability finding.
Changes that Need to be Made:
Add a "Triage Decision Table" section to docs/dependency_audit_operator_guide.md with a decision matrix covering:
- Severity + exploitability combinations and recommended action (block / exception / acknowledge)
- Cases where CVSS score alone is insufficient (e.g., dev-only dependency, disabled by config)
- When to file a security ticket vs. adding an exception
- Criteria for exception expiry and re-evaluation cadence
- Example rows: critical+exploitable = block + file ticket; medium+dev-only = acknowledge; high+mitigated-by-config = exception with reason
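The three example rows above, plus the "CVSS alone is insufficient" context checks, encoded as a small triage function. This is an added illustration for the issue, not code from the guide or the repository; the 90-day exception TTL, the ticket rule for non-exploitable high findings, and the CVE ids are assumptions or placeholders, not policy from the guide.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed finding record; fields mirror the inputs the decision table needs.
@dataclass(frozen=True)
class Finding:
    package: str
    cve: str                    # placeholder id, not a real CVE
    severity: str               # "critical" | "high" | "medium" | "low"
    exploitable: bool           # is the vulnerable path reachable in this deployment?
    dev_only: bool              # used only by dev/test tooling, never shipped?
    mitigated_by_config: bool   # vulnerable feature disabled by our configuration?

@dataclass(frozen=True)
class Decision:
    action: str                 # "block" | "exception" | "acknowledge"
    file_ticket: bool
    reason: str                 # recorded next to any exception, as the guide requires
    expires: Optional[date] = None   # exceptions carry an expiry for re-evaluation

def triage(f: Finding, today: date, exception_ttl_days: int = 90) -> Decision:
    """Decision matrix: context checks run before the severity rows, because a
    CVSS score alone says nothing about dev-only or config-mitigated packages.
    The TTL default is an assumption, not a value from the guide."""
    if f.dev_only:
        return Decision("acknowledge", False,
                        f"{f.cve}: {f.package} is a dev-only dependency")
    if f.mitigated_by_config:
        return Decision("exception", False,
                        f"{f.cve}: vulnerable code path disabled by config",
                        expires=today + timedelta(days=exception_ttl_days))
    if f.severity in ("critical", "high") and f.exploitable:
        return Decision("block", True,
                        f"{f.cve}: {f.severity} and exploitable; fix before merge")
    if f.severity in ("critical", "high"):
        # Assumed row: serious but no known exploit path -> time-boxed exception + ticket.
        return Decision("exception", True,
                        f"{f.cve}: {f.severity}, no reachable exploit path; tracked",
                        expires=today + timedelta(days=exception_ttl_days))
    return Decision("acknowledge", False, f"{f.cve}: {f.severity}, not exploitable")

def needs_reevaluation(d: Decision, today: date) -> bool:
    """True once an exception has reached its expiry date and must be re-triaged."""
    return d.action == "exception" and d.expires is not None and today >= d.expires
```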
Impact that it would Provide:
- Reduces decision fatigue for contributors triaging new vulnerability findings
- Ensures consistent triage across the team
- Makes the exception policy more actionable and less ambiguous
Note: This task is being handled by tmdeveloper007 — please assign to that account when picking it up.