Vulnerability Management Automation: Scan, Prioritize, Patch, Verify
I built a closed-loop vulnerability management cycle that schedules OpenVAS scans, prioritizes findings by CVSS 3.1 and business context, opens Jira tickets via API, and remediates with Ansible. The pipeline cut the critical-vulnerability exposure window from 7 days to 4 hours across 15+ Linux nodes.
Context & Standards Alignment
The workflow implements the NIST SP 800-40 patch management lifecycle and CIS Control 7 (Continuous Vulnerability Management), turning ad-hoc scanning into a measurable, auditable process.
- T1190 Exploit Public-Facing Application – prioritized remediation of internet-reachable CVEs.
- T1203 Exploitation for Client Execution – endpoint patch orchestration via Ansible.
OpenVAS/GVM] --> A[Analyze
CVSS 3.1] A --> P[Prioritize
business risk] P --> T[Ticket
Jira API] T --> R[Remediate
Ansible] R --> V[Verify
rescan] V --> S
Environment & Prerequisites
- OpenVAS/GVM 22.4 scanner with daily feed sync; Nessus Professional for cross-validation.
- Ansible control node with inventory of 15+ RHEL 9 / Ubuntu 22.04 hosts.
- Jira Cloud project + API token; Grafana dashboard fed from a PostgreSQL results store.
Step-by-Step Execution
1. Launch an authenticated scan via the GVM CLI [PRIVILEGED]
gvm-cli --gmp-username admin socket --xml "<start_task task_id='UUID'/>"2. Export and prioritize by CVSS 3.1
gvm-script --gmp-username admin socket get_results.py --severity 9.0 | tee critical.csvCVE-2024-3094 10.0 CRITICAL xz-utils backdoor host=192.168.20.31
CVE-2023-4911 7.8 HIGH glibc CVE-2023-4911 host=192.168.20.18
3. Remediate with Ansible
ansible-playbook -i inventory patch-critical.yml --limit critical_hostsPLAY RECAP
192.168.20.31 : ok=6 changed=3 unreachable=0 failed=0
192.168.20.18 : ok=6 changed=2 unreachable=0 failed=0
Validation & Testing
Trigger an automated rescan of the patched hosts and confirm the previously critical CVEs no longer appear. The Grafana dashboard should show the open-critical count drop to zero (alt text: Grafana panel trending open critical CVEs to zero after Ansible remediation).
Advanced: Troubleshooting
- Authenticated scan returns few results: verify SSH credentials and that the scan target uses a credentialed config.
- Feed out of date: run
greenbone-feed-syncand check/var/log/gvm/. - Ansible patch reboot loops: gate reboots behind a
reboot_requiredfact check.
Key Results
- Orchestrated patching across 15+ Linux servers with a 99.2% success rate.
- Prioritized 200+ CVEs by CVSS 3.1 and business criticality each cycle.
- Reduced the critical-vulnerability exposure window from 7 days to 4 hours.
- Automated Jira ticket creation for 100% of high/critical findings.