Vulnerability
The Vulnerability dimension helps you identify, prioritize, and remediate Common Vulnerabilities and Exposures (CVEs) and non-CVE exposures across your applications and environments. Based on ingested vulnerability scan data and your vulnerability priority and risk score settings, Concert assesses and prioritizes the vulnerabilities impacting your applications so you know which to address first.
- Automated remediation workflows that identify vulnerabilities, generate AI-assisted remediation actions powered by IBM watsonx.ai, and apply patches or version upgrades across supported operating systems, web servers such as Apache Tomcat, and container environments.
- Proactive vulnerability alerts that identify vulnerable packages early in the development lifecycle and notify developers through GitHub pull requests.
- Automated ticket creation using automation rules when Concert identifies high-priority CVEs or exposures.
- IDE-based remediation capabilities that enable developers to remediate code vulnerabilities and upgrade vulnerable dependencies in Visual Studio Code (VS Code) using AI-generated recommendations.
The Vulnerability dimension supports applications that are automatically discovered from source code repositories and consolidates vulnerability insights across shared repositories, build artifacts, and runtime environments by using correlated scan and package metadata. Vulnerability data can be uploaded manually or imported by using Concert Workflows to support automated ingestion pipelines. Vulnerability visibility is based on scan data associated with repositories, build artifacts, and environments, and reflects the current state of those artifacts in Concert. Changes to application associations alone do not remove vulnerability findings unless the related artifacts and their scan data are explicitly cleaned up.
Concert identifies vulnerabilities reported against a container image, source repository, or runtime virtual machine (VM). Details of a CVE can be looked up in public databases, but the specific details of a non-CVE exposure or security issue are not publicly available: only the generic classification of the exposure type is public, not the specific finding.
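To make the scoping rule concrete (findings belong to scanned artifacts, not to the application association; CVE and non-CVE findings are prioritized together by severity and a risk-score setting), here is a small Python model. It is an added illustration written for this page, not Concert code and not its API: the `Inventory` class, the `ARTIFACT_WEIGHT` setting, the artifact names and the `CVE-0000-*` identifiers are all constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Finding:
    """One scanner result. finding_id is a CVE id or, for a non-CVE exposure,
    only the generic exposure class (the specific detail is not public)."""
    finding_id: str
    artifact: str
    severity: float  # CVSS-style base score, 0-10 (constructed values)

    @property
    def is_cve(self) -> bool:
        return self.finding_id.startswith("CVE-")


# Hypothetical risk-score setting (an assumption for this example): weight a
# finding by the kind of artifact it was found on. A running VM is reachable
# now, so it outranks a build image, which outranks source in a repository.
ARTIFACT_WEIGHT = {"vm": 1.0, "image": 0.9, "repo": 0.6}


@dataclass
class Inventory:
    """Scan data is keyed by artifact; applications only point at artifacts."""
    scans: dict = field(default_factory=dict)  # artifact -> set[Finding]
    kinds: dict = field(default_factory=dict)  # artifact -> "repo" | "image" | "vm"
    apps: dict = field(default_factory=dict)   # application -> set[artifact]

    def ingest_scan(self, artifact, kind, findings):
        self.kinds[artifact] = kind
        self.scans.setdefault(artifact, set()).update(findings)

    def associate(self, app, artifact):
        self.apps.setdefault(app, set()).add(artifact)

    def disassociate(self, app, artifact):
        # Changes the application view only; the artifact and its scan data stay.
        self.apps.get(app, set()).discard(artifact)

    def cleanup_artifact(self, artifact):
        # Explicit cleanup of the artifact and its scan data removes the findings.
        self.scans.pop(artifact, None)
        self.kinds.pop(artifact, None)
        for artifacts in self.apps.values():
            artifacts.discard(artifact)

    def all_findings(self):
        return {f for fs in self.scans.values() for f in fs}

    def findings_for_app(self, app):
        return {f for a in self.apps.get(app, ()) for f in self.scans.get(a, ())}

    def prioritized(self, app):
        # Highest (severity x artifact weight) first; CVE and non-CVE ranked alike.
        return sorted(
            self.findings_for_app(app),
            key=lambda f: f.severity * ARTIFACT_WEIGHT[self.kinds[f.artifact]],
            reverse=True,
        )


def build_example():
    """Constructed sample data: one app backed by a repo, an image and a VM."""
    inv = Inventory()
    repo, image, vm = "git://example/payments", "registry/payments@sha256:placeholder", "vm-prod-01"
    inv.ingest_scan(repo, "repo", {
        Finding("CVE-0000-0001", repo, 9.8),                     # placeholder CVE id
        Finding("EXPOSURE:hardcoded-credential", repo, 7.5),    # non-CVE: class only
    })
    inv.ingest_scan(image, "image", {Finding("CVE-0000-0002", image, 8.1)})
    inv.ingest_scan(vm, "vm", {Finding("CVE-0000-0003", vm, 7.0)})
    for artifact in (repo, image, vm):
        inv.associate("payments", artifact)
    return inv


if __name__ == "__main__":
    inv = build_example()
    for f in inv.prioritized("payments"):
        print(f"{'CVE' if f.is_cve else 'exposure':8} {f.finding_id:35} {f.artifact}")
    inv.disassociate("payments", "vm-prod-01")
    print("after disassociate, findings still held:", len(inv.all_findings()))
    inv.cleanup_artifact("vm-prod-01")
    print("after artifact cleanup, findings held:", len(inv.all_findings()))
```

Run as a script it prints the ranked list for the `payments` application, then shows that removing the VM from the application leaves its finding in the inventory (it is still attached to the scanned artifact), and that only cleaning up the artifact and its scan data removes it.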
Refer to the topics in this section to learn how to detect, prioritize, remediate, and automate vulnerability management workflows across your development and runtime environments.