Diagnostic Questions

Before revealing the investigation path:

  1. Trivy reports CVE-2026-1234 as CRITICAL in libcurl 8.5.0. The pipeline policy blocks on CRITICAL findings. Should you immediately add a scanner exception to unblock the deploy, or investigate further first?

  2. dpkg -l inside the running container shows libcurl4 8.5.0-2+deb12u2 (the fixed version), but Trivy reports 8.5.0-2 (the vulnerable version). What could cause the scanner to see a different version than what is actually installed?

  3. The CI pipeline caches base images in an internal registry. How does a stale base image cache contribute to scanner false positives in multi-layer Docker images?

  4. The CVE affects HTTP/2 PUSH processing, and the application only uses HTTP/1.1. Even if the vulnerability were real, would this service be exploitable? How should exploitability factor into the security gate decision?

  5. How would you design a pipeline that balances security scanning accuracy with deployment velocity? What mechanisms prevent false positives from blocking real bug fixes?