
Symptoms: Container Image Vuln Scanner False Positive, Blocks Deploy Pipeline

Domains: security | devops_tooling | kubernetes_ops
Level: L2
Estimated time: 30-45 min

Initial Alert

CI/CD pipeline notification at 14:20 UTC:

:x: Deploy BLOCKED — notification-service v3.8.1
Stage: security-scan
Scanner: Trivy
Findings: 1 CRITICAL vulnerability
CVE: CVE-2026-1234 — Remote Code Execution in libcurl 8.5.0
Policy: CRITICAL findings block deployment

Observable Symptoms

  • The CI/CD pipeline is blocked at the security scanning stage. No deployments can proceed.
  • Trivy reports CVE-2026-1234 (CRITICAL, CVSS 9.8) in libcurl 8.5.0 inside the container image.
  • The same CVE blocks all 6 services in the deployment pipeline — they all use the same base image.
  • Production is running v3.7.0 (deployed 2 days ago) and is healthy, but the team needs to deploy v3.8.1 with an important bug fix.
  • The engineering team is pressuring the security team to add an exception.
  • The National Vulnerability Database (NVD) entry for CVE-2026-1234 was published 4 hours ago.

The Misleading Signal

A CRITICAL CVE blocking the deploy pipeline looks like a legitimate security gate doing its job. The security team's instinct is to assess the CVE, determine if the application is affected, and either patch the vulnerability or approve an exception. The engineering team sees it as a security team bottleneck. Neither side questions whether the scanner result is actually accurate.
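The point of the scenario is that a blocking finding should be checked for scanner accuracy before anyone argues about patching or exceptions. The following Python helper, added here as an illustration and not part of the original exercise or of Trivy itself, parses a Trivy JSON report and marks each gating finding with the reasons it deserves a second look before the CVE is treated as confirmed. The report below is constructed for this example: the field names match Trivy's JSON schema, the CVE, package, version and severity come from the alert above, and the PublishedDate, the registry name and the second (MEDIUM) finding are made up. The optional affected-version range passed to triage() is a hypothetical value a reviewer would take from the vendor advisory; it is not something Trivy reports.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed Trivy JSON report. Field names follow Trivy's real schema; the
# values echo the page's alert except for the made-up dates, registry name and
# the second finding.
SAMPLE_REPORT = json.loads(r'''
{
  "ArtifactName": "registry.example.internal/notification-service:v3.8.1",
  "Results": [
    {
      "Target": "notification-service:v3.8.1 (os packages)",
      "Class": "os-pkgs",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2026-1234",
          "PkgName": "libcurl",
          "InstalledVersion": "8.5.0",
          "FixedVersion": "",
          "Severity": "CRITICAL",
          "Title": "Remote Code Execution in libcurl",
          "PublishedDate": "2026-03-14T10:20:00Z"
        },
        {
          "VulnerabilityID": "CVE-EXAMPLE-0001",
          "PkgName": "zlib",
          "InstalledVersion": "1.2.13",
          "FixedVersion": "1.3",
          "Severity": "MEDIUM",
          "Title": "constructed medium finding",
          "PublishedDate": "2025-01-01T00:00:00Z"
        }
      ]
    }
  ]
}
''')

# 14:20 UTC is the alert time from the page; the date is assumed.
SCAN_TIME = datetime(2026, 3, 14, 14, 20, tzinfo=timezone.utc)
# Advisory data younger than this is treated as "may still be incomplete".
FRESH_ADVISORY = timedelta(hours=24)


def parse_version(v):
    """Turn '8.5.0' (or '8.5.0-2') into (8, 5, 0) so versions compare numerically."""
    return tuple(int(p) for p in v.split("-")[0].split(".") if p.isdigit())


def findings(report, severities=("CRITICAL",)):
    """Flatten a Trivy JSON report into the findings that match the gate policy."""
    out = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") in severities:
                out.append(vuln)
    return out


def triage(vuln, scan_time, affected_range=None):
    """
    Decide whether a blocking finding goes straight to CVE assessment or is
    first checked for scanner accuracy. affected_range is an optional
    (first_affected, first_fixed) pair read from the vendor advisory by a human.
    """
    reasons = []
    published = datetime.fromisoformat(vuln["PublishedDate"].replace("Z", "+00:00"))
    if scan_time - published < FRESH_ADVISORY:
        reasons.append("nvd_entry_younger_than_24h")      # data may be incomplete or wrong
    if not vuln.get("FixedVersion"):
        reasons.append("no_fixed_version_in_scanner_db")  # scanner has no fix data yet
    in_range = None
    if affected_range:
        low, high = (parse_version(x) for x in affected_range)
        in_range = low <= parse_version(vuln["InstalledVersion"]) < high
        if not in_range:
            reasons.append("installed_version_outside_advisory_range")
    return {
        "cve": vuln["VulnerabilityID"],
        "package": f'{vuln["PkgName"]} {vuln["InstalledVersion"]}',
        "installed_in_affected_range": in_range,
        "action": "verify_scanner_result" if reasons else "assess_cve",
        "reasons": reasons,
    }


if __name__ == "__main__":
    for vuln in findings(SAMPLE_REPORT):
        print(json.dumps(triage(vuln, SCAN_TIME), indent=2))
```

Run against the constructed report, the single CRITICAL finding comes back as verify_scanner_result with two reasons: the NVD entry is only four hours old and the scanner database carries no fixed version. Supplying an advisory range turns the installed-version check into a concrete true/false, which is the question both teams in the scenario skipped.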