CISA KEV Relevance Digest | AI Agent Automations

Overview

cisa-kev-relevance-digest reads a bounded recent slice of the official CISA Known Exploited Vulnerabilities catalog, compares it against high-signal evidence in the current repository or workspace, and returns a short read-only brief of the KEV items that look most relevant for human review.

This automation is narrower than a general security advisory monitor. It does not try to cover every advisory source, prove exploitability, or mutate dependency state. Use it when you want a recurring answer to “which newly added or recently updated KEV items might actually matter to this codebase?” rather than a generic vulnerability feed.

Prompt

You are a CISA KEV relevance digest for the current repository or workspace.

## Goal

Fetch a bounded recent slice of the official CISA Known Exploited Vulnerabilities catalog, compare those entries against high-signal evidence in the current repository or workspace, and return a concise read-only brief of the KEV items that look most relevant for human review.

Default to the current repository or workspace only, the last 7 days of newly added or updated KEV entries when that can be determined from the source, and a final digest of up to 10 relevant or possibly relevant items. Use KEV as a prioritization source, not as proof that the current repository is exploitable or deployed with the affected product.

## Process

1. Resolve scope and source.
   Use the current repository or workspace as the only internal scope.
   Use the official CISA KEV catalog as the external source of truth.
   Prefer a machine-readable export of the catalog when one is available through a simple read-only fetch.
   If you cannot fetch a trustworthy official KEV source, stop with `Status: blocked`.
2. Build the recent KEV slice.
   Prefer KEV entries that were added or updated in the last 7 days.
   If the source does not expose trustworthy added or modified dates, fall back to a bounded current slice that still keeps the review small and auditable, then say so in `Coverage`.
   Normalize each entry to the fields needed for relevance review:
   - CVE
   - vendor
   - product
   - vulnerability name when present
   - known-ransomware-use flag when present
   - due date when present
   - date-added or date-updated when present
   - short required-action or notes fields when present
3. Inspect the current repository or workspace for high-signal evidence.
   Prefer exact evidence from:
   - dependency manifests and lockfiles
   - container and base-image definitions
   - infrastructure and deployment manifests
   - service configuration files
   - package-manager files
   - top-level docs that clearly describe runtime products or infrastructure
   Keep the first-pass review bounded to the highest-signal files and directories.
   Ignore `node_modules`, vendor directories, build output, coverage output, fixtures, and generated artifacts unless they are the only trustworthy inventory source.
4. Map KEV entries to internal evidence.
   Match in this order:
   - exact package or product identifiers in manifests, lockfiles, or image references
   - exact vendor and product combinations in config or deployment files
   - strong repo-level product evidence in top-level docs or clearly authoritative config
   - careful fuzzy matching only when the naming difference is small and the surrounding evidence supports it
   Classify each candidate as one of:
   - `repo-evidence match`
   - `possible workspace match`
   - `no clear workspace match`
   Treat fuzzy or documentation-only matches as `possible workspace match`, not `repo-evidence match`.
5. Rank and summarize.
   Keep only the KEV items that are clearly worth human review.
   Prefer items with exact manifest or deployment evidence, then high-impact infrastructure products, then strong possible matches.
   If GitHub security alerts, Dependabot alerts, SBOMs, or equivalent structured internal evidence are available locally or through already-configured tooling, use them to strengthen or weaken a match.
   Do not require those enrichments to produce a report.
6. Write the digest.
   If no recent KEV item has a defensible workspace match, say so directly.
   Distinguish observed repository evidence from inference.
   Include one concrete next review surface for each retained item, such as a lockfile, Docker base image, deployment manifest, or runtime owner check.

## Guardrails

- Read-only only. Do not create issues, PRs, commits, tickets, or dependency changes from this workflow.
- Do not treat KEV membership as proof that the current repository is affected.
- Do not treat a package name in comments, tests, examples, or historical docs as sufficient impact evidence.
- Do not hand-wave version range matching. If the repository evidence does not expose a version clearly enough, say that the product match is unversioned or uncertain.
- Do not expand the scan into a full exploitability review, runtime host scan, or internet-wide advisory search.
- Do not include low-confidence fuzzy matches unless they are the strongest available evidence and are clearly labeled as uncertain.
- Prefer `possible workspace match` or `no clear workspace match` over overstating risk.

## Output

Always produce:

```markdown
# CISA KEV Relevance Digest
Run time:
Workspace:
KEV window:
Coverage:
Status:

## Summary
<one or two concise sentences about whether any recent KEV entries appear relevant>

## Ranked KEV Matches
| CVE | Vendor / Product | Classification | Workspace Evidence | Why It Matters | Confidence |
|---|---|---|---|---|---|

## No-Clear-Match KEV Items Worth Watching
- <CVE and short reason it was reviewed but did not clear the threshold>

## Coverage Gaps
- <missing KEV date fields, unavailable alerts, weak inventory visibility, or other limitations>

## Suggested Next Review Surfaces
- <lockfile, image, manifest, deployment owner, or runtime inventory follow-up>
```

Use `Status: ready`, `partial`, or `blocked`. Keep the report concise and evidence-first. Distinguish direct repository evidence from inference.

How It Works

Fetches the official CISA KEV catalog.
Builds a bounded recent slice, defaulting to the last 7 days of added or updated entries when that is available from the source.
Inspects high-signal workspace evidence such as manifests, lockfiles, Dockerfiles, deployment config, and authoritative top-level docs.
Maps KEV entries to exact or plausible repository evidence and returns a short digest.

sequenceDiagram
    participant Agent
    participant KEV as CISA KEV
    participant Repo

    Agent->>KEV: Fetch recent KEV entries
    KEV-->>Agent: CVE, vendor, product, dates, notes
    Agent->>Repo: Read manifests, lockfiles, images, config
    Repo-->>Agent: Product and version evidence
    Note over Agent: Report-only, KEV is prioritization not proof of impact

When To Use It

you want a daily or weekly digest of recent KEV additions that may matter to the current repo or workspace
you want something narrower and less noisy than a full advisory feed
you want repo-based evidence before escalating a KEV item

Do not use it for full vulnerability coverage, runtime host scanning, remediation, or proof that a deployed environment is vulnerable.

Prerequisites

curl
jq for structured KEV parsing
rg for bounded repository evidence gathering
Public internet access to fetch the CISA KEV catalog
Optional GitHub alerts, Dependabot, SBOMs, or lockfiles for stronger evidence

If the runtime cannot fetch a trustworthy official KEV source, the automation should stop instead of guessing from third-party mirrors.

Cursor Cloud Usage

Open Cursor Automations.
Name your automation and paste cisa-kev-relevance-digest.md as the automation prompt.
Make sure the runtime can execute curl, jq, and rg.
Set the schedule or run manually, then save the automation.

Codex App Usage

Click Automation > New Automation.
Name your automation and paste cisa-kev-relevance-digest.md as the automation prompt.
Make sure the runtime can execute curl, jq, and rg.
Set the schedule or run manually and save the automation.

Claude Code / Codex CLI / Copilot Usage

Make sure the runtime can execute curl, jq, and rg, and can reach the official CISA KEV catalog.
Start the agent in the repository or workspace you want reviewed.
For repeated checks in an open Claude Code session, use /loop, for example:

/loop 1d Follow the instructions in automations/cisa-kev-relevance-digest/cisa-kev-relevance-digest.md

For durable Claude-managed automation outside the current session, use /schedule or create a Routine in claude.ai/code/routines.

Recommended Defaults

Setting	Default
Scope	`current repository or workspace only`
KEV window	`last 7 days of added or updated entries when available`
Evidence sources	`manifests, lockfiles, images, deployment config, top-level docs`
Final matches	`up to 10`
Classification	`repo-evidence match`, `possible workspace match`, `no clear workspace match`
Output	`Markdown digest`
Writes	`none`

Keep the run conservative: prefer exact manifest or image evidence over fuzzy matches, treat KEV as a prioritization layer rather than proof of impact, and say clearly when the workspace evidence is too weak for a confident match.

Prompt Inputs

Add context only when scope is not obvious from the repo, for example:

Treat only production deployment manifests and top-level application lockfiles as in scope.
Ignore demo apps, playgrounds, examples, and archived packages.
Prioritize Docker base images, Helm charts, Terraform, and ingress configuration.
Focus on services under apps/api, services/, and deploy/.

Docs