Use when asked to scan for vulnerabilities and create tickets, triage security findings into Jira or ADO work items, or turn a vulnerability scan into actionable backlog items.
Scan for vulnerabilities across dependency CVEs, SonarQube, and SDElements, then create prioritized Jira or Azure DevOps tickets for actionable findings.
Step 1 — Scan all vulnerability sources.
pncli deps frisk
pncli sonar issues --types VULNERABILITY --statuses OPEN --branch <branch-name>
pncli sonar hotspots --status TO_REVIEW --branch <branch-name>
Use pncli git branch to get the current branch name. Optionally pull SDElements threats with pncli sde threats --project <id> for business-context severity.
Step 2 — Triage by severity.
Consolidate all findings into a prioritized list: critical CVEs and blocker-severity SonarQube issues first, then high, then medium. Drop low/info findings unless explicitly requested.
Step 3 — Create tickets for each actionable finding.
Detect provider: run git remote -v. If a URL contains /_git/ → Azure DevOps. If /scm/ → Bitbucket.
For each critical or high finding:
pncli jira create-issue --project <key> --type Bug --summary "Security: <description>" --description "<source, severity, component, CVE or rule key>" --priority <High|Critical> --labels security,vulnerability-scan
pncli ado work create --type Bug --title "Security: <description>" --description "<details>" --priority <1|2>
Link related findings:
pncli jira link-issue --key <new> --link-type "relates to" --target <related>
pncli ado work link --id <new-id> --to <related-id> --type related
Step 4 — Post summary.
If a PR is open, add a comment summarizing the triage:
pncli bitbucket add-comment --pr <id> --body "Vulnerability triage: <N> findings, <M> tickets created."
pncli ado repo add-comment --pr <id> --body "Vulnerability triage: <N> findings, <M> tickets created."
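The Step 2 ranking and the Step 3 provider rule and ticket fields, as an added Python example that is not part of the pncli skill: the per-source severity words, the severity-to-priority mapping, and the sample findings are assumptions, and pncli itself is not called.

```python
"""Added example, not part of the pncli skill: the Step 2 ranking and the
Step 3 provider rule and ticket fields. Severity words and the priority
mapping are assumptions; pncli itself is not invoked here."""
# Lower rank = more urgent; critical CVEs and BLOCKER SonarQube issues share rank 0.
RANK = {"critical": 0, "blocker": 0, "high": 1, "major": 1, "medium": 2,
        "minor": 3, "low": 3, "info": 4}
JIRA_PRIORITY = {0: "Critical", 1: "High"}  # assumed --priority <High|Critical>
ADO_PRIORITY = {0: 1, 1: 2}                 # assumed --priority <1|2>
SAMPLE_FINDINGS = [  # constructed sample, not real scan output
    {"source": "deps", "severity": "medium", "component": "example-lib@1.2.3",
     "ref": "CVE-0000-PLACEHOLDER-1", "description": "weak default cipher"},
    {"source": "sonar", "severity": "BLOCKER", "component": "src/auth.py",
     "ref": "rule:EXAMPLE-1", "description": "hard-coded credential"},
    {"source": "deps", "severity": "critical", "component": "example-parser@0.9.0",
     "ref": "CVE-0000-PLACEHOLDER-2", "description": "unsafe deserialization"},
    {"source": "sonar", "severity": "INFO", "component": "src/util.py",
     "ref": "rule:EXAMPLE-2", "description": "commented-out code"},
    {"source": "sde", "severity": "high", "component": "payments service",
     "ref": "threat:EXAMPLE-3", "description": "no rate limit on payment endpoint"},
]

def detect_provider(remote_v_output):
    """Step 3 rule applied to the text printed by `git remote -v`."""
    if "/_git/" in remote_v_output:
        return "ado"
    if "/scm/" in remote_v_output:
        return "bitbucket"
    return "unknown"

def triage(findings):
    """Step 2: one prioritized list, stable within a rank; low/info dropped."""
    ranked = sorted(((RANK[f["severity"].lower()], f) for f in findings), key=lambda p: p[0])
    return [f for r, f in ranked if r <= 2]

def ticket_fields(finding, provider):
    """Step 3: summary, description, priority (and Jira labels) for one ticket."""
    rank = RANK[finding["severity"].lower()]
    desc = ", ".join(f"{k}: {finding[k]}" for k in ("source", "severity", "component", "ref"))
    fields = {"summary": f"Security: {finding['description']}", "description": desc}
    if provider == "ado":
        fields["priority"] = ADO_PRIORITY[rank]
    else:  # Jira; assumed to also cover Bitbucket and unknown remotes
        fields["priority"] = JIRA_PRIORITY[rank]
        fields["labels"] = "security,vulnerability-scan"
    return fields

def tickets_for(findings, provider):
    """Tickets only for critical/high findings (rank <= 1), in triage order."""
    return [ticket_fields(f, provider) for f in triage(findings)
            if RANK[f["severity"].lower()] <= 1]
```

The medium finding stays on the triage list but gets no ticket, and the INFO finding is dropped entirely, which is the split between Step 2 and Step 3 the skill describes.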