Prioritizing Vulnerabilities Using Runtime Dashboard

This guide walks you through using the Vulnerability Prioritization Dashboard to identify, filter, and prioritize vulnerabilities across your running container images. The dashboard combines data from JFrog Xray, Advanced Security Contextual Analysis, and Runtime sensors to help you focus remediation on the CVEs that matter most.

Before You Begin

  • At least one cluster must be connected with a running controller.
  • Automatic Security Scanning should be enabled with SCA and Vulnerabilities Contextual Analysis for complete dashboard data.
  • For the Validated in Runtime funnel stage, Runtime Impact (Controller + Sensors) must be deployed.

Step 1: Assess Your Environment Using the Prioritization Funnel

The funnel is the dashboard's primary tool for narrowing thousands of CVEs to the most actionable subset.

  1. Navigate to the Vulnerability Prioritization Dashboard.
  2. Review each funnel stage from top to bottom:
    • All Vulnerabilities — The total number of distinct CVEs detected across all scanned running images. A high number is expected — this is your starting point.
    • Critical & High — How many of those CVEs are rated Critical or High severity. This is the first significant reduction.
    • Applicable — How many Critical & High CVEs are confirmed exploitable by Contextual Analysis. This typically eliminates a large portion of alerts that do not impact your code.
    • With Fix Version — How many applicable CVEs have a known fix available. These are your most actionable items.
    • Validated in Runtime — How many fixable, applicable CVEs are confirmed as actively loaded or executed. These are your highest-priority items — real threats running in production.
  3. Focus your remediation efforts starting from the bottom of the funnel (Validated in Runtime) and work upward.

Step 2: Investigate Specific CVEs in the Vulnerability Table

The vulnerability table lists individual CVEs with detailed information to help you triage and plan remediation.

  1. Below the funnel, review the Vulnerability Table.

  2. Each row shows:

    • CVE ID and Xray ID — Standard CVE identifier and JFrog's internal identifier.
    • Severity — CVSS-based severity (Critical, High, Medium, Low, Unknown).
    • CVSS v3 Score — Numeric score for precise ranking.
    • JFrog Research Severity — JFrog Security Research's independent assessment, reflecting real-world exploitability. This may differ from the standard CVSS score.
    • Contextual Analysis Status — Whether the CVE is applicable, not_applicable, undetermined, or another status.
    • Fix Version — Whether a fix exists and which version resolves the issue.
    • Validated in Runtime — Whether Runtime sensors confirmed the vulnerable code is actively loaded.
    • Component — The affected software package(s).
    • Related Images — Number of running images affected by this CVE.
  3. Click on any column header to sort the table. The default sort order prioritizes by CVSS v3 score (descending), then severity, then runtime validation status.

Step 3: Filter to Focus on What Matters

Use the table's filters to narrow results based on your current priorities.

Filter by severity:

  • Select Critical and High to focus on the most severe vulnerabilities first.

Filter by contextual analysis:

  • Select Applicable to show only vulnerabilities confirmed exploitable in your environment. This eliminates noise from CVEs that exist in dependencies but cannot be reached through your code paths.

Filter by fix availability:

  • Enable the Fix Version filter to show only CVEs with an available fix, making your results directly actionable.

Filter by runtime validation:

  • Enable Validated in Runtime to show only CVEs where the vulnerable code is confirmed as actively loaded by a running process. These represent the highest-risk items.

Search by CVE ID:

  • Enter a full or partial CVE ID (e.g., CVE-2024-21626 or just 2024-21626) to quickly locate a specific vulnerability.

Filter by JFrog Research Severity:

  • Use this filter when you want to prioritize based on JFrog's independent exploitability assessment rather than standard CVSS scores.

Step 4: Assess Blast Radius Using Related Images

Understanding how widely a vulnerability is deployed is critical for prioritization. A CVE affecting a single non-critical workload is less urgent than one present in images running across multiple production clusters.

  1. In the vulnerability table, look at the Related Images count for a CVE.
  2. Click on the count or select the vulnerability to view the full list of affected images.
  3. For each related image, you can see:
    • Image name and tag
    • Architecture (e.g., amd64, arm64)
    • Registry the image was pulled from
    • SHA256 digest
  4. Use the optional image name filter to search for a specific image within the related images list.
  5. Prioritize CVEs that affect images deployed across multiple critical clusters or workloads.
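The funnel stages (Step 1), the table's default sort order (Step 2), the four main filters (Step 3) and the blast-radius ordering (Step 4) can be expressed as a small model over CVE records. The following is an added example written for this guide, not JFrog code or a JFrog API; the records and their values are constructed, and only the column names mirror the dashboard.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample records (not real scan data); field names mirror the
# dashboard columns described above.
@dataclass
class Cve:
    cve_id: str
    severity: str                 # Critical, High, Medium, Low, Unknown
    cvss_v3: float
    applicability: str            # applicable, not_applicable, undetermined
    fix_version: Optional[str]    # None when no fix is known
    validated_in_runtime: bool    # True when sensors saw the code loaded
    related_images: int           # number of running images affected

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Unknown": 0}

SAMPLE = [
    Cve("CVE-2024-0001", "Critical", 9.8, "applicable", "1.2.3", True, 12),
    Cve("CVE-2024-0002", "High", 8.1, "applicable", None, True, 3),
    Cve("CVE-2024-0003", "High", 7.5, "not_applicable", "2.0.0", False, 40),
    Cve("CVE-2024-0004", "Critical", 9.1, "applicable", "4.4.1", True, 7),
    Cve("CVE-2024-0005", "Medium", 5.3, "applicable", "0.9.9", True, 2),
    Cve("CVE-2024-0006", "High", 8.1, "undetermined", "3.1.0", False, 1),
]

def is_critical_or_high(c): return c.severity in ("Critical", "High")
def is_applicable(c):       return c.applicability == "applicable"
def has_fix(c):             return c.fix_version is not None
def in_runtime(c):          return c.validated_in_runtime

def funnel(cves):
    """Cumulative count at each funnel stage, top to bottom; each stage
    keeps only records that passed every stage above it."""
    counts, stage = {}, list(cves)
    counts["All Vulnerabilities"] = len(stage)
    for name, keep in (("Critical & High", is_critical_or_high),
                       ("Applicable", is_applicable),
                       ("With Fix Version", has_fix),
                       ("Validated in Runtime", in_runtime)):
        stage = [c for c in stage if keep(c)]
        counts[name] = len(stage)
    return counts

def default_sort(cves):
    """Table default: CVSS v3 descending, then severity, then runtime validation."""
    return sorted(cves, key=lambda c: (-c.cvss_v3, -SEVERITY_RANK[c.severity],
                                       not c.validated_in_runtime))

def remediation_queue(cves):
    """Bottom of the funnel (all four Step 3 filters on), widest blast radius first."""
    bottom = [c for c in cves if is_critical_or_high(c) and is_applicable(c)
              and has_fix(c) and in_runtime(c)]
    return sorted(bottom, key=lambda c: (-c.related_images, -c.cvss_v3))
```

On the sample data the funnel narrows 6 CVEs to 2, and the queue orders those two by how many running images they touch rather than by CVSS alone.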

Step 5: Monitor Trends Over Time

The Running Images Trend Chart helps you track whether your vulnerability posture is improving or degrading.

  1. Review the 30-day trend chart at the top of the dashboard.
  2. Key things to watch for:
    • Rising unscanned count — New images may be deployed without scan coverage. Check that Automatic Security Scanning is enabled for all clusters.
    • Increasing vulnerability counts — New CVE disclosures or new deployments may be introducing risk. Cross-reference with recent deployment activity.
    • Improving trends — Decreasing vulnerability counts indicate your remediation efforts are having an impact.

Step 6: Review Live Assessment Highlights

The highlights widget surfaces the most critical findings that may require immediate attention.

  • Malicious Packages — If any count is non-zero, investigate immediately. These are packages identified as harmful by JFrog's automated scanners and research team. Navigate to the affected images in Runtime > Live Assessment > Images to identify which workloads are affected.
  • Critical & Applicable CVEs — These are the CVEs most likely to be exploited. Review the affected image count to understand the scope.
  • Integrity Violations — These indicate that a running binary does not match its source artifact in Artifactory, which could signal tampering or images pulled from untrusted registries. Investigate using the Untrusted Registry and Integrity Violation filters in Live Assessment.

Putting It All Together: A Recommended Workflow

  1. Check Runtime Status — Ensure scan status is scanned and installation status is full for maximum dashboard coverage.
  2. Start with highlights — Address any malicious packages or integrity violations first, as these represent the most immediate threats.
  3. Work the funnel bottom-up — Focus on "Validated in Runtime" vulnerabilities first, then "With Fix Version", then "Applicable".
  4. Assess blast radius — For each high-priority CVE, check how many images and workloads are affected to determine the scope of remediation.
  5. Filter and assign — Use table filters to create focused lists for different teams (e.g., all Critical + Applicable CVEs for a specific component).
  6. Track progress — Use the trend chart to verify that remediation efforts are reducing vulnerability counts over time.