Critical Vulnerability Escalation
arxsec-site / library/workflows/critical-vuln-escalation/README.md
Aggregates critical vulnerabilities from Wiz (and optionally Qualys), creates PagerDuty P1 incidents for immediate response, and opens Jira blocker tickets for remediation tracking.
Maturity: L3-4 (Enforced to Governed) · See the 5-level maturity model for where this workflow fits in your program.
Time Saved
Before: ~30 minutes per critical vulnerability manually triaging across scanners, paging on-call, and creating tracking tickets.
After: Automated deduplication and escalation. On-call engineers receive PagerDuty P1 alerts with full vulnerability context.
Connectors
| Connector | Operations | Risk |
|-----------|------------|------|
| Wiz | findings:read | LOW |
| Qualys | findings:read (optional) | LOW |
| PagerDuty | incidents:create | MEDIUM |
| Jira | issues:create | MEDIUM |
Overall Risk: MEDIUM -- Creates P1 PagerDuty incidents and Jira blocker tickets. No direct remediation or infrastructure changes.
How It Works
- Query Wiz for critical vulnerability findings.
- Optionally query Qualys for corroborating scan data.
- Deduplicate findings across sources by CVE ID.
- Create a PagerDuty P1 incident for each unique critical vulnerability.
- Create a Jira blocker ticket with remediation details and linked CVE data.
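The deduplication and escalation steps above, as an added Python example that is not part of the workflow's own code (`workflow.py` is not reproduced here). The findings are constructed samples with placeholder CVE IDs, not real Wiz or Qualys API output, and the incident and ticket payload shapes are assumptions rather than the real PagerDuty or Jira request formats.

```python
# Constructed sample findings (placeholder CVE IDs), not real scanner output.
WIZ_FINDINGS = [
    {"cve": "CVE-0000-0001", "severity": "CRITICAL", "asset": "web-01", "source": "wiz"},
    {"cve": "CVE-0000-0001", "severity": "CRITICAL", "asset": "web-02", "source": "wiz"},
    {"cve": "CVE-0000-0002", "severity": "HIGH", "asset": "db-01", "source": "wiz"},
]
QUALYS_FINDINGS = [
    {"cve": "cve-0000-0001", "severity": "critical", "asset": "web-01", "source": "qualys"},
    {"cve": "CVE-0000-0003", "severity": "CRITICAL", "asset": "app-07", "source": "qualys"},
]


def dedupe_by_cve(*sources, threshold=("CRITICAL",)):
    """Merge findings from all sources into one record per CVE ID.

    Returns {cve: {"severity", "sources", "assets"}} for findings at the
    configured severity threshold. Each unique CVE becomes exactly one P1
    and one Jira blocker downstream, however many scanners or assets report it.
    """
    merged = {}
    for findings in sources:
        for f in findings:
            severity = f["severity"].upper()
            if severity not in threshold:
                continue  # below the escalation threshold, do not page
            cve = f["cve"].upper()  # normalise case so Wiz and Qualys entries collide
            rec = merged.setdefault(cve, {"severity": severity, "sources": set(), "assets": set()})
            rec["sources"].add(f["source"])
            rec["assets"].add(f["asset"])
    return merged


def build_escalations(merged):
    """Produce one PagerDuty P1 payload and one Jira blocker payload per unique CVE.

    Payload fields are assumed shapes for illustration, not the real APIs.
    """
    plan = []
    for cve, rec in sorted(merged.items()):
        corroborated = len(rec["sources"]) > 1  # seen by more than one scanner
        summary = f"[P1] {cve}: critical vulnerability on {len(rec['assets'])} asset(s)"
        plan.append({
            "cve": cve,
            "pagerduty": {"urgency": "high", "title": summary},
            "jira": {"priority": "Blocker", "summary": summary,
                     "description": f"Sources: {', '.join(sorted(rec['sources']))}; "
                                    f"assets: {', '.join(sorted(rec['assets']))}; "
                                    f"corroborated: {corroborated}"},
        })
    return plan
```

The audit trail the Governance section describes would record each merged record and the resulting incident IDs and ticket keys; this example stops at building the payloads.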
ARX Governance
- Risk Classification:
  - Wiz:findings:read -- LOW -- read-only vulnerability query
  - Qualys:findings:read -- LOW -- read-only scan data query
  - PagerDuty:incidents:create -- MEDIUM -- pages on-call engineers with P1 urgency
  - Jira:issues:create -- MEDIUM -- creates blocker-priority tickets
- HITL Gate: Disabled -- ticket and incident creation are auto-approved. While P1 pages are high-impact, the workflow only fires for confirmed critical vulnerabilities where immediate escalation is the correct response.
- Policy Rules:
- PERMITTED: Reading findings from Wiz and Qualys
- PERMITTED (auto-approved): Creating PagerDuty P1 incidents for critical CVEs
- PERMITTED (auto-approved): Creating Jira blocker tickets for remediation tracking
- DENIED: Any modification to vulnerability data or scan configurations
- Audit Trail: Every CVE processed, deduplication decisions, PagerDuty incident IDs, and Jira ticket keys are logged. Full lineage from finding source to escalation action.
- Config: See `arx.yaml` for connector permissions, schedule, and severity thresholds.
Setup
Prerequisites
```bash
pip install arx
```
Environment Variables
```bash
export WIZ_CLIENT_ID="your-wiz-client-id"
export WIZ_CLIENT_SECRET="your-wiz-client-secret"
export WIZ_API_URL="https://api.wiz.io"
export PAGERDUTY_API_KEY="your-pagerduty-api-key"
export PAGERDUTY_SERVICE_ID="your-service-id"
export JIRA_URL="https://your-org.atlassian.net"
export JIRA_API_TOKEN="your-jira-api-token"
export JIRA_PROJECT_KEY="VULN"

# Optional Qualys
export QUALYS_URL="https://qualysapi.your-org.com"
export QUALYS_USERNAME="your-qualys-username"
export QUALYS_PASSWORD="your-qualys-password"
```
Run
```bash
# One-time execution
arx run workflow.py

# Register on schedule (every 2 hours)
arx register --config arx.yaml
```
Customization
- Enable or disable Qualys integration via the `qualys_enabled` flag
- Adjust CVE severity thresholds for escalation criteria
- Configure PagerDuty escalation policy and service mapping