Sorting through the fluff: Declutter and remediate container vulnerabilities with context

"At Atlassian, 99% of services deployed to production are built on containers. When implementing container scanning company wide for the first time we were faced with tens of thousands of issues being found by Snyk across the organization.

We chose to go against the grain of using CVSS scores exclusively when assigning severity to tickets and instead examined the issues in the context of their target operating systems. By utilizing the distros' relative importance provided by Snyk, we ensured any asks of our engineers were actionable and assigned an appropriate severity level that matched the prioritization needed from them.

Combining this with the process of identifying containers built on "golden" base images or services using common sidecars, we not only ensure developers can focus on issues they actually have control over, but also improve our security posture by keeping these container images and sidecars up to date across all Atlassian services."