Common Vulnerabilities and Exposures 101

Vulnerabilities are weaknesses in software that attackers can exploit to gain unauthorized access to systems or data. As software and threat landscapes evolve, new vulnerabilities are discovered frequently by security researchers.

This guide explains the role of Common Vulnerabilities and Exposures (CVEs) in secure development, particularly in the context of Game Warden and Department of Defense (DoD) environments. It also describes how Game Warden streamlines CVE management to support compliance with Authority to Operate (ATO) and software authorization requirements to enable faster, more secure deployment to production.


CVEs in DoD environments

CVEs are critical to manage within DoD systems for several reasons:

  • Awareness: CVEs provide a standardized way to identify and track known software vulnerabilities.
  • Risk prioritization: CVEs allow DoD teams to focus on the most serious vulnerabilities first.
  • System compatibility: Visibility into CVEs helps ensure interconnected systems remain secure.
  • Regulatory compliance: CVEs support alignment with required cybersecurity frameworks.
  • Risk mitigation: Structured CVE tracking improves risk management across mission-critical systems.
  • Collaboration: CVEs are globally recognized, supporting coordination between DoD, industry, and allies.

Reducing CVEs is a security best practice—and a strict requirement when deploying to DoD environments.

Info

CVEs are scored using the Common Vulnerability Scoring System (CVSS) and listed in a global directory maintained by MITRE. CVEs are analyzed by NIST and published on several public registries.


CVEs and Game Warden

During onboarding, Game Warden scans your application containers for CVEs. These results are accessible through Findings, a CVE management tool built into the Game Warden web app. Use it to:

  • Review CVE details and severity levels
  • Apply remediation or submit justifications
  • Request a security review within the platform

After deployment, Game Warden performs scans to ensure your containers remain secure and compliant with the Acceptance Baseline Criteria. Any new vulnerabilities must be resolved or justified within the required timelines.

Warning

Failure to remediate or justify vulnerabilities within the required SLAs may result in deployment delays or noncompliance status.


Findings overview

The Findings page provides an aggregated view of all CVEs detected across your Development (DEV), Staging (STG), and Production (PRD) environments. Use it to view, resolve, or justify CVEs, address Anchore compliance results, and review security team responses to your proposed resolutions.


Free scanning tools: Trivy and Grype

Game Warden’s scanning pipelines use the enterprise version of Anchore and open-source Trivy to analyze containers. You can run the free tools locally (Trivy, and Grype, Anchore’s open-source scanner) to preview your CVE posture before submission.

  • Anchore defines policy rules aligned with NIST 800-53 and DoD standards.
  • Trivy offers fast, lightweight container scanning.
  • Grype offers fast scanning of container images and filesystems to find known vulnerabilities in operating system and language-specific packages.
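As an added example (not Game Warden’s or Second Front’s own code), the Python script below triages a local Trivy or Grype JSON report the way the Findings workflow expects: findings with a vendor fix are remediation candidates, critical/high findings with no fix need a justification and mitigation (the post-deployment rule later on this page), and the rest are tracked. The sample report is constructed with placeholder CVE IDs; the field names follow the JSON layouts Trivy and Grype emit.

```python
"""Triage a local Trivy or Grype JSON report: CVEs with a vendor fix are
remediation candidates; critical/high CVEs with no fix need a justification."""
import json

# Constructed sample in Trivy's JSON layout (placeholder IDs, not real scan output).
SAMPLE_TRIVY = {
    "SchemaVersion": 2, "ArtifactName": "example-app:1.0",
    "Results": [{"Target": "example-app:1.0 (debian 12)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
         "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
         "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz",
         "InstalledVersion": "0.9", "FixedVersion": "", "Severity": "LOW"}]}]}

def normalize(report: dict) -> list:
    """Flatten a Trivy (Results/Vulnerabilities) or Grype (matches) report into uniform records."""
    rows = []
    if "Results" in report:  # Trivy layout
        for result in report["Results"]:
            for v in result.get("Vulnerabilities") or []:
                rows.append({"id": v["VulnerabilityID"], "pkg": v["PkgName"],
                             "installed": v.get("InstalledVersion", ""),
                             "fix": v.get("FixedVersion") or "",
                             "severity": v["Severity"].upper()})
    elif "matches" in report:  # Grype layout
        for m in report["matches"]:
            vuln, art = m["vulnerability"], m["artifact"]
            fix = ",".join((vuln.get("fix") or {}).get("versions") or [])
            rows.append({"id": vuln["id"], "pkg": art["name"],
                         "installed": art.get("version", ""), "fix": fix,
                         "severity": vuln["severity"].upper()})
    return rows

def triage(report: dict) -> dict:
    """Bucket findings: 'remediate' (fix available), 'justify' (critical/high
    with no fix, per the post-deployment rule) or 'track' (lower severity, no fix)."""
    buckets = {"remediate": [], "justify": [], "track": []}
    for r in normalize(report):
        if r["fix"]:
            buckets["remediate"].append(r["id"])
        elif r["severity"] in ("CRITICAL", "HIGH"):
            buckets["justify"].append(r["id"])
        else:
            buckets["track"].append(r["id"])
    return buckets

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_TRIVY), indent=2))
```

To run it against a real local scan, load the output of `trivy image -f json <image>` or `grype <image> -o json` with `json.load` and pass the resulting dict to `triage`.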

Anchore compliance justifications

Anchore also detects DoD compliance issues based on NIST 800-53 policies. These findings are treated similarly to CVEs and must be resolved or justified.

Severity levels:

  • Go – OK to proceed (Low severity)
  • Warn – Warning (Medium severity)
  • Stop – Critical finding; blocks deployment (High severity)

Warning

Second Front requires all vulnerabilities to be addressed unless a valid CVE statement and justification are provided.


Managing CVEs post-deployment

Applications deployed to staging or production are scanned monthly. All new vulnerabilities must be addressed within the timelines specified in Tables A and B of the Acceptance Baseline Criteria.

Note

  • If remediation isn’t possible for a critical/high vulnerability, a CVE justification and mitigation are required.
  • As the threat landscape evolves, new vulnerabilities may surface. It is essential that customers continuously update their applications and container dependencies.