Security analysts and system engineers need to quickly assess the potential impact of Common Vulnerabilities and Exposures (CVEs) on diverse local systems (Windows, macOS, Linux) without exposing host data or credentials.
Existing CVE scanners lack contextual awareness of system architecture and do not leverage modern AI reasoning. Traditional tools also persist sensitive configuration data, creating long-term security risks.
I propose a secure, ephemeral “CVE‐Checker Shell” — a command‐line tool that launches a temporary containerised runtime to perform AI-assisted CVE impact analysis.
The shell initialises with short-lived authentication tokens (≤ 8 hours) and dynamically installs approved AI model clients (e.g., OpenAI, Anthropic) inside the container. Once execution completes, the container and all secrets are destroyed, leaving no footprint on the host.
- CLI authenticates via enterprise SSO and requests a time-bound JWT or Vault token encoding user role and permissions.
- The controller script collects system metadata (OS, CPU, packages) on the local host and mounts it read-only into the container as JSON.
- The container runs the AI analysis pipeline:
  - Parses host data
  - Queries configured AI providers for vulnerability context
  - Generates a prioritised CVE impact report
- Upon exit, all runtime artefacts, credentials, and network connections are destroyed.
- Controller CLI: Handles auth, container lifecycle, token TTL, logging.
- Ephemeral Container: Sandboxed Python/Rust runtime with model adapters and CVE logic.
- Role Policy Engine: Defines permissions per role (e.g., admin, analyst).
- Secrets Backend: Issues expiring tokens and revokes access on logout or TTL expiry.
- Isolation: Containerised runtime (Docker/Podman) with no host persistence (`--rm`).
- Token Lifespan: Max 8 h TTL; revocable on demand.
- Role-Based Access: Tokens encode role; container validates signature and policy before execution.
- Network Control: Outbound traffic limited to approved AI API endpoints.
- Zero Trust: No implicit trust in host or container; each run is independently authenticated.
- Eliminates persistent secrets and local installs.
- Enables cross-platform CVE context analysis tailored to system architecture.
- Enforces reproducible, auditable sessions aligned with enterprise compliance.
- Extensible to support offline or on-prem LLMs for air-gapped environments.
- Integrate with HashiCorp Vault or AWS STS for federated token issuance.
- Add Rust backend for lower latency and improved concurrency.
- Extend to digital-twin telemetry for Software-Defined Vehicle (SDV) environments.
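The token lifespan and role-based access controls listed above (the container validates signature and policy before execution, with an 8-hour maximum TTL) could be enforced as in the following added example, which is not CveToad's own code. It assumes an HS256-signed JWT carrying `role`, `iat` and `exp` claims; the `POLICY` action names and the `mint` helper are hypothetical.

```python
import base64, hashlib, hmac, json, time

MAX_TTL = 8 * 3600  # the page's ceiling: a token may live at most 8 hours
# Role names are from the page; the action names are hypothetical.
POLICY = {"admin": {"scan", "report", "configure"}, "analyst": {"scan", "report"}}

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def mint(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a constructed sample token; stands in for the secrets backend."""
    head = _b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def authorize(token: str, key: bytes, action: str, now=None) -> dict:
    """Return the claims if the token allows `action`, else raise PermissionError."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, given = json.loads(_b64d(head)), _b64d(sig)
    except ValueError:
        raise PermissionError("malformed token") from None
    # Pin the algorithm so the header cannot downgrade verification (e.g. "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise PermissionError("unexpected algorithm")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, given):  # constant-time comparison
        raise PermissionError("bad signature")
    claims = json.loads(_b64d(body))  # parsed only after the signature checks out
    iat, exp = claims.get("iat"), claims.get("exp")
    if not all(isinstance(v, (int, float)) for v in (iat, exp)):
        raise PermissionError("missing iat/exp")
    if not iat <= now < exp:
        raise PermissionError("token expired or not yet valid")
    if exp - iat > MAX_TTL:  # reject long-lived tokens even if correctly signed
        raise PermissionError("TTL exceeds 8 hours")
    if action not in POLICY.get(claims.get("role"), set()):
        raise PermissionError("role not permitted for this action")
    return claims
```

A deployment that takes tokens from an SSO provider would more likely verify an asymmetric signature with a maintained JWT library; the checks and their order stay the same.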
CVE Impact Predictor combines ephemeral compute, AI reasoning, and strict tokenised authentication to deliver secure, context-aware vulnerability impact analysis. It embodies Amazon’s principles of security by default, least privilege, and short-lived trust, while showcasing modular extensibility for next-generation intelligent security tooling.
“CveToad” is a localized, authenticated and containerised open-source AI-workflow application, additionally secured by secret managers, short-lived session tokens for container shells with hard memory limits, and role-based environment configs. The use case is to help you pin down CVE impact on your system whilst incrementally building user-specific CVE context.
The concept is to incrementally feed it the right context to optimise how accurately it predicts individual CVSS vector elements (specific to the CVSS version & CVE’s age/create-date).
- the CVSS-v4 specification document (first.org/cvss/v4-0/specification-document) as an automatable base-layer pre-process context,
- sys.info context (including rpm-tree data) about the user OS-instance (from outside the shell) to specify system-specific CVE impact details,
- identify useful pkg-attributes like vendor, maintainer, rpm name (product name), dependencies (parent/child packages), etc., from pagure.io/fedora-packages-static … and so on.
- NVD (NIST): nvd.nist.gov
- Red Hat API: docs.redhat.com/en/documentation/red_hat_security_data_api/1.0
- Debian: security-tracker.debian.org
- SUSE: suse.com/support/security
- Amazon Linux: explore.alas.aws.amazon.com
- Fedora (script to pull all package names and metadata): pagure.io/fedora-packages-static
- OSV.dev: github.com/google/osv.dev
- My (Keerthana's) CVE user story: github.com/keerthanap8898/CveToad/tree/main/CVE-Consumer_User-Story.md
- CVE user-story description: github.com/keerthanap8898/CveToad/blob/main/CVE-user-story_Description.md
- CVE Meta-data Framework Table image: github.com/keerthanap8898/CveToad/blob/main/Resources/Images/CVE_Meta-data_Framework_Table.jpg
Copyright Ⓒ 2025 Keerthana Purushotham. Licensed under the GNU AGPL v3. See LICENSE for details.