
Carlo Bottaro

English.

Rel. Fulvio Giovanni Ottavio Risso, Francesco Pizzato. Politecnico di Torino, Master of science program in Computer Engineering, 2025

PDF (Tesi_di_laurea) - Thesis
License: Creative Commons Attribution Non-commercial No Derivatives.

Abstract:

This thesis presents a practical framework for automating vulnerability assessment and remediation in cloud-native environments, with a strong focus on developer-centric workflows and integration within CI/CD pipelines. It investigates the challenges posed by fragmented vulnerability data, inconsistent tooling, and the lack of actionable remediation strategies in modern software supply chains. At the core of this research is Vulnbot, a modular, CI-integrated automation agent that orchestrates vulnerability detection, prioritization, and remediation. Vulnbot supports multiple ecosystems, interfaces with scanners such as OSV-Scanner and Trivy, and automates dependency patching and pull request generation, streamlining remediation and reducing mean time to remediation (MTTR). The thesis first establishes a foundation in vulnerability databases and their relevance to cloud-native security. Second, it explores how security can be embedded into CI/CD processes using SBOMs, IaC validation, and policy-as-code. Third, it presents automated remediation strategies and best practices. Finally, it contributes the design of a novel approach, Vulnbot, for vulnerability remediation automation integrated with development workflows. Its implementation demonstrates how Vulnbot integrates with GitHub Actions, processes vulnerability advisories, and generates remediation pull requests with minimal developer intervention. The presented proof of concept offers insights into the future of automated, policy-driven DevSecOps pipelines.

Relators: Fulvio Giovanni Ottavio Risso, Francesco Pizzato
Academic year: 2025/26
Publication type: Electronic
Number of Pages: 70
Subjects:
Degree program: Master of science program in Computer Engineering
Degree class: New organization > Master science > LM-32 - COMPUTER SYSTEMS ENGINEERING
Partner companies: SYSDIG. INC.
URI: http://webthesis.biblio.polito.it/id/eprint/37629