ADR-004 Accepted 2026-07-03

ADR-004: Severity Classification and Response Matrix

Severity-driven response matrix and why OVER_PRIVILEGED_SA is alert-only.

ADR-004: Severity classification and response matrix

Context

Not every finding should be auto-remediated. The response matrix must balance speed (closing attack paths quickly) with safety (avoiding production outages from overly aggressive automation). The matrix is the core policy engine of SecureVault.

Decision

Adopt a severity-driven response matrix:

SeverityActionRationale
CRITICAL + mapped finding classAuto-remediate + immediate alertKnown, high-blast-radius misconfigurations with safe remediation paths.
CRITICAL + unmapped finding classImmediate alert only; no remediationAvoid destructive action on findings we have not modeled.
HIGHImmediate alert; no auto-remediationRequires human judgment before change.
MEDIUMLog and include in daily digestTrend analysis and hygiene tracking.
LOWLog onlyNoise reduction; available in BigQuery if needed.

Mapped auto-remediation classes in v0.1.0:

OVER_PRIVILEGED_SA is deliberately not auto-remediated. SCC’s finding identifies that a service account is over-privileged, not which specific role is excessive. A handler with no way to target the bad grant can only strip every predefined role on the account, a wider blast radius than the finding itself, on a CRITICAL-severity trigger with no human in the loop. It is treated as CRITICAL + unmapped: alert only, no remediation.

Consequences

Positive:

Negative:

Alternatives considered

AlternativeProsConsVerdict
Auto-remediate every CRITICAL findingFastest responseHigh risk of breaking production on unfamiliar findingsRejected; safety outweighs speed for unmapped findings.
Alert on everything; no remediationVery safeMisses the value of rapid closure for known misconfigurationsRejected; the project goal is automated response.
Manual triage for all findingsHuman judgmentDoes not scale; defeats automation purposeRejected.

References