Automated Results Triage
# Purpose
Scanner output is evidence, not a finding. This workflow normalizes JSONL output, deduplicates repeated observations, assigns a review priority, and creates a queue for manual confirmation.
# Paste-Ready JSONL Triage

The script accepts Nuclei JSONL and produces a stable CSV. It leaves the original source file untouched and records its SHA-256 hash beside the queue, so every row can be traced back to the exact scanner output it came from.

```bash
#!/usr/bin/env bash
set -Eeuo pipefail
umask 077
[[ $# -eq 2 ]] || { echo "Usage: $0 <nuclei.jsonl> <output-directory>"; exit 1; }
# Check dependencies before any of them is used.
for tool in jq sha256sum realpath; do
  command -v "$tool" >/dev/null 2>&1 || { echo "Missing dependency: $tool"; exit 1; }
done
INPUT="$(realpath "$1")"
OUT="$2"
[[ -s "$INPUT" ]] || { echo "Input is empty"; exit 1; }
mkdir -p "$OUT"
# Hash the untouched source file; the hash is carried into every queue row.
sha256sum "$INPUT" > "$OUT/source.sha256"
HASH="$(cut -d' ' -f1 "$OUT/source.sha256")"
{
  echo 'priority,severity,template_id,target,name,matcher,source_hash'
  # Nuclei keys that contain hyphens must be quoted in jq:
  # an unquoted .template-id parses as a subtraction, not a field access.
  jq -r --arg hash "$HASH" '
    def priority:
      if (.info.severity == "critical") then 1
      elif (.info.severity == "high") then 2
      elif (.info.severity == "medium") then 3
      elif (.info.severity == "low") then 4
      else 5 end;
    [
      priority,
      (.info.severity // "unknown"),
      (."template-id" // ""),
      (."matched-at" // .host // ""),
      (.info.name // ""),
      (."matcher-name" // ""),
      $hash
    ] | @csv
  ' "$INPUT" | sort -u   # identical observations collapse; priority 1-5 sorts first
} > "$OUT/review-queue.csv"
echo "Review queue: $OUT/review-queue.csv"
```
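The same normalization as a dependency-free Python function, added here as an example rather than part of the original workflow. It goes a step beyond the shell script: rows are deduplicated on the (template, target, matcher) key rather than on the whole line, and malformed JSONL lines are counted and skipped instead of aborting the run. The sample records and hostnames are constructed for the example.

```python
import csv
import hashlib
import io
import json

# Constructed sample: two identical observations, one record without a
# severity, and one malformed line. Hostnames are placeholders.
SAMPLE_JSONL = "\n".join([
    json.dumps({"template-id": "tls-version", "matched-at": "https://app.example.test:443",
                "info": {"severity": "low", "name": "TLS Version"}, "matcher-name": "tls10"}),
    json.dumps({"template-id": "tls-version", "matched-at": "https://app.example.test:443",
                "info": {"severity": "low", "name": "TLS Version"}, "matcher-name": "tls10"}),
    json.dumps({"template-id": "exposed-panel", "host": "https://admin.example.test",
                "info": {"name": "Admin Panel"}}),
    "{not json",
])

SEVERITY_PRIORITY = {"critical": 1, "high": 2, "medium": 3, "low": 4}

def priority(severity):
    """Map a Nuclei severity string to a review priority; anything else is 5."""
    return SEVERITY_PRIORITY.get(severity, 5)

def triage(jsonl_text):
    """Return (rows, source_hash, skipped). Rows are unique per
    (template_id, target, matcher) and sorted by priority, then severity."""
    source_hash = hashlib.sha256(jsonl_text.encode()).hexdigest()
    seen = {}
    skipped = 0
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # one bad line must not stop the whole triage run
            continue
        info = rec.get("info") or {}
        severity = info.get("severity") or "unknown"
        key = (rec.get("template-id", ""),
               rec.get("matched-at") or rec.get("host") or "",
               rec.get("matcher-name", ""))
        # First observation of a key wins; later duplicates are dropped.
        seen.setdefault(key, (priority(severity), severity, key[0], key[1],
                              info.get("name", ""), key[2], source_hash))
    return sorted(seen.values()), source_hash, skipped

def to_csv(rows):
    """Render rows with the same header the shell script writes."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["priority", "severity", "template_id", "target", "name", "matcher", "source_hash"])
    writer.writerows(rows)
    return buf.getvalue()
```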
# Review Decision
Each row must end in one of these states:
| State | Meaning |
|---|---|
| Confirmed | Reproduced with sufficient evidence and business impact |
| Informational | Accurate observation without a security impact |
| False positive | Detection condition did not represent the claimed issue |
| Accepted exception | Valid issue excluded by documented engagement rules |
| Needs retest | Evidence is incomplete or target stability prevented confirmation |
# Evidence Package
For confirmed findings, store:
- Target and timestamp.
- Tool and template versions.
- Exact request or command.
- Minimal response proving the condition.
- Impact explanation.
- Artifacts created and cleanup performed.
- Retest instructions that do not require rediscovery.