Automated maintenance tools find more issues than any team can address immediately. Security scans reveal vulnerabilities. Code quality tools flag violations. Dependency checkers show available updates. Without a triage system, teams either ignore findings or drown in maintenance work.
Effective triage separates signal from noise, focuses effort on what matters, and ensures critical issues get immediate attention while minor issues get appropriate handling.
Why Triage Matters
Triage enables sustainable maintenance.
Prevent Overload
Not everything needs immediate action:
@devonair triage findings by severity
Teams can't fix everything at once.
Focus on Impact
Address what matters most:
@devonair prioritize by risk and impact
Reduce Noise
Filter out low-value alerts:
@devonair suppress low-priority findings
Enable Planning
Make maintenance predictable:
@devonair queue maintenance work appropriately
Triage Levels
Critical (Immediate)
Requires immediate action:
Criteria:
- Active security vulnerability
- Production outage risk
- Data loss risk
- Compliance violation
Response:
- Drop other work
- Fix immediately
- Post-mortem after
@devonair alert team immediately for critical issues
High (Same Day)
Needs quick attention:
Criteria:
- Security vulnerability (not yet exploited)
- Failing tests blocking development
- Performance regression affecting users
- Build broken
Response:
- Address within the day
- Consider pairing for complex issues
@devonair alert owner for high priority issues
Medium (This Sprint)
Plan to address soon:
Criteria:
- Code quality violations
- Minor dependency updates
- Test coverage gaps
- Documentation outdated
Response:
- Add to sprint backlog
- Address within 2 weeks
@devonair create ticket for medium priority issues
Low (Backlog)
Address when convenient:
Criteria:
- Style violations
- Minor optimizations
- Nice-to-have improvements
- Non-critical updates
Response:
- Add to maintenance backlog
- Address when capacity allows
@devonair add to backlog for low priority issues
Won't Fix
Explicitly ignore:
Criteria:
- False positives
- Acceptable risk
- Cost exceeds benefit
- External dependency issue
Response:
- Document decision
- Add to ignore list if recurring
- Review periodically
@devonair mark as won't fix with documentation
Triage Criteria
Security Assessment
For security findings:
Consider:
- Exploitability (how hard to exploit)
- Impact (what happens if exploited)
- Exposure (public-facing vs internal)
- Data sensitivity (what data at risk)
@devonair assess security issues using CVSS factors
Business Impact
For all findings:
Consider:
- User impact (how many users affected)
- Revenue impact (does it affect transactions)
- Reputation impact (would it be embarrassing)
- Compliance impact (regulatory requirements)
@devonair factor business impact into priority
Fix Complexity
Consider effort:
Consider:
- Lines of code to change
- Testing required
- Risk of regression
- Expertise needed
@devonair estimate fix complexity
Dependencies
Consider blockers:
Consider:
- Does this block other work?
- Is other work blocked on this?
- Are there dependency chains?
@devonair identify dependency relationships
Triage Process
Intake
Gather findings:
@devonair collect findings from:
- Security scans
- Code quality tools
- Dependency checks
- Manual reports
Initial Classification
Quick categorization:
@devonair auto-classify findings:
- Security → high priority
- Build failure → high priority
- Quality violation → medium priority
- Style issue → low priority
Review
Human verification:
@devonair flag findings that need human review:
- Unusual patterns
- Edge cases
- Context-dependent issues
Assignment
Route to right people:
@devonair assign to:
- Code owner for that area
- Security team for security issues
- Platform team for infrastructure
Tracking
Monitor progress:
@devonair track issues through resolution:
- Creation date
- Assignment date
- Resolution date
- Status updates
Automated Triage
Let automation handle routine triage.
Rule-Based Classification
Auto-classify by rules:
@devonair configure rules:
- CVE severity critical → Critical priority
- Test failure → High priority
- Lint violation → Low priority
- Style only → Low priority
Smart Routing
Auto-assign by content:
@devonair route automatically:
- Security issues → security channel
- Frontend issues → frontend team
- Backend issues → backend team
Auto-Resolution
Fix without triage:
@devonair auto-fix:
- Formatting issues
- Simple lint violations
- Obvious quick fixes
Auto-Dismissal
Dismiss known non-issues:
@devonair auto-dismiss:
- Known false positives
- Issues in test code
- Intentional patterns
Handling Volume
When findings exceed capacity.
Batching
Group similar issues:
@devonair batch:
- All React component issues together
- All test coverage issues together
- All dependency updates together
Sampling
Don't fix everything:
@devonair sample low-priority issues:
- Fix representative examples
- Track remaining count
- Address in batches over time
Scheduling
Spread the work:
@devonair schedule:
- 5 low-priority fixes per day
- 10 medium-priority fixes per week
Acceptance
Accept some debt:
@devonair accept:
- Some low-priority issues will persist
- Focus on preventing new issues
- Gradually reduce backlog
Triage Meetings
Daily Triage
Quick daily review:
Daily (5-10 minutes):
- Review critical/high issues
- Ensure assignments are clear
- Remove blockers
Weekly Triage
Broader review:
Weekly (30 minutes):
- Review medium issues
- Plan sprint maintenance
- Discuss patterns
- Update priorities
Monthly Review
Strategic review:
Monthly:
- Review backlog health
- Assess triage effectiveness
- Adjust rules and thresholds
- Clean up stale issues
Tools for Triage
Issue Tracking
Central tracking:
@devonair create issues in JIRA/GitHub:
- Consistent format
- Proper labels
- Linked to code
Dashboards
Visibility:
@devonair maintain triage dashboard:
- Issues by priority
- Issues by age
- Issues by owner
Alerts
Notifications:
@devonair alert on:
- New critical issues
- Issues approaching SLA
- Unusual volume
Metrics
Triage Efficiency
How fast are issues triaged?
@devonair track time from detection to triage
Resolution Rate
Are issues getting fixed?
@devonair track resolution rate by priority
Backlog Health
Is the backlog growing?
@devonair track backlog size over time
SLA Compliance
Are priorities being met?
@devonair track SLA compliance:
- Critical: resolved in 24h
- High: resolved in 1 week
- Medium: resolved in 1 month
Getting Started
Set up classification:
@devonair configure priority rules
Enable routing:
@devonair configure automatic assignment
Start tracking:
@devonair track issues and resolution
Review and adjust:
@devonair refine triage rules based on results
Effective triage turns a flood of findings into a manageable stream of prioritized work. When the most important issues get immediate attention and low-value noise is filtered out, maintenance becomes sustainable.
FAQ
How do I handle disagreements about priority?
Have clear criteria. When criteria are ambiguous, err on the side of higher priority. Discuss patterns in retrospectives and refine criteria.
What if everything seems high priority?
If everything is high priority, nothing is. Review criteria rigor. Consider whether the bar for "high" is too low. Ensure "critical" is reserved for genuine emergencies.
How do I avoid issues getting stuck in the backlog?
Set backlog limits. Review aging issues regularly. Consider periodic backlog bankruptcy for truly low-priority items. Track backlog age metrics.
Should security issues always be highest priority?
Not all security issues are equal. A theoretical vulnerability with no known exploit in internal tooling isn't the same as an actively exploited vulnerability in public-facing code. Use CVSS or similar frameworks.