Make vulnerable items untraceable in non-prod environment

K Boots
Tera Contributor

As is general best practice, by company policy I'm also required not to use real production data in our non-production instances of ServiceNow. I find it challenging to gain compliancy with Host Vulnerability Response. I do believe it makes sense not to use real production data from our vulnerability scanner, since that information is quite sensitive regarding IT security. But, in order for flows, rules, scripts etc. to be covered from start to end in testing, it is necessary to use data very similar to the real thing, like the hostnames and cloud asset tags used for CI matching and assignment rules.

Setting up a test environment of the vulnerability scanner and having it contain fake data to feed into ServiceNow was found to be almost impossible. That's why I'm looking for ways to achieve my goal at the ServiceNow end.


For compliancy it won't be a big deal to have the vulnerability scanner ingress real asset data. And I think that is crucial for CI matching to be successful (we have real CMDB data in the non-prod environments). But, the users accessing the non-prod environments shouldn't be able to learn which vulnerabilities actually were detected on them. That's why I'm looking into ways to swap out the detected CVE (from NVD) for a dummy (a set imported by myself).

I've briefly looked into the Data anonymization (Platform Privacy) feature, but I'm not convinced that can help me to achieve this. (I don't have any experience or prior knowledge of this though, so I could very much be wrong).


Do any of you know how I could alter the DET/VIT's CVE early on in the process, or have other ideas on how to achieve my goal? Your help is very much appreciated.


We're currently running:

  • Yokohama
  • Vulnerability Response 26.1.4
  • Integration with NVD 1.7.2
  • Rapid7 Integration for Security Operations 13.15.1 (InsightVM)