aquasecurity/trivy
VEX
Active contributors: knqyf263, DmitriyLewen
Purpose
VEX (Vulnerability Exploitability eXchange) statements declare whether a particular vulnerability is or is not exploitable in a particular product. Trivy can consume VEX documents and use them to suppress not-affected findings before they reach the report. This is the recommended way to handle CVE noise in production: you ship signed VEX statements alongside your software rather than maintaining ad-hoc ignore lists.
Supported formats
| Format | File | Notes |
|---|---|---|
| CSAF | pkg/vex/csaf.go |
OASIS CSAF 2.0 with VEX profile. |
| OpenVEX | pkg/vex/openvex.go |
https://github.com/openvex/spec |
| CycloneDX VEX | pkg/vex/cyclonedx.go |
CycloneDX with VEX-shaped extensions. |
VEX statements can be supplied in three ways:
- Inline file via
--vex <path>(a single statement document). - OCI artifact via
--vex oci://<image>— useful when the VEX document is built into the same OCI registry as the application. - VEX repository via
pkg/vex/repo/— a directory tree that contains many statements indexed by product. Managed withtrivy vex repo ....
How it filters
graph LR
Scan[Scan finishes] --> Report[types.Report]
Report --> VEXLoad[pkg/vex.New]
VEXLoad --> Doc[loaded VEX document]
Doc --> Filter[Filter Report]
Filter -->|not_affected| Drop[suppress]
Filter -->|affected/under_investigation| Keep[keep]
Filter --> Final[final Report]The filter is applied by the runner after scan.Service.ScanArtifact returns. This way the same VEX subsystem works in both standalone and client/server modes; the server doesn't need to know about VEX at all.
A VEX statement can mark a vulnerability as affected, not_affected, fixed, or under_investigation. Trivy currently suppresses not_affected and respects fixed for already-fixed advisories; the others remain in the report.
VEX repositories
pkg/vex/repo/ implements a "repository" pattern modeled on Linux package repositories: a top-level index (vex-repository.json) lists products and points at directories of VEX documents. Trivy users can:
trivy vex repo init # bootstrap a local repo
trivy vex repo download <url> # download a remote repo
trivy vex repo list # list configured reposRepositories are configured in ~/.trivy/vex/repository.yaml.
SBOM references
A VEX statement can reference an SBOM rather than a single artifact (pkg/vex/sbomref.go). This is useful when one VEX document covers multiple components shipped together.
Configuration
| Flag | Purpose |
|---|---|
--vex <source> |
Apply a VEX document or oci:// reference. |
--vex repo |
Use the configured VEX repositories. |
The trivy vex subcommand manages VEX repositories without a scan attached.
Integration points
- Vulnerability scanning — VEX filters its output.
- SBOM — CycloneDX VEX is embedded in CycloneDX SBOMs.
- Reports — filter happens before render.
Entry points for modification
- Add a format — implement a loader under
pkg/vex/<format>.goand register it inpkg/vex/vex.go. - Change suppression logic —
pkg/vex/vex.gois the single place where the policy lives. - Change repository format —
pkg/vex/repo/. The schema is documented in the vex-repo-spec project.
Key source files
| File | Purpose |
|---|---|
pkg/vex/vex.go |
Top-level VEX loader and filter. |
pkg/vex/csaf.go |
CSAF reader. |
pkg/vex/openvex.go |
OpenVEX reader. |
pkg/vex/cyclonedx.go |
CycloneDX VEX reader. |
pkg/vex/oci.go |
OCI download path. |
pkg/vex/repo.go, pkg/vex/repo/ |
Repository pattern. |
pkg/vex/sbomref.go |
SBOM reference handling. |
pkg/vex/document.go |
Common document model. |
.vex/ |
Trivy's own VEX statements (dogfooding). |
See also
- Vulnerability scanning — the source of findings VEX filters.
- SBOM — sibling capability often paired with VEX.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.