Open-Source Wikis

/

Trivy

/

Features

/

VEX

aquasecurity/trivy

VEX

Active contributors: knqyf263, DmitriyLewen

Purpose

VEX (Vulnerability Exploitability eXchange) statements declare whether a particular vulnerability is or is not exploitable in a particular product. Trivy can consume VEX documents and use them to suppress not-affected findings before they reach the report. This is the recommended way to handle CVE noise in production: you ship signed VEX statements alongside your software rather than maintaining ad-hoc ignore lists.

Supported formats

Format File Notes
CSAF pkg/vex/csaf.go OASIS CSAF 2.0 with VEX profile.
OpenVEX pkg/vex/openvex.go https://github.com/openvex/spec
CycloneDX VEX pkg/vex/cyclonedx.go CycloneDX with VEX-shaped extensions.

VEX statements can be supplied in three ways:

  1. Inline file via --vex <path> (a single statement document).
  2. OCI artifact via --vex oci://<image> — useful when the VEX document is built into the same OCI registry as the application.
  3. VEX repository via pkg/vex/repo/ — a directory tree that contains many statements indexed by product. Managed with trivy vex repo ....

How it filters

graph LR
    Scan[Scan finishes] --> Report[types.Report]
    Report --> VEXLoad[pkg/vex.New]
    VEXLoad --> Doc[loaded VEX document]
    Doc --> Filter[Filter Report]
    Filter -->|not_affected| Drop[suppress]
    Filter -->|affected/under_investigation| Keep[keep]
    Filter --> Final[final Report]

The filter is applied by the runner after scan.Service.ScanArtifact returns. This way the same VEX subsystem works in both standalone and client/server modes; the server doesn't need to know about VEX at all.

A VEX statement can mark a vulnerability as affected, not_affected, fixed, or under_investigation. Trivy currently suppresses not_affected and respects fixed for already-fixed advisories; the others remain in the report.

VEX repositories

pkg/vex/repo/ implements a "repository" pattern modeled on Linux package repositories: a top-level index (vex-repository.json) lists products and points at directories of VEX documents. Trivy users can:

trivy vex repo init                      # bootstrap a local repo
trivy vex repo download <url>            # download a remote repo
trivy vex repo list                      # list configured repos

Repositories are configured in ~/.trivy/vex/repository.yaml.

SBOM references

A VEX statement can reference an SBOM rather than a single artifact (pkg/vex/sbomref.go). This is useful when one VEX document covers multiple components shipped together.

Configuration

Flag Purpose
--vex <source> Apply a VEX document or oci:// reference.
--vex repo Use the configured VEX repositories.

The trivy vex subcommand manages VEX repositories without a scan attached.

Integration points

Entry points for modification

  • Add a format — implement a loader under pkg/vex/<format>.go and register it in pkg/vex/vex.go.
  • Change suppression logicpkg/vex/vex.go is the single place where the policy lives.
  • Change repository formatpkg/vex/repo/. The schema is documented in the vex-repo-spec project.

Key source files

File Purpose
pkg/vex/vex.go Top-level VEX loader and filter.
pkg/vex/csaf.go CSAF reader.
pkg/vex/openvex.go OpenVEX reader.
pkg/vex/cyclonedx.go CycloneDX VEX reader.
pkg/vex/oci.go OCI download path.
pkg/vex/repo.go, pkg/vex/repo/ Repository pattern.
pkg/vex/sbomref.go SBOM reference handling.
pkg/vex/document.go Common document model.
.vex/ Trivy's own VEX statements (dogfooding).

See also

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

VEX – Trivy wiki | Factory