Developer builds governed VEX platform using Next.js and Trivy to streamline CVE triage
A developer has published an open-source demo showing how to replace ad-hoc vexctl scripts with a structured VEX (Vulnerability Exploitability eXchange) platform built on Next.js and keyless signing. The project targets the PingAccess 8.3.4-edge container image, which initially returned 70 vulnerability findings across critical, high, medium, and low severities when scanned with Trivy. Using vexctl, individual VEX statements are generated per CVE, pinned to the image digest rather than a tag, then merged into a single OpenVEX document that reduces reported findings from 70 to zero. The suppressed findings are not deleted but remain fully auditable in Trivy's output with justifications attached. The demo repository and a one-script setup are publicly available on GitHub, though the author cautions that all CVEs are marked 'not_affected' mechanically for workflow testing and should not be replicated without genuine security assessment.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)
Log in to join the discussion and vote.
Log in