Tune Out Noise From Your Container Image Vulnerability Scans

We use the context of how the container is used to filter out false positives from your container scans.

How to get started 👇

Scan an Image Using Your Favourite Scanner

$ trivy image YOUR_IMAGE_NAME \
    --format json \
    --output report.json

Send Scan Results & Receive Noise-Free Results

$ curl -X POST \
    -H "Content-Type: multipart/form-data" \
    -F 'context={"privileged": false}' \
    -F "report=@report.json" \
    "https://vexstore.com/api/v1/filter-scan"

Optional: Get Explanation for False Positives

We provide VEX Documents that give you explanations of why a vulnerability is a false positive.
$ curl -X POST \
    -H "Content-Type: multipart/form-data" \
    -F 'context={"privileged": false}' \
    -F "report=@report.json" \
    "https://vexstore.com/api/v1/vex" > vex.json
You can then apply the VEX Document to your scan to get a noise-free scan.
$ trivy image YOUR_IMAGE_NAME --format json --vex vex.json
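
What applying a VEX document to a scan report amounts to, shown as an added example (not code from this service or from Trivy). It assumes an OpenVEX-style document and matches statements to findings by exact package PURL; the report, the VEX document and the CVE ids are constructed placeholders.

```python
import copy

# Constructed sample shaped like a Trivy JSON report (not real scan output).
REPORT = {"Results": [{"Target": "example-image", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
     "PkgIdentifier": {"PURL": "pkg:deb/debian/libexample@1.0"}},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "otherlib",
     "PkgIdentifier": {"PURL": "pkg:deb/debian/otherlib@2.3"}},
]}]}
# Constructed OpenVEX-style document (assumed format; ids are placeholders).
VEX = {"statements": [
    {"vulnerability": {"name": "CVE-0000-0001"},
     "products": [{"@id": "pkg:deb/debian/libexample@1.0"}],
     "status": "not_affected",
     "justification": "vulnerable_code_cannot_be_controlled_by_adversary"},
    {"vulnerability": {"name": "CVE-0000-0002"},
     "products": [{"@id": "pkg:deb/debian/otherlib@2.3"}],
     "status": "under_investigation"},
]}
SUPPRESSING = {"not_affected", "fixed"}  # any other status keeps the finding

def suppressions(vex):
    """Map (vulnerability id, product PURL) -> reason for suppressing statements."""
    rules = {}
    for st in vex.get("statements", []):
        if st.get("status") not in SUPPRESSING:
            continue
        vuln = st.get("vulnerability", {}).get("name")
        for prod in st.get("products", []):
            rules[(vuln, prod.get("@id"))] = st.get("justification", st["status"])
    return rules

def apply_vex(report, vex):
    """Return (filtered copy of the report, suppressed findings with reasons)."""
    rules = suppressions(vex)
    filtered, dropped = copy.deepcopy(report), []
    for result in filtered.get("Results", []):
        kept = []
        for v in result.get("Vulnerabilities") or []:
            key = (v["VulnerabilityID"], v.get("PkgIdentifier", {}).get("PURL"))
            if key in rules:
                dropped.append((key[0], v["PkgName"], rules[key]))
            else:
                kept.append(v)
        result["Vulnerabilities"] = kept
    return filtered, dropped

if __name__ == "__main__":
    for vuln, pkg, why in apply_vex(REPORT, VEX)[1]:
        print(f"suppressed {vuln} in {pkg}: {why}")
```

The finding marked under_investigation stays in the filtered report; only statements that assert not_affected or fixed remove a finding, and each removal carries its justification so it can be audited.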

How It Works 👇

First, let's see how a typical container vulnerability scan works.

We noticed that due to the security features of containers, the majority of vulnerabilities are simply not exploitable. Using smart rules, we filter out these kinds of vulnerabilities.

We also maintain a database of vulnerabilities that are conditionally false positives, and we use the context of how the container is used to filter them out.