vex-hub/Trivy

Stop flagging CVEs the vendor already resolved

vex-hub merges CSAF and OVAL so Trivy's --vex flag sees what Red Hat CSAF alone misses.


CVE-2025-2487 on RHEL 9.6 EUS

CSAF alone: 0 EUS platform CPEs
vex-hub (CSAF + OVAL merged): 12 EUS platform CPEs

Two commands

1. Query vex-hub (OpenVEX 0.2.0 output)

curl -X POST https://vex.getreel.dev/v1/resolve \
  -H "Content-Type: application/json" \
  -d '{
    "cves": ["CVE-2026-2100"],
    "products": ["pkg:rpm/redhat/p11-kit"],
    "format": "openvex"
  }' > vex.json

2. Scan with the VEX document (trivy ≥ 0.50)

trivy image --vex vex.json --show-suppressed \
  registry.access.redhat.com/ubi9/ubi:latest


Real suppression on UBI9

1. Scan without VEX — 335 findings

trivy image --format json \
  registry.access.redhat.com/ubi9/ubi:latest > scan.json

2. Fetch VEX from vex-hub

curl -X POST https://vex.getreel.dev/v1/resolve \
  -H "Content-Type: application/json" \
  -d '{"cves":["CVE-2026-2100"],
       "products":["pkg:rpm/redhat/p11-kit"],
       "format":"openvex"}' > vex.json

3. Re-scan with --vex — finding suppressed

trivy image --vex vex.json --show-suppressed \
  registry.access.redhat.com/ubi9/ubi:latest

Suppressed Vulnerabilities (Total: 1)
=====================================
┌────────────┬───────────────┬──────────┬──────────────┬─────────────────────────────┬──────────┐
│  Library   │ Vulnerability │ Severity │    Status    │          Statement          │  Source  │
├────────────┼───────────────┼──────────┼──────────────┼─────────────────────────────┼──────────┤
│ p11-kit    │ CVE-2026-2100 │ MEDIUM   │ not_affected │ vulnerable_code_not_present │ vex.json │
└────────────┴───────────────┴──────────┴──────────────┴─────────────────────────────┴──────────┘
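A pre-flight check to run on vex.json before step 3, added here as an example and not code from vex-hub or Trivy: it parses the OpenVEX 0.2.0 document and the Trivy JSON scan, flags not_affected statements that lack the justification or impact_statement the OpenVEX spec requires, and lists which findings a valid statement would suppress. Both inputs are constructed samples; matching PURLs on type/namespace/name only and reading the package PURL from Trivy's PkgIdentifier.PURL field are assumptions that simplify Trivy's own matching.

```python
import json

# Constructed sample input standing in for vex.json (OpenVEX 0.2.0 from vex-hub)
# and scan.json (trivy image --format json); neither is real output from the page.
VEX_JSON = """{"@context": "https://openvex.dev/ns/v0.2.0", "version": 1, "statements": [
  {"vulnerability": {"name": "CVE-2026-2100"},
   "products": [{"@id": "pkg:rpm/redhat/p11-kit"}],
   "status": "not_affected", "justification": "vulnerable_code_not_present"},
  {"vulnerability": {"name": "CVE-2026-9999"},
   "products": [{"@id": "pkg:rpm/redhat/openssl"}],
   "status": "not_affected"}
]}"""
SCAN_JSON = """{"Results": [{"Target": "ubi9 (redhat 9.6)", "Vulnerabilities": [
  {"VulnerabilityID": "CVE-2026-2100", "PkgName": "p11-kit",
   "PkgIdentifier": {"PURL": "pkg:rpm/redhat/p11-kit@0.25.3-4.el9?arch=x86_64&distro=redhat-9.6"}},
  {"VulnerabilityID": "CVE-2026-9999", "PkgName": "openssl",
   "PkgIdentifier": {"PURL": "pkg:rpm/redhat/openssl@3.2.2-6.el9?arch=x86_64"}},
  {"VulnerabilityID": "CVE-2025-0001", "PkgName": "glibc",
   "PkgIdentifier": {"PURL": "pkg:rpm/redhat/glibc@2.34-168.el9?arch=x86_64"}}
]}]}"""

def purl_base(purl):
    # Drop version and qualifiers so a versionless VEX product matches the scanned package.
    return purl.split("@", 1)[0].split("?", 1)[0]

def preflight(vex_text, scan_text):
    """Return (finding ids a valid statement would suppress, indices of malformed statements)."""
    vex, scan = json.loads(vex_text), json.loads(scan_text)
    suppress, malformed = {}, []
    for i, st in enumerate(vex.get("statements", [])):
        status = st.get("status")
        # OpenVEX 0.2.0 requires not_affected statements to carry a justification
        # or impact_statement; a scanner may ignore one that has neither.
        if status == "not_affected" and not (st.get("justification") or st.get("impact_statement")):
            malformed.append(i)
            continue
        for p in st.get("products", []):
            suppress[(st["vulnerability"]["name"], purl_base(p["@id"]))] = status
    hits = []
    for res in scan.get("Results", []):
        for v in res.get("Vulnerabilities", []):
            key = (v["VulnerabilityID"], purl_base(v["PkgIdentifier"]["PURL"]))
            if suppress.get(key) in ("not_affected", "fixed"):
                hits.append(v["VulnerabilityID"])
    return hits, malformed

if __name__ == "__main__":
    hits, bad = preflight(VEX_JSON, SCAN_JSON)
    print(f"would suppress: {hits}; malformed statements: {bad}")
```

With the sample above, CVE-2026-2100 on p11-kit is reported as suppressible while the openssl statement is flagged at index 1 for lacking a justification, so it would not silence anything.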