{"slug": "vens-action-reranking-trivy-grype-cves-by-real-risk-in-ci", "title": "vens-action: reranking Trivy/Grype CVEs by real risk in CI", "summary": "Vens Labs has released vens-action, a GitHub Action that reranks Trivy and Grype CVE scan results by actual business risk rather than generic CVSS scores. The tool reads scan output alongside a YAML configuration describing a service's exposure, data sensitivity, and business criticality, then uses an LLM to generate a CycloneDX VEX with OWASP Risk Rating scores that can gate CI builds. The action supports configurable fail-on-severity thresholds and can enrich original scan reports with context-aware risk assessments.", "body_md": "If you run Trivy or Grype in CI and triage the output by CVSS, this is the thing I wish I'd had two years ago.\n\nQuick recap. Trivy and Grype hand you a list of CVEs. CVSS is a score in a vacuum — it doesn't know whether a service runs in a private subnet behind mTLS, or sits on the open internet handling payment cards. [vens](https://github.com/venslabs/vens) reads your scan output plus a YAML describing the service (exposure, data sensitivity, business criticality, controls, compliance, …), runs every CVE through an LLM with that context, and emits a CycloneDX VEX with OWASP Risk Rating scores. You gate the build on those instead.\n\n[vens-action](https://github.com/venslabs/vens-action) is the GitHub Action wrapper — install, invocation, build gate, packaged as a composite. Here's the minimum to drop it in:\n\n- `.vens/config.yaml`. Three context fields are the floor; the full annotated reference is in `examples/quickstart/config.yaml`.\n- The `serialNumber` of your CycloneDX SBOM (or an ad-hoc one — see below).\n\nThe bare minimum `.vens/config.yaml`:\n\n```yaml\nproject:\n  name: \"checkout-api\"\ncontext:\n  exposure: \"internet\"\n  data_sensitivity: \"high\"\n  business_criticality: \"critical\"\n```\n\nFor scoring that actually reflects your service, fill in the rest — security controls (WAF, IDS, segmentation, …), compliance requirements, availability target, free-form notes. The annotated reference lives in [examples/quickstart/config.yaml](https://github.com/venslabs/vens/blob/main/examples/quickstart/config.yaml). Wrong values → wrong scores, so this file deserves the same review process as the rest of your code (CODEOWNERS, PR review, the works).\n\nvens writes a CycloneDX VEX whose `vulnerabilities[].affects[].ref` entries are [BOM-Link](https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_affects_items_ref_anyOf_i0) references — they must point back to the `serialNumber` of the SBOM the scan was produced from.\n\nIf you already have a CycloneDX SBOM for the artifact, pull the serial from it:\n\n```bash\nSBOM_UUID=$(jq -r .serialNumber sbom.cdx.json)\n```\n\nIf you don't have one yet, generate an ad-hoc serial and reuse it across rescans of the same service so the BOM-Link stays stable:\n\n```bash\nSBOM_UUID=\"urn:uuid:$(uuidgen | tr '[:upper:]' '[:lower:]')\"\n```\n\nStore the value as a repo variable, say `vars.SBOM_SERIAL`. Flag reference: [vens generate --sbom-serial-number](https://venslabs.github.io/vens/reference/generate/#-sbom-serial-number-urnuuid).\n\n`.github/workflows/scan.yml`:\n\n```yaml\nname: scan\non: [push]\npermissions:\n  contents: read\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n\n      - name: Trivy scan\n        run: trivy image python:3.11-slim --format json --output report.json\n\n      - name: vens\n        id: vens\n        uses: venslabs/vens-action@v0.1.0\n        with:\n          version: v0.3.2\n          config-file: .vens/config.yaml\n          input-report: report.json\n          sbom-serial-number: ${{ vars.SBOM_SERIAL }}\n          llm-provider: openai\n          llm-model: gpt-4o\n          llm-api-key: ${{ secrets.OPENAI_API_KEY }}\n          fail-on-severity: critical\n          enrich: \"true\"\n\n      - uses: actions/upload-artifact@v4\n        with:\n          name: vens\n          path: |\n            ${{ steps.vens.outputs.vex-file }}\n            ${{ steps.vens.outputs.enriched-report }}\n```\n\nEach run gives you a CycloneDX VEX (`vex-file`), your original Trivy report annotated with `Custom.owasp_score` (`enriched-report`, when `enrich: true`), and per-severity counts as step outputs (`count-critical`, `count-high`, …). Pipe the counts into dashboards, PR comments, whatever you already do with scan metrics.\n\n`fail-on-severity: critical` makes the step fail if any CVE comes out CRITICAL by OWASP (score ≥ 60). Drop the line if you just want artifacts and a manual review.\n\nA few variations:\n\n- `llm-provider: ollama` + `llm-base-url: http://ollama.corp:11434`.\n- `bin-path` instead of `version`. Skips the download + checksum step entirely.\n- `uses: venslabs/vens-action@<commit-sha>`. Renovate and Dependabot both follow SHA-pinned actions.\n\nCVSS sorts vulnerabilities like a smoke detector that can't tell if you're cooking or your kitchen is on fire. A 9.8 on an internal service with no PII and no internet exposure is rarely your urgent problem. A 5.4 on the auth path with cleartext token logging probably is. Your team knows the difference — but a spreadsheet per service doesn't scale, and most tools that do contextual scoring are paid SaaS with their own opinions.\n\nvens is OSS, Apache 2.0. The action is a thin composite around the CLI. Issues, feedback, PRs — I read them.", "url": "https://wpnews.pro/news/vens-action-reranking-trivy-grype-cves-by-real-risk-in-ci", "canonical_source": "https://dev.to/fahed-dorgaa/vens-action-reranking-trivygrype-cves-by-real-risk-in-ci-1eec", "published_at": "2026-05-28 09:06:12+00:00", "updated_at": "2026-05-28 09:22:51.166227+00:00", "lang": "en", "topics": ["ai-tools", "ai-products", "ai-infrastructure", "large-language-models", "mlops"], "entities": ["Trivy", "Grype", "vens", "vens-action", "CycloneDX", "OWASP", "GitHub", "LLM"], "alternates": {"html": "https://wpnews.pro/news/vens-action-reranking-trivy-grype-cves-by-real-risk-in-ci", "markdown": "https://wpnews.pro/news/vens-action-reranking-trivy-grype-cves-by-real-risk-in-ci.md", "text": "https://wpnews.pro/news/vens-action-reranking-trivy-grype-cves-by-real-risk-in-ci.txt", "jsonld": "https://wpnews.pro/news/vens-action-reranking-trivy-grype-cves-by-real-risk-in-ci.jsonld"}}