Monday Morning Nightmare
Monday 9 AM. Coffee in hand. You open the Trivy report: 107 vulnerabilities.
You sort by CVSS. A 9.8 CRITICAL CVE at the top. Emergency meeting. Everyone panics.
Except… this vulnerability targets a feature you don't even use. 2 days wasted for nothing.
Meanwhile, a 5.3 MEDIUM CVE sits quietly in the list. It exposes customer data. Your company is under GDPR. That was the real problem.
CVSS tells you the technical severity. Not the real risk for YOUR system.
Vens: Context, Finally
vens is a tool that analyzes your vulnerabilities with your system's context (exposure, sensitive data, compliance, security controls) and calculates a realistic OWASP score using an LLM.
Real Example
Result: You finally know what to patch first.
How Does It Work?
1. Install vens
vens is an official Trivy plugin
go install github.com/venslabs/vens/cmd/vens@latest
# or as Trivy plugin
trivy plugin install github.com/venslabs/vens
2. Scan as usual
trivy image python:3.11-slim --format json --output report.json
3. Create context with config.yaml:
project:
  name: "my-api"
  description: "Customer-facing REST API"
context:
  exposure: "internet" # Internet-accessible
  data_sensitivity: "high" # Customer PII data
  business_criticality: "high" # Business-critical service
  compliance_requirements: ["GDPR", "SOC2"]
controls:
  waf: true # Cloudflare WAF active
  ids: true # IDS in place
4. Run contextual analysis
export OPENAI_API_KEY="sk-..."
export OPENAI_MODEL="gpt-4o"
trivy vens generate --config-file config.yaml report.json output.vex.json
Result: A VEX That Speaks Your Language
Here's what vens generates (extract from a real VEX):
{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "vulnerabilities": [
    {
      "id": "CVE-2026-0915",
      "ratings": [
        {
          "score": 45.5,
          "severity": "high",
          "method": "OWASP",
          "vector": "SL:7/M:7/O:7/S:7/ED:6/EE:6/A:6/ID:3/LC:7/LI:7/LAV:7/LAC:7/FD:7/RD:7/NC:7/PV:7"
        }
      ]
    },
    {
      "id": "CVE-2019-1010023",
      "ratings": [
        {
          "score": 10,
          "severity": "low",
          "method": "OWASP",
          "vector": "SL:3/M:3/O:3/S:3/ED:2/EE:2/A:2/ID:7/LC:4/LI:4/LAV:4/LAC:4/FD:4/RD:4/NC:4/PV:4"
        }
      ]
    }
  ]
}
See the difference?
Each vulnerability has a human explanation of the real risk. No more guessing!
The Flow
Trivy Scan → 107 CVEs with CVSS scores
↓
vens + LLM → Analyzes each CVE with YOUR context
↓
OWASP Scores → Risk = Likelihood × Impact
↓
Prioritized List → Fix what matters for YOU
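As an added example (not part of the original post or of the vens project), here is a small Python script that reads a CycloneDX VEX like the extract above, decodes each OWASP vector into the likelihood and impact factor groups defined by the OWASP Risk Rating Methodology, and returns the findings in triage order, which is the "Risk = Likelihood × Impact" step of the flow. SAMPLE_VEX is constructed from the two ratings shown above; the score field is kept as vens's own number, since the plain factor averages (6.125 × 7 for the first CVE) do not reproduce it, so the averages are decoded for explanation only.

```python
import json
from statistics import mean

# Constructed sample: the two OWASP ratings from the VEX extract above, nothing else.
SAMPLE_VEX = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.6", "vulnerabilities": [
    {"id": "CVE-2026-0915", "ratings": [{"score": 45.5, "severity": "high", "method": "OWASP",
     "vector": "SL:7/M:7/O:7/S:7/ED:6/EE:6/A:6/ID:3/LC:7/LI:7/LAV:7/LAC:7/FD:7/RD:7/NC:7/PV:7"}]},
    {"id": "CVE-2019-1010023", "ratings": [{"score": 10, "severity": "low", "method": "OWASP",
     "vector": "SL:3/M:3/O:3/S:3/ED:2/EE:2/A:2/ID:7/LC:4/LI:4/LAV:4/LAC:4/FD:4/RD:4/NC:4/PV:4"}]},
]})

# OWASP Risk Rating Methodology factor groups; every factor is scored 0-9.
LIKELIHOOD = ("SL", "M", "O", "S", "ED", "EE", "A", "ID")   # threat agent + vulnerability factors
IMPACT = ("LC", "LI", "LAV", "LAC", "FD", "RD", "NC", "PV")  # technical + business impact factors


def parse_vector(vector):
    """Turn 'SL:7/M:7/...' into {'SL': 7, 'M': 7, ...}; reject unknown, out-of-range or missing factors."""
    factors = {}
    for part in vector.split("/"):
        key, _, value = part.partition(":")
        if key not in LIKELIHOOD + IMPACT or not value.isdigit() or not 0 <= int(value) <= 9:
            raise ValueError(f"bad OWASP factor: {part!r}")
        factors[key] = int(value)
    missing = set(LIKELIHOOD + IMPACT) - set(factors)
    if missing:
        raise ValueError(f"vector missing factors: {sorted(missing)}")
    return factors


def level(avg):
    """OWASP bucket for a factor average: below 3 LOW, below 6 MEDIUM, otherwise HIGH."""
    return "LOW" if avg < 3 else "MEDIUM" if avg < 6 else "HIGH"


def prioritize(vex_text):
    """Return OWASP-rated findings sorted by vens score, highest first, with decoded factors."""
    rows = []
    for vuln in json.loads(vex_text).get("vulnerabilities", []):
        for rating in vuln.get("ratings", []):
            if rating.get("method") != "OWASP":
                continue  # ignore CVSS or other ratings that may sit alongside
            f = parse_vector(rating["vector"])
            likelihood, impact = mean(f[k] for k in LIKELIHOOD), mean(f[k] for k in IMPACT)
            rows.append({"id": vuln["id"], "score": rating["score"], "severity": rating["severity"],
                         "likelihood": likelihood, "likelihood_level": level(likelihood),
                         "impact": impact, "impact_level": level(impact)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    print(*prioritize(SAMPLE_VEX), sep="\n")
```

Point it at the output.vex.json produced in step 4 to get the same ordering for a real scan; a rating whose vector is malformed raises instead of being silently ranked.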
Try vens Now
- GitHub: https://github.com/venslabs/vens
- Full example: https://github.com/venslabs/vens/tree/main/examples/quickstart
- License: Apache License 2.0, open source, contributions welcome
- LLM support: OpenAI, Anthropic, Ollama (local), Google AI
Originally published on Medium

Top comments (1)
I would be very happy to answer any questions regarding Vens and the OWASP ecosystem :)