DEV Community: Fahed dorgaa The latest articles on DEV Community by Fahed dorgaa (@fahed-dorgaa). https://dev.to/fahed-dorgaa https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3772647%2Fac5273a8-ce5c-4d26-8d03-7596dab4d25a.jpg DEV Community: Fahed dorgaa https://dev.to/fahed-dorgaa en vens-action: reranking Trivy/Grype CVEs by real risk in CI Fahed dorgaa Thu, 28 May 2026 09:06:12 +0000 https://dev.to/fahed-dorgaa/vens-action-reranking-trivygrype-cves-by-real-risk-in-ci-1eec https://dev.to/fahed-dorgaa/vens-action-reranking-trivygrype-cves-by-real-risk-in-ci-1eec <p>If you run Trivy or Grype in CI and triage the output by CVSS, this is the thing I wish I'd had two years ago.</p> <p>Quick recap. Trivy and Grype hand you a list of CVEs. CVSS is a score in a vacuum — it doesn't know whether a service runs in a private subnet behind mTLS, or sits on the open internet handling payment cards. <a href="https://github.com/venslabs/vens" rel="noopener noreferrer">vens</a> reads your scan output plus a YAML describing the service (exposure, data sensitivity, business criticality, controls, compliance, …), runs every CVE through an LLM with that context, and emits a CycloneDX VEX with OWASP Risk Rating scores. You gate the build on those instead.</p> <p><a href="https://github.com/venslabs/vens-action" rel="noopener noreferrer"><code>vens-action</code></a> is the GitHub Action wrapper — install, invocation, build gate, packaged as a composite. Here's the minimum to drop it in.</p> <h2> What you need </h2> <ul> <li>A Trivy or Grype JSON report (you're probably running one of these already).</li> <li>A <code>.vens/config.yaml</code>. Three context fields are the floor; the full annotated reference is in <a href="https://github.com/venslabs/vens/blob/main/examples/quickstart/config.yaml" rel="noopener noreferrer"><code>examples/quickstart/config.yaml</code></a>.</li> <li>An LLM API key — OpenAI, Anthropic, Google, or a self-hosted Ollama.</li> <li>The <code>serialNumber</code> of your CycloneDX SBOM (or an ad-hoc one — see below).</li> </ul> <h2> The config </h2> <p>The bare minimum:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">project</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">checkout-api"</span> <span class="na">context</span><span class="pi">:</span> <span class="na">exposure</span><span class="pi">:</span> <span class="s2">"</span><span class="s">internet"</span> <span class="na">data_sensitivity</span><span class="pi">:</span> <span class="s2">"</span><span class="s">high"</span> <span class="na">business_criticality</span><span class="pi">:</span> <span class="s2">"</span><span class="s">critical"</span> </code></pre> </div> <p>For scoring that actually reflects your service, fill in the rest — security controls (WAF, IDS, segmentation, …), compliance requirements, availability target, free-form notes. The annotated reference lives in <a href="https://github.com/venslabs/vens/blob/main/examples/quickstart/config.yaml" rel="noopener noreferrer"><code>examples/quickstart/config.yaml</code></a>. Wrong values → wrong scores, so this file deserves the same review process as the rest of your code (CODEOWNERS, PR review, the works).</p> <h2> The SBOM serial number </h2> <p>vens writes a CycloneDX VEX whose <code>vulnerabilities[].affects[].ref</code> entries are <a href="https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_affects_items_ref_anyOf_i0" rel="noopener noreferrer">BOM-Link</a> references — they must point back to the <code>serialNumber</code> of the SBOM the scan was produced from.</p> <p>If you already have a CycloneDX SBOM for the artifact, pull the serial from it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">SBOM_UUID</span><span class="o">=</span><span class="si">$(</span>jq <span class="nt">-r</span> .serialNumber sbom.cdx.json<span class="si">)</span> </code></pre> </div> <p>If you don't have one yet, generate an ad-hoc serial and reuse it across rescans of the same service so the BOM-Link stays stable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">SBOM_UUID</span><span class="o">=</span><span class="s2">"urn:uuid:</span><span class="si">$(</span>uuidgen | <span class="nb">tr</span> <span class="s1">'[:upper:]'</span> <span class="s1">'[:lower:]'</span><span class="si">)</span><span class="s2">"</span> </code></pre> </div> <p>Store the value as a repo variable, say <code>vars.SBOM_SERIAL</code>. Flag reference: <a href="https://venslabs.github.io/vens/reference/generate/#-sbom-serial-number-urnuuid" rel="noopener noreferrer"><code>vens generate --sbom-serial-number</code></a>.</p> <h2> The workflow </h2> <p><code>.github/workflows/scan.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">scan</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">push</span><span class="pi">]</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">scan</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Trivy scan</span> <span class="na">run</span><span class="pi">:</span> <span class="s">trivy image python:3.11-slim --format json --output report.json</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vens</span> <span class="na">id</span><span class="pi">:</span> <span class="s">vens</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">venslabs/vens-action@v0.1.0</span> <span class="na">with</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v0.3.2</span> <span class="na">config-file</span><span class="pi">:</span> <span class="s">.vens/config.yaml</span> <span class="na">input-report</span><span class="pi">:</span> <span class="s">report.json</span> <span class="na">sbom-serial-number</span><span class="pi">:</span> <span class="s">${{ vars.SBOM_SERIAL }}</span> <span class="na">llm-provider</span><span class="pi">:</span> <span class="s">openai</span> <span class="na">llm-model</span><span class="pi">:</span> <span class="s">gpt-4o</span> <span class="na">llm-api-key</span><span class="pi">:</span> <span class="s">${{ secrets.OPENAI_API_KEY }}</span> <span class="na">fail-on-severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="na">enrich</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/upload-artifact@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vens</span> <span class="na">path</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">${{ steps.vens.outputs.vex-file }}</span> <span class="s">${{ steps.vens.outputs.enriched-report }}</span> </code></pre> </div> <p>Each run gives you a CycloneDX VEX (<code>vex-file</code>), your original Trivy report annotated with <code>Custom.owasp_score</code> (<code>enriched-report</code>, when <code>enrich: true</code>), and per-severity counts as step outputs (<code>count-critical</code>, <code>count-high</code>, …). Pipe the counts into dashboards, PR comments, whatever you already do with scan metrics.</p> <p><code>fail-on-severity: critical</code> makes the step fail if any CVE comes out CRITICAL by OWASP (score ≥ 60). Drop the line if you just want artifacts and a manual review.</p> <h2> Things you'll probably want to tweak </h2> <ul> <li> <strong>Self-hosted models.</strong> <code>llm-provider: ollama</code> + <code>llm-base-url: http://ollama.corp:11434</code>.</li> <li> <strong>Air-gapped runners.</strong> Build vens yourself and pass <code>bin-path</code> instead of <code>version</code>. Skips the download + checksum step entirely.</li> <li> <strong>Pin by SHA.</strong> <code>uses: venslabs/vens-action@&lt;commit-sha&gt;</code>. Renovate and Dependabot both follow SHA-pinned actions.</li> </ul> <h2> Why I bothered building it </h2> <p>CVSS sorts vulnerabilities like a smoke detector that can't tell if you're cooking or your kitchen is on fire. A 9.8 on an internal service with no PII and no internet exposure is rarely your urgent problem. A 5.4 on the auth path with cleartext token logging probably is. Your team knows the difference — but a spreadsheet per service doesn't scale, and most tools that do contextual scoring are paid SaaS with their own opinions.</p> <p>vens is OSS, Apache 2.0. The action is a thin composite around the CLI. Issues, feedback, PRs — I read them.</p> <ul> <li>Action: <a href="https://github.com/venslabs/vens-action" rel="noopener noreferrer">github.com/venslabs/vens-action</a> </li> <li>CLI: <a href="https://github.com/venslabs/vens" rel="noopener noreferrer">github.com/venslabs/vens</a> </li> <li>Docs: <a href="https://venslabs.github.io/vens/" rel="noopener noreferrer">venslabs.github.io/vens</a> </li> </ul> devsecops githubactions security supplychain [Boost] Fahed dorgaa Sat, 14 Feb 2026 13:14:30 +0000 https://dev.to/fahed-dorgaa/-1581 https://dev.to/fahed-dorgaa/-1581 <div class="crayons-card c-embed text-styles text-styles--secondary"> <div class="c-embed__content"> <div class="c-embed__cover"> <a href="https://dev.to/fahed-dorgaa/vens-stop-patching-vulnerabilities-that-dont-matter-to-you-4921" class="c-link align-middle" rel="noopener noreferrer"> <img alt="" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcg71gz2qcfabyf77s6km.png" height="336" class="m-0" width="800"> </a> </div> <div class="c-embed__body"> <h2 class="fs-xl lh-tight"> <a href="https://dev.to/fahed-dorgaa/vens-stop-patching-vulnerabilities-that-dont-matter-to-you-4921" rel="noopener noreferrer" class="c-link"> Vens: Stop Patching Vulnerabilities That Don't Matter to You - DEV Community </a> </h2> <p class="truncate-at-3"> Monday Morning Nightmare Monday 9 AM. Coffee in hand. You open the Trivy report: 107... </p> <div class="color-secondary fs-s flex items-center"> <img alt="favicon" class="c-embed__favicon m-0 mr-2 radius-0" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8j7kvp660rqzt99zui8e.png" width="300" height="299"> dev.to </div> </div> </div> </div> cybersecurity owasp vulnerabilities trivy Vens: Stop Patching Vulnerabilities That Don't Matter to You Fahed dorgaa Sat, 14 Feb 2026 12:57:53 +0000 https://dev.to/fahed-dorgaa/vens-stop-patching-vulnerabilities-that-dont-matter-to-you-4921 https://dev.to/fahed-dorgaa/vens-stop-patching-vulnerabilities-that-dont-matter-to-you-4921 <h2> Monday Morning Nightmare </h2> <p>Monday 9 AM. Coffee in hand. You open the Trivy report: <strong>107 vulnerabilities</strong>.</p> <p>You sort by CVSS. A <strong>9.8 CRITICAL</strong> CVE at the top. Emergency meeting. Everyone panics.</p> <p>Except… <strong>this vulnerability targets a feature you don't even use</strong>. 2 days wasted for nothing.</p> <p>Meanwhile, a <strong>5.3 MEDIUM</strong> CVE sits quietly in the list. It exposes customer data. Your company is under GDPR. <strong>That was the real problem</strong>.</p> <blockquote> <p>CVSS tells you the technical severity. Not the real risk for YOUR system.</p> </blockquote> <h2> Vens: Context, Finally </h2> <p><strong>vens</strong> is a tool that analyzes your vulnerabilities with your system's context (exposure, sensitive data, compliance, security controls) and calculates a realistic <strong>OWASP score</strong> using an LLM.</p> <h3> Real Example </h3> <p><strong>Result</strong>: You finally know what to patch first.</p> <h2> How Does It Work? </h2> <h3> 1. Install vens </h3> <p><strong>vens</strong> is an <a href="https://aquasecurity.github.io/trivy-plugin-index/" rel="noopener noreferrer">official Trivy plugin</a> 🎉<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>go <span class="nb">install </span>github.com/venslabs/vens/cmd/vens@latest <span class="c"># or as Trivy plugin</span> trivy plugin <span class="nb">install </span>github.com/venslabs/vens </code></pre> </div> <h3> 2. Scan as usual </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>trivy image python:3.11-slim <span class="nt">--format</span> json <span class="nt">--output</span> report.json </code></pre> </div> <h3> 3. Create context with <a href="https://github.com/venslabs/vens/blob/main/examples/quickstart/config.yaml" rel="noopener noreferrer"><code>config.yaml</code></a>: </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">project</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">my-api"</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Customer-facing</span><span class="nv"> </span><span class="s">REST</span><span class="nv"> </span><span class="s">API"</span> <span class="na">context</span><span class="pi">:</span> <span class="na">exposure</span><span class="pi">:</span> <span class="s2">"</span><span class="s">internet"</span> <span class="c1"># Internet-accessible</span> <span class="na">data_sensitivity</span><span class="pi">:</span> <span class="s2">"</span><span class="s">high"</span> <span class="c1"># Customer PII data</span> <span class="na">business_criticality</span><span class="pi">:</span> <span class="s2">"</span><span class="s">high"</span> <span class="c1"># Business-critical service</span> <span class="na">compliance_requirements</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">GDPR"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">SOC2"</span><span class="pi">]</span> <span class="na">controls</span><span class="pi">:</span> <span class="na">waf</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># Cloudflare WAF active</span> <span class="na">ids</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># IDS in place</span> </code></pre> </div> <h3> 4. Run contextual analysis </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">OPENAI_API_KEY</span><span class="o">=</span><span class="s2">"sk-..."</span> <span class="nb">export </span><span class="nv">OPENAI_MODEL</span><span class="o">=</span><span class="s2">"gpt-4o"</span> trivy vens generate <span class="nt">--config-file</span> config.yaml report.json output.vex.json </code></pre> </div> <h2> Result: A VEX That Speaks Your Language </h2> <p>Here's what vens generates (extract from a real VEX):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"$schema"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://cyclonedx.org/schema/bom-1.6.schema.json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"bomFormat"</span><span class="p">:</span><span class="w"> </span><span class="s2">"CycloneDX"</span><span class="p">,</span><span class="w"> </span><span class="nl">"specVersion"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.6"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"vulnerabilities"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"CVE-2026-0915"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ratings"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"score"</span><span class="p">:</span><span class="w"> </span><span class="mf">45.5</span><span class="p">,</span><span class="w"> </span><span class="nl">"severity"</span><span class="p">:</span><span class="w"> </span><span class="s2">"high"</span><span class="p">,</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"OWASP"</span><span class="p">,</span><span class="w"> </span><span class="nl">"vector"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SL:7/M:7/O:7/S:7/ED:6/EE:6/A:6/ID:3/LC:7/LI:7/LAV:7/LAC:7/FD:7/RD:7/NC:7/PV:7"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"CVE-2019-1010023"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ratings"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"score"</span><span class="p">:</span><span class="w"> </span><span class="mi">10</span><span class="p">,</span><span class="w"> </span><span class="nl">"severity"</span><span class="p">:</span><span class="w"> </span><span class="s2">"low"</span><span class="p">,</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"OWASP"</span><span class="p">,</span><span class="w"> </span><span class="nl">"vector"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SL:3/M:3/O:3/S:3/ED:2/EE:2/A:2/ID:7/LC:4/LI:4/LAV:4/LAC:4/FD:4/RD:4/NC:4/PV:4"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> See the difference? </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff8y3ak077k7swa1qo7kg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff8y3ak077k7swa1qo7kg.png" alt=" " width="799" height="178"></a></p> <p>Each vulnerability has a human explanation of the real risk. No more guessing!</p> <p>No more guessing!</p> <h2> The Flow </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Trivy Scan → 107 CVEs with CVSS scores ↓ vens + LLM → Analyzes each CVE with YOUR context ↓ OWASP Scores → Risk = Likelihood × Impact ↓ Prioritized List → Fix what matters for YOU </code></pre> </div> <h2> Try vens Now </h2> <ul> <li>📦 <strong>GitHub</strong>: <a href="https://github.com/venslabs/vens" rel="noopener noreferrer">https://github.com/venslabs/vens</a> </li> <li>📖 <strong>Full example</strong>: <a href="https://github.com/venslabs/vens/tree/main/examples/quickstart" rel="noopener noreferrer">https://github.com/venslabs/vens/tree/main/examples/quickstart</a> </li> <li>📄 <strong>License</strong>: Apache License 2.0 — Open source, contributions welcome</li> <li>🤖 <strong>LLM support</strong>: OpenAI, Anthropic, Ollama (local), Google AI</li> </ul> <p><em>Originally published on <a href="https://medium.com/@fahed.dorgaa/vens-stop-patching-vulnerabilities-that-dont-matter-to-you-64337b9468a5" rel="noopener noreferrer">Medium</a></em></p> cybersecurity owasp vulnerabilities trivy