DEV Community: Fahed dorgaa The latest articles on DEV Community by Fahed dorgaa (@fahed_dorgaa_46207c3345c5). https://dev.to/fahed_dorgaa_46207c3345c5 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3772647%2Fac5273a8-ce5c-4d26-8d03-7596dab4d25a.jpg DEV Community: Fahed dorgaa https://dev.to/fahed_dorgaa_46207c3345c5 en [Boost] Fahed dorgaa Sat, 14 Feb 2026 13:14:30 +0000 https://dev.to/fahed_dorgaa_46207c3345c5/-1581 https://dev.to/fahed_dorgaa_46207c3345c5/-1581 <div class="ltag__link"> <a href="/fahed_dorgaa_46207c3345c5" class="ltag__link__link"> <div class="ltag__link__pic"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3772647%2Fac5273a8-ce5c-4d26-8d03-7596dab4d25a.jpg" alt="fahed_dorgaa_46207c3345c5"> </div> </a> <a href="https://dev.to/fahed_dorgaa_46207c3345c5/vens-stop-patching-vulnerabilities-that-dont-matter-to-you-4921" class="ltag__link__link"> <div class="ltag__link__content"> <h2>Vens: Stop Patching Vulnerabilities That Don't Matter to You</h2> <h3>Fahed dorgaa ・ Feb 14</h3> <div class="ltag__link__taglist"> <span class="ltag__link__tag">#cybersecurity</span> <span class="ltag__link__tag">#owasp</span> <span class="ltag__link__tag">#vulnerabilities</span> <span class="ltag__link__tag">#trivy</span> </div> </div> </a> </div> cybersecurity owasp vulnerabilities trivy Vens: Stop Patching Vulnerabilities That Don't Matter to You Fahed dorgaa Sat, 14 Feb 2026 12:57:53 +0000 https://dev.to/fahed_dorgaa_46207c3345c5/vens-stop-patching-vulnerabilities-that-dont-matter-to-you-4921 https://dev.to/fahed_dorgaa_46207c3345c5/vens-stop-patching-vulnerabilities-that-dont-matter-to-you-4921 <h2> Monday Morning Nightmare </h2> <p>Monday 9 AM. Coffee in hand. You open the Trivy report: <strong>107 vulnerabilities</strong>.</p> <p>You sort by CVSS. A <strong>9.8 CRITICAL</strong> CVE at the top. Emergency meeting. Everyone panics.</p> <p>Except… <strong>this vulnerability targets a feature you don't even use</strong>. 2 days wasted for nothing.</p> <p>Meanwhile, a <strong>5.3 MEDIUM</strong> CVE sits quietly in the list. It exposes customer data. Your company is under GDPR. <strong>That was the real problem</strong>.</p> <blockquote> <p>CVSS tells you the technical severity. Not the real risk for YOUR system.</p> </blockquote> <h2> Vens: Context, Finally </h2> <p><strong>vens</strong> is a tool that analyzes your vulnerabilities with your system's context (exposure, sensitive data, compliance, security controls) and calculates a realistic <strong>OWASP score</strong> using an LLM.</p> <h3> Real Example </h3> <p><strong>Result</strong>: You finally know what to patch first.</p> <h2> How Does It Work? </h2> <h3> 1. Install vens </h3> <p><strong>vens</strong> is an <a href="https://aquasecurity.github.io/trivy-plugin-index/" rel="noopener noreferrer">official Trivy plugin</a> 🎉<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>go <span class="nb">install </span>github.com/venslabs/vens/cmd/vens@latest <span class="c"># or as Trivy plugin</span> trivy plugin <span class="nb">install </span>github.com/venslabs/vens </code></pre> </div> <h3> 2. Scan as usual </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>trivy image python:3.11-slim <span class="nt">--format</span> json <span class="nt">--output</span> report.json </code></pre> </div> <h3> 3. Create context with <a href="https://github.com/venslabs/vens/blob/main/examples/quickstart/config.yaml" rel="noopener noreferrer"><code>config.yaml</code></a>: </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">project</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">my-api"</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Customer-facing</span><span class="nv"> </span><span class="s">REST</span><span class="nv"> </span><span class="s">API"</span> <span class="na">context</span><span class="pi">:</span> <span class="na">exposure</span><span class="pi">:</span> <span class="s2">"</span><span class="s">internet"</span> <span class="c1"># Internet-accessible</span> <span class="na">data_sensitivity</span><span class="pi">:</span> <span class="s2">"</span><span class="s">high"</span> <span class="c1"># Customer PII data</span> <span class="na">business_criticality</span><span class="pi">:</span> <span class="s2">"</span><span class="s">high"</span> <span class="c1"># Business-critical service</span> <span class="na">compliance_requirements</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">GDPR"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">SOC2"</span><span class="pi">]</span> <span class="na">controls</span><span class="pi">:</span> <span class="na">waf</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># Cloudflare WAF active</span> <span class="na">ids</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># IDS in place</span> </code></pre> </div> <h3> 4. Run contextual analysis </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">OPENAI_API_KEY</span><span class="o">=</span><span class="s2">"sk-..."</span> <span class="nb">export </span><span class="nv">OPENAI_MODEL</span><span class="o">=</span><span class="s2">"gpt-4o"</span> trivy vens generate <span class="nt">--config-file</span> config.yaml report.json output.vex.json </code></pre> </div> <h2> Result: A VEX That Speaks Your Language </h2> <p>Here's what vens generates (extract from a real VEX):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"$schema"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://cyclonedx.org/schema/bom-1.6.schema.json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"bomFormat"</span><span class="p">:</span><span class="w"> </span><span class="s2">"CycloneDX"</span><span class="p">,</span><span class="w"> </span><span class="nl">"specVersion"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.6"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"vulnerabilities"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"CVE-2026-0915"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ratings"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"score"</span><span class="p">:</span><span class="w"> </span><span class="mf">45.5</span><span class="p">,</span><span class="w"> </span><span class="nl">"severity"</span><span class="p">:</span><span class="w"> </span><span class="s2">"high"</span><span class="p">,</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"OWASP"</span><span class="p">,</span><span class="w"> </span><span class="nl">"vector"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SL:7/M:7/O:7/S:7/ED:6/EE:6/A:6/ID:3/LC:7/LI:7/LAV:7/LAC:7/FD:7/RD:7/NC:7/PV:7"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"CVE-2019-1010023"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ratings"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"score"</span><span class="p">:</span><span class="w"> </span><span class="mi">10</span><span class="p">,</span><span class="w"> </span><span class="nl">"severity"</span><span class="p">:</span><span class="w"> </span><span class="s2">"low"</span><span class="p">,</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"OWASP"</span><span class="p">,</span><span class="w"> </span><span class="nl">"vector"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SL:3/M:3/O:3/S:3/ED:2/EE:2/A:2/ID:7/LC:4/LI:4/LAV:4/LAC:4/FD:4/RD:4/NC:4/PV:4"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> See the difference? </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff8y3ak077k7swa1qo7kg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff8y3ak077k7swa1qo7kg.png" alt=" " width="800" height="178"></a></p> <p>Each vulnerability has a human explanation of the real risk. No more guessing!</p> <p>No more guessing!</p> <h2> The Flow </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Trivy Scan → 107 CVEs with CVSS scores ↓ vens + LLM → Analyzes each CVE with YOUR context ↓ OWASP Scores → Risk = Likelihood × Impact ↓ Prioritized List → Fix what matters for YOU </code></pre> </div> <h2> Try vens Now </h2> <ul> <li>📦 <strong>GitHub</strong>: <a href="https://github.com/venslabs/vens" rel="noopener noreferrer">https://github.com/venslabs/vens</a> </li> <li>📖 <strong>Full example</strong>: <a href="https://github.com/venslabs/vens/tree/main/examples/quickstart" rel="noopener noreferrer">https://github.com/venslabs/vens/tree/main/examples/quickstart</a> </li> <li>📄 <strong>License</strong>: Apache License 2.0 — Open source, contributions welcome</li> <li>🤖 <strong>LLM support</strong>: OpenAI, Anthropic, Ollama (local), Google AI</li> </ul> <p><em>Originally published on <a href="https://medium.com/@fahed.dorgaa/vens-stop-patching-vulnerabilities-that-dont-matter-to-you-64337b9468a5" rel="noopener noreferrer">Medium</a></em></p> cybersecurity owasp vulnerabilities trivy