Continuous rescanning & VEX
Yesterday’s clean image is today’s CVE.
Supply-chain security is not a build-time achievement you unlock once — it is an ongoing operation, because the artifact you signed and shipped as clean becomes vulnerable the moment a new CVE is disclosed against something inside it. Nothing about the running image changed; the world’s knowledge did. So you continuously rescan the artifacts you are actually running against fresh vulnerability data, using the SBOMs you already generated, and act on what newly lights up.
# rescan RUNNING images against today’s CVE feed — using stored SBOMs, no rebuild needed$ for sbom in inventory/*.spdx.json; dogrype "sbom:$sbom" --fail-on critical --only-fixeddone# a scheduled job (nightly, and on-demand when a big CVE drops) turns "are we exposed?" into a query
VEX: cut the noise so signal survives
Continuous rescanning has a failure mode: alert fatigue. Many reported CVEs do not actually affect you — the vulnerable code path is never reached, the component is not exposed, a mitigating control is in place. VEX (Vulnerability Exploitability eXchange) is a standard for recording those determinations as machine-readable statements: "CVE-X is not_affected in this product because the vulnerable function is unreachable." VEX lets you suppress the confirmed-irrelevant findings with an auditable justification, so the alerts that remain are ones that actually need action.
{"@context": "https://openvex.dev/ns/v0.2.0","statements": [{"vulnerability": { "name": "CVE-2024-XXXX" },"products": [{ "@id": "pkg:oci/payments-api@sha256:9f2a..." }],"status": "not_affected","justification": "vulnerable_code_not_in_execute_path"}]}
From alert to action
The operational loop closes when a real finding drives a real change. A newly-critical, reachable CVE in a running image should trigger the update path from earlier — an expedited dependency bump, a rebuild against a patched base, a fresh scan/sign/deploy — on a clock appropriate to the severity. The combination of stored SBOMs (know what you run), continuous rescanning (know when it becomes vulnerable), VEX (know what actually matters), and a patch cadence (fix it fast) is what "operating" supply-chain security actually is.