CoursesSoftware supply chain in depthSBOM & dependency integrity

Scanning, VEX & re-scan

Gate on what matters; catch new CVEs later.

Advanced30 min · lesson 11 of 15

Scanning is where the SBOM becomes actionable, but a scanner that fails the build on every CVE quickly gets disabled. Effective vulnerability management is about gating on what matters, suppressing noise responsibly, and re-scanning over time.

Gate on severity and exploitability

A scanner like Grype or Trivy reports findings by severity, but "fail on any CVE" is unworkable — base images always carry some, and many are not reachable in your code. The workable policy fails the build only on the findings that matter: high/critical severity, with a fix available, and not marked non-exploitable by a VEX statement. Run scanning in CI so a serious finding surfaces in the merge request, not in production, and record the result as a signed attestation so an admission gate can require "scanned, no unaddressed criticals".

a scan gate that is strict but livable
# Report everything (visibility) but FAIL only on fixable high/critical.
grype registry.acme.internal/api@sha256:9f2c... \
--fail-on high --only-fixed -o table
# Feed a VEX doc so known non-exploitable CVEs do not block the pipeline:
grype ... --vex vex.openvex.json
# Attach the result as evidence for the admission gate to require:
cosign attest --predicate scan.json --type https://acme.dev/scan/v1 <image@digest>

Suppress responsibly, re-scan always

Suppressing a finding is sometimes legitimate — a false positive, a genuinely unreachable path — but every suppression must carry a justification and an expiry, or the scanner slowly becomes meaningless as exceptions accumulate silently. Just as important, vulnerabilities are discovered continuously, so an artifact clean at build can be vulnerable next week: because you stored the SBOM, you can re-scan deployed artifacts against current data and catch newly-disclosed CVEs without rebuilding. Scanning is not a one-time gate but an ongoing posture.

Scanning as an ongoing control
1scan in CI
fail on fixable high/critical
2VEX + expiring suppressions
cut noise responsibly
3attest the result
evidence for admission
4re-scan deployed
catch new CVEs, no rebuild
Gate on what matters, justify every exception with an expiry, and keep re-scanning. A "fail on everything" scanner gets turned off.
A permanent silent suppression rots the scanner
Ignoring a finding with no justification and no expiry means it is never revisited — and enough of those make the scan a rubber stamp. Require a reason and an expiry on every suppression so exceptions are deliberate, reviewed, and temporary.