
Week 18 - Vulnerability Scanning: Grype, Trivy, Clair

18.1 Conceptual Core

  • Scanners cross-reference image contents (or SBOMs) against vulnerability databases (NVD, distro-specific advisories, GitHub Security Advisories). They emit findings with CVE IDs, severities, and (sometimes) fixed versions.
  • The discipline is triage, not zero-CVE. A Critical CVE in a package you don't actually exercise is still a finding, but lower priority than a High in the request-handling path.
  • Tools:
    • Grype (Anchore): SBOM-friendly; pairs with Syft.
    • Trivy (Aqua): fast, broad ecosystem coverage; also scans configuration (Kubernetes YAML, Terraform).
    • Clair (Quay): registry-side scanning; powers the scan UIs in Quay and Harbor.

18.2 Mechanical Detail

  • Severity classifications: NVD CVSS v3 score → Critical (≥9.0), High (7.0–8.9), Medium (4.0–6.9), Low (<4.0). Project-specific scores may differ.
  • Vulnerability Exploitability eXchange (VEX): declares whether a CVE is actually exploitable in your context. Statuses: affected, not_affected, fixed, under_investigation. Use OpenVEX or CSAF VEX to suppress non-exploitable findings without hiding them.
  • Allowlist / ignore files: .trivyignore, .grype.yaml. Use sparingly; document each entry's rationale.

18.3 Lab: "Triage in CI"

  1. Run Trivy on an image; produce a SARIF report. Upload to GitHub Code Scanning (or your scanner of choice).
  2. Pick three findings; for each, write a one-paragraph triage decision: fix, accept, or VEX-suppress.
  3. Author the VEX statement using vexctl (OpenVEX). Attach to the image.
  4. Re-scan; verify that the suppressed findings are now flagged as "not exploitable" rather than disappearing entirely.
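The following is an added example, not code from this course or from Grype, Trivy or vexctl, illustrating both the VEX bullet in 18.2 and step 4 of the lab: a constructed OpenVEX document is applied to constructed scanner findings, and suppressed findings stay in the output with their status attached instead of being dropped. The purl, digest, CVE ids, author and document @id are placeholders; the status and justification vocabularies are the ones the OpenVEX specification defines. The validation step enforces the OpenVEX rule that a not_affected statement must carry a justification or an impact statement.

```python
"""Apply an OpenVEX document to container-scan findings without hiding them."""
from __future__ import annotations

# Constructed product identifier: a purl for the scanned image (placeholder digest).
PRODUCT = "pkg:oci/app-image@sha256%3A" + "0" * 64

# Constructed OpenVEX document. The @id, author, CVE ids and purl are placeholders.
VEX_DOC = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://vex.example.invalid/app-image/2024-001",
    "author": "Platform Security (constructed example)",
    "timestamp": "2024-01-15T10:00:00Z",
    "version": 1,
    "statements": [
        {
            "vulnerability": {"name": "CVE-0000-00001"},
            "products": [{"@id": PRODUCT}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_in_execute_path",
            "impact_statement": "The affected XML parser is never called by this service.",
        },
        {
            "vulnerability": {"name": "CVE-0000-00002"},
            "products": [{"@id": PRODUCT}],
            "status": "under_investigation",
        },
    ],
}

# Constructed scanner output, reduced to the fields triage needs
# (real Grype/Trivy JSON carries many more).
FINDINGS = [
    {"id": "CVE-0000-00001", "package": "libfoo", "version": "1.2.3", "severity": "Critical", "fixed_in": None},
    {"id": "CVE-0000-00002", "package": "libbar", "version": "2.0.0", "severity": "High", "fixed_in": "2.0.1"},
    {"id": "CVE-0000-00003", "package": "libbaz", "version": "0.9.0", "severity": "Medium", "fixed_in": "0.9.1"},
]

VALID_STATUSES = {"affected", "not_affected", "fixed", "under_investigation"}
# Justification values the OpenVEX specification allows for not_affected.
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


def validate_vex(doc: dict) -> list[str]:
    """Return a list of problems; an empty list means the document is usable."""
    problems = []
    for i, st in enumerate(doc.get("statements", [])):
        status = st.get("status")
        if status not in VALID_STATUSES:
            problems.append(f"statement {i}: unknown status {status!r}")
        if status == "not_affected":
            just = st.get("justification")
            if just is None and not st.get("impact_statement"):
                problems.append(f"statement {i}: not_affected needs a justification or impact_statement")
            elif just is not None and just not in NOT_AFFECTED_JUSTIFICATIONS:
                problems.append(f"statement {i}: unknown justification {just!r}")
        if not st.get("vulnerability", {}).get("name"):
            problems.append(f"statement {i}: missing vulnerability name")
    return problems


def index_vex(doc: dict, product: str) -> dict[str, dict]:
    """Map CVE id -> statement, keeping only statements that name `product`."""
    index = {}
    for st in doc.get("statements", []):
        if product in {p.get("@id") for p in st.get("products", [])}:
            index[st["vulnerability"]["name"]] = st
    return index


def apply_vex(findings: list[dict], doc: dict, product: str) -> list[dict]:
    """Annotate every finding with its VEX status. Nothing is dropped: a finding
    covered by not_affected or fixed is kept with suppressed=True so that the
    report still shows it (the property lab step 4 checks for)."""
    problems = validate_vex(doc)
    if problems:
        raise ValueError("; ".join(problems))
    index = index_vex(doc, product)
    annotated = []
    for f in findings:
        st = index.get(f["id"])
        # No statement for this CVE: conservatively treat the finding as open.
        status = st["status"] if st else "affected"
        annotated.append({
            **f,
            "vex_status": status,
            "vex_justification": (st or {}).get("justification"),
            "suppressed": status in ("not_affected", "fixed"),
        })
    return annotated


def summarize(annotated: list[dict]) -> dict[str, int]:
    """Counts per VEX status, so reports show suppressed findings next to open ones."""
    counts: dict[str, int] = {}
    for f in annotated:
        counts[f["vex_status"]] = counts.get(f["vex_status"], 0) + 1
    return counts


if __name__ == "__main__":
    result = apply_vex(FINDINGS, VEX_DOC, PRODUCT)
    for f in result:
        flag = "SUPPRESSED" if f["suppressed"] else "OPEN"
        print(f"{flag:10} {f['id']} {f['severity']:8} {f['package']} vex={f['vex_status']}")
    print(summarize(result))
```

The product match is an exact purl comparison, which is why the digest in the statement must be the digest of the image actually scanned; a statement written for a different tag or digest silently matches nothing and the finding stays open.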

18.4 Hardening Drill

  • Set CI policy: builds fail on Critical or High vulns with available fixes. Builds warn (do not fail) on findings without fixes, but require a VEX statement within 7 days.
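An added example of that gate, written for this page rather than taken from Trivy, Grype or the course material. It encodes the policy above, plus the CVSS v3 bands from 18.2 for findings that arrive with a score but no severity label. Findings are a constructed, simplified shape (id, package, severity or cvss, fixed_in, vex_status, first_seen); the first_seen date is assumed to be recorded by the pipeline the first time a finding appears, since the 7-day VEX deadline cannot be enforced without it.

```python
"""CI gate: fail on fixable Critical/High, warn on unfixed, and require a VEX
statement for unfixed blocking findings within a fixed number of days."""
from __future__ import annotations
from datetime import date
import sys

VEX_DEADLINE_DAYS = 7
BLOCKING = {"Critical", "High"}
# VEX statuses that take a finding out of the gate (it stays in the report).
SUPPRESSING = {"not_affected", "fixed"}


def cvss_to_severity(score: float) -> str:
    """NVD CVSS v3 bands as used in this page's severity classification."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def evaluate(findings: list[dict], today: date) -> dict:
    """Return {'result': 'fail'|'warn'|'pass', 'failures': [...], 'warnings': [...]}."""
    failures, warnings = [], []
    for f in findings:
        sev = f.get("severity") or cvss_to_severity(f["cvss"])
        vex = f.get("vex_status")
        if vex in SUPPRESSING or sev not in BLOCKING:
            continue
        if f.get("fixed_in"):
            # Policy: a fix exists, so the build must not ship without it.
            failures.append(f"{f['id']} ({sev}) fixable: upgrade {f['package']} to {f['fixed_in']}")
            continue
        # No fix available: warn, but the 7-day VEX clock is running.
        age = (today - f["first_seen"]).days
        if vex is None and age > VEX_DEADLINE_DAYS:
            failures.append(
                f"{f['id']} ({sev}) has no fix and no VEX statement after {age} days "
                f"(limit {VEX_DEADLINE_DAYS})"
            )
        else:
            warnings.append(
                f"{f['id']} ({sev}) has no fix; VEX status {vex or 'none yet'}, "
                f"day {age} of {VEX_DEADLINE_DAYS}"
            )
    result = "fail" if failures else ("warn" if warnings else "pass")
    return {"result": result, "failures": failures, "warnings": warnings}


# Constructed findings covering each branch of the policy (CVE ids are placeholders).
SAMPLE = [
    {"id": "CVE-0000-00011", "package": "openssl-ph", "severity": "Critical", "fixed_in": "3.0.13",
     "vex_status": None, "first_seen": date(2024, 1, 19)},
    {"id": "CVE-0000-00012", "package": "libxml-ph", "severity": "High", "fixed_in": None,
     "vex_status": None, "first_seen": date(2024, 1, 18)},
    {"id": "CVE-0000-00013", "package": "zlib-ph", "severity": "High", "fixed_in": None,
     "vex_status": None, "first_seen": date(2024, 1, 1)},
    {"id": "CVE-0000-00014", "package": "curl-ph", "severity": "Critical", "fixed_in": None,
     "vex_status": "not_affected", "first_seen": date(2024, 1, 1)},
    {"id": "CVE-0000-00015", "package": "pcre-ph", "cvss": 5.3, "fixed_in": "10.43",
     "vex_status": None, "first_seen": date(2024, 1, 19)},
]

if __name__ == "__main__":
    verdict = evaluate(SAMPLE, date(2024, 1, 20))
    for line in verdict["failures"]:
        print("FAIL:", line)
    for line in verdict["warnings"]:
        print("WARN:", line)
    print("result:", verdict["result"])
    sys.exit(1 if verdict["result"] == "fail" else 0)
```

Run as a script it exits non-zero on a fail verdict, which is what the CI job should key on; warn and pass both exit zero so that unfixed findings are visible in the log without blocking the build until the VEX deadline passes.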

18.5 Production Readiness Slice

  • Set up continuous re-scanning: nightly scans of all production images against the latest vulnerability database. New critical CVEs page on-call.
