Aqua Security Launches VEX Hub Repository and Expands Trivy’s Scanning Capabilities

First and only open source central repository of Vulnerability Exploitability eXchange (VEX) documents makes it easier for users and software maintainers to manage vulnerabilities

BOSTON—September 16, 2024—Aqua Security, the pioneer in cloud native security, today announced VEX Hub, a vendor-neutral repository for VEX (Vulnerability Exploitability eXchange). VEX is a new industry standard for communicating and sharing information on security vulnerabilities for software artifacts, and VEX Hub now provides users and software maintainers with a single library of vulnerability information and fewer false positives.

VEX Hub aggregates VEX documents from software maintainers and organizes them in a central repository, making them accessible for consumption by scanning tools. VEX Hub information improves the accuracy of scanning results and provides actionable vulnerability reports to users. As part of the release, the latest version of Aqua Trivy open source consumes VEX Hub information so users can better prioritize vulnerabilities and reduce alert fatigue.

“For years, users have struggled to locate and prioritize software vulnerabilities and maintainers have struggled with how to share the information. VEX was created to solve these problems,” said Itay Shakury, VP Open Source at Aqua Security. “The missing piece to date is a system to collect the relevant vulnerability exploitation information into a central repository – that’s where VEX Hub comes in. We have worked with the VEX community since inception, and we’re ready to take VEX to the next level with VEX Hub.”

VEX Hub is built for collaboration and simplifies the management of VEX information. Aqua’s open source team has created one place for maintainers to easily share timely vulnerability updates, and for users to find and access the critical vulnerability exploitation information.

VEX Hub was included in the latest version of Trivy v0.54, so those running on this version can use VEX Hub in their Trivy scans using the `--vex repo` flag. Now Trivy will deliver fewer false positives and more accurate, actionable vulnerability reports.

More on the VEX Hub repository and how to participate in the VEX Hub community is available here and on the Aqua Blog.

In the near future, Aqua customers will be able to take advantage of VEX Hub as part of the Aqua Platform scanner.

About Aqua Security

Aqua Security is the pioneer in securing containerized cloud native applications from development to production. Aqua’s full lifecycle solution prevents attacks by enforcing pre-deployment hygiene and mitigates attacks in real time in production, reducing mean time to repair and overall business risk. The Aqua Platform, a Cloud Native Application Protection Platform (CNAPP), integrates security from Code to Cloud, combining the power of agent and agentless technology into a single solution. With enterprise scale that doesn’t slow development pipelines, Aqua secures your future in the cloud. Founded in 2015, Aqua is headquartered in Boston, MA and Ramat Gan, IL protecting over 500 of the world’s largest enterprises. For more information, visit https://www.aquasec.com.