GitHub Workflow Automates Critical CVE Triage for Container Images with VEX as Single Source of Truth
A new automated GitHub workflow establishes a rigorous vulnerability management pipeline for container images, moving beyond simple scanning to enforce structured remediation and compliance. Every Monday the system rescans all released images against the latest Grype vulnerability database and uploads the results directly to GitHub Code Scanning for immediate visibility. Because the image contents do not change between runs, any new finding is attributable to new vulnerability data rather than a new build. This transforms sporadic security checks into a predictable, auditable operational rhythm.
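The weekly rescan described above, as an added example of a GitHub Actions workflow (not the project's own file): the image names, VEX paths, matrix entries and the pinned Grype version are placeholders. It assumes the VEX file for each image is stored in the JSON serialization the OpenVEX specification defines, which is what `grype --vex` is documented to read, so a project that authors YAML would convert it before this step. Only the vulnerability database is allowed to float; the scanner binary is pinned so that a change in results can be traced to new data.

```yaml
# .github/workflows/weekly-rescan.yml  (added example; all names are placeholders)
name: Weekly CVE rescan

on:
  schedule:
    - cron: "0 6 * * 1"        # every Monday, 06:00 UTC
  workflow_dispatch:           # on-demand rerun after a fix or a VEX update

permissions:
  contents: read
  security-events: write       # needed by upload-sarif

env:
  GRYPE_VERSION: v0.80.0       # pin the scanner; only the DB is refreshed each run

jobs:
  rescan:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false         # one image's findings must not hide another's
      matrix:
        # one entry per released image; 'vex' is that image's OpenVEX file
        include:
          - name: app
            image: ghcr.io/example/app:1.2.3
            vex: vex/app.openvex.json
          - name: worker
            image: ghcr.io/example/worker:0.9.1
            vex: vex/worker.openvex.json
    steps:
      - uses: actions/checkout@v4

      - name: Install Grype (pinned)
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh \
            | sh -s -- -b /usr/local/bin "${GRYPE_VERSION}"

      - name: Refresh vulnerability database
        run: grype db update

      - name: Scan released image with VEX applied
        # not_affected / fixed statements in the VEX file drop the match;
        # affected / under_investigation statements leave it visible
        run: |
          grype "${{ matrix.image }}" \
            --vex "${{ matrix.vex }}" \
            -o sarif --file results.sarif

      - name: Upload to Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          category: grype-${{ matrix.name }}   # keeps per-image alert streams apart
```

The scan step deliberately does not fail the job: the point of the Monday run is to surface new findings in Code Scanning, where the SLA clock and the VEX triage take over, not to block an already-released image.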
The core innovation is a triage rule with exactly two permitted outcomes, so that every new CVE ends in an action rather than a shrug. The first outcome is remediation: updating the affected package within a strict Service Level Agreement (SLA) window. The second is documentation: if a vulnerability is deemed not exploitable or already mitigated, a formal statement must be added to the image's Vulnerability Exploitability eXchange (VEX) file. These VEX files, authored in OpenVEX YAML format, serve as the single source of truth: the same statement both suppresses the non-actionable finding in the Grype scan and publishes the triage rationale as public compliance evidence on the release website. Only statements with status `not_affected` or `fixed` suppress a finding; a statement of `affected` or `under_investigation` records the decision but leaves the alert visible, which is the intended behaviour while the SLA clock is running.
This workflow institutionalizes accountability by binding technical fixes to policy deadlines. The defined SLAs create clear pressure: critical vulnerabilities, meaning a CVSS score of 9.0 or higher or any vulnerability known to be actively exploited, must be addressed within seven days of first appearing in a scan. By eliminating dual bookkeeping between scanner configuration and audit artifacts, the system not only reduces operational friction but also creates a transparent, automated record of security decisions, and of any delays, that is visible both internally on GitHub and externally to anyone reviewing the public release artifacts.
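The two-outcome triage and the seven-day critical SLA, as one added worked example in Python (not the project's code). It mirrors what `grype --vex` does with a VEX file, using only the `not_affected` and `fixed` statuses to drop a match, then applies the article's SLA rule to whatever remains. The OpenVEX document, the Grype-style JSON report, the KEV set, the first-seen dates and the scan date are all constructed inputs; the CVE identifiers (`CVE-2099-…`), package names, product purl and document `@id` are fictional. Grype's own report does not carry a first-seen date, so in a real pipeline that ledger is kept by the workflow itself (an assumption here, supplied as a plain dict).

```python
"""Added example: VEX-aware triage gate for a Grype JSON report (not the project's code)."""
from datetime import date, timedelta

# --- constructed inputs; every identifier below is fictional -----------------
VEX_DOC = {  # shape follows the OpenVEX spec; this is the image's single source of truth
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/app-1.2.3",      # hypothetical document id
    "author": "Example Platform Security",
    "timestamp": "2025-01-06T00:00:00Z",
    "version": 1,
    "statements": [
        {   # triaged: vulnerable code is never reached -> suppressed in scans
            "vulnerability": {"name": "CVE-2099-0001"},
            "products": [{"@id": "pkg:oci/app@sha256%3A0000",
                          "subcomponents": [{"@id": "pkg:apk/alpine/libfoo@1.0.0"}]}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_in_execute_path",
            "impact_statement": "libfoo's affected parser is not linked into the service binary.",
        },
        {   # still being assessed: recorded, but does NOT suppress the finding
            "vulnerability": {"name": "CVE-2099-0002"},
            "products": [{"@id": "pkg:oci/app@sha256%3A0000",
                          "subcomponents": [{"@id": "pkg:apk/alpine/libbar@2.4.0"}]}],
            "status": "under_investigation",
        },
    ],
}

GRYPE_REPORT = {  # trimmed to the fields of `grype -o json` that triage needs
    "matches": [
        {"vulnerability": {"id": "CVE-2099-0001", "severity": "High",
                           "cvss": [{"version": "3.1", "metrics": {"baseScore": 7.5}}],
                           "fix": {"state": "fixed", "versions": ["1.0.1"]}},
         "artifact": {"name": "libfoo", "version": "1.0.0",
                      "purl": "pkg:apk/alpine/libfoo@1.0.0?arch=x86_64"}},
        {"vulnerability": {"id": "CVE-2099-0002", "severity": "Critical",
                           "cvss": [{"version": "3.1", "metrics": {"baseScore": 9.8}}],
                           "fix": {"state": "fixed", "versions": ["2.4.1"]}},
         "artifact": {"name": "libbar", "version": "2.4.0",
                      "purl": "pkg:apk/alpine/libbar@2.4.0?arch=x86_64"}},
        {"vulnerability": {"id": "CVE-2099-0003", "severity": "Medium",
                           "cvss": [{"version": "3.1", "metrics": {"baseScore": 6.5}}],
                           "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "libbaz", "version": "0.3.0",
                      "purl": "pkg:apk/alpine/libbaz@0.3.0?arch=x86_64"}},
    ]
}
KEV_IDS = {"CVE-2099-0003"}                      # stand-in for the CISA KEV catalog
FIRST_SEEN = {"CVE-2099-0002": date(2025, 1, 6),  # ledger kept by the workflow (assumed)
              "CVE-2099-0003": date(2025, 1, 13)}
TODAY = date(2025, 1, 20)                        # this Monday's rescan

CRITICAL_SLA = timedelta(days=7)                 # article: CVSS >= 9 or actively exploited
SUPPRESSING = {"not_affected", "fixed"}          # the only statuses that drop a match


def _base_purl(purl):
    """Compare purls without qualifiers (?arch=...), as the scanner's purl may carry them."""
    return purl.split("?", 1)[0]


def vex_index(doc):
    """Map (cve, subcomponent purl) -> statement; (cve, None) for product-wide statements."""
    idx = {}
    for st in doc["statements"]:
        cve = st["vulnerability"]["name"]
        for prod in st.get("products", []):          # product is assumed to be this image
            for sub in prod.get("subcomponents") or [None]:
                idx[(cve, _base_purl(sub["@id"]) if sub else None)] = st
    return idx


def apply_vex(report, doc):
    """Split matches into kept and suppressed, the way `grype --vex` filters by default."""
    idx, kept, suppressed = vex_index(doc), [], []
    for m in report["matches"]:
        cve, purl = m["vulnerability"]["id"], _base_purl(m["artifact"]["purl"])
        st = idx.get((cve, purl)) or idx.get((cve, None))
        if st and st["status"] in SUPPRESSING:
            suppressed.append((cve, purl, st["status"], st.get("justification")))
        else:
            kept.append(m)
    return kept, suppressed


def max_cvss(vuln):
    """Highest base score among the CVSS entries Grype attached to the vulnerability."""
    return max((c["metrics"]["baseScore"] for c in vuln.get("cvss", []) if "metrics" in c),
               default=0.0)


def triage(report, doc, kev_ids, first_seen, today):
    """Outcome per remaining finding: critical ones get a due date and an overdue flag."""
    kept, suppressed = apply_vex(report, doc)
    actions = []
    for m in kept:
        v, cve = m["vulnerability"], m["vulnerability"]["id"]
        score = max_cvss(v)
        row = {"cve": cve, "package": m["artifact"]["name"], "cvss": score,
               "critical": score >= 9.0 or cve in kev_ids,
               "fix_available": v["fix"]["state"] == "fixed"}
        if row["critical"]:
            due = first_seen.get(cve, today) + CRITICAL_SLA
            row["due"], row["overdue"] = due.isoformat(), today > due
        actions.append(row)
    return actions, suppressed


if __name__ == "__main__":
    acts, supp = triage(GRYPE_REPORT, VEX_DOC, KEV_IDS, FIRST_SEEN, TODAY)
    for s in supp:
        print("suppressed by VEX:", *s)
    for a in acts:
        print("needs fix or VEX statement:", a)
```

In the constructed run, CVE-2099-0001 disappears from the scan because of its `not_affected` statement while its justification stays in the file for publication; CVE-2099-0002 is critical on score, is past its due date despite the `under_investigation` statement, and so shows as overdue; CVE-2099-0003 is only Medium on CVSS but is in the KEV set, so the policy treats it as critical with a due date a week from first sight.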