Continuous rescanning & VEX

Yesterday’s clean image is today’s CVE.

Advanced12 min · lesson 16 of 18

Supply-chain security is not a build-time achievement you unlock once — it is an ongoing operation, because the artifact you signed and shipped as clean becomes vulnerable the moment a new CVE is disclosed against something inside it. Nothing about the running image changed; the world’s knowledge did. So you continuously rescan the artifacts you are actually running against fresh vulnerability data, using the SBOMs you already generated, and act on what newly lights up.

THE CONTINUOUS RESCAN LOOP
1Rescan running images
stored SBOMs vs today's CVE feed, no rebuild
2New CVE lights up
image unchanged, the world's knowledge changed
3VEX filter
suppress confirmed-irrelevant, keep real signal
4Alert to action
expedited bump, rebuild on patched base, re-sign
Stored SBOMs + rescanning + VEX + a patch cadence is what operating supply-chain security actually means, not a green scan at build treated as permanent.
terminal
# rescan RUNNING images against today’s CVE feed — using stored SBOMs, no rebuild needed
$ for sbom in inventory/*.spdx.json; do
grype "sbom:$sbom" --fail-on critical --only-fixed
done
# a scheduled job (nightly, and on-demand when a big CVE drops) turns "are we exposed?" into a query

VEX: cut the noise so signal survives

Continuous rescanning has a failure mode: alert fatigue. Many reported CVEs do not actually affect you — the vulnerable code path is never reached, the component is not exposed, a mitigating control is in place. VEX (Vulnerability Exploitability eXchange) is a standard for recording those determinations as machine-readable statements: "CVE-X is not_affected in this product because the vulnerable function is unreachable." VEX lets you suppress the confirmed-irrelevant findings with an auditable justification, so the alerts that remain are ones that actually need action.

vex-statement (OpenVEX)
{
"@context": "https://openvex.dev/ns/v0.2.0",
"statements": [{
"vulnerability": { "name": "CVE-2024-XXXX" },
"products": [{ "@id": "pkg:oci/payments-api@sha256:9f2a..." }],
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path"
}]
}

From alert to action

The operational loop closes when a real finding drives a real change. A newly-critical, reachable CVE in a running image should trigger the update path from earlier — an expedited dependency bump, a rebuild against a patched base, a fresh scan/sign/deploy — on a clock appropriate to the severity. The combination of stored SBOMs (know what you run), continuous rescanning (know when it becomes vulnerable), VEX (know what actually matters), and a patch cadence (fix it fast) is what "operating" supply-chain security actually is.

Clean at build is not clean forever
The most common false comfort in supply-chain security is a green scan at build time treated as a permanent verdict. New vulnerabilities are disclosed daily against code you already shipped, so an artifact’s security posture decays even while it sits untouched in production. Rescan what you run continuously, or you are secure only against the CVEs that were public the day you built — which is to say, against yesterday’s threats.