Run trivy image --format cyclonedx --output sbom.cdx.json <image-reference> to generate a CycloneDX SBOM; alternatively use trivy fs or trivy repo for filesystem or repository targets.
Run a vulnerability scan against the generated SBOM with trivy sbom sbom.cdx.json --output results.json --format json to decouple image pulling from scanning.
Prepare an OpenVEX or CycloneDX VEX file with not_affected statements for CVEs that do not affect your product (see separate VEX authoring steps).
Run trivy sbom sbom.cdx.json --vex ./vex.json to apply the VEX file; Trivy will suppress vulnerabilities that have a not_affected status for the matched product in the VEX document.
Compare scan output with and without --vex to confirm the expected CVEs are filtered and that no unintended findings are suppressed.
Known gotchas
Trivy's --vex flag support and the VEX format it accepts may vary by version; verify which formats (OpenVEX, CycloneDX VEX) are supported in your installed Trivy version.
Trivy matches VEX statements to vulnerabilities using CVE ID and product PURL; if the PURL in your VEX does not match Trivy's internal representation of the package, filtering will silently not apply.
Generating an SBOM with Trivy and then scanning that SBOM with Trivy may produce slightly different results than scanning the image directly due to how Trivy resolves package metadata in each mode.
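To make the with/without --vex comparison in the last step concrete, and to catch the silent PURL mismatch described in the gotchas, here is an added checker (not part of the page or of Trivy): it takes the baseline Trivy JSON, the --vex Trivy JSON and the OpenVEX file, and reports which findings were suppressed, which not_affected statements never took effect, and which suppressions nothing in the VEX explains. The sample reports are constructed; the assumed Trivy JSON layout is Results[].Vulnerabilities[] with VulnerabilityID and PkgIdentifier.PURL.

```python
import json

# Constructed sample data (not real scan output). Assumed Trivy JSON layout:
# Results[].Vulnerabilities[] with VulnerabilityID and PkgIdentifier.PURL.
BASELINE_JSON = json.dumps({"Results": [{"Target": "sbom.cdx.json", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2024-0001", "PkgIdentifier": {"PURL": "pkg:npm/lodash@4.17.20"}},
    {"VulnerabilityID": "CVE-2024-0002", "PkgIdentifier": {"PURL": "pkg:npm/minimist@1.2.5"}},
    {"VulnerabilityID": "CVE-2024-0003", "PkgIdentifier": {"PURL": "pkg:npm/qs@6.5.2"}},
]}]})
# Same scan run with --vex: only CVE-2024-0001 was dropped by Trivy.
WITH_VEX_JSON = json.dumps({"Results": [{"Target": "sbom.cdx.json", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2024-0002", "PkgIdentifier": {"PURL": "pkg:npm/minimist@1.2.5"}},
    {"VulnerabilityID": "CVE-2024-0003", "PkgIdentifier": {"PURL": "pkg:npm/qs@6.5.2"}},
]}]})
# The OpenVEX file that was passed in; the minimist PURL carries a qualifier the report lacks.
VEX_JSON = json.dumps({"@context": "https://openvex.dev/ns/v0.2.0", "statements": [
    {"vulnerability": {"name": "CVE-2024-0001"}, "status": "not_affected",
     "products": [{"@id": "pkg:npm/lodash@4.17.20"}]},
    {"vulnerability": {"name": "CVE-2024-0002"}, "status": "not_affected",
     "products": [{"@id": "pkg:npm/minimist@1.2.5?type=library"}]},
    {"vulnerability": {"name": "CVE-2024-0003"}, "status": "affected",
     "products": [{"@id": "pkg:npm/qs@6.5.2"}]},
]})

def findings(report_json):
    """Return the set of (CVE ID, package PURL) pairs in a Trivy JSON report."""
    report = json.loads(report_json)
    return {(v["VulnerabilityID"], v.get("PkgIdentifier", {}).get("PURL", ""))
            for r in report.get("Results", []) for v in r.get("Vulnerabilities", [])}

def vex_not_affected(vex_json):
    """Return the (CVE ID, product PURL) pairs an OpenVEX file marks not_affected."""
    vex = json.loads(vex_json)
    return {(s["vulnerability"]["name"], p["@id"])
            for s in vex["statements"] if s["status"] == "not_affected"
            for p in s["products"]}

def check_vex(baseline_json, with_vex_json, vex_json):
    """Compare the two scans against the VEX intent and report any gap."""
    before, after = findings(baseline_json), findings(with_vex_json)
    suppressed = before - after
    intended = vex_not_affected(vex_json)
    intended_cves = {cve for cve, _ in intended}
    return {
        "suppressed": sorted(suppressed),
        # not_affected in the VEX but still reported: the PURL did not match
        "unapplied": sorted((cve, purl) for cve, purl in after if cve in intended_cves),
        # dropped although no not_affected statement covers that exact (CVE, PURL)
        "unexpected": sorted(suppressed - intended),
    }

if __name__ == "__main__":
    print(json.dumps(check_vex(BASELINE_JSON, WITH_VEX_JSON, VEX_JSON), indent=2))
```

Against real runs, pass the contents of results.json, the --vex results and vex.json to check_vex; a non-empty "unapplied" list is the PURL-mismatch gotcha, a non-empty "unexpected" list means something was filtered that the VEX does not account for.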