Merged
2 changes: 2 additions & 0 deletions .github/workflows/docker-publish.yml
@@ -255,6 +255,7 @@ jobs:
--ignore-unfixed \
--exit-code 1 \
--cache-dir .cache/trivy \
--vex vex.json \
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest-amd64

# ─────────────────────────────────────────────────────────────────────────────
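Review bot: Adding `--vex vex.json` only helps if the product identifier in the document matches what Trivy matches against for this scan target; Trivy matches OpenVEX products by PURL, and for a container image scan the root component is the image's `pkg:oci/...` PURL, whereas the template in `SECURITY.md` uses `pkg:github/paradoxbound/bookstack-mcp`. Please confirm with a deliberate test statement that a finding on `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest-amd64` is actually suppressed before relying on this for the release gate; otherwise every statement will be silently ignored and the `--exit-code 1` gate behaves exactly as before. The path is also relative to the job's working directory, so this step assumes the repository has been checked out earlier in the job.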
@@ -667,6 +668,7 @@ jobs:
--ignore-unfixed \
--exit-code 1 \
--cache-dir .cache/trivy \
--vex vex.json \
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:pr-${{ github.event.pull_request.number }}-amd64

# Smoke-test SBOM generation against the PR amd64 image.
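Review bot: Because the PR scan reads `vex.json` from the same checkout it scans, a contributor can add a `not_affected` statement in the PR that introduces the finding and clear the gate for `pr-${{ github.event.pull_request.number }}-amd64` in one go. That is fine for a maintainer-authored suppression but should not be self-service: add a `CODEOWNERS` entry for `vex.json` so changes to it require a maintainer review, and consider having the workflow flag (or just log) when a PR touches `vex.json` so the reviewer knows to look at the justification.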
20 changes: 20 additions & 0 deletions SECURITY.md
@@ -112,6 +112,26 @@ This section documents the attack surface, trust boundaries, and identified thre
- `BOOKSTACK_BASE_URL` is operator-supplied at deployment time; it is not accepted from end users or MCP clients
- Operators are responsible for ensuring the URL points to a legitimate BookStack instance

## VEX Document

A [VEX (Vulnerability Exploitability eXchange)](https://openvex.dev/) document is maintained at [`vex.json`](vex.json) in OpenVEX format. When a vulnerability scanner reports a CVE in a dependency that does not affect this project — for example, a vulnerable code path that is never called, or a CVE present only in a development dependency not shipped in the Docker image — a statement is added to `vex.json` with a machine-readable justification.

Trivy reads `vex.json` automatically during both PR and release scans, suppressing confirmed non-applicable findings from gate failures.

**To add a VEX statement**, append an entry to the `statements` array in `vex.json`:

```json
{
"vulnerability": { "name": "CVE-YYYY-NNNNN" },
"products": [{ "@id": "pkg:github/paradoxbound/bookstack-mcp" }],
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"impact_statement": "Brief explanation of why this CVE does not affect the deployed product."
}
```

Valid `justification` values: `component_not_present`, `vulnerable_code_not_present`, `vulnerable_code_not_in_execute_path`, `vulnerable_code_cannot_be_controlled_by_adversary`, `inline_mitigations_already_exist`.

## Reporting a Vulnerability

Please do **not** open a public GitHub issue for security vulnerabilities.
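Review bot: The "To add a VEX statement" procedure is missing two steps that OpenVEX requires or strongly recommends. First, the document-level `version` must be incremented and `timestamp` updated whenever a statement is added or changed, otherwise consumers cannot tell a newer document from an older one; add those to the checklist. Second, the template identifies only the product, so a statement for a CVE in a dependency suppresses that CVE for the whole image regardless of which package carries it; OpenVEX lets the product entry carry `subcomponents` with the vulnerable package's PURL, and scoping statements that way keeps a justification written for one library from masking the same CVE surfacing in another. It would also help to ask for a reference in `impact_statement` (the function or call path that is never reached) so the claim can be re-checked when the dependency is upgraded.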
8 changes: 8 additions & 0 deletions vex.json
@@ -0,0 +1,8 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://github.com/paradoxbound/bookstack-mcp/blob/main/vex.json",
"author": "paradoxbound",
"timestamp": "2026-03-09T00:00:00Z",
"version": 1,
"statements": []
}
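Review bot: The initial document is well-formed, but nothing in the workflow checks that it stays that way; since the file is now an input to a gating scan, a syntax slip in a future statement is a security-relevant failure either way (a scan that errors out, or a suppression that quietly stops applying). A cheap guard is a step before the Trivy scan that parses the file (for example `jq -e .statements vex.json`) and fails the job on error. Also note that `"version": 1` and the `timestamp` are now the baseline: per OpenVEX both must move with every edit to `statements`, so the first real statement should land as version 2 with a fresh timestamp.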