🔍 Add Vens plugin to Trivy plugin index #20

Merged
knqyf263 merged 2 commits into aquasecurity:main from fahedouch:index-vens-from-venslabs on Jan 21, 2026

Conversation

@fahedouch (Contributor) commented Jan 16, 2026

Hi everyone,

https://github.com/venslabs/vens

This PR adds the Vens plugin from VensLabs to the official Trivy plugin registry.

What is Vens?

Vens is an AI-powered vulnerability prioritizer that transforms massive Trivy security reports into precise, actionable CycloneDX VEX documents using LLMs. It helps security teams focus on the risks that actually matter by adding business context to vulnerability assessments.

Vision & Impact: 🌐

Vens is pioneering the use of LLMs for vulnerability management in the open-source ecosystem. We're not just using CycloneDX – we're actively shaping it by contributing to the specification to better support risk-based prioritization (CycloneDX PR #722). 🚀

Example use case:

Imagine Trivy finds 500 vulnerabilities in your application. Instead of manually reviewing all of them:

  1. Run Trivy scan → Get trivy.json with 500 CVEs
  2. Define your business context in config.yaml (e.g., your payment API has high impact: 9, high likelihood: 7)
  3. Run vens generate with your SBOM and Trivy results
  4. Get a prioritized VEX report with OWASP risk scores (0-81) for each vulnerability based on YOUR actual context

Result: Focus on the 10 critical vulnerabilities in your payment API first, instead of wasting time on low-risk issues in unused dependencies.

# Scan an image with Trivy
trivy image python:3.12.4 --format=json --severity HIGH,CRITICAL > report.json

# Generate VEX using vens as a Trivy plugin
trivy vens generate --config-file config.yaml --sboms sbom1.cdx.json,sbom2.cdx.json report.json vex.cdx.json

# Enrich the report with VEX ratings
trivy vens enrich --vex vex.cdx.json report.json

# Or save to a file
trivy vens enrich --vex vex.cdx.json --output enriched-report.json report.json
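
An added example, written for this page and not code from the PR or the Vens project, of the scoring step the description above outlines: read a Trivy JSON report, attach a business context to each scan target, compute the OWASP Risk Rating score (likelihood x impact, each 0-9, product 0-81), and emit the result as a CycloneDX VEX document whose `ratings` entry uses the `OWASP` rating method. The config layout, the substring matching of targets, the severity-to-likelihood bump, the `exploitable_at` threshold and the sample report with placeholder CVE IDs are all assumptions made here, not Vens's behaviour or its config.yaml format.

```python
"""Apply the OWASP Risk Rating (likelihood x impact, each 0-9, product 0-81)
to a Trivy JSON report using a per-target business context, and emit the
result as a CycloneDX VEX-style document.

Illustrative code written for this page, not Vens's implementation: the
config layout, the target matching rule and the sample report are assumptions.
"""
import json

# Constructed sample in the shape of `trivy image --format=json` output,
# trimmed to the fields used here.  The CVE IDs are placeholders, not real CVEs.
SAMPLE_TRIVY_REPORT = {
    "ArtifactName": "payments-api:1.4.2",
    "Results": [
        {
            "Target": "payments-api:1.4.2 (debian 12.6)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-1111", "PkgName": "libssl3",
                 "InstalledVersion": "3.0.11-1", "FixedVersion": "3.0.13-1",
                 "Severity": "CRITICAL",
                 "PkgIdentifier": {"PURL": "pkg:deb/debian/libssl3@3.0.11-1"}},
                {"VulnerabilityID": "CVE-0000-2222", "PkgName": "libxml2",
                 "InstalledVersion": "2.9.14", "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "docs-builder/requirements.txt",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-3333", "PkgName": "markdown2",
                 "InstalledVersion": "2.4.0", "FixedVersion": "2.4.1",
                 "Severity": "HIGH"},
            ],
        },
    ],
}

# Assumed config layout (not Vens's config.yaml): substring matchers against
# the Trivy target, each carrying the business impact and likelihood (0-9).
SAMPLE_CONFIG = {
    "targets": [
        {"match": "payments-api", "impact": 9, "likelihood": 7},
        {"match": "docs-builder", "impact": 2, "likelihood": 1},
    ],
    "default": {"impact": 3, "likelihood": 3},
}

# Assumed nudge of the context likelihood by Trivy's severity, clamped to 0-9.
SEVERITY_BUMP = {"CRITICAL": 2, "HIGH": 1, "MEDIUM": 0, "LOW": -1, "UNKNOWN": 0}

# OWASP Risk Rating: 0-<3 LOW, 3-<6 MEDIUM, 6-9 HIGH on both axes, then the
# published matrix gives the overall risk.  Keyed (impact level, likelihood
# level); OWASP's "Note" is mapped to the CycloneDX severity "info".
RISK_MATRIX = {
    ("HIGH", "LOW"): "medium", ("HIGH", "MEDIUM"): "high", ("HIGH", "HIGH"): "critical",
    ("MEDIUM", "LOW"): "low", ("MEDIUM", "MEDIUM"): "medium", ("MEDIUM", "HIGH"): "high",
    ("LOW", "LOW"): "info", ("LOW", "MEDIUM"): "low", ("LOW", "HIGH"): "medium",
}


def level(value):
    """Bucket a 0-9 likelihood or impact value into the OWASP LOW/MEDIUM/HIGH band."""
    return "LOW" if value < 3 else "MEDIUM" if value < 6 else "HIGH"


def context_for(target, config):
    """First matcher whose substring appears in the Trivy target, else the default."""
    for entry in config["targets"]:
        if entry["match"] in target:
            return entry
    return config["default"]


def score_finding(vuln, context):
    """Score one Trivy vulnerability entry against the business context."""
    likelihood = max(0, min(9, context["likelihood"] + SEVERITY_BUMP.get(vuln["Severity"], 0)))
    impact = context["impact"]
    purl = vuln.get("PkgIdentifier", {}).get("PURL")
    return {
        "id": vuln["VulnerabilityID"],
        # Prefer the purl Trivy emits; fall back to name@version (assumed format).
        "ref": purl or f"{vuln['PkgName']}@{vuln['InstalledVersion']}",
        "likelihood": likelihood,
        "impact": impact,
        "score": likelihood * impact,  # 0-81
        "severity": RISK_MATRIX[(level(impact), level(likelihood))],
        "fixed": bool(vuln.get("FixedVersion")),
    }


def score_report(report, config):
    """Score every finding in the report, highest risk first."""
    findings = []
    for result in report.get("Results", []):
        context = context_for(result.get("Target", ""), config)
        for vuln in result.get("Vulnerabilities") or []:  # Trivy omits or nulls empty lists
            findings.append(score_finding(vuln, context))
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def to_vex(report, config, exploitable_at=27):
    """Build a CycloneDX VEX document with one `vulnerabilities` entry per finding.

    Findings at or above `exploitable_at` (assumed: the MEDIUM x MEDIUM boundary)
    are marked exploitable, with response "update" when Trivy reports a fix;
    the rest stay in triage.
    """
    vulns = []
    for f in score_report(report, config):
        if f["score"] >= exploitable_at:
            analysis = {"state": "exploitable"}
            if f["fixed"]:
                analysis["response"] = ["update"]
        else:
            analysis = {"state": "in_triage"}
        analysis["detail"] = f"OWASP likelihood {f['likelihood']} x impact {f['impact']} = {f['score']}"
        vulns.append({
            "id": f["id"],
            "ratings": [{"method": "OWASP", "score": f["score"], "severity": f["severity"]}],
            "analysis": analysis,
            "affects": [{"ref": f["ref"]}],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "vulnerabilities": vulns}


if __name__ == "__main__":
    print(json.dumps(to_vex(SAMPLE_TRIVY_REPORT, SAMPLE_CONFIG), indent=2))
```

Run as a script to print the VEX JSON for the constructed sample; the payments-api findings come out first (81 and 63, both critical under the OWASP matrix) and the docs-builder finding last (4, info), which is the prioritisation effect the description above is after. To try it on real input, replace `SAMPLE_TRIVY_REPORT` with `json.load(open("report.json"))` from a `trivy image --format=json` run.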

@CLAassistant commented Jan 16, 2026

CLA assistant check
All committers have signed the CLA.

@fahedouch (Contributor, Author)

@knqyf263 PTAL

@knqyf263 (Collaborator)

Could you sign our CLA?

@fahedouch (Contributor, Author)

> Could you sign our CLA?

done :)

@knqyf263 knqyf263 merged commit 9504f52 into aquasecurity:main Jan 21, 2026
2 checks passed
@knqyf263 (Collaborator)

Thanks


3 participants