goharbor · reasonerjt · Dec 22, 2025 · Aug 28, 2025 · Dec 19, 2025
diff --git a/README.md b/README.md
@@ -102,6 +102,8 @@ Configuration of the adapter is done via environment variables at startup.
 | `SCANNER_TRIVY_GITHUB_TOKEN`            | N/A                                                            | The GitHub access token to download [Trivy DB] (see [GitHub rate limiting][gh-rate-limit])                                                                                                                                                                                         |
 | `SCANNER_TRIVY_INSECURE`                | `false`                                                        | The flag to skip verifying registry certificate                                                                                                                                                                                                                                    |
 | `SCANNER_TRIVY_TIMEOUT`                 | `5m0s`                                                         | The duration to wait for scan completion                                                                                                                                                                                                                                           |
+| `SCANNER_TRIVY_VEX_SOURCE`              | N/A                                                            | Enable VEX, possible values are `oci` and `repo` [EXPERIMENTAL]                                                                                                                                                                                                                    |
+| `SCANNER_TRIVY_SKIP_VEX_REPO_UPDATE`    | `false`                                                        | Skip updating the VEX repository [EXPERIMENTAL]                                                                                                                                                                                                                                    |
 | `SCANNER_STORE_REDIS_NAMESPACE`         | `harbor.scanner.trivy:store`                                   | The namespace for keys in the Redis store                                                                                                                                                                                                                                          |
 | `SCANNER_STORE_REDIS_SCAN_JOB_TTL`      | `1h`                                                           | The time to live for persisting scan jobs and associated scan reports                                                                                                                                                                                                              |
 | `SCANNER_JOB_QUEUE_REDIS_NAMESPACE`     | `harbor.scanner.trivy:job-queue`                               | The namespace for keys in the scan jobs queue backed by Redis                                                                                                                                                                                                                      |

diff --git a/helm/harbor-scanner-trivy/templates/statefulset.yaml b/helm/harbor-scanner-trivy/templates/statefulset.yaml
@@ -121,6 +121,10 @@ spec:
               value: "/certs/tls.crt"
             - name: "SCANNER_API_SERVER_TLS_KEY"
               value: "/certs/tls.key"
+            - name: "SCANNER_TRIVY_VEX_SOURCE"
+              value: {{ .Values.scanner.trivy.VEXSource | default "" | quote }}
+            - name: "SCANNER_TRIVY_SKIP_VEX_REPO_UPDATE"
+              value: {{ .Values.scanner.trivy.skipVEXRepoUpdate | default false | quote }}
             {{- end }}
           ports:
             - name: api-server

diff --git a/helm/harbor-scanner-trivy/values.yaml b/helm/harbor-scanner-trivy/values.yaml
@@ -150,6 +150,10 @@ scanner:
     #    # https://cwe.mitre.org/data/definitions/352.html
     #    input.CweIDs[_] == "CWE-352"
     #  }
+    ## VEXSource the VEX source for vulnerability filtering. Possible values are `oci` and `repo`.
+    VEXSource: ""
+    ## skipVEXRepoUpdate the flag to skip updating the VEX repository
+    skipVEXRepoUpdate: false
   store:
     ## redisNamespace the namespace for keys in the Redis store
     redisNamespace: "harbor.scanner.trivy:store"

diff --git a/pkg/etc/config.go b/pkg/etc/config.go
@@ -38,8 +38,10 @@ type Trivy struct {
 	JavaDBRepository string        `env:"SCANNER_TRIVY_JAVA_DB_REPOSITORY"`
 	OfflineScan      bool          `env:"SCANNER_TRIVY_OFFLINE_SCAN" envDefault:"false"`
 	GitHubToken      string        `env:"SCANNER_TRIVY_GITHUB_TOKEN"`
-	Insecure         bool          `env:"SCANNER_TRIVY_INSECURE" envDefault:"false"`
-	Timeout          time.Duration `env:"SCANNER_TRIVY_TIMEOUT" envDefault:"5m0s"`
+	Insecure            bool          `env:"SCANNER_TRIVY_INSECURE" envDefault:"false"`
+	VEXSource           string        `env:"SCANNER_TRIVY_VEX_SOURCE"`
+	SkipVEXRepoUpdate   bool          `env:"SCANNER_TRIVY_SKIP_VEX_REPO_UPDATE" envDefault:"false"`
+	Timeout             time.Duration `env:"SCANNER_TRIVY_TIMEOUT" envDefault:"5m0s"`
 }
 
 type API struct {

diff --git a/pkg/etc/config_test.go b/pkg/etc/config_test.go
@@ -159,7 +159,9 @@ func TestGetConfig(t *testing.T) {
 				"SCANNER_TRIVY_SKIP_UPDATE":     "true",
 				"SCANNER_TRIVY_OFFLINE_SCAN":    "true",
 				"SCANNER_TRIVY_GITHUB_TOKEN":    "<GITHUB_TOKEN>",
-				"SCANNER_TRIVY_TIMEOUT":         "15m30s",
+				"SCANNER_TRIVY_TIMEOUT":              "15m30s",
+				"SCANNER_TRIVY_VEX_SOURCE":           "oci",
+				"SCANNER_TRIVY_SKIP_VEX_REPO_UPDATE": "true",
 
 				"SCANNER_STORE_REDIS_NAMESPACE":    "store.ns",
 				"SCANNER_STORE_REDIS_SCAN_JOB_TTL": "2h45m15s",
@@ -199,8 +201,10 @@ func TestGetConfig(t *testing.T) {
 					SkipJavaDBUpdate: false,
 					OfflineScan:      true,
 					Insecure:         true,
-					GitHubToken:      "<GITHUB_TOKEN>",
-					Timeout:          parseDuration(t, "15m30s"),
+					GitHubToken:       "<GITHUB_TOKEN>",
+					Timeout:           parseDuration(t, "15m30s"),
+					VEXSource:         "oci",
+					SkipVEXRepoUpdate: true,
 				},
 				RedisPool: RedisPool{
 					URL:               "redis://harbor-harbor-redis:6379",

diff --git a/pkg/http/api/v1/handler.go b/pkg/http/api/v1/handler.go
@@ -315,7 +315,9 @@ func (h *requestHandler) GetMetadata(res http.ResponseWriter, _ *http.Request) {
 		"env.SCANNER_TRIVY_VULN_TYPE":           h.config.Trivy.VulnType,
 		"env.SCANNER_TRIVY_SECURITY_CHECKS":     h.config.Trivy.Scanners,
 		"env.SCANNER_TRIVY_SEVERITY":            h.config.Trivy.Severity,
-		"env.SCANNER_TRIVY_TIMEOUT":             h.config.Trivy.Timeout.String(),
+		"env.SCANNER_TRIVY_TIMEOUT":              h.config.Trivy.Timeout.String(),
+		"env.SCANNER_TRIVY_VEX_SOURCE":           h.config.Trivy.VEXSource,
+		"env.SCANNER_TRIVY_SKIP_VEX_REPO_UPDATE": strconv.FormatBool(h.config.Trivy.SkipVEXRepoUpdate),
 	}
 
 	vi, err := h.wrapper.GetVersion()

diff --git a/pkg/http/api/v1/handler_test.go b/pkg/http/api/v1/handler_test.go
@@ -710,15 +710,17 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
 			},
 			config: etc.Config{
 				Trivy: etc.Trivy{
-					SkipDBUpdate:     false,
-					SkipJavaDBUpdate: false,
-					IgnoreUnfixed:    true,
-					DebugMode:        true,
-					Insecure:         true,
-					VulnType:         "os,library",
-					Scanners:         "vuln",
-					Severity:         "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
-					Timeout:          5 * time.Minute,
+					SkipDBUpdate:      false,
+					SkipJavaDBUpdate:  false,
+					IgnoreUnfixed:     true,
+					DebugMode:         true,
+					Insecure:          true,
+					VulnType:          "os,library",
+					Scanners:          "vuln",
+					Severity:          "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
+					Timeout:           5 * time.Minute,
+					VEXSource:         "oci",
+					SkipVEXRepoUpdate: true,
 				},
 			},
 			expectedHTTPCode: http.StatusOK,
@@ -773,7 +775,9 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
 	"env.SCANNER_TRIVY_VULN_TYPE": "os,library",
 	"env.SCANNER_TRIVY_SECURITY_CHECKS": "vuln",
 	"env.SCANNER_TRIVY_SEVERITY": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
-	"env.SCANNER_TRIVY_TIMEOUT": "5m0s"
+	"env.SCANNER_TRIVY_TIMEOUT": "5m0s",
+	"env.SCANNER_TRIVY_VEX_SOURCE": "oci",
+	"env.SCANNER_TRIVY_SKIP_VEX_REPO_UPDATE": "true"
 }
 }`,
 		},
@@ -798,6 +802,7 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
 					Scanners:         "vuln",
 					Severity:         "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
 					Timeout:          5 * time.Minute,
+					VEXSource:        "repo",
 				},
 			},
 			expectedHTTPCode: http.StatusOK,
@@ -850,7 +855,9 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
 	"env.SCANNER_TRIVY_VULN_TYPE": "os,library",
 	"env.SCANNER_TRIVY_SECURITY_CHECKS": "vuln",
 	"env.SCANNER_TRIVY_SEVERITY": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
-	"env.SCANNER_TRIVY_TIMEOUT": "5m0s"
+	"env.SCANNER_TRIVY_TIMEOUT": "5m0s",
+	"env.SCANNER_TRIVY_VEX_SOURCE": "repo",
+	"env.SCANNER_TRIVY_SKIP_VEX_REPO_UPDATE": "false"
 }
 }`,
 		},
@@ -921,7 +928,9 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
 	"env.SCANNER_TRIVY_VULN_TYPE": "os,library",
 	"env.SCANNER_TRIVY_SECURITY_CHECKS": "vuln",
 	"env.SCANNER_TRIVY_SEVERITY": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
-	"env.SCANNER_TRIVY_TIMEOUT": "5m0s"
+	"env.SCANNER_TRIVY_TIMEOUT": "5m0s",
+	"env.SCANNER_TRIVY_VEX_SOURCE": "",
+	"env.SCANNER_TRIVY_SKIP_VEX_REPO_UPDATE": "false"
 }
 }`,
 		},

diff --git a/pkg/trivy/wrapper.go b/pkg/trivy/wrapper.go
@@ -219,6 +219,14 @@ func (w *wrapper) prepareScanCmd(target ScanTarget, outputFile string, opt ScanO
 		args = append(args, "--insecure")
 	}
 
+	if w.config.VEXSource != "" {
+		args = append(args, "--vex", w.config.VEXSource)
+	}
+
+	if w.config.SkipVEXRepoUpdate {
+		args = append(args, "--skip-vex-repo-update")
+	}
+
 	targetName, err := target.Name()
 	if err != nil {
 		return nil, xerrors.Errorf("get target name: %w", err)

diff --git a/test/integration/api/rest_api_test.go b/test/integration/api/rest_api_test.go
@@ -417,7 +417,9 @@ func TestRestAPI(t *testing.T) {
 	"env.SCANNER_TRIVY_VULN_TYPE": "os",
 	"env.SCANNER_TRIVY_SEVERITY": "LOW,MEDIUM,HIGH,CRITICAL",
 	"env.SCANNER_TRIVY_SECURITY_CHECKS": "vuln",
-	"env.SCANNER_TRIVY_TIMEOUT": "5m0s"
+	"env.SCANNER_TRIVY_TIMEOUT": "5m0s",
+	"env.SCANNER_TRIVY_VEX_SOURCE": "",
+	"env.SCANNER_TRIVY_SKIP_VEX_REPO_UPDATE": "false"
 	}
 }`,
 			now.UTC().Format(time.RFC3339)),