goharbor · reasonerjt · Dec 22, 2025 · Aug 28, 2025 · Dec 19, 2025 · reasonerjt
diff --git a/README.md b/README.md
@@ -102,6 +102,7 @@ Configuration of the adapter is done via environment variables at startup.
 | `SCANNER_TRIVY_GITHUB_TOKEN`            | N/A                                                            | The GitHub access token to download [Trivy DB] (see [GitHub rate limiting][gh-rate-limit])                                                                                                                                                                                         |
 | `SCANNER_TRIVY_INSECURE`                | `false`                                                        | The flag to skip verifying registry certificate                                                                                                                                                                                                                                    |
 | `SCANNER_TRIVY_TIMEOUT`                 | `5m0s`                                                         | The duration to wait for scan completion                                                                                                                                                                                                                                           |
+| `SCANNER_TRIVY_VEX_SOURCE`              | N/A                                                            | Enable VEX, possible values are `oci` and `repo` [EXPERIMENTAL]
 | `SCANNER_STORE_REDIS_NAMESPACE`         | `harbor.scanner.trivy:store`                                   | The namespace for keys in the Redis store                                                                                                                                                                                                                                          |
 | `SCANNER_STORE_REDIS_SCAN_JOB_TTL`      | `1h`                                                           | The time to live for persisting scan jobs and associated scan reports                                                                                                                                                                                                              |
 | `SCANNER_JOB_QUEUE_REDIS_NAMESPACE`     | `harbor.scanner.trivy:job-queue`                               | The namespace for keys in the scan jobs queue backed by Redis                                                                                                                                                                                                                      |

diff --git a/helm/harbor-scanner-trivy/templates/statefulset.yaml b/helm/harbor-scanner-trivy/templates/statefulset.yaml
@@ -121,6 +121,8 @@ spec:
               value: "/certs/tls.crt"
             - name: "SCANNER_API_SERVER_TLS_KEY"
               value: "/certs/tls.key"
+            - name: "SCANNER_TRIVY_VEX_SOURCE"
+              value: {{ .Values.scanner.trivy.VEXSource | default "" | quote }}
             {{- end }}
           ports:
             - name: api-server

diff --git a/pkg/etc/config.go b/pkg/etc/config.go
@@ -39,6 +39,7 @@ type Trivy struct {
 	OfflineScan      bool          `env:"SCANNER_TRIVY_OFFLINE_SCAN" envDefault:"false"`
 	GitHubToken      string        `env:"SCANNER_TRIVY_GITHUB_TOKEN"`
 	Insecure         bool          `env:"SCANNER_TRIVY_INSECURE" envDefault:"false"`
+	VEXSource        string        `env:"SCANNER_TRIVY_VEX_SOURCE"`
 	Timeout          time.Duration `env:"SCANNER_TRIVY_TIMEOUT" envDefault:"5m0s"`
 }
 

diff --git a/pkg/etc/config_test.go b/pkg/etc/config_test.go
@@ -160,6 +160,7 @@ func TestGetConfig(t *testing.T) {
 				"SCANNER_TRIVY_OFFLINE_SCAN":    "true",
 				"SCANNER_TRIVY_GITHUB_TOKEN":    "<GITHUB_TOKEN>",
 				"SCANNER_TRIVY_TIMEOUT":         "15m30s",
+				"SCANNER_TRIVY_VEX_SOURCE":      "oci",
 
 				"SCANNER_STORE_REDIS_NAMESPACE":    "store.ns",
 				"SCANNER_STORE_REDIS_SCAN_JOB_TTL": "2h45m15s",
@@ -201,6 +202,7 @@ func TestGetConfig(t *testing.T) {
 					Insecure:         true,
 					GitHubToken:      "<GITHUB_TOKEN>",
 					Timeout:          parseDuration(t, "15m30s"),
+					VEXSource:        "oci",
 				},
 				RedisPool: RedisPool{
 					URL:               "redis://harbor-harbor-redis:6379",

diff --git a/pkg/http/api/v1/handler.go b/pkg/http/api/v1/handler.go
@@ -316,6 +316,7 @@ func (h *requestHandler) GetMetadata(res http.ResponseWriter, _ *http.Request) {
 		"env.SCANNER_TRIVY_SECURITY_CHECKS":     h.config.Trivy.Scanners,
 		"env.SCANNER_TRIVY_SEVERITY":            h.config.Trivy.Severity,
 		"env.SCANNER_TRIVY_TIMEOUT":             h.config.Trivy.Timeout.String(),
+		"env.SCANNER_TRIVY_VEX_SOURCE":          h.config.Trivy.VEXSource,
 	}
 
 	vi, err := h.wrapper.GetVersion()

diff --git a/pkg/http/api/v1/handler_test.go b/pkg/http/api/v1/handler_test.go
@@ -719,6 +719,7 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
 					Scanners:         "vuln",
 					Severity:         "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
 					Timeout:          5 * time.Minute,
+					VEXSource:	  "oci",
 				},
 			},
 			expectedHTTPCode: http.StatusOK,
@@ -773,7 +774,8 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
 	"env.SCANNER_TRIVY_VULN_TYPE": "os,library",
 	"env.SCANNER_TRIVY_SECURITY_CHECKS": "vuln",
 	"env.SCANNER_TRIVY_SEVERITY": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
-	"env.SCANNER_TRIVY_TIMEOUT": "5m0s"
+	"env.SCANNER_TRIVY_TIMEOUT": "5m0s",
+	"env.SCANNER_TRIVY_VEX_SOURCE": "oci"
 }
 }`,
 		},
@@ -798,6 +800,7 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
 					Scanners:         "vuln",
 					Severity:         "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
 					Timeout:          5 * time.Minute,
+					VEXSource:        "repo",
 				},
 			},
 			expectedHTTPCode: http.StatusOK,
@@ -850,7 +853,8 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
 	"env.SCANNER_TRIVY_VULN_TYPE": "os,library",
 	"env.SCANNER_TRIVY_SECURITY_CHECKS": "vuln",
 	"env.SCANNER_TRIVY_SEVERITY": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
-	"env.SCANNER_TRIVY_TIMEOUT": "5m0s"
+	"env.SCANNER_TRIVY_TIMEOUT": "5m0s",
+	"env.SCANNER_TRIVY_VEX_SOURCE": "repo"
 }
 }`,
 		},
@@ -921,7 +925,8 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
 	"env.SCANNER_TRIVY_VULN_TYPE": "os,library",
 	"env.SCANNER_TRIVY_SECURITY_CHECKS": "vuln",
 	"env.SCANNER_TRIVY_SEVERITY": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
-	"env.SCANNER_TRIVY_TIMEOUT": "5m0s"
+	"env.SCANNER_TRIVY_TIMEOUT": "5m0s",
+	"env.SCANNER_TRIVY_VEX_SOURCE": ""
 }
 }`,
 		},

diff --git a/pkg/trivy/wrapper.go b/pkg/trivy/wrapper.go
@@ -219,6 +219,11 @@ func (w *wrapper) prepareScanCmd(target ScanTarget, outputFile string, opt ScanO
 		args = append(args, "--insecure")
 	}
 
+	if w.config.VEXSource != "" {
+		args = append(args, "--vex", w.config.VEXSource)
+	}
+
+
 	targetName, err := target.Name()
 	if err != nil {
 		return nil, xerrors.Errorf("get target name: %w", err)