Scanner Workflows
Step-by-step Trivy and Grype examples using HeroDevs OpenVEX and sample Maven SBOMs.
This page is a hands-on tutorial for integrating the HeroDevs VEX feed into your scanner workflow. It walks through a complete example using sample Maven SBOMs and shows how a known vulnerability is filtered out when the VEX document is applied.
Need raw endpoint details?
See the VEX Statements API page for request/response schemas and error codes. This page focuses on scanner workflows.
Prerequisites
You will need one of the following scanners installed:
trivy --version
grype --version
These examples were validated with Trivy v0.68.2 and Grype v0.109.1 on March 18, 2026.
Step 1: Download the Inputs
Download the HeroDevs VEX document and the sample Maven SBOMs provided by HeroDevs.
# HeroDevs OpenVEX document
curl -sSL https://apps.herodevs.com/api/ontology/vex/statements -o herodevs.openvex.json
# Sample SBOMs (Spring PetClinic, CycloneDX format)
curl -sSLO https://raw.githubusercontent.com/nes-examples/demo-scanners/main/oss-petclinic.sbom.cdx.json
curl -sSLO https://raw.githubusercontent.com/nes-examples/demo-scanners/main/nes-petclinic.sbom.cdx.json
Step 2: Run a Scan
Trivy
Scan the OSS SBOM to see the full vulnerability surface, then scan the NES SBOM with VEX applied and show suppressed findings to verify which results the HeroDevs VEX document filtered out.
# Scan the OSS SBOM (full vulnerability surface)
trivy sbom oss-petclinic.sbom.cdx.json
# Scan the NES SBOM with VEX applied and show suppressed findings
trivy sbom nes-petclinic.sbom.cdx.json --vex herodevs.openvex.json --show-suppressed
Omit --show-suppressed if you want suppressed findings to disappear from the default output. You can also rerun the NES SBOM without --vex to see the unsuppressed baseline.
Pin your Trivy version in CI
Trivy's VEX support has changed across releases and may be marked experimental in some versions. Pin a known version for consistent pipeline behavior.
Grype
Scan the OSS SBOM to see the full vulnerability surface, then scan the NES SBOM with VEX applied and show suppressed findings to verify which results the HeroDevs VEX document filtered out.
# Scan the OSS SBOM (full vulnerability surface)
grype sbom:oss-petclinic.sbom.cdx.json
# Scan the NES SBOM with VEX applied and show suppressed findings
grype sbom:nes-petclinic.sbom.cdx.json --vex herodevs.openvex.json --show-suppressed
Omit --show-suppressed if you want suppressed findings to disappear from the default output. You can also rerun the NES SBOM without --vex to see the unsuppressed baseline.
What to Expect
When you run the sample scans above with --show-suppressed, you will see specific CVEs marked as suppressed after applying the HeroDevs VEX document.
In the sample NES SBOM, VEX suppresses findings across spring-boot, spring-core, spring-context, spring-web, and spring-webmvc — including HIGH and CRITICAL severity. The CVEs are still on record; VEX simply tells the scanner that they no longer apply to this build because HeroDevs has already patched them. If you rerun the same command without --show-suppressed, those suppressed findings disappear from the default output.
The remaining findings after VEX is applied are for non-NES packages (e.g., logback, tomcat, jackson) that are outside the scope of NES patching.
Key Takeaways
- VEX removes resolved findings, not all findings. VEX filters only the vulnerabilities that HeroDevs has confirmed are patched or non-applicable in NES packages. Unrelated findings are unaffected.
- NES itself reduces your exposure. Switching from end-of-life OSS dependencies to NES-patched versions already eliminates many vulnerabilities before VEX is even applied.
- Trivy and Grype are the validated examples today. Other scanners that consume standard OpenVEX should also work, but broader integrations are still being validated.