Stop treating all vulnerabilities equally. Vens transforms generic CVSS scores into contextual OWASP risk scores tailored to YOUR system using LLM intelligence, and outputs standards-compliant CycloneDX VEX.
Traditional scanners treat all vulnerabilities the same. Vens analyzes each CVE in your specific context to calculate real risk:
Risk = Likelihood × Impact (0-81 scale)
Real example:
| CVE | CVSS (Generic) | OWASP (Contextual) | Why? |
|---|---|---|---|
| CVE-2019-1010023 | 8.8 HIGH | 10.0 LOW ⬇️ | Not exploitable in your runtime |
| CVE-2026-0915 | 5.3 MEDIUM | 52.0 HIGH ⬆️ | PII leak + GDPR impact |
Result: Fix what actually matters in YOUR system.
Standalone:

```bash
go install github.com/venslabs/vens/cmd/vens@latest
```

Trivy plugin:

```bash
trivy plugin install github.com/venslabs/vens
```

```bash
# 1. Set up LLM
export OPENAI_API_KEY="sk-..."
export OPENAI_MODEL="gpt-4o"

# 2. Scan with Trivy
trivy image python:3.11-slim --format json --output report.json

# 3. Generate contextual risk scores
vens generate --config-file config.yaml report.json output.vex.json
```

Output of CycloneDX VEX with OWASP scores:
```json
{
  "vulnerabilities": [{
    "id": "CVE-2026-0915",
    "ratings": [{
      "method": "OWASP",
      "score": 52.0,
      "severity": "high",
      "vector": "SL:7/M:7/O:7/S:7/ED:6/EE:6/A:6/ID:3/LC:7/LI:7/LAV:7/LAC:7/FD:7/RD:7/NC:7/PV:7"
    }],
    "analysis": {
      "detail": "High risk: Exposes PII in GDPR-regulated environment"
    }
  }]
}
```

Create config.yaml:
```yaml
project:
  name: "my-api"
  description: "Customer-facing REST API"
context:
  exposure: "internet"           # internal | private | internet
  data_sensitivity: "high"       # low | medium | high | critical
  business_criticality: "high"   # low | medium | high | critical
  compliance_requirements: ["GDPR", "SOC2"]
controls:
  waf: true
```

LLM Providers:
| Provider | Environment Variable |
|---|---|
| OpenAI (recommended) | OPENAI_API_KEY |
| Anthropic | ANTHROPIC_API_KEY |
| Ollama (local) | OLLAMA_MODEL |
| Google AI | GOOGLE_API_KEY |
Generate VEX with contextual OWASP scores:

```bash
vens generate --config-file config.yaml INPUT OUTPUT
```

Key flags:

- `--config-file` (required) - Path to config.yaml
- `--llm` - LLM provider: `openai` | `anthropic` | `ollama` | `googleai` (default: `auto`)
- `--llm-batch-size` - CVEs per request (default: `10`)
- `--debug-dir` - Save prompts/responses for debugging
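A CI gate over the VEX that `vens generate` writes, as an added example that is not part of vens or this README: it keeps only `OWASP`-method ratings at or above a threshold and parses each vector into its factors, failing closed on a malformed vector. The `vexDoc` type and the `Gate`/`ParseVector` names are this example's own; the JSON shape is taken from the sample output above.

```go
package main
import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)
// vexDoc covers only the CycloneDX VEX fields vens emits (shape assumed from the sample above).
type vexDoc struct {
	Vulnerabilities []struct {
		ID      string `json:"id"`
		Ratings []struct {
			Method string  `json:"method"`
			Score  float64 `json:"score"`
			Vector string  `json:"vector"`
		} `json:"ratings"`
	} `json:"vulnerabilities"`
}
// ParseVector splits "SL:7/M:7/.../PV:7" into a factor map; each value must be 0..9.
func ParseVector(v string) (map[string]int, error) {
	out := map[string]int{}
	for _, part := range strings.Split(v, "/") {
		kv := strings.SplitN(part, ":", 2)
		n, err := strconv.Atoi(kv[len(kv)-1])
		if len(kv) != 2 || err != nil || n < 0 || n > 9 {
			return nil, fmt.Errorf("bad OWASP factor %q", part)
		}
		out[kv[0]] = n
	}
	return out, nil
}
// Gate maps CVE id -> parsed factors for every OWASP rating scoring >= minScore.
// Ratings by other methods (e.g. CVSS) are ignored; a malformed vector fails closed.
func Gate(vexJSON []byte, minScore float64) (map[string]map[string]int, error) {
	var doc vexDoc
	if err := json.Unmarshal(vexJSON, &doc); err != nil {
		return nil, err
	}
	hits := map[string]map[string]int{}
	for _, v := range doc.Vulnerabilities {
		for _, r := range v.Ratings {
			if r.Method == "OWASP" && r.Score >= minScore {
				f, err := ParseVector(r.Vector)
				if err != nil {
					return nil, fmt.Errorf("%s: %w", v.ID, err)
				}
				hits[v.ID] = f
			}
		}
	}
	return hits, nil
}
```

A non-empty result or a parse error from `Gate` is what a pipeline step should fail on; the factor map lets the job print why (for instance `ID:3`, low intrusion-detection coverage) next to the CVE id.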
Enrich Trivy report with OWASP scores:

```bash
vens enrich --vex output.vex.json report.json
```

- Complete Example - 107 real CVEs comparison
- Trivy Plugin Guide - Plugin usage
Contributions welcome! Open an issue or submit a PR.
Apache License 2.0 - See LICENSE
Focus on what matters. Patch smarter, not harder.