dhi: add get trivy vex repo (#23854)

craig-osterhout · web-flow · commit 11171a33649b · 2025-12-18T10:15:45.000Z
## Description When using vexhub with Trivy, it needs to be setup before it works. https://deploy-preview-23854--docsdocker.netlify.app/dhi/how-to/scan/#trivy ## Related issues or tickets https://docker.slack.com/archives/C0A3X908ASG/p1765983906348749 ## Reviews   - [ ] Technical review - [ ] Editorial review - [ ] Product review --------- Signed-off-by: Craig Osterhout <craig.osterhout@docker.com>
diff --git a/content/manuals/dhi/how-to/scan.md b/content/manuals/dhi/how-to/scan.md
@@ -187,27 +187,89 @@ packages and application dependencies.
 After installing Trivy, you can scan a Docker Hardened Image by pulling
 the image and running the scan command:
 
+```console
+$ docker pull dhi.io/<image>:<tag>
+$ trivy image --scanners vuln dhi.io/<image>:<tag>
+```
+
+To filter vulnerabilities using VEX statements, Trivy supports multiple
+approaches. Docker recommends using VEX Hub, which provides a seamless workflow
+for automatically downloading and applying VEX statements from configured
+repositories.
+
+#### Using VEX Hub (recommended)
+
+Configure Trivy to download the Docker Hardened Images advisories repository
+from VEX Hub. Run the following commands to set up the VEX repository:
+
+```console
+$ trivy vex repo init
+$ cat << REPO > ~/.trivy/vex/repository.yaml
+repositories:
+  - name: default
+    url: https://github.com/aquasecurity/vexhub
+    enabled: true
+    username: ""
+    password: ""
+    token: ""
+  - name: dhi-vex
+    url: https://github.com/docker-hardened-images/advisories
+    enabled: true
+REPO
+$ trivy vex repo list
+$ trivy vex repo download
+```
+
+After setting up VEX Hub, you can scan a Docker Hardened Image with VEX filtering:
+
 ```console
 $ docker pull dhi.io/<image>:<tag>
 $ trivy image --scanners vuln --vex repo dhi.io/<image>:<tag>
 ```
 
+For example, scanning the `dhi.io/python:3.13` image:
+
+```console
+$ trivy image --scanners vuln --vex repo dhi.io/python:3.13
+```
+
 Example output:
 
 ```plaintext
 Report Summary
 
-┌──────────────────────────────────────────────────────────────────────────────┬────────────┬─────────────────┬─────────┐
-│                                    Target                                    │    Type    │ Vulnerabilities │ Secrets │
-├──────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
-│ dhi.io/<image>:<tag> (debian 12.11)                                          │   debian   │       66        │    -    │
-├──────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
-│ opt/python-3.13.4/lib/python3.13/site-packages/pip-25.1.1.dist-info/METADATA │ python-pkg │        0        │    -    │
-└──────────────────────────────────────────────────────────────────────────────┴────────────┴─────────────────┴─────────┘
+┌─────────────────────────────────────────────────────────────────────────────┬────────────┬─────────────────┐
+│                                   Target                                    │    Type    │ Vulnerabilities │
+├─────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┤
+│ dhi.io/python:3.13 (debian 13.2)                                            │   debian   │        0        │
+├─────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┤
+│ opt/python-3.13.11/lib/python3.13/site-packages/pip-25.3.dist-info/METADATA │ python-pkg │        0        │
+└─────────────────────────────────────────────────────────────────────────────┴────────────┴─────────────────┘
+Legend:
+- '-': Not scanned
+- '0': Clean (no security findings detected)
 ```
 
-You should include the `--vex` flag to apply VEX statements during the scan,
-which filter out known non-exploitable CVEs.
+The `--vex repo` flag applies VEX statements from the configured repository during the scan,
+which filters out known non-exploitable CVEs.
+
+#### Using local VEX files
+
+In addition to VEX Hub, Trivy also supports the use of local VEX files for
+vulnerability filtering. You can download the VEX attestation that Docker
+Hardened Images provide and use it directly with Trivy.
+
+First, download the VEX attestation for your image:
+
+```console
+$ docker scout vex get dhi.io/<image>:<tag> --output vex.json
+```
+
+Then scan the image with the local VEX file:
+
+```console
+$ trivy image --scanners vuln --vex vex.json dhi.io/<image>:<tag>
+```
 
 ## Use VEX to filter known non-exploitable CVEs
 
