Weaving a VEX Feed Through the Kubernetes Project - Adolfo García Veytia, Stacklok
KubeCon + CloudNativeCon Europe 2025 · Session
In this KubeCon EU talk, Adolfo García Veytia, a key figure in both Kubernetes Release Engineering and the Open Source Security Foundation (OpenSSF) OpenVEX project, delves into the complex and critical endeavor of creating a comprehensive **Vulnerability Exploitability eXchange (VEX)** feed for the Kubernetes project. The talk addresses a fundamental challenge in modern software supply chain security: vulnerability scanners generate large numbers of false positives. These false positives arise because scanners identify vulnerabilities in dependencies without knowing whether each vulnerability is actually exploitable in the specific context of the software product that consumes them; a VEX feed lets the project publish that exploitability assessment so scanners can suppress findings that do not apply.
AI review
This talk presents a crucial and deeply technical approach to solving one of the most pervasive problems in software supply chain security: alert fatigue from false positive vulnerability scans. Adolfo García Veytia, a key figure in both Kubernetes and OpenVEX, lays out a comprehensive, multi-layered plan to integrate VEX into the Kubernetes project. The introduction of Vexflow, a novel chat-ops tool for VEX lifecycle management, alongside the strategic integration of GoVULN, Sigstore, and OSV, demonstrates a forward-thinking, actionable blueprint for any large-scale software project. This…