Reduce CVE noise with OpenVEX assessments in Datadog
Datadog describes how it publishes OpenVEX documents for its own agents, container images, and packages so downstream users can suppress SCA findings that are present in dependency metadata but not actually exploitable in the shipped artifact. The post explains the OpenVEX fields it emits per CVE: status (not_affected, affected, fixed, under_investigation), justification, impact statement, and action statement. It also shows how scanners such as Trivy and Grype can ingest those JSON files via --vex to filter results. Datadog says its pipeline combines internal vulnerability scanning with human review from security engineers and service owners to determine reachability of vulnerable code paths and the presence of mitigations before publishing weekly assessments. This is mainly useful as defensive supply-chain workflow guidance for teams scanning Datadog artifacts, rather than new vulnerability research, but it is technically relevant for reducing false positives in CI/CD and image-scanning pipelines.
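The following is an added example, not code from Datadog or from the Trivy or Grype projects, showing what consuming such a document looks like: it embeds a constructed OpenVEX file with the fields named above (status, justification, impact_statement, action_statement), checks the per-status requirements the OpenVEX specification imposes, and applies the statements to a constructed list of scanner findings so that only not_affected/fixed findings for the matching product are suppressed. The CVE identifiers, package URLs, author and document id are placeholders, and product matching is simplified to an exact purl comparison rather than the subcomponent-aware matching real scanners perform.

```python
"""Validate an OpenVEX document and use it to filter SCA findings (added example)."""
import json

# Status values defined by the OpenVEX specification.
VALID_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
# Justification values OpenVEX allows on not_affected statements.
VALID_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Constructed sample document: CVE ids, purls, author and @id are placeholders.
SAMPLE_VEX = json.loads(r'''
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/placeholder-0001",
  "author": "Example Security Team (constructed)",
  "timestamp": "2024-01-01T00:00:00Z",
  "version": 1,
  "statements": [
    {
      "vulnerability": {"name": "CVE-0000-00001"},
      "products": [{"@id": "pkg:oci/example-agent@sha256%3Aplaceholder"}],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path",
      "impact_statement": "The vulnerable function is never invoked by the shipped binary."
    },
    {
      "vulnerability": {"name": "CVE-0000-00002"},
      "products": [{"@id": "pkg:oci/example-agent@sha256%3Aplaceholder"}],
      "status": "affected",
      "action_statement": "Upgrade to the next release; no workaround is available."
    },
    {
      "vulnerability": {"name": "CVE-0000-00003"},
      "products": [{"@id": "pkg:oci/other-image@sha256%3Aplaceholder"}],
      "status": "not_affected",
      "justification": "component_not_present"
    }
  ]
}
''')

# Constructed scanner output: one finding per (CVE, product) pair.
SAMPLE_FINDINGS = [
    {"cve": "CVE-0000-00001", "product": "pkg:oci/example-agent@sha256%3Aplaceholder"},
    {"cve": "CVE-0000-00002", "product": "pkg:oci/example-agent@sha256%3Aplaceholder"},
    # The VEX statement for this CVE names a different product, so it must not suppress this.
    {"cve": "CVE-0000-00003", "product": "pkg:oci/example-agent@sha256%3Aplaceholder"},
    # No VEX statement at all for this CVE.
    {"cve": "CVE-0000-00004", "product": "pkg:oci/example-agent@sha256%3Aplaceholder"},
]


def validate_vex(doc):
    """Return a list of problems; an empty list means the document passes these checks."""
    problems = []
    if doc.get("@context") != "https://openvex.dev/ns/v0.2.0":
        problems.append("unexpected @context")
    for i, st in enumerate(doc.get("statements", [])):
        status = st.get("status")
        if status not in VALID_STATUSES:
            problems.append(f"statement {i}: invalid status {status!r}")
            continue
        if status == "not_affected":
            # OpenVEX requires a justification or an impact statement on not_affected.
            if "justification" not in st and "impact_statement" not in st:
                problems.append(f"statement {i}: not_affected needs justification or impact_statement")
            elif "justification" in st and st["justification"] not in VALID_JUSTIFICATIONS:
                problems.append(f"statement {i}: unknown justification {st['justification']!r}")
        if status == "affected" and "action_statement" not in st:
            # OpenVEX requires an action statement on affected.
            problems.append(f"statement {i}: affected needs action_statement")
    return problems


def apply_vex(findings, doc):
    """Split findings into (kept, suppressed) using not_affected/fixed statements.

    Suppressed entries carry the justification so the decision stays auditable.
    Matching is an exact (CVE, product purl) comparison, a simplification of what
    scanners do.
    """
    suppress = {}
    for st in doc["statements"]:
        if st["status"] not in ("not_affected", "fixed"):
            continue
        cve = st["vulnerability"]["name"]
        for product in st["products"]:
            suppress[(cve, product["@id"])] = st.get("justification", st["status"])
    kept, suppressed = [], []
    for finding in findings:
        key = (finding["cve"], finding["product"])
        if key in suppress:
            suppressed.append({**finding, "reason": suppress[key]})
        else:
            kept.append(finding)
    return kept, suppressed


if __name__ == "__main__":
    print("validation problems:", validate_vex(SAMPLE_VEX))
    kept, suppressed = apply_vex(SAMPLE_FINDINGS, SAMPLE_VEX)
    print("kept:", [f["cve"] for f in kept])
    print("suppressed:", [(f["cve"], f["reason"]) for f in suppressed])
```

The validation step is worth keeping in a CI pipeline even when the scanner does the filtering: a not_affected statement with no justification, or an affected statement with no action statement, is exactly the kind of document a scanner may silently reject or misapply, and checking it before the scan run gives a clear error rather than unexplained noise.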