## GitHub CI Policy Shift: Auto-Registering 'Won't Fix' CVEs via OpenVEX to Bypass Manual Workflow Edits
A proposed change to a GitHub CI/CD policy workflow seeks to automate the management of permanently unfixable, high-severity vulnerabilities, eliminating the need for manual script edits with each new scan. The current process lacks a formal Vulnerability Exploitability eXchange (VEX) register, forcing developers to manually update an inline workflow script every time a scan identifies an OS-level CVE that cannot be patched.

The solution centers on introducing an OpenVEX document (`.vex/permanent.openvex.json`) directly into the repository. This version-controlled file would be consumed natively by the Grype and Trivy scanners before the policy script runs. Crucially, a new post-scan CI step would automatically update this VEX file whenever a scan returns a finding with a CVSS score of 7.0 or higher and a status of `wont-fix` or `will_not_fix`. This automation would initially open a pull request for a single human review; once merged, the system would self-maintain, suppressing the same CVE in all future scans while preserving a full audit trail.

This shift represents a move from reactive, manual vulnerability management to a declarative, automated policy. It directly addresses operational friction and potential human error in maintaining security compliance for known, accepted risks. The implementation formalizes the acceptance of specific vulnerabilities within the software supply chain, creating a clear, auditable record of decisions that could streamline security reviews and compliance reporting for the project.
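The post-scan step described above, as an added example that is not the project's own code: it filters a Grype-shaped scan result for findings at CVSS 7.0 or higher in the `wont-fix`/`will_not_fix` state and appends `not_affected` statements (the status both scanners treat as a suppression) to an OpenVEX v0.2.0 document, skipping CVEs already registered so reruns are idempotent and only a changed document gets a new version. The scanner JSON shape, the `pkg:` purls, the document `@id`, the author and the `not_affected` justification are assumptions, and the sample scan is constructed.

```python
from datetime import datetime, timezone
WONT_FIX = {"wont-fix", "will_not_fix"}  # Grype and Trivy spellings, as on the page

# Constructed sample scan in Grype-shaped JSON (assumed schema, not real scanner output).
def _match(cve, state, score, purl):
    return {"vulnerability": {"id": cve, "fix": {"state": state},
                              "cvss": [{"metrics": {"baseScore": score}}]},
            "artifact": {"purl": purl}}

# One high won't-fix (must be registered), one high fixable, one low won't-fix.
SCAN = {"matches": [
    _match("CVE-0000-0001", "wont-fix", 9.8, "pkg:deb/debian/libexample@1.0"),
    _match("CVE-0000-0002", "fixed", 8.1, "pkg:deb/debian/other@2.0"),
    _match("CVE-0000-0003", "wont-fix", 3.1, "pkg:deb/debian/low@0.1"),
]}

def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

def empty_vex(author="example-ci-bot"):
    """Minimal OpenVEX v0.2.0 document; @id and author are placeholders."""
    return {"@context": "https://openvex.dev/ns/v0.2.0",
            "@id": "https://example.invalid/vex/permanent", "author": author,
            "timestamp": _now(), "version": 0, "statements": []}

def select_permanent(scan, threshold=7.0):
    """(cve, purl) pairs that are unfixable AND at or above the CVSS threshold."""
    out = []
    for m in scan["matches"]:
        v = m["vulnerability"]
        score = max((c["metrics"]["baseScore"] for c in v.get("cvss", [])), default=0.0)
        if v.get("fix", {}).get("state") in WONT_FIX and score >= threshold:
            out.append((v["id"], m["artifact"]["purl"]))
    return out

def update_vex(vex, scan, justification="vulnerable_code_not_in_execute_path"):
    """Append one not_affected statement per unregistered CVE (idempotent); return new ids."""
    known, added = {s["vulnerability"]["name"] for s in vex["statements"]}, []
    for cve, purl in select_permanent(scan):
        if cve not in known:
            vex["statements"].append({"vulnerability": {"name": cve},
                                      "products": [{"@id": purl}], "status": "not_affected",
                                      "justification": justification,  # assumed default; PR reviewer confirms
                                      "status_notes": "OS vendor won't-fix; risk accepted in CI"})
            known.add(cve)
            added.append(cve)
    if added:  # only a changed document gets a new version and timestamp
        vex["version"] += 1
        vex["timestamp"] = _now()
    return added
```

In the workflow, the serialized document is what the step would write to `.vex/permanent.openvex.json` and open the review pull request with.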
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CI/CD, Vulnerability Management, OpenVEX, SBOM, Supply Chain Security
- **Credibility**: unverified
- **Published**: 2026-04-04 15:27:02
- **ID**: 50076
- **URL**: https://whisperx.ai/en/intel/50076