
CVE noise in open source scanning: what changes for developers?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: ActiveState’s advisory feed now enriches Trivy scans with VEX and remediation guidance, helping teams suppress non-exploitable CVEs while preserving accurate risk signals for containers and language packages, according to Aqua Security. The governance issue is not vulnerability volume alone, but whether security teams can separate exploitable exposure from alert fatigue without weakening developer workflows.

NHIMG editorial — based on content published by Aqua Security: ActiveState joins Trivy Partner Connect to cut CVE noise and reduce alert fatigue for developers

By the numbers:

Questions worth separating out

Q: How should security teams reduce CVE noise without losing real risk signals?

A: Use exploitability context to separate actionable vulnerabilities from inherited or non-reachable issues, then apply policy-based triage instead of treating every match as urgent.

Q: When should a CVE be suppressed in a scanner workflow?

A: Suppress a CVE only when there is evidence that it is non-exploitable in the specific artifact, environment, or deployment path, and the suppression decision is governed and reviewable.

Q: What do teams get wrong about vulnerability alert fatigue?

A: They often assume the answer is fewer alerts, when the real issue is better prioritisation.

Practitioner guidance

  • Suppress only non-exploitable findings with governance approval: Define explicit rules for when VEX or advisory context is sufficient to suppress a CVE, and require review for exceptions so the suppression process stays auditable.
  • Route container and package findings by artifact class: Separate remediation paths for base images, application dependencies, and transitive packages so each finding lands with the team that can actually fix it.
  • Measure scanner credibility against remediation outcomes: Track how many findings are later confirmed exploitable, how many are suppressed, and how often teams reverse a suppression decision after new intelligence arrives.
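The Q&A above and the three guidance points describe one policy layer: suppress a finding only when a trusted, justified VEX statement says the exact artifact is not affected, route whatever remains by artifact class, and keep numbers that show how often suppression is used. The block below is an added example of that layer and is not code from Aqua Security, Trivy or ActiveState. It assumes a simplified finding shape loosely modelled on Trivy's JSON report, placeholder CVE identifiers, a hypothetical `POLICY` dictionary (trusted VEX authors and a class-to-team routing table), and OpenVEX-style statements with the spec's `not_affected` justification values.

```python
"""Policy-based CVE triage: VEX suppression with an audit trail, plus routing.

Added example; input shapes are simplified and constructed for illustration.
"""
from dataclasses import dataclass, field

# OpenVEX justification values that may accompany a "not_affected" status.
VALID_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Hypothetical governance policy (assumption): which VEX authors a team has
# approved, and which artifact class routes to which owning team.
POLICY = {
    "trusted_vex_authors": {"Example Vendor Security Team"},
    "routing": {
        "base_image": "platform-team",
        "app_dependency": "service-owners",
        "transitive": "dependency-bot",
    },
}

# Constructed findings, loosely modelled on Trivy's Results[].Vulnerabilities[]
# entries. CVE IDs are placeholders, not real vulnerabilities.
SAMPLE_FINDINGS = [
    {"id": "CVE-0000-0001", "purl": "pkg:deb/debian/libfoo@1.2.3", "severity": "HIGH", "artifact_class": "base_image"},
    {"id": "CVE-0000-0002", "purl": "pkg:pypi/barlib@2.0.0", "severity": "CRITICAL", "artifact_class": "app_dependency"},
    {"id": "CVE-0000-0003", "purl": "pkg:pypi/bazlib@0.9.1", "severity": "MEDIUM", "artifact_class": "transitive"},
    {"id": "CVE-0000-0004", "purl": "pkg:pypi/quxlib@4.4.0", "severity": "HIGH", "artifact_class": "app_dependency"},
]

# Constructed OpenVEX-style document from a trusted author: one well-formed
# suppression, one "not_affected" with no justification, one non-suppressing status.
SAMPLE_VEX = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "author": "Example Vendor Security Team",
    "statements": [
        {"vulnerability": {"name": "CVE-0000-0001"}, "products": [{"@id": "pkg:deb/debian/libfoo@1.2.3"}],
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-0000-0002"}, "products": [{"@id": "pkg:pypi/barlib@2.0.0"}],
         "status": "not_affected"},  # no justification: must not suppress
        {"vulnerability": {"name": "CVE-0000-0003"}, "products": [{"@id": "pkg:pypi/bazlib@0.9.1"}],
         "status": "under_investigation"},  # not a suppression status
    ],
}

# Constructed document from an author the policy does not trust.
SAMPLE_VEX_UNTRUSTED = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "author": "Unknown Uploader",
    "statements": [
        {"vulnerability": {"name": "CVE-0000-0004"}, "products": [{"@id": "pkg:pypi/quxlib@4.4.0"}],
         "status": "not_affected", "justification": "component_not_present"},
    ],
}


@dataclass
class TriageResult:
    actionable: list = field(default_factory=list)    # findings routed to an owner
    suppressed: list = field(default_factory=list)    # audit records for suppressions
    rejected_vex: list = field(default_factory=list)  # statements that did not qualify, with reason


def _index_statements(vex_docs, policy):
    """Map (cve, purl) -> (statement, author) for trusted, well-formed suppressions.

    Every statement that fails a policy check is recorded with the reason, so
    reviewers can see why a CVE was left actionable."""
    accepted, rejected = {}, []
    for doc in vex_docs:
        author = doc.get("author", "")
        for st in doc.get("statements", []):
            cve = st["vulnerability"]["name"]
            if author not in policy["trusted_vex_authors"]:
                reason = f"untrusted author {author!r}"
            elif st.get("status") != "not_affected":
                reason = f"status {st.get('status')!r} does not suppress"
            elif st.get("justification") not in VALID_JUSTIFICATIONS:
                reason = "missing or invalid justification"
            else:
                reason = None
            if reason:
                rejected.append({"cve": cve, "author": author, "reason": reason})
                continue
            for product in st.get("products", []):
                accepted[(cve, product["@id"])] = (st, author)
    return accepted, rejected


def triage(findings, vex_docs, policy=POLICY):
    """Suppress only exact (CVE, package) matches backed by an accepted statement;
    route everything else by artifact class."""
    result = TriageResult()
    accepted, result.rejected_vex = _index_statements(vex_docs, policy)
    for f in findings:
        match = accepted.get((f["id"], f["purl"]))
        if match:
            st, author = match
            result.suppressed.append({"cve": f["id"], "purl": f["purl"],
                                      "justification": st["justification"], "author": author})
            continue
        owner = policy["routing"].get(f["artifact_class"], "security-triage")
        result.actionable.append({**f, "owner": owner})
    return result


def credibility_metrics(result):
    """Numbers a team can track over time to judge how much the feed suppresses."""
    total = len(result.actionable) + len(result.suppressed)
    return {
        "total": total,
        "suppressed": len(result.suppressed),
        "suppression_ratio": round(len(result.suppressed) / total, 2) if total else 0.0,
        "rejected_vex_statements": len(result.rejected_vex),
    }


if __name__ == "__main__":
    r = triage(SAMPLE_FINDINGS, [SAMPLE_VEX, SAMPLE_VEX_UNTRUSTED])
    for rec in r.suppressed:
        print("SUPPRESSED", rec)
    for f in r.actionable:
        print("ACTIONABLE", f["id"], f["severity"], "->", f["owner"])
    for rej in r.rejected_vex:
        print("VEX REJECTED", rej)
    print(credibility_metrics(r))
```

Of the four constructed findings only the first is suppressed; the others stay actionable because their statements lack a justification, carry a non-suppressing status, or come from an untrusted author, and each rejection is recorded with its reason. Trivy can consume OpenVEX documents directly; the point of a layer like this is the governance around that decision (who may assert "not affected", what evidence is required, and what gets logged), which the scanner alone does not enforce.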

What's in the full analysis

Aqua Security's full analysis covers the operational detail this post intentionally leaves for the source:

  • The exact advisory-feed integration model for Trivy users working with ActiveState artifacts.
  • The VEX handling logic used to suppress non-exploitable CVEs in scan output.
  • Remediation options for affected containers and language packages when a CVE is still actionable.
  • The practical workflow impact for developers who need cleaner triage without losing security context.

👉 Read Aqua Security's analysis of ActiveState advisory integration for Trivy →
