Author: admin

Integration brings ActiveState’s VEX advisories and secure libraries directly into Trivy scans, providing high-fidelity results and faster remediation paths

VANCOUVER, BC and TEL AVIV, Israel, Nov. 17, 2025 /PRNewswire/ — ActiveState, a global leader in open source language solutions and secure software supply chain management, today announced it has joined Trivy Partner Connect, bringing ActiveState’s CVE advisories, secure open source containers, and language libraries to Trivy’s trusted scanning capabilities. This collaboration delivers CVE-free open source directly into the workflows developers already use, helping teams build and ship secure software more efficiently.

ActiveState joins a growing community of organizations collaborating with Aqua to advance Trivy, the world’s most popular open source vulnerability scanner. Together, ActiveState and Trivy help reduce the noise associated with CVE alerts by integrating ActiveState’s advisory feed into the scanning process. Trivy users can now see an accurate risk profile for any ActiveState open source artifacts they use. The advisory feed also includes VEX (Vulnerability Exploitability eXchange) information, enabling Trivy to suppress CVEs that have been fully investigated and deemed non-exploitable by ActiveState. When valid CVEs are found, Trivy users will also receive remediation options provided by ActiveState for affected containers and language packages.

Through this integration, users will have the most up-to-date information verified by both parties. This collaboration extends the value of Trivy Partner Connect, making it easier for organizations to ensure their open source components are secure, compliant, and production ready.

“ActiveState’s participation in Partner Connect brings their deep expertise in the open source supply chain directly to the Trivy community,” said Matt Richards, CMO at Aqua Security. “By combining ActiveState’s advisories, trusted libraries and secure containers with Trivy’s powerful scanning, developers get the best of both worlds: high-quality, vetted components and reliable, high-fidelity validation. This is a big step forward for developer-first security and supply chain integrity.”

Recent industry research¹ shows that 86% of commercial code bases contain open source vulnerabilities and 81% contain high or critical CVEs. ActiveState found that researching the potential impact of CVEs consumes about 26% of the overall vulnerability discovery-to-remediation process. This involves hands-on research to understand if the vulnerability is reachable and exploitable, and then determining the next step based on those findings (remediate or VEX). The integration between Trivy and ActiveState aims to reduce time spent researching vulnerabilities, giving developers back time to focus on delivering innovation.

“Partnering with Trivy underscores our shared commitment to enabling and securing open source in enterprise applications,” said Stephen Baker, CEO of ActiveState. “Our mission at ActiveState is to provide developers with a trusted, ‘paved path’ for open source, eliminating the complexity, risk, and manual vetting associated with securing the supply chain. This collaboration enables developers to confidently build applications using secure, curated components that are validated by Trivy, allowing them to maintain speed, compliance, and trust in their open source.”

Learn More
Organizations can explore ActiveState’s Trivy-integrated secure open source containers and language libraries at https://trivy.dev/partners or activestate.com. Trivy Partner Connect is open and expanding quickly. Organizations interested in joining can learn more and apply at Trivy Partner Connect.

About ActiveState
ActiveState enables DevOps, InfoSec, and Development teams to improve their security posture while simultaneously increasing productivity and innovation to deliver secure applications faster. We are the only solution in the market today that offers vulnerability-free open source language packages and containers and Intelligent Remediation, which identifies which vulnerabilities to prioritize, assesses the impact of updates causing breaking changes, prioritizes what to fix first, securely builds open source packages from source, and facilitates the build and deploy process to get fixes into production quickly and easily. All from the trusted partner that pioneered and continues to lead enterprise adoption and use of open source software.

About Aqua Trivy
Trivy is the most popular open source scanner for containers, IaC, code, cloud, and Kubernetes, detecting vulnerabilities, misconfigurations, and secrets. Trusted by millions worldwide, Trivy is maintained by Aqua Security. Learn more at https://trivy.dev/.

About Aqua Security
Aqua Security protects every cloud native application from code to cloud to prompt. As the pioneer in container security and vulnerability management, Aqua delivers full protection across the application lifecycle in real time. Our unified CNAPP combines agentless and agent-based controls with industry-leading runtime security for cloud, on-prem, hybrid, multi-cloud, VM and mainframe environments. The Aqua Platform provides best-in-class security agents and advanced contextual analysis to reduce noise and accelerate remediation. Founded in 2015, Aqua is headquartered in Boston, MA and Ramat Gan, Israel and secures more than 40% of the Fortune 100. Learn more at aquasec.com.

¹ https://news.blackduck.com/2025-02-25-New-Black-Duck-Report-86-of-Commercial-Codebases-Contain-Vulnerable-Open-Source,-Exposing-Organizations-to-Security-Risks

SOURCE ActiveState