How do we handle concerns about vulnerability scanning of our app by customers, potentially flagging "false positives"?
Last updated: February 27, 2026
QUESTION
How do we handle concerns about vulnerability scanning of our app by customers, potentially flagging "false positives"?
ANSWER
There are open standards such as VEX (Vulnerability Exploitability Exchange) that you, as the vendor, can use to state which reported vulnerabilities do not actually affect your product, so that scanners can suppress those findings. Almost all scanners these days understand VEX.
All you need to do is attach a VEX document alongside your OCI artifact; VEX-aware scanners will then ignore the findings it marks as not affecting your product.
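As an added illustration (not code from this page or from any particular scanner), the following builds a minimal OpenVEX document and shows the scanner-side logic that consumes it: findings the vendor has marked `not_affected` (with a required justification) or `fixed` are suppressed, while `affected` and `under_investigation` remain visible. The product purl, digest, document id and CVE ids are constructed placeholders.

```python
from datetime import datetime, timezone

# Justifications OpenVEX allows on a "not_affected" statement.
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}
# Statuses a VEX-aware scanner may suppress; "affected" and "under_investigation" stay visible.
SUPPRESSIBLE = {"not_affected", "fixed"}

# Constructed sample product purl (placeholder digest, not a real image).
PRODUCT = "pkg:oci/example-app@sha256%3APLACEHOLDER_DIGEST"

def make_vex(statements):
    """Wrap statements in a minimal OpenVEX v0.2.0 document, validating each one."""
    for s in statements:
        if s["status"] == "not_affected" and s.get("justification") not in NOT_AFFECTED_JUSTIFICATIONS:
            raise ValueError(f"not_affected needs a valid justification: {s}")
    return {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": "https://example.com/vex/example-app-PLACEHOLDER",  # assumed document id
        "author": "Example Vendor Security Team",
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "version": 1,
        "statements": statements,
    }

def filter_findings(findings, vex):
    """Scanner-side logic: drop findings the VEX document marks not_affected or fixed."""
    suppressed_keys = {
        (s["vulnerability"]["name"], p["@id"])
        for s in vex["statements"] if s["status"] in SUPPRESSIBLE
        for p in s["products"]
    }
    kept = [f for f in findings if (f["id"], f["product"]) not in suppressed_keys]
    suppressed = [f for f in findings if (f["id"], f["product"]) in suppressed_keys]
    return kept, suppressed

# Constructed VEX document and scanner findings; CVE ids are placeholders, not real CVEs.
VEX = make_vex([
    {"vulnerability": {"name": "CVE-0000-00001"}, "products": [{"@id": PRODUCT}],
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-0000-00002"}, "products": [{"@id": PRODUCT}],
     "status": "under_investigation"},
])
FINDINGS = [{"id": "CVE-0000-00001", "product": PRODUCT},
            {"id": "CVE-0000-00002", "product": PRODUCT}]
```

Serialise `VEX` to JSON and publish it next to the image; a statement without a justification is rejected here because a bare `not_affected` claim gives the customer's scanner nothing to audit.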