{"id":28933327,"url":"https://github.com/dasiths/ai_generated_vex","last_synced_at":"2025-10-08T08:54:33.687Z","repository":{"id":298748762,"uuid":"1000981133","full_name":"dasiths/ai_generated_vex","owner":"dasiths","description":"Automated security scanning system using GitHub Copilot as an intelligent agent to generate comprehensive VEX documents with contextual vulnerability analysis.","archived":false,"fork":false,"pushed_at":"2025-07-01T07:47:12.000Z","size":115,"stargazers_count":2,"open_issues_count":1,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-07-01T08:38:21.874Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Makefile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dasiths.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/security/reports/example_2025-06-15/20250613-vulpy-security-report.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-06-12T16:09:27.000Z","updated_at":"2025-06-26T23:52:26.000Z","dependencies_parsed_at":"2025-06-12T17:36:52.133Z","dependency_job_id":"c00bb13b-7251-4c1d-911c-b74b34ccd06c","html_url":"https://github.com/dasiths/ai_generated_vex","commit_stats":null,"previous_names":["dasiths/ai_generated_vex"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/dasiths/ai_generated_vex","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dasiths%2Fai_generated_vex","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dasiths%2Fai_generated_vex/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dasiths%2Fai_generated_vex/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dasiths%2Fai_generated_vex/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dasiths","download_url":"https://codeload.github.com/dasiths/ai_generated_vex/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dasiths%2Fai_generated_vex/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278916437,"owners_count":26068090,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-08T02:00:06.501Z","response_time":56,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-06-22T17:41:10.101Z","updated_at":"2025-10-08T08:54:33.679Z","avatar_url":"https://github.com/dasiths.png","language":"Makefile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AI-Powered Security Analysis with VEX Generation\n\n**VEX (Vulnerability Exploitability eXchange)** tells you whether vulnerabilities actually matter in your specific environment. Instead of just listing CVEs, VEX provides context about real exploitability and practical risk assessment.\n\n## 🚨 The Problem with Traditional Vulnerability Scanning\n\nTraditional vulnerability scanners generate overwhelming noise - reporting every CVE found in dependencies without considering whether they're actually exploitable. Security teams waste critical time triaging hundreds of theoretical vulnerabilities while real threats go unaddressed.\n\n**Common Issues:**\n- **False Positives**: Vulnerable libraries that aren't actually reachable by attackers\n- **Context Blindness**: Scanners can't evaluate runtime protections, network controls, or application-specific mitigations\n- **Alert Fatigue**: Teams become desensitized to constant vulnerability reports\n- **Resource Misallocation**: Critical effort spent on non-exploitable CVEs instead of real security gaps\n\n## 🎯 Why Exploitability Analysis Matters\n\nThis workflow addresses fundamental gaps in traditional security assessment by focusing on **actual risk** rather than theoretical vulnerability presence. The exploitability analysis phase performs deep technical investigation that answers the critical question: \"Can an attacker actually exploit this in our specific environment?\"\n\n**Technical Depth Required:**\n- **Code Reachability Analysis**: Tracing execution paths from entry points to vulnerable functions\n- **Attack Surface Mapping**: Identifying realistic attack vectors and prerequisites\n- **Environmental Context**: Evaluating protective controls, deployment configurations, and runtime defenses\n- **Exploitation Feasibility**: Assessing real-world conditions needed for successful attacks\n\n**Beyond CVE Catalogs:**\nWhile CVE databases document known vulnerabilities, they can't evaluate your specific implementation context. A CVE marked \"Critical\" may be completely unexploitable due to how your application is architected, deployed, or protected. Conversely, application-specific vulnerabilities not captured in any CVE database may pose significant risk.\n\n**Supply Chain Transparency:**\nVEX documents provide standardized communication about vulnerability status across development teams, security organizations, and third-party vendors. Instead of blanket vulnerability reports, stakeholders receive evidence-based determinations about actual risk exposure.\n\n## What You Get\n\nThis automated workflow generates three comprehensive security deliverables:\n\n1. **📄 Summary** - Executive overview of critical findings\n2. **📋 Security Reports** - Detailed technical analysis with exploitability details and remediation guidance\n3. **🔒 VEX Document** - Industry-standard OpenVEX-compliant exploitability determinations generated using the VEX Document MCP Server\n\n**📁 Example Reports**: [docs/security/reports/](docs/security/reports/)\n\n## Two Modes of Operation\n\nThis project provides two complementary security analysis workflows:\n\n### 🔍 **Mode 1: Security Scan \u0026 VEX Generation**\nComplete security assessment workflow that scans your application, analyses exploitability, and generates standardized VEX documentation.\n\n**Use when:** Starting security assessment from scratch or need comprehensive vulnerability analysis\n\n### 🎯 **Mode 2: Deep CVE Exploit Analysis** \nAdvanced exploit analysis that takes existing security reports and creates detailed technical documentation for each CVE vulnerability.\n\n**Use when:** You have existing security reports and need deeper technical analysis for specific CVEs\n\n## Why This Approach Matters\n\nTraditional vulnerability scanners generate overwhelming noise - reporting every CVE found in dependencies without considering actual exploitability. This project focuses on **evidence-based risk assessment** rather than theoretical vulnerability presence.\n\n**Key Benefits:**\n- **🎯 Evidence-Based Analysis**: Every determination backed by concrete technical proof\n- **🔍 Beyond CVE Scanning**: Discovers application-specific vulnerabilities through OWASP Top 10 review\n- **📊 Risk-Based Prioritization**: Focus resources on vulnerabilities that pose actual threat\n- **📋 Industry Standards**: OpenVEX-compliant documents for transparent vulnerability communication\n- **⚡ Automated Intelligence**: Combines scanning tools with human-level security analysis\n\n## Getting Started\n\n### 1️⃣ `Mode 1`: Security Scan \u0026 VEX Generation\n\n**Complete end-to-end security assessment workflow**\n\n1. **Start Assessment**: Open GitHub Copilot and use the security scan prompt\n2. **Provide Details**: Copilot will ask for:\n   - **Report Name**: `my-app-security-assessment`\n   - **Product Name**: `my-application`\n   - **Scope**: `src/` (directories to analyze)\n\n3. **Automated 4-Step Process**:\n   - 🔍 **Comprehensive Scanning**: Trivy identifies CVEs, misconfigurations, secrets, and license issues\n   - 🧠 **Exploitability Analysis**: Rigorous technical analysis determining actual exploitability\n   - 🔒 **OWASP Top 10 Review**: Manual review for application-specific vulnerabilities\n   - 📋 **VEX Documentation**: Generate OpenVEX-compliant industry-standard documents\n\n**Results**: Three deliverables automatically saved to `docs/security/reports/[report-name]/`:\n- 📄 **Summary** - Executive overview of critical findings\n- 📋 **Security Report** - Detailed technical analysis with remediation guidance\n- 🔒 **VEX Document** - Industry-standard exploitability determinations\n\n### 2️⃣ `Mode 2`: Deep CVE Exploit Analysis\n\n**Advanced technical analysis for existing security reports**\n\n1. **Prerequisites**: Existing security report with CVE findings (from Mode 1 or other sources)\n2. **Start Analysis**: Open GitHub Copilot and use the deep CVE analysis prompt\n3. **Select Report**: Copilot will show available reports in `docs/security/reports/`\n\n4. **7-Step Deep Analysis Process**:\n   - 📊 **CVE Report Analysis**: Extract and prioritize ALL CVEs from existing reports\n   - 🔍 **Intelligence Gathering**: Deep research using vulnerability databases\n   - 🧩 **Library Integration Analysis**: Trace vulnerable library usage in application context\n   - 🎯 **Exploit Development**: Create theoretical proof-of-concept demonstrations (documentation only)\n   - 📋 **Individual CVE Documentation**: Generate detailed exploit analysis per CVE\n   - ⏭️ **Progress Tracking**: Manage analysis queue and context clearing\n   - 📊 **Executive Summary**: High-level overview after processing multiple CVEs\n\n**Results**: Enhanced documentation with detailed exploit scenarios:\n- � **Individual CVE Documents**: `[CVE-ID]-exploit-analysis.md` per vulnerability\n- 📊 **Executive Summary**: `executive-summary-exploit-analysis.md` with business impact\n- 🎯 **Prioritized Findings**: Risk-based ordering of exploitable vs non-exploitable CVEs\n\n## Prompts \u0026 Instructions\n\n- **📖 Global Instructions**: [.github/instructions/vex.instructions.md](.github/instructions/vex.instructions.md) - Applies to both modes\n- **🔨 MCP Tools**: Ensure these MCP tools are made available to the agent.\n    ![MCP tools](assets/mcp_tools.png)\n- **🔍 Mode 1 Prompt**: [.github/prompts/security-scan-and-vex.prompt.md](.github/prompts/security-scan-and-vex.prompt.md)\n    ![security analysis prompt](./assets/security-analysis-prompt.png)\n\n    ![security analysis prompt example](./assets/security-analysis-prompt-example.png)\n\n- **🎯 Mode 2 Prompt**: [.github/prompts/deep-cve-exploit-analysis.prompt.md](.github/prompts/deep-cve-exploit-analysis.prompt.md)\n    ![deep cve analysis prompt](./assets/deep-cve-analysis-prompt.png)\n- **📁 Example Reports**: [docs/security/reports/](docs/security/reports/)\n\n## Setup\n\n**Development Container**: Pre-configured with all tools and MCP servers. Simply open in VS Code with Dev Containers extension.\n\n**Manual Setup**: If not using the dev container, install these prerequisites:\n\n```bash\n# Clone and setup\ngit clone \u003crepository\u003e\ncd ai_generated_vex\nmake setup  # Installs all required tools\n\n# Start MCP servers\nmake start-osv-mcp-server\n```\n\n**Prerequisites Required:**\n- **Docker** - For OSV MCP server\n- **Go** (v1.24+) - For vexctl installation\n- **Node.js** (v22+) - For vexdoc-mcp installation\n- **Trivy** (v0.63.0+) - Security scanner\n\n### MCP Configuration\n\nThe following MCP servers are automatically configured in the dev container:\n\n```json\n{\n    \"servers\": {\n        \"trivy-mcp\": {\n            \"type\": \"stdio\",\n            \"command\": \"trivy\",\n            \"args\": [\"mcp\"]\n        },\n        \"vexdoc-mcp\": {\n            \"type\": \"stdio\",\n            \"command\": \"npx\",\n            \"args\": [\"vexdoc-mcp\"]\n        },\n        \"osv-mcp\": {\n            \"type\": \"http\",\n            \"url\": \"http://localhost:3001/mcp\"\n        }\n    }\n}\n```\n\n### Helpful Commands\n\n```bash\nmake help                  # Show all available commands\nmake setup                 # Install all required tools and dependencies\nmake start-osv-mcp-server  # Start the OSV MCP server\nmake stop-osv-mcp-server   # Stop the OSV MCP server\nmake status-osv-mcp-server # Check OSV MCP server status\n```\n\n## Documentation \u0026 Examples\n\n- **📖 Complete Instructions**: [.github/instructions/vex.instructions.md](.github/instructions/vex.instructions.md)\n- **📁 Example Reports**: [docs/security/reports/](docs/security/reports/)\n- **🔗 VEX Specification**: [OpenVEX](https://github.com/openvex/spec)\n\n## Related Projects\n\n- [Trivy MCP](https://github.com/aquasecurity/trivy-mcp) - Security scanning MCP server\n- [VEX Document MCP Server](https://github.com/rosstaco/vexdoc-mcp) - VEX document generation\n- [OSV MCP Server](https://github.com/StacklokLabs/osv-mcp) - Vulnerability intelligence\n- [Vulpy Test App](https://github.com/fportantier/vulpy) - Vulnerable Python application for testing\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdasiths%2Fai_generated_vex","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdasiths%2Fai_generated_vex","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdasiths%2Fai_generated_vex/lists"}