Add support for CSAF v2.0 compliant repo

[lucaskanashiro]

Description

When trying to use a repo in a trivy call, its directory structure/files need to follow the VEX Repository Specification AFAIU. However, this specification is not followed by other standards, such as CSAF v2.0. Some big players, such as RedHat, are using a different structure that does not work with trivy out-of-the-box: https://security.access.redhat.com/data/csaf/v2/ .

Specifically for RedHat, I found out that CSAF is not yet supported (#7452), but it is used just as an example here.

I would like to have by default support for repositories following the CSAF v2.0 specification.

Currently, when using a CSAF v2.0 compliant repository fails because vex-repository.json is not defined by this standard, but it is by the aquasecurity's VEX Repository Specification.

1. $ trivy vex repo init

$ cat ~/.trivy/vex/repository.yaml
repositories:
  - name: default
    url: https://github.com/aquasecurity/vexhub
    enabled: true
    username: ""
    password: ""
    token: ""
    insecure: false
  - name: redhat
    url: https://security.access.redhat.com/data/csaf/v2/
    enabled: true

$ trivy image --vex repo registry.access.redhat.com/ubi9/ubi:latest
2026-03-27T18:45:33-03:00	INFO	[vulndb] Need to update DB
2026-03-27T18:45:33-03:00	INFO	[vulndb] Downloading vulnerability DB...
2026-03-27T18:45:33-03:00	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
88.14 MiB / 88.14 MiB [-----------------------------------------------------------------------------------------------------------------------] 100.00% 5.08 MiB p/s 18s
2026-03-27T18:45:54-03:00	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2026-03-27T18:45:54-03:00	INFO	[vex] No need to check repository updates	repo="default"
2026-03-27T18:45:56-03:00	FATAL	Fatal error	run error: init error: VEX repositories download error: failed to download vex repositories: failed to update the repository: failed to get the repository metadata: failed to download the repository metadata: failed to download the repository: failed to download https://security.access.redhat.com/data/csaf/v2/.well-known/vex-repository.json: bad response code: 404

$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux forky/sid"
NAME="Debian GNU/Linux"
VERSION_CODENAME=forky
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
$ trivy --version
Version: 0.69.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2026-03-19 12:35:06.232779536 +0000 UTC
  NextUpdate: 2026-03-20 12:35:06.232779285 +0000 UTC
  DownloadedAt: 2026-03-27 21:45:54.329802242 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-11-07 00:57:14.567451663 +0000 UTC
  NextUpdate: 2025-11-10 00:57:14.567451292 +0000 UTC
  DownloadedAt: 2025-11-07 18:02:30.90748826 +0000 UTC

Target

None

Scanner

Vulnerability