If you run Trivy or Grype in CI and triage the output by CVSS, this is the thing I wish I'd had two years ago.

Quick recap

Trivy and Grype hand you a list of CVEs. CVSS is a score in a vacuum — it doesn't know whether a service runs in a private subnet behind mTLS, or sits on the open internet handling payment cards. vens reads your scan output plus a YAML describing the service (exposure, data sensitivity, business criticality, controls, compliance, …), runs every CVE through an LLM with that context, and emits a CycloneDX VEX with OWASP Risk Rating scores. You gate the build on those instead.

vens-action is the GitHub Action wrapper — install, invocation, build gate, packaged as a composite. Here's the minimum to drop it in.

What you need

- A Trivy or Grype JSON report (you're probably running one of these already).
- A .vens/config.yaml. Three context fields are the floor; the full annotated reference is in examples/quickstart/config.yaml.…
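To make the "CVSS in a vacuum" point concrete, here is an added illustration (not vens's own code, which uses an LLM and its own config schema) of re-rating Trivy JSON findings against service context with the OWASP Risk Rating likelihood/impact matrix and gating on the result. The report, CVE ids, context keys and factor mappings are all constructed for this example.

```python
import json

# Constructed Trivy-style report (Results[].Vulnerabilities[] is Trivy's real layout);
# the CVE ids are placeholders, not real vulnerabilities.
TRIVY_REPORT = json.dumps({"Results": [{"Target": "app:latest", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libexample", "Severity": "CRITICAL",
     "CVSS": {"nvd": {"V3Score": 9.8}}},
    {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libother", "Severity": "HIGH",
     "CVSS": {"nvd": {"V3Score": 7.5}}}]}]})

# Service context as a config YAML might describe it (hypothetical keys, already parsed).
INTERNAL_SERVICE = {"exposure": "internal", "data_sensitivity": "low", "business_criticality": "low"}
PAYMENT_SERVICE = {"exposure": "internet", "data_sensitivity": "pci", "business_criticality": "high"}

# Simplified 0-9 OWASP Risk Rating factors derived from context (assumed mappings).
LIKELIHOOD_BY_EXPOSURE = {"internet": 9, "partner": 6, "internal": 3}
IMPACT_BY_SENSITIVITY = {"pci": 9, "pii": 7, "internal": 4, "low": 1}
IMPACT_BY_CRITICALITY = {"high": 9, "medium": 5, "low": 1}

# OWASP overall-risk matrix, keyed by (likelihood bucket, impact bucket).
OVERALL = {
    ("LOW", "LOW"): "NOTE", ("MEDIUM", "LOW"): "LOW", ("HIGH", "LOW"): "MEDIUM",
    ("LOW", "MEDIUM"): "LOW", ("MEDIUM", "MEDIUM"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH",
    ("LOW", "HIGH"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH", ("HIGH", "HIGH"): "CRITICAL",
}

def bucket(score):
    """OWASP Risk Rating bands on the 0-9 scale: <3 LOW, <6 MEDIUM, otherwise HIGH."""
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def rate(vuln, ctx):
    """Overall OWASP risk for one finding: CVSS feeds likelihood, context feeds the rest."""
    cvss = vuln.get("CVSS", {}).get("nvd", {}).get("V3Score", 0.0)
    likelihood = (cvss * 0.9 + LIKELIHOOD_BY_EXPOSURE[ctx["exposure"]]) / 2  # 0-10 -> 0-9
    impact = (IMPACT_BY_SENSITIVITY[ctx["data_sensitivity"]]
              + IMPACT_BY_CRITICALITY[ctx["business_criticality"]]) / 2
    return OVERALL[(bucket(likelihood), bucket(impact))]

def gate(report_json, ctx, fail_on=("HIGH", "CRITICAL")):
    """Return (passed, {cve_id: overall_risk}); the build fails on any risk in fail_on."""
    findings = {}
    for result in json.loads(report_json)["Results"]:
        for vuln in result.get("Vulnerabilities", []):
            findings[vuln["VulnerabilityID"]] = rate(vuln, ctx)
    return all(risk not in fail_on for risk in findings.values()), findings

if __name__ == "__main__":
    for name, ctx in (("internal", INTERNAL_SERVICE), ("payment", PAYMENT_SERVICE)):
        print(name, gate(TRIVY_REPORT, ctx))
```

The same two CRITICAL/HIGH CVSS findings pass the gate for the internal service and fail it for the internet-facing payment service, which is the triage difference the context buys you.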