I am evaluating how the Anchore Score—your composite security index comprising CVSS, EPSS, and CISA KEV status—is interpreted within highly regulated software supply chains, specifically for automotive programs requiring ISO/SAE 21434 and UNR155/156 compliance.
While the Anchore Score provides a robust technical baseline, in safety-critical contexts, “score-only” interpretations often conflict with the risk-assessment emphasis of ISO/SAE 21434. Practitioner-level implementation shows that vulnerability severity is frequently insufficient without explicit exploitability and operational context.
I have developed and implemented a VEX-driven interpretation layer that maps Anchore Score into automotive-specific risk categories without altering the underlying model. This approach ensures that Anchore outputs remain technically accurate while aligning risk decisions with functional safety expectations:
VEX: Not Affected → Informational, regardless of Anchore Score.
VEX: Affected + No Known Exploit + Non-safety-relevant component → Monitor.
VEX: Affected + Safety-relevant component → Elevated Risk, independent of raw CVSS/Anchore Score.
This model allows for high-assurance governance that prevents safety-relevant risks from being overshadowed by high-score but non-exploitable vulnerabilities.
I am interested in whether Anchore has seen similar interpretation patterns in other regulated environments (e.g., FedRAMP, Medical) and would welcome the opportunity to document this VEX-based risk interpretation profile for the broader community.
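The three VEX-to-tier mappings above, written out as a small triage function (an added example, not code from the post or from Anchore/Grype). It assumes a simplified constructed finding record rather than real Grype/Anchore JSON, uses the OpenVEX status vocabulary, and fills two cases the post leaves open, treating a missing or `under_investigation` statement as affected and sending a non-safety component with a KEV listing or high EPSS to Elevated Risk; the CVE ids and component names are placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    """One scanner match in a simplified, constructed shape (not real Grype/Anchore JSON)."""
    cve: str
    component: str
    epss: float   # EPSS probability, 0.0 to 1.0
    kev: bool     # listed in CISA KEV

# Status vocabulary of the OpenVEX specification.
VEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}

def classify(finding, vex_status, safety_relevant, epss_threshold=0.1):
    """Map one finding to the post's tiers: Informational, Monitor, Elevated Risk.

    not_affected (and, as an assumption, fixed) -> Informational, whatever the score.
    affected + safety-relevant component         -> Elevated Risk, ignoring CVSS/EPSS.
    affected + non-safety + no known exploit     -> Monitor.
    Assumptions not in the post: a missing or under_investigation statement is treated
    as affected; "known exploit" means KEV-listed or EPSS >= epss_threshold, which
    moves a non-safety component to Elevated Risk.
    """
    if vex_status is not None and vex_status not in VEX_STATUSES:
        raise ValueError(f"unknown VEX status: {vex_status!r}")
    if vex_status in ("not_affected", "fixed"):
        return "Informational"
    if safety_relevant:
        return "Elevated Risk"
    exploit_known = finding.kev or finding.epss >= epss_threshold
    return "Elevated Risk" if exploit_known else "Monitor"

def triage(findings, vex, safety_components):
    """Classify every finding; `vex` maps (cve, component) -> OpenVEX status."""
    return {(f.cve, f.component): classify(f, vex.get((f.cve, f.component)),
                                           f.component in safety_components)
            for f in findings}

# Constructed sample data; CVE ids and component names are placeholders.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "brake-ctl-lib", epss=0.92, kev=True),   # top score, VEX says not affected
    Finding("CVE-0000-0002", "log-fmt-lib", epss=0.01, kev=False),    # affected, no exploit, non-safety
    Finding("CVE-0000-0003", "brake-ctl-lib", epss=0.00, kev=False),  # affected, safety-relevant, low score
    Finding("CVE-0000-0004", "log-fmt-lib", epss=0.55, kev=False),    # no VEX statement, high EPSS
]
SAMPLE_VEX = {
    ("CVE-0000-0001", "brake-ctl-lib"): "not_affected",
    ("CVE-0000-0002", "log-fmt-lib"): "affected",
    ("CVE-0000-0003", "brake-ctl-lib"): "affected",
}
SAFETY_COMPONENTS = {"brake-ctl-lib"}

def run_sample():
    """Triage the constructed sample; returns {(cve, component): tier}."""
    return triage(SAMPLE_FINDINGS, SAMPLE_VEX, SAFETY_COMPONENTS)
```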
It sounds like you’re looking for some detail and/or solution that looks to be covered under an Anchore Enterprise license.
If your organization has an active Anchore Enterprise relationship, we recommend reaching out to your internal tools team or security platform owners. They will have a direct line to your dedicated Customer Success Team/Manager, who can provide a much faster and more detailed response than we can here in the community channel.
I originally thought that your post was a mis-routed support request because “Anchore Score” is only available in the commercial product; Grype (the open source vuln scanner) doesn’t have it; instead it has “Risk” which is a composite of EPSS, KEV, and Severity computed here:
I really don’t know the answer to that. In general, I agree that “what this software controls” and “does this software control a car / MRI machine” are very relevant questions, but the scanner can’t answer them, so I agree some interpretation of Grype results makes sense here.
You’re welcome to come to our community meetings: Events | Anchore Open Source. We have researchers or industry members come and discuss stuff like this sometimes. The community meetings are, in particular, not broadcast or recorded, so they can be a nice place to discuss these sorts of things.
And, if you’re on GitHub, a fair amount of discussion happens over on the Grype issues and related repositories.