VulnScout is an open-source vulnerability assessment tool that analyzes SBOMs and aggregates results from sources such as CVE, OSV, and Yocto cve-check output. To make it directly usable within the Yocto ecosystem, we developed meta-vulnscout, a layer adding build tasks for automated and web analysis, similar in spirit to Toaster.
This talk will show how VulnScout helps improve the security envelope of Yocto-based systems and present our roadmap for tighter integration with Yocto workflows, including continuous monitoring, CI gating based on severity filters, and structured reporting. Attendees will learn how to run it today and what is coming next.