Yocto Project Summit 2025.12

VulnScout + Yocto: Evolving Vulnerability and Compliance Management
2025-12-03, Walnascar

VulnScout is an open-source vulnerability assessment tool that analyzes SBOMs and aggregates results from sources such as CVE, OSV, and Yocto cve-check output. To make it directly usable within the Yocto ecosystem, we developed meta-vulnscout, a layer adding build tasks for automated and web analysis, similar in spirit to Toaster.

This talk will show how VulnScout helps improve the security envelope of Yocto-based systems and present our roadmap for tighter integration with Yocto workflows, including continuous monitoring, CI gating based on severity filters, and structured reporting. Attendees will learn how to run it today and what is coming next.


The evolution of regulatory frameworks such as the EU Cyber Resilience Act requires continuous vulnerability monitoring and assessment of the software supply chain. While Yocto already ensures reproducibility and transparency, maintaining visibility into vulnerabilities across hundreds of software packages remains a challenge.

VulnScout addresses this need by analyzing SBOMs (SPDX, CycloneDX, and others) and correlating components with several vulnerability data sources, including NVD, OSV, and Yocto’s native cve-check output. It can operate in interactive mode, through a web interface for efficient review and assessment, or in non-interactive mode for CI pipelines, where it applies severity filters and automates the production of reports.

The accompanying meta-vulnscout layer integrates these capabilities into Yocto builds, providing tasks to:

  • Generate and collect SBOMs for images or other artifacts
  • Run vulnerability scans as part of BitBake builds
  • Merge cve-check results with external feeds
  • Optionally fail builds or generate structured reports based on severity thresholds
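The merge-and-gate step described in the last two items, as an added example that is not VulnScout's or meta-vulnscout's own code. It parses a constructed document shaped like Yocto's cve-check JSON output, merges it with a constructed, hypothetical OSV-style feed keyed by CVE id (taking the highest score seen for each id), and then applies a CVSS threshold to decide whether a CI build should fail. The function names, the feed layout and the sample CVE ids are all assumptions made for the example.

```python
"""
Added example (not VulnScout's or meta-vulnscout's own code): merge Yocto
cve-check JSON output with an external feed and apply a CI severity gate.
Both inputs below are constructed samples; the external-feed shape is a
simplified, hypothetical OSV-style record keyed by CVE id.
"""
import json
from dataclasses import dataclass, field

# Constructed sample modelled on the shape of Yocto cve-check JSON output:
# one entry per package, each with per-issue id, CVSS scores and status.
CVE_CHECK_JSON = r'''
{
  "version": "1",
  "package": [
    {
      "name": "openssl", "layer": "meta", "version": "3.4.1",
      "products": [{"product": "openssl", "cvesInRecord": "Yes"}],
      "issue": [
        {"id": "CVE-2099-0001", "summary": "constructed: heap overflow",
         "scorev2": "0.0", "scorev3": "9.8", "vector": "NETWORK",
         "status": "Unpatched"},
        {"id": "CVE-2099-0002", "summary": "constructed: info leak",
         "scorev2": "0.0", "scorev3": "5.3", "vector": "NETWORK",
         "status": "Patched"}
      ]
    },
    {
      "name": "busybox", "layer": "meta", "version": "1.37.0",
      "products": [{"product": "busybox", "cvesInRecord": "Yes"}],
      "issue": [
        {"id": "CVE-2099-0003", "summary": "constructed: DoS in applet",
         "scorev2": "0.0", "scorev3": "4.0", "vector": "LOCAL",
         "status": "Unpatched"}
      ]
    }
  ]
}
'''

# Constructed external feed (hypothetical OSV-style). It rates CVE-2099-0003
# higher than cve-check does and knows one id cve-check did not report.
EXTERNAL_FEED = {
    "CVE-2099-0003": {"score": 7.5, "source": "osv-like"},
    "CVE-2099-0004": {"score": 6.1, "source": "osv-like", "package": "busybox"},
}

@dataclass
class Finding:
    cve: str
    package: str
    version: str
    score: float
    sources: list = field(default_factory=list)

def parse_cve_check(text):
    """Return unpatched findings keyed by CVE id; Patched/Ignored are skipped."""
    doc = json.loads(text)
    findings = {}
    for pkg in doc.get("package", []):
        for issue in pkg.get("issue", []):
            if issue.get("status") != "Unpatched":
                continue
            # cve-check emits scores as strings; take the best available score.
            score = max(float(issue.get("scorev3") or 0),
                        float(issue.get("scorev2") or 0))
            findings[issue["id"]] = Finding(issue["id"], pkg["name"],
                                            pkg.get("version", ""), score,
                                            ["cve-check"])
    return findings

def merge_feed(findings, feed):
    """Merge feed entries into findings: known ids keep the highest score and
    gain a source; unknown ids are added with the package the feed names."""
    for cve, rec in feed.items():
        if cve in findings:
            f = findings[cve]
            f.score = max(f.score, float(rec["score"]))
            f.sources.append(rec["source"])
        else:
            findings[cve] = Finding(cve, rec.get("package", "unknown"), "",
                                    float(rec["score"]), [rec["source"]])
    return findings

def gate(findings, threshold):
    """CI gate: return (passed, report); report lists findings at or above the
    CVSS threshold, highest score first, so it can be archived as an artifact."""
    blocking = sorted((f for f in findings.values() if f.score >= threshold),
                      key=lambda f: -f.score)
    report = {
        "threshold": threshold,
        "total_unpatched": len(findings),
        "blocking": [{"cve": f.cve, "package": f.package, "score": f.score,
                      "sources": f.sources} for f in blocking],
    }
    return (len(blocking) == 0, report)

def run(threshold=7.0):
    findings = merge_feed(parse_cve_check(CVE_CHECK_JSON), EXTERNAL_FEED)
    return gate(findings, threshold)

if __name__ == "__main__":
    ok, report = run()
    print(json.dumps(report, indent=2))
    raise SystemExit(0 if ok else 1)
```

With the default threshold of 7.0 the sample build fails: CVE-2099-0001 (9.8) blocks on cve-check alone, and CVE-2099-0003 blocks only because the external feed raised its score above the 4.0 that cve-check reported, which is the case where merging feeds changes the gate decision. The Patched entry is never counted, and the threshold is the single knob a pipeline would tune per product.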

This session will demonstrate current features and discuss upcoming developments, including better Yocto Project integration, vulnerability assessment, and continuous monitoring. Attendees will gain a clear view of how VulnScout and meta-vulnscout can help secure Yocto-based products and how the community can collaborate on their evolution.

Jérôme is VP Technologies at Savoir-faire Linux, where he helps teams build dependable and innovative systems. Active in open-source software since the late 1990s, he has contributed to projects spanning critical and embedded industries, from aerospace and defense to multimedia and robotics. He holds a master’s degree in software engineering and has spent over 25 years designing systems where safety, security, and long-term maintainability matter.