General Availability of GHSA Vendor Severity Support
Overview
Aqua Security announces the General Availability (GA) of GHSA Vendor Severity support across all supported programming languages. This enhancement introduces more accurate severity scoring for both existing and future CVEs by using data directly from GitHub Security Advisories (GHSA).
What’s New
- Image Assurance calculations for programming-language package CVEs now use GHSA severity (when available) instead of NVD severity.
- The change is configurable and disabled by default to minimize disruption.
- This update does not introduce new CVEs—only changes how existing ones are scored.
- The ability to disable GHSA-specific severity will be removed in June 2026.
Note that NVD can still be configured as the system-wide preferred severity source.
Why It Matters
Package maintainers and advisory authors often provide more accurate and ecosystem-specific severity ratings than NVD. GHSA prioritization improves accuracy and reduces false confidence in generic scores.
Summary of Severity Impacts
- CVEs with the same severity: 81.5%
- CVEs with updated severity: 18.5%
  - Lowered severity: 61% of changed (11.2% of total)
  - Increased severity: 39% of changed (7.2% of total)
Availability
- Effective Date: U10 (with CyberCenter update)
- Default Behavior: GHSA prioritization disabled by default to avoid compliance drift.
- Opt-In: Customers can enable GHSA severity scoring at any time.
- Forced Opt-In: June 2026 Release.
How to Enable GHSA Vendor Severity
- Navigate in Aqua Workload Protection to: Settings → Scan Settings
- Enable GHSA Vendor Advisories (the setting reads: “Use GHSA Vendor Advisories as the primary data source.”)
- Rescan images.
- Review updated compliance status based on new severities.
Impact
- Immediate Impact: None (disabled by default).
- Post-Enablement: Once enabled or after June 2026, programming language CVEs will use GHSA severity in place of NVD.
- Customers may observe severity and score changes upon rescanning, potentially affecting image compliance status.
Learn More
A full list of updated CVEs is available in the related Knowledge Base article. Customers can compare these against their known programming-language CVEs to assess impact. For questions, contact your Aqua Customer Success Team.
Data Comparison
Please review the GHSA_severity_change.xlsx for the full list of CVEs and their corresponding severity for NVD and the new GHSA support.
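To make the scoring change concrete, the following is an added Python illustration, not Aqua's own code: Aqua's internal record layout and assurance policy are not published on this page, so the field names, the "fail at high" policy threshold and the CVE records are all constructed for the example. It shows the source selection described under What's New and Impact (GHSA severity when the option is enabled and an advisory exists, NVD otherwise), how an image's compliance status can flip in either direction on rescan, and the same/lowered/increased tally used in the Summary of Severity Impacts, run over a handful of constructed records in place of the spreadsheet.

```python
"""Effective-severity selection and change summary for GHSA vs. NVD scoring.

Added illustration, not Aqua's code. Field names, the policy threshold and
the CVE records below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Ordinal ranking so severities can be compared. "unknown" is not an NVD or
# GHSA rating; it marks a CVE that has no rating from the selected source.
SEVERITY_RANK = {"unknown": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    package: str                   # language-ecosystem package affected
    nvd_severity: Optional[str]    # None when NVD has not scored the CVE yet
    ghsa_severity: Optional[str]   # None when no GHSA advisory exists


def effective_severity(rec: CveRecord, ghsa_preferred: bool) -> str:
    """Return the severity the assurance calculation would use for this CVE.

    With the GHSA option enabled, the GHSA rating wins when one exists and
    NVD is only the fallback; with it disabled (the default), NVD is used.
    """
    if ghsa_preferred and rec.ghsa_severity:
        return rec.ghsa_severity.lower()
    return (rec.nvd_severity or "unknown").lower()


def image_compliant(records: Iterable[CveRecord], ghsa_preferred: bool,
                    fail_at: str = "high") -> bool:
    """Constructed assurance policy: fail the image if any CVE reaches fail_at."""
    threshold = SEVERITY_RANK[fail_at]
    return all(SEVERITY_RANK[effective_severity(r, ghsa_preferred)] < threshold
               for r in records)


def severity_change_summary(records: Iterable[CveRecord]) -> dict:
    """Tally same / lowered / increased when GHSA scoring replaces NVD scoring.

    CVEs without a GHSA rating keep their NVD score and so count as "same";
    a CVE that NVD has not rated but GHSA has counts as "increased".
    """
    counts = {"same": 0, "lowered": 0, "increased": 0}
    for r in records:
        before = SEVERITY_RANK[effective_severity(r, ghsa_preferred=False)]
        after = SEVERITY_RANK[effective_severity(r, ghsa_preferred=True)]
        if after == before:
            counts["same"] += 1
        elif after < before:
            counts["lowered"] += 1
        else:
            counts["increased"] += 1
    return counts


# Constructed sample records; the CVE ids are placeholders, not real entries.
SAMPLE_CVES = [
    CveRecord("CVE-0000-0001", "pkg-a (npm)",   "high",     "medium"),    # GHSA lowers
    CveRecord("CVE-0000-0002", "pkg-b (pypi)",  "medium",   "high"),      # GHSA raises
    CveRecord("CVE-0000-0003", "pkg-c (maven)", "critical", "critical"),  # unchanged
    CveRecord("CVE-0000-0004", "pkg-d (gem)",   "medium",   None),        # no GHSA advisory
    CveRecord("CVE-0000-0005", "pkg-e (go)",    None,       "low"),       # NVD not yet scored
]

if __name__ == "__main__":
    # Two constructed images: the first becomes compliant once GHSA severity
    # is preferred, the second stops being compliant.
    image_one = [SAMPLE_CVES[0], SAMPLE_CVES[3]]
    image_two = [SAMPLE_CVES[1], SAMPLE_CVES[3]]
    for name, image in (("image_one", image_one), ("image_two", image_two)):
        print(name, "NVD:", image_compliant(image, False),
              "GHSA:", image_compliant(image, True))
    print("change summary:", severity_change_summary(SAMPLE_CVES))
```

Running the module shows the two-way effect the Impact section warns about: an image that failed on an NVD "high" can pass once the GHSA advisory rates the same CVE "medium", while another image can start failing when GHSA rates a CVE higher than NVD. The same tally function, pointed at the full spreadsheet instead of the sample list, reproduces the same/lowered/increased breakdown for a customer's own CVE inventory.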