I'm getting really frustrated with constantly patching every CVE that my scanners highlight. Many of them don't even lead to real-world exploits, which just adds to the noise and causes patch fatigue. I'm looking for tools or feeds that can actually notify me when a CVE present in my container images is being exploited in the wild. I'm not interested in just CVSS scores or theoretical impacts; I want genuine threat intelligence showing active exploitation. It would be great to focus on patches that matter based on real risks rather than just severity ratings.
5 Answers
Definitely check out CISA's KEV catalog along with the EPSS model. It gives a predictive probability score (0-100%) on whether a CVE will be exploited in the next 30 days. You can even use it as a plugin for Trivy. Links like [this one for EPSS](https://www.first.org/epss/) and [this plugin for Trivy](https://github.com/melmorabity/trivy-plugin-epss) should help. Also, tools like Wiz can automate this for you!
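As an added illustration of the KEV-plus-EPSS approach described in this answer (example code, not from the original thread or from any of the tools named): the script below takes scanner findings for one image and ranks them by exploitation evidence instead of CVSS. The KEV snapshot, EPSS rows and findings are constructed inline in the shape of the published feeds, with placeholder CVE ids; the 10% EPSS threshold is an assumed policy value.

```python
import csv
import io
import json

# Constructed snapshot shaped like the CISA KEV JSON feed (placeholder CVE ids, not real ones).
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dateAdded": "2024-01-10", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0003", "dateAdded": "2024-03-02", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed rows shaped like the FIRST EPSS CSV export (epss = probability 0-1 over 30 days).
EPSS_CSV = """cve,epss,percentile
CVE-0000-0001,0.94213,0.99871
CVE-0000-0002,0.00045,0.12004
CVE-0000-0003,0.21500,0.96110
CVE-0000-0004,0.00190,0.51200
"""

# Constructed findings as a container scanner might report them: (cve, cvss_base, package).
SCAN_FINDINGS = [
    ("CVE-0000-0001", 7.5, "libexample"),
    ("CVE-0000-0002", 9.8, "libother"),
    ("CVE-0000-0003", 6.1, "libthird"),
    ("CVE-0000-0004", 9.1, "libfourth"),
]

def load_kev(raw):
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def load_epss(raw):
    return {r["cve"]: float(r["epss"]) for r in csv.DictReader(io.StringIO(raw))}

def triage(findings, kev, epss, epss_threshold=0.10):
    """Tier 1: listed in KEV (exploited in the wild), ransomware-linked first.
    Tier 2: EPSS at or above the threshold. Tier 3: everything else, whatever its CVSS."""
    rows = []
    for cve, cvss, pkg in findings:
        p = epss.get(cve, 0.0)  # CVE absent from EPSS: score as 0 but it still shows up in tier 3
        ransomware = kev.get(cve, {}).get("knownRansomwareCampaignUse") == "Known"
        if cve in kev:
            tier, reason = 1, "KEV" + (" (ransomware)" if ransomware else "")
        else:
            tier, reason = (2 if p >= epss_threshold else 3), f"EPSS {p:.1%}"
        rows.append({"cve": cve, "package": pkg, "cvss": cvss, "epss": p,
                     "tier": tier, "ransomware": ransomware, "reason": reason})
    # Within a tier: ransomware use first, then higher EPSS; CVSS is only the final tiebreak.
    return sorted(rows, key=lambda r: (r["tier"], not r["ransomware"], -r["epss"], -r["cvss"]))

if __name__ == "__main__":
    for r in triage(SCAN_FINDINGS, load_kev(KEV_JSON), load_epss(EPSS_CSV)):
        print(f"tier {r['tier']}  {r['cve']}  {r['package']:<10} cvss={r['cvss']:<4} {r['reason']}")
```

Note that the CVSS 9.8 finding ends up last: with no KEV entry and a negligible EPSS score it is exactly the kind of item the question wants pushed out of the patch-now queue.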
You might want to keep an eye on the dark web—sometimes your data might end up for sale there, or you could receive a ransom email regarding exploited vulnerabilities.
We have an advanced security system integrated with our repository manager that analyzes context to determine if a vulnerability truly applies. If something is exploitable, we get comprehensive evidence about its relevance, reducing unnecessary noise in our workflow.
CISA KEV is definitely your go-to. It tracks CVEs that are being exploited in real life, and EPSS scores indicate the likelihood of future exploitation. Most vulnerability scanners just generate noise, so switching to tools like Minimus that focus on real exploit intel can really cut down on unnecessary patching.
Instead of focusing solely on what's currently exploited, consider assessing whether the CVE exploits are applicable to your environment and threat model. This way, you can decide whether to fix, mitigate, or ignore them based on your unique situation.
