{"id":37205400,"url":"https://github.com/chainguard-dev/vex","last_synced_at":"2026-01-14T23:40:02.171Z","repository":{"id":60602503,"uuid":"529720298","full_name":"chainguard-dev/vex","owner":"chainguard-dev","description":"vexctl is a tool to attest VEX impact statements","archived":true,"fork":false,"pushed_at":"2023-03-27T02:28:56.000Z","size":908,"stargazers_count":44,"open_issues_count":24,"forks_count":12,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-03-22T00:05:28.123Z","etag":null,"topics":["attestation","container","csaf","sarif","sbom","scanner","vex","vulnerability","vulnerability-detection"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chainguard-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-08-27T23:40:04.000Z","updated_at":"2024-08-16T18:43:46.000Z","dependencies_parsed_at":"2024-06-18T20:09:30.735Z","dependency_job_id":"8bb903ae-89ef-45d9-908b-3a4248cbf1ba","html_url":"https://github.com/chainguard-dev/vex","commit_stats":{"total_commits":113,"total_committers":9,"mean_commits":"12.555555555555555","dds":0.4513274336283186,"last_synced_commit":"e552f36c1e5204b12b9ec96467c3dbee70b78949"},"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/chainguard-dev/vex","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fvex","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fvex/tags","releases_url":"https://
repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fvex/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fvex/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chainguard-dev","download_url":"https://codeload.github.com/chainguard-dev/vex/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fvex/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28439340,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T22:37:52.437Z","status":"ssl_error","status_checked_at":"2026-01-14T22:37:31.496Z","response_time":107,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["attestation","container","csaf","sarif","sbom","scanner","vex","vulnerability","vulnerability-detection"],"created_at":"2026-01-14T23:40:01.604Z","updated_at":"2026-01-14T23:40:02.156Z","avatar_url":"https://github.com/chainguard-dev.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n# Archival Notice\n\nThis repository has been archived. 
The work initially done here \ngrew to become the [OpenVEX project](https://openvex.dev).\n\nThe code originally hosted in this repo is now split into a couple\nof repositories in the [OpenVEX GitHub organization](https://github.com/openvex)\nlike [vexctl](https://github.com/openvex/vexctl),\n[go-vex](https://github.com/openvex/go-vex)\nand the [OpenVEX spec](https://github.com/openvex/spec).\n\nThanks for your support!\n\n:heart: Chainguard\n---\n\n\n# vexctl: A tool to make VEX work\n\n`vexctl` is a tool to apply and attest VEX (Vulnerability Exploitability eXchange)\ndata. Its purpose is to \"turn off\" alerts of vulnerabilities known not to affect\na product.\n\nVEX can be thought of as a \"negative security advisory\". Using VEX, software authors\ncan communicate to their users that a vulnerable component has no security\nimplications for their product.\n\n## Operational Model\n\nTo achieve its mission, `vexctl` has two main modes of operation. One\nhelps the user create VEX statements; the second applies the VEX data\nto scanner results.\n\n### 1. Create VEX Statements\n\nVEX data can be written to a file on disk or it can be captured in a\nsigned attestation which can be attached to a container image.\n\nThe data is generated from a known rule set (the Golden Data) which is\nreused and reapplied to new releases of the same project.\n\n#### Generation Examples\n\n```\n# Attest and attach vex statements in mydata.vex.json to a container image:\nvexctl attest --attach --sign mydata.vex.json cgr.dev/image@sha256:e4cf37d568d195b4..\n\n```\n\n### 2. 
VEXing a Results Set\n\nUsing statements in a VEX document or from an attestation, `vexctl` will filter\nsecurity scanner results to remove _vexed out_ entries.\n\n#### Filtering Examples\n\n```\n# From a VEX file:\nvexctl filter scan_results.sarif.json vex_data.csaf\n\n\n# From a stored VEX attestation:\nvexctl filter scan_results.sarif.json cgr.dev/image@sha256:e4cf37d568d195b4b5af4c36a...\n\n```\n\nThe output from both examples will be the same SARIF results data\nwithout those vulnerabilities stated as not exploitable:\n\n```json\n{\n  \"version\": \"2.1.0\",\n  \"$schema\": \"https://json.schemastore.org/sarif-2.1.0-rtm.5.json\",\n  \"runs\": [\n    {\n      \"tool\": {\n        \"driver\": {\n          \"fullName\": \"Trivy Vulnerability Scanner\",\n          \"informationUri\": \"https://github.com/aquasecurity/trivy\",\n          \"name\": \"Trivy\",\n          \"rules\": [\n\n```\n\nWe support results files in SARIF for now. We plan to add support for the\nproprietary formats of the most popular scanners.\n\n### Multiple VEX Files\n\nAssessing impact is a process that takes time. VEX is designed to\ncommunicate with users as time progresses. An example timeline may look like\nthis:\n\n1. A project becomes aware of `CVE-2022-12345`, associated with one of its components.\n2. Developers issue a VEX data file with a status of `under_investigation` to\ninform their users they are aware of the CVE but are checking what impact it has.\n3. After investigation, the developers determine the CVE has no impact\nin their project because the vulnerable function in the component is never executed.\n4. 
They issue a second VEX document with a status of `not_affected` and using\nthe `vulnerable_code_not_in_execute_path` justification.\n\n`vexctl` will read all the documents in chronological order and \"replay\" the\nknown impact statuses in the order they were found, effectively computing the\n`not_affected` status.\n\nIf a SARIF report is VEX'ed with `vexctl`, any entries alerting of CVE-2022-12345\nwill be filtered out.\n\n## Build vexctl\n\nTo build `vexctl`, clone this repository and simply run make.\n\n```console\ngit clone git@github.com:chainguard-dev/vex.git\ncd vex\nmake\n\n./vexctl version\n _   _  _____ __   __ _____  _____  _\n| | | ||  ___|\\ \\ / //  __ \\|_   _|| |\n| | | || |__   \\ V / | /  \\/  | |  | |\n| | | ||  __|  /   \\ | |      | |  | |\n\\ \\_/ /| |___ / /^\\ \\| \\__/\\  | |  | |____\n \\___/ \\____/ \\/   \\/ \\____/  \\_/  \\_____/\nvexctl: A tool for working with VEX data\n\nGitVersion:    devel\nGitCommit:     unknown\nGitTreeState:  unknown\nBuildDate:     unknown\nGoVersion:     go1.19\nCompiler:      gc\nPlatform:      linux/amd64\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchainguard-dev%2Fvex","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchainguard-dev%2Fvex","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchainguard-dev%2Fvex/lists"}