Safeguard
Tag

vex

Safeguard articles tagged "vex" — guides, analysis, and best practices for software supply chain and application security.

22 articles

SBOM

SBOM Distribution Patterns: TEA, VEX, and the Last Mile in 2026

How SBOMs actually move between producers and consumers in 2026, what TEA and VEX are solving, and the distribution patterns that hold up in production.

Jan 22, 20265 min read
Tools

Trivy v0.69 Release Deep Dive

Aqua's Trivy hit v0.69 in late 2025 with VEX-by-default scanning, ArtifactID/ReportID provenance fields, and faster misconfig scanning. We test the upgrade on a 1.2GB image.

Nov 4, 20255 min read
Vulnerability Management

VEX Adoption in the Enterprise: Lessons From Early Adopters

Vulnerability Exploitability eXchange documents promise to reduce alert fatigue by distinguishing exploitable vulnerabilities from theoretical ones. Here is how enterprises are actually using them.

Sep 18, 20257 min read
Concepts

What is a Vulnerability Exploitability eXchange (VEX) Statement

A VEX statement is a machine-readable assertion of whether a product is actually affected by a CVE — the document that stops your customers from triaging your SBOM for you.

Aug 22, 20256 min read
SBOM

VEX Documents: The Missing Context That Makes SBOMs Actio...

SBOMs list every component but stay silent on whether a CVE is actually exploitable. VEX documents supply that missing context — here's how the standard works.

Jul 29, 20257 min read
Vulnerability Management

Vulnerability Prioritization in 2025: EPSS, VEX, and the End of CVSS-Only Triage

CVSS scores alone cannot tell you what to patch first. EPSS exploit prediction and VEX documents are reshaping how mature security teams prioritize vulnerabilities at scale.

May 15, 20258 min read
Comparisons

CycloneDX vs SPDX in Practice: Choosing an SBOM Format

Both formats are standards, both are mandated somewhere, and your tooling probably emits both. What actually differs when you run CycloneDX and SPDX in production.

Oct 23, 20246 min read
Release

Safeguard v3: Compliance-First Supply Chain Security

Safeguard v3 adds compliance framework mapping, automated evidence collection, audit-ready reporting, and VEX document support for regulatory readiness.

Oct 1, 20246 min read
SBOM & Compliance

How to Build a VEX Document for Your Consumers

A hands-on tutorial for producing a CSAF-VEX document that tells your customers which CVEs actually affect your product and which do not.

Jul 22, 20246 min read
DevSecOps

VEX Explained: How Vulnerability Exploitability Exchange Cuts Through Alert Noise

VEX documents let software producers tell consumers which vulnerabilities actually affect their products. Here's how VEX works and why it matters.

Jul 20, 20227 min read
vex (Page 2) — Safeguard Blog