vex
Safeguard articles tagged "vex" — guides, analysis, and best practices for software supply chain and application security.
22 articles
SBOM Distribution Patterns: TEA, VEX, and the Last Mile in 2026
How SBOMs actually move between producers and consumers in 2026, what TEA and VEX are solving, and the distribution patterns that hold up in production.
Trivy v0.69 Release Deep Dive
Aqua's Trivy hit v0.69 in late 2025 with VEX-by-default scanning, ArtifactID/ReportID provenance fields, and faster misconfig scanning. We test the upgrade on a 1.2GB image.
VEX Adoption in the Enterprise: Lessons From Early Adopters
Vulnerability Exploitability eXchange documents promise to reduce alert fatigue by distinguishing exploitable vulnerabilities from theoretical ones. Here is how enterprises are actually using them.
What is a Vulnerability Exploitability eXchange (VEX) Statement
A VEX statement is a machine-readable assertion of whether a product is actually affected by a CVE — the document that stops your customers from triaging your SBOM for you.
VEX Documents: The Missing Context That Makes SBOMs Actio...
SBOMs list every component but stay silent on whether a CVE is actually exploitable. VEX documents supply that missing context — here's how the standard works.
Vulnerability Prioritization in 2025: EPSS, VEX, and the End of CVSS-Only Triage
CVSS scores alone cannot tell you what to patch first. EPSS exploit prediction and VEX documents are reshaping how mature security teams prioritize vulnerabilities at scale.
CycloneDX vs SPDX in Practice: Choosing an SBOM Format
Both formats are standards, both are mandated somewhere, and your tooling probably emits both. What actually differs when you run CycloneDX and SPDX in production.
Safeguard v3: Compliance-First Supply Chain Security
Safeguard v3 adds compliance framework mapping, automated evidence collection, audit-ready reporting, and VEX document support for regulatory readiness.
How to Build a VEX Document for Your Consumers
A hands-on tutorial for producing a CSAF-VEX document that tells your customers which CVEs actually affect your product and which do not.
VEX Explained: How Vulnerability Exploitability Exchange Cuts Through Alert Noise
VEX documents let software producers tell consumers which vulnerabilities actually affect their products. Here's how VEX works and why it matters.