← Back to Blog

Creating OpenVEX Documents Based on a Container Image

Sharing your internal vulnerability management knowledge with your customers establishes trust and removes security noise from their use of your container images.

A Vulnerability Exploitability eXchange (VEX) document is the mechanism used to tell a security scanner to not alert on specific issues that don’t affect your product. A report can also confirm that an issue affects your software.

Customers will scan your containers

Many SaaS platforms have downloadable components that customers run themselves, such as connectors, agents or migration tools. It’s logical for a customer to scan a container image you distribute before running it in their environment.

It’s not ideal for them to see a slew of security issues. It’s doubly bad if these issues are ones that your team has already triaged and ignored because they don’t affect your software.

Creating a VEX document about a container image

EdgeBit supports the OpenVEX standard for VEX reports. These can be created manually with vexctl or automatically by platforms like EdgeBit.

Manually creating a VEX report about an OCI artifact

The subject, or product of the VEX report should be the SHA256 of the OCI repo digest, in a very specific format:


This can be passed to vexctl along with other data:

vexctl create --product="pkg:oci/alpine@sha256:c5b1261d6..." \
  --vuln="CVE-2024-2511" \
  --status="not_affected" \

This document is now ready to be distributed to your customers and passed into scanners such as Grype or Trivy. Here’s what two supressed issues look like in Grype. Note that if you didn’t pass --show-suppressed you wouldn’t see these at all.

$ grype alpine:latest --vex alpine.vex.json --show-suppressed
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                                                                  alpine:latest
 ✔ Parsed image                                           sha256:ace17d5d883e9ea5a21138d060...
 ✔ Cataloged packages              [16 packages]
 ✔ Scanned for vulnerabilities     [12 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 12 medium, 0 low, 0 negligible (2 unknown)
   └── by status:   2 fixed, 12 not-fixed, 2 ignored
busybox        1.36.1-r15            apk   CVE-2023-42366  Medium
busybox        1.36.1-r15            apk   CVE-2023-42365  Medium
busybox        1.36.1-r15            apk   CVE-2023-42364  Medium
busybox        1.36.1-r15            apk   CVE-2023-42363  Medium
busybox-binsh  1.36.1-r15            apk   CVE-2023-42366  Medium
busybox-binsh  1.36.1-r15            apk   CVE-2023-42365  Medium
busybox-binsh  1.36.1-r15            apk   CVE-2023-42364  Medium
busybox-binsh  1.36.1-r15            apk   CVE-2023-42363  Medium
libcrypto3     3.1.4-r5    3.1.4-r6  apk   CVE-2024-2511   Unknown (suppressed by VEX)
libssl3        3.1.4-r5    3.1.4-r6  apk   CVE-2024-2511   Unknown (suppressed by VEX)
ssl_client     1.36.1-r15            apk   CVE-2023-42366  Medium
ssl_client     1.36.1-r15            apk   CVE-2023-42365  Medium
ssl_client     1.36.1-r15            apk   CVE-2023-42364  Medium
ssl_client     1.36.1-r15            apk   CVE-2023-42363  Medium

EdgeBit’s automatically generated VEX reports

EdgeBit generates up-to-the-millisecond accurate VEX reports based on your security team’s triage, the real-time context from how your app is running on your server fleet and the current database of known vulnerabilities.

When a security issue in your software is first found, supressed or remediated, the VEX document is regenerated. For open issues, the statement communicates whether the issue is found to affect or not affect your app based on how it’s observed while running.

For many use-cases, a VEX document is more useful than providing a Vulnerability Disclosure Report (VDR) and contains a superset of the same information. Reach out to the EdgeBit team to discuss your specific circumstances.

Cut through the noise in vulnerability management

Less investigation toil.

More action on real issues.

Happy engineers.

Request Demo
Close Video