For every container image pushed to Artifact Registry, Artifact Analysis can
store an associated VEX statement. VEX is a type of security advisory that
indicates whether a product is affected by a known vulnerability.
Each statement provides:
The publisher of the VEX Statement
The artifact for which the statement is written
The vulnerability assessment (VEX status) for any known vulnerabilities
Software publishers can create VEX statements to describe the security posture
of an application. VEX statements note any vulnerabilities discovered in
specific artifacts and provide context about their impact to their customers or
regulatory bodies.
Security and policy enforcers can use VEX status to triage risks in
their software supply chains and use VEX statements to attest to the composition
of their artifacts to help organizations meet regulatory requirements.
VEX status
The VEX status indicates whether an artifact is affected by a known
vulnerability.
The status can be one of:
Not affected: No remediation is required regarding this vulnerability.
Affected: Remediation actions are recommended.
Fixed: In this version of the product, a fix has been applied to address
the vulnerability.
Under Investigation: The status of this product is yet to be determined.
The publisher will provide an updated status in a later release.
To get the permissions that
you need to upload VEX assessments and check the VEX status of vulnerabilities,
ask your administrator to grant you the
following IAM roles on the project:
PRODUCT_NAME Human-readable product name for the image.
Takes a string value. The value should be the product's full
canonical name, including version number and other attributes.
LOCATION is the region or multi-regional location of your
repository.
PROJECT_ID is the ID for the project that contains your
repository.
REPO_NAME is the name of your Docker repository in Artifact Registry.
IMAGE_NAME is the name of the image.
CVE_ID is the identifier for the vulnerability, such as
CVE-2017-11164.
PRODUCT_STATUS is the assessment of the security risk.
Artifact Analysis supports four status types: known_affected,
known_not_affected, under_investigation, and fixed.
For each vulnerability that you want to list in your VEX statement, you must
create a cve branch and define the value of the product_status.
The value of the name field in product_tree.branches.name is the image
URI. Including this value associates the VEX statement to a specific Docker
image.
What's next
Upload VEX statements your existing VEX statements or VEX
statements provided by other publishers.
Prioritize vulnerability issues using VEX. Learn how to
view VEX statements and filter vulnerabilities by VEX status.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eVEX (Vulnerability Exploitability eXchange) statements are security advisories that indicate whether a product is affected by a known vulnerability, and Artifact Analysis can store them for container images in Artifact Registry.\u003c/p\u003e\n"],["\u003cp\u003eVEX statements detail the publisher, the artifact, and the vulnerability assessment, providing context about the impact of any vulnerabilities discovered.\u003c/p\u003e\n"],["\u003cp\u003eVEX status options include "Not affected," "Affected," "Fixed," and "Under Investigation," each offering different guidance on the need for remediation.\u003c/p\u003e\n"],["\u003cp\u003eCreating VEX statements requires the use of the CSAF (Common Security Advisory Format) 2.0 standard in JSON and defining the \u003ccode\u003eproduct_status\u003c/code\u003e for each CVE (Common Vulnerabilities and Exposures) branch.\u003c/p\u003e\n"],["\u003cp\u003eTo begin, you must have container images stored in an Artifact Registry repository and possess the necessary IAM roles, such as Container Analysis Notes Editor, to create and update notes.\u003c/p\u003e\n"]]],[],null,["# Create VEX statements\n\n| **Preview**\n|\n|\n| This feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n\nThis document describes how to create\n[Vulnerability Exploitability eXchange (VEX)](https://www.cisa.gov/sites/default/files/2023-04/minimum-requirements-for-vex-508c.pdf) statements.\n\nFor every container image pushed to Artifact Registry, Artifact Analysis can\nstore an associated VEX statement. VEX is a type of security advisory that\nindicates whether a product is affected by a known vulnerability.\n\nEach statement provides:\n\n- The publisher of the VEX Statement\n- The artifact for which the statement is written\n- The vulnerability assessment (VEX status) for any known vulnerabilities\n\nSoftware publishers can create VEX statements to describe the security posture\nof an application. VEX statements note any vulnerabilities discovered in\nspecific artifacts and provide context about their impact to their customers or\nregulatory bodies.\n\nSecurity and policy enforcers can use VEX status to triage risks in\ntheir software supply chains and use VEX statements to attest to the composition\nof their artifacts to help organizations meet regulatory requirements.\n\nVEX status\n----------\n\nThe VEX status indicates whether an artifact is affected by a known\nvulnerability.\n\nThe status can be one of:\n\n- **Not affected**: No remediation is required regarding this vulnerability.\n- **Affected**: Remediation actions are recommended.\n- **Fixed**: In this version of the product, a fix has been applied to address the vulnerability.\n- **Under Investigation**: The status of this product is yet to be determined. The publisher will provide an updated status in a later release.\n\nBefore you begin\n----------------\n\n- [Sign in](https://accounts.google.com/Login) to your Google Account.\n\n If you don't already have one, [sign up for a new account](https://accounts.google.com/SignUp).\n- In the Google Cloud console, on the project selector page,\n select or create a Google Cloud project.\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n\n [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)\n-\n [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\n-\n\n\n Enable the Container Analysis, Artifact Registry APIs.\n\n\n [Enable the APIs](https://console.cloud.google.com/flows/enableapi?apiid=https://containeranalysis.googleapis.com, https://artifactregistry.googleapis.com)\n-\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n | **Note:** If you installed the gcloud CLI previously, make sure you have the latest version by running `gcloud components update`.\n- If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n-\n To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:\n\n ```bash\n gcloud init\n ```\n\n- In the Google Cloud console, on the project selector page,\n select or create a Google Cloud project.\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n\n [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)\n-\n [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\n-\n\n\n Enable the Container Analysis, Artifact Registry APIs.\n\n\n [Enable the APIs](https://console.cloud.google.com/flows/enableapi?apiid=https://containeranalysis.googleapis.com, https://artifactregistry.googleapis.com)\n-\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n | **Note:** If you installed the gcloud CLI previously, make sure you have the latest version by running `gcloud components update`.\n- If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n-\n To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:\n\n ```bash\n gcloud init\n ```\n\n1. Have container images stored in an Artifact Registry repository, or [create a repository](/artifact-registry/docs/repositories/create-repos) and [push your images](/artifact-registry/docs/docker/pushing-and-pulling).\n\n\u003cbr /\u003e\n\nRequired roles\n--------------\n\n\nTo get the permissions that\nyou need to upload VEX assessments and check the VEX status of vulnerabilities,\n\nask your administrator to grant you the\nfollowing IAM roles on the project:\n\n- To create and update notes: [Container Analysis Notes Editor](/iam/docs/roles-permissions/containeranalysis#containeranalysis.notes.editor) (`roles/containeranalysis.notes.editor`)\n\n\nFor more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).\n\n\nYou might also be able to get\nthe required permissions through [custom\nroles](/iam/docs/creating-custom-roles) or other [predefined\nroles](/iam/docs/roles-overview#predefined).\n\nCreate VEX statements\n---------------------\n\nArtifact Analysis supports the\n[Common Security Advisory Format (CSAF)](https://oasis-open.github.io/csaf-documentation/) 2.0 standard in JSON. To\nproduce a new VEX statement, use the [CSAF schema](https://github.com/oasis-tcs/csaf/blob/master/csaf_2.0/json_schema/csaf_json_schema.json).\n\nThe following is an example of a VEX statement for an image in Artifact Registry\nwith one `cve` branch for a known vulnerability.\n\nYou must define the value of the `product_status` for each CVE. \n\n\n {\n \"document\": {\n \"csaf_version\": \"2.0\",\n \"lang\": \"en-US\",\n \"publisher\": {\n \"name\": \"Sample-Company\",\n \"namespace\": \"https://sample-company.com\"\n },\n \"title\": \"Vex document 1.1\"\n },\n \"product_tree\": {\n \"branches\": [\n {\n \"name\": \"https://\u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e-docker.pkg.dev/\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e/\u003cvar translate=\"no\"\u003eREPO_NAME\u003c/var\u003e/\u003cvar translate=\"no\"\u003eIMAGE_NAME\u003c/var\u003e\",\n \"product\": {\n \"name\": \"\u003cvar translate=\"no\"\u003ePRODUCT_NAME\u003c/var\u003e\",\n \"product_id\": \"\u003cvar translate=\"no\"\u003eIMAGE_NAME\u003c/var\u003e\"\n }\n }\n ]\n },\n \"vulnerabilities\": [\n {\n \"cve\": \"\u003cvar translate=\"no\"\u003eCVE_ID\u003c/var\u003e\",\n \"product_status\": {\n \"\u003cvar translate=\"no\"\u003ePRODUCT_STATUS\u003c/var\u003e\": [\n \"\u003cvar translate=\"no\"\u003eIMAGE_NAME\u003c/var\u003e\"\n ]\n }\n }\n ]\n }\n\nWhere\n\n- \u003cvar translate=\"no\"\u003ePRODUCT_NAME\u003c/var\u003e Human-readable product name for the image. Takes a string value. The value should be the product's full canonical name, including version number and other attributes.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e is the region or multi-regional location of your repository.\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e is the ID for the project that contains your repository.\n- \u003cvar translate=\"no\"\u003eREPO_NAME\u003c/var\u003e is the name of your Docker repository in Artifact Registry.\n- \u003cvar translate=\"no\"\u003eIMAGE_NAME\u003c/var\u003e is the name of the image.\n- \u003cvar translate=\"no\"\u003eCVE_ID\u003c/var\u003e is the identifier for the vulnerability, such as `CVE-2017-11164`.\n- \u003cvar translate=\"no\"\u003ePRODUCT_STATUS\u003c/var\u003e is the assessment of the security risk. Artifact Analysis supports four status types: `known_affected`, `known_not_affected`, `under_investigation`, and `fixed`.\n\nFor each vulnerability that you want to list in your VEX statement, you must\ncreate a `cve` branch and define the value of the `product_status`.\n\nThe value of the `name` field in `product_tree.branches.name` is the image\nURI. Including this value associates the VEX statement to a specific Docker\nimage.\n\nWhat's next\n-----------\n\n- [Upload VEX statements](/artifact-analysis/docs/upload-vex) your existing VEX statements or VEX statements provided by other publishers.\n- Prioritize vulnerability issues using VEX. Learn how to [view VEX statements](/artifact-analysis/docs/view-vex) and filter vulnerabilities by VEX status."]]
