Upload VEX statements

This document describes how to upload existing Vulnerability Exploitability eXchange (VEX) statements to Artifact Analysis. You can also upload statements provided by other publishers.

VEX statements must be formatted according to the Common Security Advisory Format (CSAF) 2.0 standard in JSON.

Required roles

To get the permissions that you need to upload VEX assessments and check the VEX status of vulnerabilities, ask your administrator to grant you the following IAM roles on the project:

For more information about granting roles, see Manage access.

You might also be able to get the required permissions through custom roles or other predefined roles.

Upload VEX statements

Run the artifacts vulnerabilities load-vex command to upload VEX data and store it in Artifact Analysis:

gcloud artifacts vulnerabilities load-vex /
    --source CSAF_SOURCE /
    --uri RESOURCE_URI /


  • CSAF_SOURCE is the path to your VEX statement file stored locally. The file must be a JSON file following the CSAF schema.
  • RESOURCE_URI can be one of:
    • the complete URL of the image, similar to https://LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE_ID@sha256:HASH.
    • the image URL, similar to https://LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE_ID.

Artifact Analysis converts your VEX statements to Grafeas VulnerabilityAssessment notes.

Artifact Analysis stores vulnerability assessment notes as one note per CVE. Notes are stored in the Container Analysis API, within the same project as the specified image.

When you upload VEX statements, Artifact Analysis also carries VEX status information into associated vulnerability occurrences so that you can filter vulnerabilities by VEX status. If a VEX statement is applied to an image, Artifact Analysis will carry over the VEX status to all versions of that image, including newly pushed versions.

If a single version has two VEX statements, one written for the resource URL and one written for the associated image URL, the VEX statement written for the resource URL will take precedence and will be carried over to the vulnerability occurrence.

What's next