Automic VaultAutomic Vault

brew

Install vexctl with Homebrew, Nix, zypper

Tool to create, transform and attest VEX metadata. Version 0.4.4 via Homebrew; verified 2026-06-16.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install vexctl

local Homebrew formula metadata

Linux

Nixverified · 92%
nix profile install nixpkgs#vexctl

nixpkgs package indexes · pkgs/by-name/ve/vexctl/package.nix · source: api.github.com

openSUSE zypperverified · 92%
sudo zypper install vexctl

openSUSE Tumbleweed package metadata · vexctl · source: download.opensuse.org

overview

Package summary

Tool to create, transform and attest VEX metadata

Commands and aliases

  • vexctl

history

Project history and usage

vexctl is the command-line tool of the OpenVEX project, a security-supply-chain effort for producing and consuming Vulnerability Exploitability eXchange metadata. Its practical role is to let maintainers create, merge, apply, and attest VEX documents so scanners can distinguish exploitable vulnerabilities from findings that are known not to affect a particular product.

Project history

The vexctl repository was created in January 2023, the same month Chainguard publicly introduced OpenVEX as a lightweight specification, library, and tool suite aligned with the VEX minimum requirements work associated with NTIA and CISA. The project later became part of OpenSSF's OpenVEX home, where OpenSSF describes vexctl as the flagship CLI for creating, merging, and attesting OpenVEX documents.

OpenVEX sits among several VEX encodings and security-advisory formats. OpenSSF documentation frames OpenVEX as an interoperable and embeddable implementation intended to work independently of a particular SBOM format, alongside CSAF, CycloneDX, and SPDX-based VEX approaches.

Adoption history

By late 2023, OpenSSF described OpenVEX as having a growing community of adopters, with support from companies including Anchore, Chainguard, Intel, and Microsoft. The adoption story is tied less to vexctl as a standalone utility and more to the need for machine-readable vulnerability-status signals that can reduce scanner noise in SBOM-driven workflows.

Canonical's Ubuntu VEX data feed later chose the OpenVEX specification maintained by OpenSSF, citing its clarity, minimalism, compliance, interoperability, and embeddability. That kind of downstream use makes vexctl relevant as a reference CLI for generating and manipulating the same class of documents.

How it is used

Typical vexctl usage is in supply-chain security and vulnerability-management pipelines: creating OpenVEX statements for products and CVEs, applying those statements to scanner output, merging documents, and producing attestations. Tutorials commonly pair it with scanners such as Trivy to suppress or explain false-positive vulnerability findings without discarding the underlying scan data.

Why package nerds care

For package maintainers, vexctl is a small but important glue tool in the SBOM/VEX ecosystem. It gives open-source producers a way to publish negative security advisories in a machine-readable format, and gives consumers a command-line path to feed that context into automated vulnerability triage.

Timeline

  • 2023-01: The openvex/vexctl GitHub repository was created, and Chainguard introduced OpenVEX as an open-source VEX specification and tool suite.
  • 2023-07: OpenSSF's Vulnerability Disclosures Working Group discussed planned updates to both the OpenVEX specification and vexctl tooling after OpenVEX's first months as an OpenSSF project.
  • 2023-12: OpenSSF described OpenVEX as housed in OpenSSF and supported by a growing community of adopters.
  • 2026-06: GitHub releases show vexctl continuing with v0.4.x releases.

Sources

security posture

Risk level: green

narrow executable package without higher-risk signals.

Risk classifier

green risk · low confidence · appliance

Why

  • narrow executable package without higher-risk signals

Signals

  • metadata:no-higher-risk-signals

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
vexctlcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version0.4.4
manager updated2026-06-16
local dataok
upstreamcurrent
latest detectedv0.4.4

https://github.com/openvex/vexctl

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:vexctl
Version0.4.4
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/vexctl
Homepagehttps://openssf.org/projects/openvex/
Repositoryhttps://github.com/openvex/vexctl
Upstream docshttps://github.com/openvex/vexctl
LicenseApache-2.0
Source archivehttps://github.com/openvex/vexctl/archive/refs/tags/v0.4.4.tar.gz
Last updated2026-06-16T21:43:34Z
Pulseupdated
Build dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namevexctl
Version Scheme0
Revision0
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

vexctl

nix profile install nixpkgs#vexctl
  • normalized package name match
  • Matched by: Vexctl
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/ve/vexctl/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
zypper95%

vexctl 0.4.1+git147.b7e6ef0-1.1

CLI tool to create, transform and attest VEX metadata

https://github.com/openvex/vexctl

sudo zypper install vexctl
  • License: Apache-2.0
  • Category: Productivity/Security
  • Architecture: x86_64
  • Source Package: vexctl
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Vexctl
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: vexctl from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment