macOS
brew install vexctllocal Homebrew formula metadata
brew
Tool to create, transform and attest VEX metadata. Version 0.4.4 via Homebrew; verified 2026-06-16.
install
brew install vexctllocal Homebrew formula metadata
nix profile install nixpkgs#vexctlnixpkgs package indexes · pkgs/by-name/ve/vexctl/package.nix · source: api.github.com
sudo zypper install vexctlopenSUSE Tumbleweed package metadata · vexctl · source: download.opensuse.org
overview
Tool to create, transform and attest VEX metadata
history
vexctl is the command-line tool of the OpenVEX project, a security-supply-chain effort for producing and consuming Vulnerability Exploitability eXchange metadata. Its practical role is to let maintainers create, merge, apply, and attest VEX documents so scanners can distinguish exploitable vulnerabilities from findings that are known not to affect a particular product.
The vexctl repository was created in January 2023, the same month Chainguard publicly introduced OpenVEX as a lightweight specification, library, and tool suite aligned with the VEX minimum requirements work associated with NTIA and CISA. The project later became part of OpenSSF's OpenVEX home, where OpenSSF describes vexctl as the flagship CLI for creating, merging, and attesting OpenVEX documents.
OpenVEX sits among several VEX encodings and security-advisory formats. OpenSSF documentation frames OpenVEX as an interoperable and embeddable implementation intended to work independently of a particular SBOM format, alongside CSAF, CycloneDX, and SPDX-based VEX approaches.
By late 2023, OpenSSF described OpenVEX as having a growing community of adopters, with support from companies including Anchore, Chainguard, Intel, and Microsoft. The adoption story is tied less to vexctl as a standalone utility and more to the need for machine-readable vulnerability-status signals that can reduce scanner noise in SBOM-driven workflows.
Canonical's Ubuntu VEX data feed later chose the OpenVEX specification maintained by OpenSSF, citing its clarity, minimalism, compliance, interoperability, and embeddability. That kind of downstream use makes vexctl relevant as a reference CLI for generating and manipulating the same class of documents.
Typical vexctl usage is in supply-chain security and vulnerability-management pipelines: creating OpenVEX statements for products and CVEs, applying those statements to scanner output, merging documents, and producing attestations. Tutorials commonly pair it with scanners such as Trivy to suppress or explain false-positive vulnerability findings without discarding the underlying scan data.
For package maintainers, vexctl is a small but important glue tool in the SBOM/VEX ecosystem. It gives open-source producers a way to publish negative security advisories in a machine-readable format, and gives consumers a command-line path to feed that context into automated vulnerability triage.
security posture
narrow executable package without higher-risk signals.
green risk · low confidence · appliance
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
vexctl | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/openvex/vexctl
install metadata
| Package key | brew:vexctl |
|---|---|
| Version | 0.4.4 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/vexctl |
| Homepage | https://openssf.org/projects/openvex/ |
| Repository | https://github.com/openvex/vexctl |
| Upstream docs | https://github.com/openvex/vexctl |
| License | Apache-2.0 |
| Source archive | https://github.com/openvex/vexctl/archive/refs/tags/v0.4.4.tar.gz |
| Last updated | 2026-06-16T21:43:34Z |
| Pulse | updated |
| Build dependencies | go |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | vexctl |
| Version Scheme | 0 |
| Revision | 0 |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
vexctl
nix profile install nixpkgs#vexctlvexctl 0.4.1+git147.b7e6ef0-1.1
CLI tool to create, transform and attest VEX metadata
https://github.com/openvex/vexctl
sudo zypper install vexctlsource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.