# Install vexctl with Homebrew, Nix, zypper

Tool to create, transform and attest VEX metadata. Version 0.4.4 via Homebrew; verified 2026-06-16.

## Install

```sh
sudo av install brew:vexctl
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install vexctl
```

  Evidence: local Homebrew formula metadata

### Linux

- Nix (92%):

```sh
nix profile install nixpkgs#vexctl
```

  Evidence: nixpkgs package indexes: pkgs/by-name/ve/vexctl/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- zypper (92%):

```sh
sudo zypper install vexctl
```

  Evidence: openSUSE Tumbleweed package metadata: vexctl from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

## Package facts

- **Package key:** brew:vexctl
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/vexctl>
- **Version:** 0.4.4
- **Source summary:** Tool to create, transform and attest VEX metadata
- **Homepage:** <https://openssf.org/projects/openvex/>
- **Repository:** <https://github.com/openvex/vexctl>
- **Upstream docs:** <https://github.com/openvex/vexctl>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/openvex/vexctl/archive/refs/tags/v0.4.4.tar.gz>
- **Last updated:** 2026-06-16T21:43:34Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- vexctl (cli)
- vexctl (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 0.4.4
- Package-manager updated: 2026-06-16
- Local data: ok
- Upstream repository: https://github.com/openvex/vexctl
- Upstream latest detected: v0.4.4 (current)
## Project history and usage

vexctl is the command-line tool of the OpenVEX project, a security-supply-chain effort for producing and consuming Vulnerability Exploitability eXchange metadata. Its practical role is to let maintainers create, merge, apply, and attest VEX documents so scanners can distinguish exploitable vulnerabilities from findings that are known not to affect a particular product.

### Project history

The vexctl repository was created in January 2023, the same month Chainguard publicly introduced OpenVEX as a lightweight specification, library, and tool suite aligned with the VEX minimum requirements work associated with NTIA and CISA. The project later became part of OpenSSF's OpenVEX home, where OpenSSF describes vexctl as the flagship CLI for creating, merging, and attesting OpenVEX documents.

OpenVEX sits among several VEX encodings and security-advisory formats. OpenSSF documentation frames OpenVEX as an interoperable and embeddable implementation intended to work independently of a particular SBOM format, alongside CSAF, CycloneDX, and SPDX-based VEX approaches.

### Adoption history

By late 2023, OpenSSF described OpenVEX as having a growing community of adopters, with support from companies including Anchore, Chainguard, Intel, and Microsoft. The adoption story is tied less to vexctl as a standalone utility and more to the need for machine-readable vulnerability-status signals that can reduce scanner noise in SBOM-driven workflows.

Canonical's Ubuntu VEX data feed later chose the OpenVEX specification maintained by OpenSSF, citing its clarity, minimalism, compliance, interoperability, and embeddability. That kind of downstream use makes vexctl relevant as a reference CLI for generating and manipulating the same class of documents.

### How it is used

Typical vexctl usage is in supply-chain security and vulnerability-management pipelines: creating OpenVEX statements for products and CVEs, applying those statements to scanner output, merging documents, and producing attestations. Tutorials commonly pair it with scanners such as Trivy to suppress or explain false-positive vulnerability findings without discarding the underlying scan data.

### Why package nerds care

For package maintainers, vexctl is a small but important glue tool in the SBOM/VEX ecosystem. It gives open-source producers a way to publish negative security advisories in a machine-readable format, and gives consumers a command-line path to feed that context into automated vulnerability triage.

### Timeline

- 2023-01: The openvex/vexctl GitHub repository was created, and Chainguard introduced OpenVEX as an open-source VEX specification and tool suite.
- 2023-07: OpenSSF's Vulnerability Disclosures Working Group discussed planned updates to both the OpenVEX specification and vexctl tooling after OpenVEX's first months as an OpenSSF project.
- 2023-12: OpenSSF described OpenVEX as housed in OpenSSF and supported by a growing community of adopters.
- 2026-06: GitHub releases show vexctl continuing with v0.4.x releases.

### Sources

- <https://api.github.com/repos/openvex/vexctl>
- <https://api.github.com/repos/openvex/vexctl/releases?per_page=3>
- <https://documentation.ubuntu.com/security/security-updates/vex/>
- <https://edu.chainguard.dev/open-source/sbom/what-is-openvex/>
- <https://github.com/openvex/vexctl>
- <https://openssf.org/blog/2023/09/07/vdr-vex-openvex-and-csaf/>
- <https://openssf.org/blog/2023/12/20/openvex-and-open-source-vulnerability-scanners-how-the-dynamic-duo-improves-vulnerability-management/>
- <https://openssf.org/projects/openvex/>


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** vexctl
- **Version Scheme:** 0
- **Revision:** 0
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** stable

## Other Package-Manager Records

- Nix - vexctl: normalized package name match | nixpkgs package indexes: pkgs/by-name/ve/vexctl/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- zypper - vexctl - 0.4.1+git147.b7e6ef0-1.1: normalized package name match | openSUSE Tumbleweed package metadata: vexctl from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | CLI tool to create, transform and attest VEX metadata | https://github.com/openvex/vexctl


## Related links

- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [Homebrew utility packages](https://www.automicvault.com/pkg/brew-utility-packages/) - Matched Homebrew package provider.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [c2patool](https://www.automicvault.com/pkg/brew/c2patool/) - Shares av.db curated category or tags: cli, metadata, security.
- [copa](https://www.automicvault.com/pkg/brew/copa/) - Shares av.db curated category or tags: cli, security, vulnerability-management.
- [mat2](https://www.automicvault.com/pkg/brew/mat2/) - Shares av.db curated category or tags: cli, metadata, security.
- [xeol](https://www.automicvault.com/pkg/brew/xeol/) - Shares av.db curated category or tags: cli, security, vulnerability-management.
- [chainloop-cli](https://www.automicvault.com/pkg/brew/chainloop-cli/) - Shares av.db curated category or tags: attestation, cli, security.
- [witness](https://www.automicvault.com/pkg/brew/witness/) - Shares av.db curated category or tags: attestation, cli, security.
- [acme.sh](https://www.automicvault.com/pkg/brew/acme-sh/) - Shares av.db curated category or tags: cli, security.
- [aescrypt](https://www.automicvault.com/pkg/brew/aescrypt/) - Shares av.db curated category or tags: cli, security.

## Combined YAML source

View the package source record on GitHub. [combined/vexctl.yml](https://github.com/automic-vault/db/blob/main/combined/vexctl.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
