Root generates VEX statements for every patched vulnerability, enabling your scanners to distinguish between unaddressed CVEs and those already fixed by Root. This eliminates noise in scanner output and keeps compliance reports accurate.

VEX Statement Coverage

[What percentage of patched CVEs have VEX statements, how quickly VEX is generated after patch delivery coming soon]

Accessing VEX Statements

[Root platform UI, Root API — per-artifact and bulk endpoints, OCI annotations for images coming soon]

VEX Formats

[OpenVEX and CycloneDX VEX — format choice, field definitions, Root’s justification vocabulary coming soon]

Using VEX with Scanners

[Grype: --vex flag; Trivy: vex file support; Snyk: suppression via API; Wiz/Orca: import flows coming soon]

VEX in Compliance Workflows

[How VEX statements satisfy audit requirements — what an auditor needs to see, how to export for a compliance package coming soon]