VEX Document - CI/CD Glossary Definition
A VEX document records, per vulnerability, whether it is actually exploitable in your product, so scanners can filter out non-applicable CVEs instead of drowning teams in false positives.
A VEX (Vulnerability Exploitability eXchange) document is a machine-readable statement asserting whether a specific vulnerability actually affects a product, letting scanners suppress non-exploitable findings with a documented justification.
VEX pairs with an SBOM: the SBOM lists components, and VEX states which of their known vulnerabilities matter here.
Status values
A VEX statement marks a vulnerability as not_affected, affected, fixed, or under_investigation, with a justification. A "not_affected" claim (for example unreachable code) lets CI ignore that CVE without ignoring the scanner entirely.