Prerequisites
Before you begin, ensure you have:
- Access to a DevGuard repository with detected dependencies
- At least one scan completed (SBOM or dependency scan)
- Project admin or owner permissions
- Familiarity with the VEX format
Navigate to VEX Generation
Access VEX document generation:
Navigate to Organization → Project → Repository → Dependency Risks or Dependencies.

Generate VEX Document
Create a VEX document for your repository:
Share VEX Documents
Navigate to Organization → Project → Repository → Settings
Share VEX documents with your direct supply chain partners:

This URL always reflects the latest VEX assessment.
VEX for Compliance
Use VEX documents for regulatory compliance:
- ISO 27001 - Document vulnerability management decisions
- CRA - Show security assessment process
- SBOM requirements - Include VEX alongside SBOM
- Audit trail - Record why decisions were made
Create events for all significant vulnerabilities to establish an audit trail.
OpenVEX Format
DevGuard also supports OpenVEX (a separate format):
CycloneDX VEX is integrated into the SBOM format. Best for:
- Coupling vulnerability data with component data
- SBOM-centric workflows
- Standard CycloneDX tooling
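
A consumer-side check for the coupling described above, as an added example that is not part of DevGuard or its documentation: it joins each entry in a CycloneDX document's `vulnerabilities` array to the component it references and reports entries that are still open, dismissed without a recorded reason, or pointing at a component missing from the SBOM. The sample document, its package names and the CVE-0000-000x ids are constructed placeholders, and `review_vex` is a hypothetical helper name.

```python
import json

# Constructed sample: a minimal CycloneDX document with embedded VEX data.
# Component names, bom-refs and vulnerability ids are placeholders.
SAMPLE_VEX = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.5",
 "components": [
  {"bom-ref": "pkg:npm/example-lib@1.0.0", "name": "example-lib", "version": "1.0.0"},
  {"bom-ref": "pkg:npm/example-util@2.3.1", "name": "example-util", "version": "2.3.1"}],
 "vulnerabilities": [
  {"id": "CVE-0000-0001", "affects": [{"ref": "pkg:npm/example-lib@1.0.0"}],
   "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
  {"id": "CVE-0000-0002", "affects": [{"ref": "pkg:npm/example-util@2.3.1"}],
   "analysis": {"state": "not_affected"}},
  {"id": "CVE-0000-0003", "affects": [{"ref": "pkg:npm/example-lib@1.0.0"}],
   "analysis": {"state": "exploitable"}},
  {"id": "CVE-0000-0004", "affects": [{"ref": "pkg:npm/missing@9.9.9"}],
   "analysis": {"state": "in_triage"}}]}
""")

OPEN_STATES = {"exploitable", "in_triage"}
DISMISSED_STATES = {"not_affected", "false_positive"}

def review_vex(doc):
    """Join each vulnerability to its component and list review findings."""
    components = {c["bom-ref"]: c for c in doc.get("components", []) if "bom-ref" in c}
    findings = []
    for vuln in doc.get("vulnerabilities", []):
        analysis = vuln.get("analysis") or {}
        state = analysis.get("state", "missing")
        for target in vuln.get("affects", []):
            comp = components.get(target.get("ref"))
            name = f'{comp["name"]}@{comp.get("version", "?")}' if comp else None
            if comp is None:
                issue = "dangling-ref"   # affects.ref matches no component in the SBOM
            elif state in OPEN_STATES or state == "missing":
                issue = "open"           # still needs remediation or triage
            elif state in DISMISSED_STATES and not (
                    analysis.get("justification") or analysis.get("detail")):
                issue = "unjustified"    # dismissed with no recorded reason
            else:
                continue                 # assessed and documented
            findings.append((vuln.get("id"), name, state, issue))
    return findings

if __name__ == "__main__":
    print(*review_vex(SAMPLE_VEX), sep="\n")
```

The "unjustified" finding corresponds to the audit-trail point under VEX for Compliance: a dismissed vulnerability should carry the reason for the decision.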
Next Steps
- Manage License Compliance - Expand compliance beyond vulnerabilities
- Generate CSAF Reports - Create security advisories
- Track Fix Progress - Monitor remediation