Install vexctl (the OpenVEX project's CLI) and run vexctl create with --product (the PURL of the product), --vuln (the CVE identifier), --status not_affected and --justification (one of the OpenVEX justification values, such as vulnerable_code_not_in_execute_path) to generate an OpenVEX JSON document; capture the output to a file.
Review the generated document: a top-level envelope (@context, @id, author, timestamp, version) and a statements array in which each statement carries vulnerability (an object whose name is the CVE), products (an array of objects whose @id is your product PURL, optionally with subcomponents), status, timestamp, and, because the status is not_affected, either a justification or an impact_statement.
To add a second statement, use vexctl add against the existing document, or re-run vexctl create and combine the documents with vexctl merge to produce one canonical VEX file; where two statements cover the same product and vulnerability, the one with the latest timestamp takes precedence (verify subcommand names and flags in the current vexctl docs).
Sign the merged document with cosign sign-blob (consumers check it with cosign verify-blob), or attach it to the container image as an in-toto attestation with the openvex predicate type (cosign attest --type openvex --predicate, or vexctl attest --attach --sign) so consumers can verify it with cosign verify-attestation against the image.
Provide the OpenVEX file to Trivy with --vex when scanning the image, and confirm the result with --show-suppressed: the CVE should be listed as suppressed by your statement rather than silently absent. Trivy drops a finding only for the not_affected and fixed statuses; under_investigation and affected leave it in the report.
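The example below is added here and is not vexctl's or Trivy's code. It is a stand-in for the create, merge and --vex steps above: it builds statements in the v0.2.0 document shape, merges two documents so that the latest timestamp wins per product and vulnerability, and filters a constructed list of scanner findings by exact PURL and CVE match, suppressing only not_affected and fixed. The PURL, CVE identifiers, document @ids and author names are constructed placeholders, and the exact-string PURL comparison is a simplification of the real scanners' matching rules.

```python
"""Minimal OpenVEX build / merge / filter stand-in (added example, not project code)."""
import json
from datetime import datetime

OPENVEX_CONTEXT = "https://openvex.dev/ns/v0.2.0"
# Statuses that make a scanner drop the finding; every other status keeps it.
SUPPRESSING_STATUSES = {"not_affected", "fixed"}


def make_statement(product_purl, vuln_id, status, timestamp,
                   justification=None, impact_statement=None):
    """Build one OpenVEX statement (products[].@id, vulnerability.name)."""
    if status == "not_affected" and not (justification or impact_statement):
        # The spec requires a justification or impact_statement for not_affected.
        raise ValueError("not_affected needs a justification or impact_statement")
    statement = {
        "vulnerability": {"name": vuln_id},
        "products": [{"@id": product_purl}],
        "status": status,
        "timestamp": timestamp,
    }
    if justification:
        statement["justification"] = justification
    if impact_statement:
        statement["impact_statement"] = impact_statement
    return statement


def make_document(doc_id, author, timestamp, statements):
    """Wrap statements in the OpenVEX document envelope."""
    return {
        "@context": OPENVEX_CONTEXT,
        "@id": doc_id,
        "author": author,
        "timestamp": timestamp,
        "version": 1,
        "statements": statements,
    }


def merge_documents(docs, doc_id, author, timestamp):
    """Merge documents; per (product, vuln) the statement with the latest timestamp wins."""
    latest = {}
    for doc in docs:
        for st in doc["statements"]:
            # A statement without its own timestamp inherits the document's.
            ts = datetime.fromisoformat(st.get("timestamp", doc["timestamp"]))
            for product in st["products"]:
                key = (product["@id"], st["vulnerability"]["name"])
                if key not in latest or ts > latest[key][0]:
                    latest[key] = (ts, {**st, "products": [product]})
    statements = [st for _, st in sorted(latest.values(), key=lambda pair: pair[0])]
    return make_document(doc_id, author, timestamp, statements)


def filter_findings(findings, doc):
    """Apply a document to findings; an exact PURL + CVE match is required to suppress."""
    index = {}
    for st in doc["statements"]:
        for product in st["products"]:
            index[(product["@id"], st["vulnerability"]["name"])] = st["status"]
    kept, suppressed = [], []
    for finding in findings:
        status = index.get((finding["purl"], finding["vuln"]))
        (suppressed if status in SUPPRESSING_STATUSES else kept).append(finding)
    return kept, suppressed


# Constructed sample data: placeholder PURL, CVE ids, document ids and authors.
PRODUCT = "pkg:apk/alpine/libcrypto3@3.1.4-r5?arch=x86_64"
VEX_A = make_document("https://example.com/vex/a", "Team A", "2024-01-10T00:00:00+00:00", [
    make_statement(PRODUCT, "CVE-2023-0001", "under_investigation", "2024-01-10T00:00:00+00:00"),
])
VEX_B = make_document("https://example.com/vex/b", "Team B", "2024-02-01T00:00:00+00:00", [
    make_statement(PRODUCT, "CVE-2023-0001", "not_affected", "2024-02-01T00:00:00+00:00",
                   justification="vulnerable_code_not_in_execute_path"),
])
MERGED = merge_documents([VEX_A, VEX_B], "https://example.com/vex/merged",
                         "Team B", "2024-02-02T00:00:00+00:00")

# Constructed findings shaped like a scanner's (purl, vuln) pairs.
FINDINGS = [
    {"purl": PRODUCT, "vuln": "CVE-2023-0001"},                              # suppressed
    {"purl": PRODUCT, "vuln": "CVE-2023-0002"},                              # no statement: kept
    {"purl": "pkg:apk/alpine/libcrypto3@3.1.4-r5", "vuln": "CVE-2023-0001"},  # qualifier differs: kept
]

if __name__ == "__main__":
    print(json.dumps(MERGED, indent=2))
    kept, suppressed = filter_findings(FINDINGS, MERGED)
    print("suppressed:", [f["vuln"] for f in suppressed])
    print("kept:", [(f["purl"], f["vuln"]) for f in kept])
```

The third finding is the PURL gotcha in miniature: the package is the same, but the missing arch qualifier means the statement does not apply, and the CVE stays in the report. The merge shows the timestamp rule: Team A's under_investigation is superseded by Team B's later not_affected, so only the newer statement survives.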
Known gotchas
OpenVEX identifies products by PURL; the @id in the statement's products array must match the PURL the scanner derives for the artifact in every component (type, namespace, name, version and qualifiers) or the PURL recorded in the SBOM, otherwise the statement silently does not apply and the finding is not suppressed. A near miss such as a missing arch qualifier or a differently formatted version string is enough to break the match, so check the scanner's suppressed view rather than assuming.
vexctl is a relatively early-stage tool; command flags and subcommands may change across versions — always verify against the current vexctl README or --help output.
Merged VEX documents keep each original statement's timestamp, and when two statements cover the same product and vulnerability the one with the latest timestamp takes precedence. Merging documents from different authors can therefore let a later statement override your not_affected assertion, and tools that sort by timestamp may order statements differently than the source documents did, so inspect the merged output before signing it.