Upload VEX statements
Preview
This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.
This document describes how to upload existing Vulnerability Exploitability eXchange (VEX) statements to Artifact Analysis. You can also upload statements provided by other publishers.
VEX statements must be formatted according to the Common Security Advisory Format (CSAF) 2.0 standard in JSON.
Required roles
To get the permissions that you need to upload VEX assessments and check the VEX status of vulnerabilities, ask your administrator to grant you the following IAM role on the project:
- To create and update notes: Container Analysis Notes Editor (roles/containeranalysis.notes.editor)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Upload VEX statements
Run the artifacts vulnerabilities load-vex command to upload VEX data and store it in Artifact Analysis:

gcloud artifacts vulnerabilities load-vex \
    --source CSAF_SOURCE \
    --uri RESOURCE_URI

Where
- CSAF_SOURCE is the path to your VEX statement file stored locally. The file must be a JSON file following the CSAF schema.
- RESOURCE_URI can be one of:
  - the complete URL of the image, similar to https://LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE_ID@sha256:HASH
  - the image URL, similar to https://LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE_ID
Artifact Analysis converts your VEX statements to Grafeas VulnerabilityAssessment notes.
Artifact Analysis stores vulnerability assessment notes as one note per CVE. Notes are stored in the Container Analysis API, within the same project as the specified image.
When you upload VEX statements, Artifact Analysis also carries VEX status information into associated vulnerability occurrences so that you can filter vulnerabilities by VEX status. If a VEX statement is applied to an image, Artifact Analysis will carry over the VEX status to all versions of that image, including newly pushed versions.
If a single version has two VEX statements, one written for the resource URL and one written for the associated image URL, the VEX statement written for the resource URL will take precedence and will be carried over to the vulnerability occurrence.
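The following is an added example, not code from the Artifact Analysis documentation or from the gcloud CLI. It does what a practitioner would want to do before running load-vex: check a CSAF 2.0 file against the VEX-profile requirements that the upload depends on (document.category "csaf_vex", a product_tree, a product_status for each vulnerability, an impact statement for known_not_affected and an action statement for known_affected), summarise the file per CVE, which is the granularity at which Artifact Analysis stores assessment notes, and model the precedence rule above, where a digest-pinned resource URL wins over the plain image URL. The sample document, the product ID IMG-1, the CVE numbers and the URLs are constructed for illustration.

```python
"""Pre-upload checks for a CSAF 2.0 VEX file (added example, not Google code)."""
import json

STATUS_KEYS = ("fixed", "known_affected", "known_not_affected", "under_investigation")

# Constructed sample: one image product, one CVE not affected, one affected.
SAMPLE_VEX = {
    "document": {
        "category": "csaf_vex",
        "csaf_version": "2.0",
        "publisher": {"category": "vendor", "name": "Example Org",
                      "namespace": "https://example.invalid"},
        "title": "Example VEX for example-image",
        "tracking": {
            "id": "EXAMPLE-VEX-0001",
            "status": "final",
            "version": "1",
            "initial_release_date": "2024-01-01T00:00:00Z",
            "current_release_date": "2024-01-01T00:00:00Z",
            "revision_history": [{"date": "2024-01-01T00:00:00Z", "number": "1",
                                  "summary": "Initial release"}],
        },
    },
    "product_tree": {
        "full_product_names": [{"name": "example-image:1.0", "product_id": "IMG-1"}]
    },
    "vulnerabilities": [
        {   # not affected: the VEX profile requires an impact statement
            "cve": "CVE-2024-0001",
            "product_status": {"known_not_affected": ["IMG-1"]},
            "flags": [{"label": "vulnerable_code_not_in_execute_path",
                       "product_ids": ["IMG-1"]}],
        },
        {   # affected: the VEX profile requires an action statement
            "cve": "CVE-2024-0002",
            "product_status": {"known_affected": ["IMG-1"]},
            "remediations": [{"category": "vendor_fix", "details": "Upgrade to 1.1",
                              "product_ids": ["IMG-1"]}],
        },
    ],
}


def check_csaf_vex(doc):
    """Return a list of problems; an empty list means the file is fit to upload."""
    problems = []
    document = doc.get("document", {})
    if document.get("category") != "csaf_vex":
        problems.append("document.category must be 'csaf_vex'")
    if document.get("csaf_version") != "2.0":
        problems.append("document.csaf_version must be '2.0'")
    if not doc.get("product_tree"):
        problems.append("product_tree is required")
    vulns = doc.get("vulnerabilities") or []
    if not vulns:
        problems.append("at least one vulnerability is required")
    for i, v in enumerate(vulns):
        where = f"vulnerabilities[{i}]"
        if not v.get("cve") and not v.get("ids"):
            problems.append(f"{where}: needs a cve or an ids entry")
        status = v.get("product_status") or {}
        if not any(status.get(k) for k in STATUS_KEYS):
            problems.append(f"{where}: product_status must list at least one product")
        if status.get("known_not_affected"):
            # impact statement: a flag, or a threat of category "impact"
            has_impact = bool(v.get("flags")) or any(
                t.get("category") == "impact" for t in v.get("threats") or [])
            if not has_impact:
                problems.append(f"{where}: known_not_affected requires an impact statement")
        if status.get("known_affected") and not v.get("remediations"):
            problems.append(f"{where}: known_affected requires an action statement")
    return problems


def status_by_cve(doc):
    """Map each CVE to {product_id: status}, mirroring one assessment note per CVE."""
    result = {}
    for v in doc.get("vulnerabilities") or []:
        per_product = {}
        for key in STATUS_KEYS:
            for pid in v.get("product_status", {}).get(key, []):
                per_product[pid] = key
        result[v.get("cve")] = per_product
    return result


def pick_statement(statements):
    """Given {resource_uri: status} for one image version, return the status that
    takes precedence: the digest-pinned URL (...@sha256:...) beats the image URL."""
    for uri, status in statements.items():
        if "@sha256:" in uri:
            return status
    return next(iter(statements.values()), None)


if __name__ == "__main__":
    print("problems:", check_csaf_vex(SAMPLE_VEX) or "none")
    print(json.dumps(status_by_cve(SAMPLE_VEX), indent=2))
```

Run the script against your own file by loading it with json.load and passing the result to check_csaf_vex before calling load-vex; a non-empty problem list is a file the CSAF VEX profile would reject.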
What's next
- Prioritize vulnerability issues using VEX. Learn how to view VEX statements and filter vulnerabilities by their VEX status.
- Learn how to generate a software bill of materials (SBOM) to support compliance requirements.
- Scan for vulnerabilities in OS packages and language packages with Artifact Analysis.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.