VEX files

Last updated: June 11, 2026

Liquibase Secure publishes VEX (Vulnerability Exploitability eXchange) files alongside each release to communicate its official CVE assessments. The VEX files use the CycloneDX or OpenVEX format, consistent with Liquibase's existing SBOMs. The published files are updated continuously and are not tied to any single release, except for the copy packaged with the binary. Configuring your scanner to read these files applies Liquibase's assessments automatically and reduces false positives in your scan results.

VEX status values

Each VEX status value communicates Liquibase's assessment of a CVE:

  • not_affected - The CVE exists in a dependency but cannot be exploited in Liquibase Secure's use of it

  • affected - Liquibase Secure is affected by this CVE; a fix is in progress

  • fixed - Previously affected; resolved in this or a prior release

  • under_investigation - Liquibase is still assessing the impact of this CVE

Where to find VEX files

VEX files are distributed in three locations:

  • With the binary - in the /dist directory of your Liquibase Secure installation

  • On liquibase.com - For any version of Liquibase 5.2+, both the OpenVEX and CycloneDX (CDX) VEX files are available under the associated release folder.

  • Public VEX repository - This option is valuable to users who want to configure their Trivy, Grype, or Scout scanners to point to a repository to pull the VEX files in automatically.

How to use VEX files with common scanners

Trivy, Grype, Docker Scout, and other scanners support a --vex flag that tells the scanner to load a VEX file before it runs. When the scanner reads the VEX file, it suppresses the CVEs Liquibase has assessed as not_affected, so those findings never appear in your results.

You can reference the VEX file two ways:

  • Locally - pass the path to a VEX file on disk. You will need to update this file each time you upgrade Liquibase Secure.

  • Dynamic endpoint URL - reference the VEX file URL directly. Liquibase maintains this URL so that the latest VEX assessments are always served, and your scanner stays up to date without manual updates.
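The suppression step described above, reproduced as an added example (this is not Liquibase's code nor any scanner's implementation): it reads statuses from a constructed OpenVEX document and a constructed CycloneDX VEX document, then drops the scan findings marked not_affected. The CVE identifiers, documents and findings are constructed placeholders, and the CycloneDX analysis.state-to-status mapping is an assumption.

```python
import json
# Assumed mapping from CycloneDX analysis.state values onto the four VEX statuses.
CDX_STATE_TO_STATUS = {
    "not_affected": "not_affected", "false_positive": "not_affected",
    "resolved": "fixed", "resolved_with_pedigree": "fixed",
    "exploitable": "affected", "in_triage": "under_investigation",
}
# Constructed OpenVEX document (placeholder CVE ids, not real assessments).
OPENVEX = json.loads("""{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "statements": [
    {"vulnerability": {"name": "CVE-0000-0001"}, "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-0000-0002"}, "status": "under_investigation"}
  ]
}""")
# Constructed CycloneDX VEX document for the same hypothetical release.
CYCLONEDX = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "vulnerabilities": [
        {"id": "CVE-0000-0003", "analysis": {"state": "resolved"}},
        {"id": "CVE-0000-0004", "analysis": {"state": "false_positive"}},
    ],
}
# Constructed raw scanner findings before any VEX is applied.
SCAN_FINDINGS = [
    {"cve": "CVE-0000-0001", "pkg": "libfoo"},
    {"cve": "CVE-0000-0002", "pkg": "libbar"},
    {"cve": "CVE-0000-0004", "pkg": "libbaz"},
    {"cve": "CVE-0000-0009", "pkg": "libqux"},  # no VEX statement: must survive
]

def parse_vex(doc: dict) -> dict:
    """Return {CVE id: status} from an OpenVEX or CycloneDX VEX document."""
    statuses = {}
    if "statements" in doc:  # OpenVEX: statements[].vulnerability / status
        for stmt in doc["statements"]:
            vuln = stmt["vulnerability"]
            statuses[vuln["name"] if isinstance(vuln, dict) else vuln] = stmt["status"]
    else:  # CycloneDX: vulnerabilities[].analysis.state
        for vuln in doc.get("vulnerabilities", []):
            state = vuln.get("analysis", {}).get("state", "in_triage")
            statuses[vuln["id"]] = CDX_STATE_TO_STATUS.get(state, "under_investigation")
    return statuses

def apply_vex(findings: list, *docs: dict) -> list:
    """Suppress findings whose CVE any loaded VEX marks not_affected; keep the rest."""
    statuses = {}
    for doc in docs:
        statuses.update(parse_vex(doc))
    return [f for f in findings if statuses.get(f["cve"]) != "not_affected"]
```

Findings with no VEX statement, and those marked affected, fixed or under_investigation, are left in the results; only not_affected is suppressed.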

All VEX file enablement instructions are available in the VEX GitHub readme.