Datadog adds OpenVEX assessments to Public Artifact Vulnerabilities page to cut CVE noise

News
Caspian Vale

5/24/2026, 7:49:09 AM

Datadog has published a Public Artifact Vulnerabilities page that provides machine- and human-readable exploitability statements for Datadog-managed software (the Agent, container images, and packages) to help reduce noisy CVE findings and surface the issues that require action. The page supplies VEX-format assessments alongside downloadable raw OpenVEX files, so teams and automated tooling can apply vendor-provided context to scanner results.

Each OpenVEX statement Datadog publishes encodes four elements: a status (not_affected, affected, fixed, or under_investigation), a justification explaining why code is or isn’t exploitable, an impact statement, and an action statement that gives remediation guidance. OpenVEX is presented as a lightweight, embeddable VEX implementation that meets requirements set out by the VEX Working Group coordinated by CISA, making the format suitable for integration into existing security workflows.

Datadog emphasizes that these OpenVEX files integrate directly with common software composition analysis (SCA) tooling. The post shows example commands such as trivy image --vex myimage:tag and grype --vex myimage:tag, and it makes the raw VEX files available for automated consumption in CI/CD and scanning pipelines. That accessibility aims to address a frequent operational problem: SCA tools continuously flag dependencies against CVE databases, but not every finding represents an exploitable or actionable risk.
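To make the two preceding paragraphs concrete, here is an added example (not code from Datadog or from the post) that parses an OpenVEX document, checks the fields each status requires, and uses the statements to split scanner findings into suppressed and actionable sets. It goes a little beyond the post by also handling findings that have no statement at all and findings that carry an under_investigation status, both of which stay actionable. The VEX document, the product identifiers and the scanner findings are constructed for illustration with placeholder CVE ids; the conditional field rules (not_affected needs a justification or impact statement, affected needs an action statement) are taken from the OpenVEX specification.

```python
"""Apply OpenVEX statements to scanner findings (added example, constructed data)."""
import json

VALID_STATUS = {"not_affected", "affected", "fixed", "under_investigation"}
VALID_JUSTIFICATION = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Constructed sample OpenVEX document: placeholder ids, not Datadog's published files.
SAMPLE_OPENVEX = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/sample-1",
    "author": "Example Vendor Security Team",
    "timestamp": "2026-05-20T00:00:00Z",
    "version": 1,
    "statements": [
        {   # vendor asserts the vulnerable code is never reached
            "vulnerability": {"name": "CVE-0000-0001"},
            "products": [{"@id": "pkg:oci/example-agent@sha256:aaaa"}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_in_execute_path",
            "impact_statement": "The affected function is never called by the agent.",
        },
        {   # vendor confirms exposure and tells consumers what to do
            "vulnerability": {"name": "CVE-0000-0002"},
            "products": [{"@id": "pkg:oci/example-agent@sha256:aaaa"}],
            "status": "affected",
            "action_statement": "Upgrade to the next release; no workaround.",
        },
        {   # no conclusion yet, so the finding must stay visible
            "vulnerability": {"name": "CVE-0000-0003"},
            "products": [{"@id": "pkg:oci/example-agent@sha256:aaaa"}],
            "status": "under_investigation",
        },
    ],
})

# Constructed scanner output reduced to (product purl, CVE id) pairs.
SAMPLE_FINDINGS = [
    ("pkg:oci/example-agent@sha256:aaaa", "CVE-0000-0001"),
    ("pkg:oci/example-agent@sha256:aaaa", "CVE-0000-0002"),
    ("pkg:oci/example-agent@sha256:aaaa", "CVE-0000-0003"),
    ("pkg:oci/example-agent@sha256:aaaa", "CVE-0000-0004"),  # no VEX statement
    ("pkg:oci/other-image@sha256:bbbb", "CVE-0000-0001"),    # statement is for another product
]


def validate_statement(stmt):
    """Return the problems found in one statement (empty list means it is well-formed)."""
    problems = []
    status = stmt.get("status")
    if status not in VALID_STATUS:
        problems.append(f"unknown status {status!r}")
    if not stmt.get("vulnerability", {}).get("name"):
        problems.append("missing vulnerability name")
    if not stmt.get("products"):
        problems.append("missing products")
    if status == "not_affected":
        just = stmt.get("justification")
        if just is not None and just not in VALID_JUSTIFICATION:
            problems.append(f"unknown justification {just!r}")
        if just is None and not stmt.get("impact_statement"):
            problems.append("not_affected requires justification or impact_statement")
    if status == "affected" and not stmt.get("action_statement"):
        problems.append("affected requires action_statement")
    return problems


def load_openvex(text):
    """Parse an OpenVEX document and refuse it if any statement is malformed."""
    doc = json.loads(text)
    if "statements" not in doc:
        raise ValueError("not an OpenVEX document: no statements")
    for i, stmt in enumerate(doc["statements"]):
        problems = validate_statement(stmt)
        if problems:
            raise ValueError(f"statement {i}: " + "; ".join(problems))
    return doc


def index_statements(doc):
    """Map (product id, CVE) to its statement so findings can be looked up directly."""
    index = {}
    for stmt in doc["statements"]:
        cve = stmt["vulnerability"]["name"]
        for product in stmt["products"]:
            index[(product["@id"], cve)] = stmt
    return index


def triage(findings, doc):
    """Split findings into (suppressed, actionable) lists of (purl, cve, reason).

    Only not_affected and fixed suppress a finding. Affected, under_investigation
    and findings with no statement stay actionable: the vendor has not said they are safe.
    """
    index = index_statements(doc)
    suppressed, actionable = [], []
    for purl, cve in findings:
        stmt = index.get((purl, cve))
        if stmt is None:
            actionable.append((purl, cve, "no VEX statement"))
        elif stmt["status"] in ("not_affected", "fixed"):
            reason = stmt.get("justification") or stmt.get("impact_statement") or stmt["status"]
            suppressed.append((purl, cve, reason))
        else:
            actionable.append((purl, cve, stmt.get("action_statement") or stmt["status"]))
    return suppressed, actionable


if __name__ == "__main__":
    kept_out, to_fix = triage(SAMPLE_FINDINGS, load_openvex(SAMPLE_OPENVEX))
    print("suppressed:", kept_out)
    print("actionable:", to_fix)
```

The default-to-actionable choice in triage is the part worth keeping when wiring a real scanner to a vendor's VEX feed: a statement only removes noise when it positively says not_affected or fixed, so a missing or inconclusive statement never hides a finding. Tools such as trivy and grype apply the same kind of matching internally when handed a VEX file on the command line.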

The rollout sits within a broader ecosystem of VEX implementations (OpenVEX, CSAF VEX, CycloneDX VEX, and SPDX VEX) and places Datadog's artifact assessments alongside other vendor-supplied exploitability data. According to the post, Datadog combines automation with human review to generate and validate its VEX statements; publishing the raw files and the process details is intended to increase confidence for downstream users and let tooling trust the vendor's exploitability assertions. For builders and security teams running Datadog artifacts, consuming these OpenVEX files should help focus attention on the issues that require remediation and keep remediation decisions aligned with the vendor's assessments.

Sources

  1. Datadog AI · 5/20/2026