CLI Documentation
Complete reference for the Vibgrate Command Line Interface. Learn about commands, configuration, extended scanners, CI integration, and more.
Quick Start
# Run without installing anything
npx @vibgrate/cli scan
# Pin a version or see every command
npx @vibgrate/cli@latest --helpno install·Nothing is installed globally — ideal for CI or a one-off scan.
Overview
Commands
vg ask
Ask the code map a question using hybrid lexical + structural + semantic search. Returns a budget-bounded context block ready to paste into any AI assistant — fully offline after first use.
vg baseline
Create drift baseline snapshots for delta comparison and fitness functions.
vg benchmark
A reproducible benchmark of build time, memory, and token reduction on your own repository — honest estimates you can rerun, not marketing numbers.
vg bisect
Pinpoint the commit where a dependency crossed a version line — when a fix was adopted, or never was — and gate CI on it.
vg build
Build or update the code map incrementally. Maps source code into a graph artifact that powers all downstream queries — vg show, vg ask, vg impact, and more.
vg bundle
Build a self-contained, air-gapped bundle — parser grammars, your code map, and the library catalog — so Vibgrate runs with no network at all.
vg drift
What is outdated across your dependencies. Offline by default (inventory plus installed versions); --online queries the registry for the latest, and --fail-on gates CI on version or standards violations.
vg dsn create
Generate HMAC-signed DSN tokens for authenticating dashboard uploads.
vg embed
Precompute the semantic index so the next vg ask is instant. Local ONNX model downloaded once into a shared cache — fully offline after first run.
vg export
Export the code map in various formats: JSON, GraphML, Graphviz DOT, Neo4j Cypher, Markdown, HTML, CycloneDX SBOM, or SPDX.
vg facts
Deterministic open facts for a node — contract, invariant, characterization. Epistemic-typed: declared/static through to observed/derived.
vg fix
Analyse drift and get ranked, risk-tiered upgrade plans — safe, balanced, and full — scored on real-world exploitability. Read-only until you choose to apply.
vg guide
Cited, relevant standards and practices for a node in your code map — a free pack of guidance attached to the symbol you name.
vg impact
What breaks if you change a node? Deterministic structural blast radius using reverse reachability and decay confidence. With --tests, surfaces exactly the tests to run before shipping.
vg init
Initialize Vibgrate in your project. Creates the .vibgrate directory and config file.
vg install / vg uninstall
Add Vibgrate AI Context to your AI assistant — skill, MCP wiring, and advisory nudge. Idempotent and repo-local. Supports Claude, Cursor, Windsurf, VS Code, Codex, and Gemini.
vg lib
Version-correct library docs pinned to your lockfile — from the hosted catalog or local ingestion. The Free Dev Docs Library, served offline to any AI assistant.
vg login
Sign the CLI into your Vibgrate workspace from the browser — no DSN to copy or paste.
vg logout
Sign the CLI out of your Vibgrate workspace by clearing the stored login credential.
vg map / vg hubs / vg areas / vg oddities
Map-level insights: overview, most-depended-on hubs, natural code groupings (communities), and surprising cross-area links (architectural smells).
vg models
The local model fleet — Ollama, LM Studio, and gguf files discovered on your machine, entirely offline. See which models are available to power semantic search.
vg path
Show how node A connects to node B — the shortest path in the call graph.
vg push
Upload scan results to Vibgrate Cloud for team visibility and trend analysis.
vg report
Generate human-readable reports from scan artifacts in Markdown, text, or JSON.
vg savings
A local, privacy-safe report of the tokens and cost saved by querying the code map instead of re-reading files, estimated against a grep baseline over a window you choose.
vg sbom
Export CycloneDX or SPDX SBOMs, compare dependency deltas, and generate OpenVEX documents.
vg scan
The primary CLI command. Scan for upgrade drift with multiple output formats and quality gates.
vg scan --vulns
Detect known vulnerabilities in installed dependencies against the OSV database — online or air-gapped — with severity, CVSS, the fixing version, and git attribution.
vg serve
Start Vibgrate AI Context — the local, offline MCP server that serves your code map, drift, and version-correct library docs to any AI assistant. No account, nothing uploaded.
vg share
Make the code map committable and auto-updating for your team. Installs a pre-commit hook, deterministic merge driver, and .gitignore.
vg show
Explain a single code node: what it is, what it calls, and what calls it. The richest single-node view with callers, callees, and structural metadata.
vg status
Graph freshness, node/edge counts, staleness, and resolver rungs used. Compares the committed graph against the current working tree.
vg tests
Which tests cover a node via call or coverage linkage. --missing shows untested nodes nearby. --run prints (or --exec runs) the minimal command to exercise exactly those tests.
vg tree
The call tree rooted at a node — callees by default, callers with --callers. Depth-bounded and cycle-safe.
vg unknowns
What the code map cannot resolve, ranked by blast radius — so you can see exactly where the graph is incomplete and how much depends on those gaps.
vg update
Check for and install CLI updates.
vg why
Trace a dependency through git history — who added it, every version since, and any open vulnerabilities it carries.
Configuration
Scanners
Extended Scanners Overview
Beyond core drift scoring — platform matrix, dependency graph, security posture, and more.
Platform Matrix Scanner
Collect platform and architecture signals that predict where builds will break.
Dependency Risk Scanner
Risk classification for deprecated packages, native modules, and platform-specific dependencies.
Dependency Graph Scanner
Lockfile analysis for duplicate packages, phantom dependencies, and workspace graphs.
Tooling Inventory Scanner
Map your full technology stack by detecting packages across categories.
Build & Deploy Scanner
Detect CI/CD systems, containerization, and infrastructure-as-code.
TypeScript Modernity Scanner
Analyze tsconfig.json for strictness, module system, and ESM readiness.
Breaking Change Exposure Scanner
Flag packages and patterns known to cause upgrade pain.
File Hotspots Scanner
Lightweight complexity analysis using filesystem metadata only.
Security Posture Scanner
Structural security hygiene — lockfiles, .gitignore coverage, audit counts.
Security Scanners Scanner
Local security scanner orchestration and readiness analysis.
Service Dependencies Scanner
Map external service and platform dependencies by detecting SDK packages.
Architecture Layers Scanner
Classify source files into architectural layers and detect project archetypes.
Code Quality Scanner
Fast AST-based quality checks for cyclomatic complexity and upgrade friction hotspots.
OWASP Category Mapping
Map security findings into OWASP Top 10 categories for triage.
CI Integration
CI Integration
Integrate Vibgrate into GitHub Actions, Azure DevOps, GitLab CI, and other pipelines.
GitHub Actions
Integrate Vibgrate with GitHub Actions — SARIF upload, drift gates, and dashboard push.
Azure DevOps
Integrate Vibgrate with Azure Pipelines for .NET and Node.js projects.
GitLab CI
Integrate Vibgrate with GitLab CI/CD pipelines and SAST reports.
Reference
DriftScore
Understand how the DriftScore is calculated and what the risk levels mean.
Drift Baselines & Fitness Functions
Store scan state for delta comparison and implement drift quality gates in CI.
Output Formats
Understand the four output formats: Text, JSON, SARIF, and Markdown.
Vibgrate Cloud Upload
Push scan results to Vibgrate Cloud for team visibility and trend tracking.
Privacy & Security
Understand exactly what Vibgrate reads, collects, and never accesses.
Exit Codes
Understand CLI exit codes for scripting and CI integration.
Programmatic API
Use Vibgrate types programmatically in your Node.js applications.
Supply Chain Inventory
Use Vibgrate artifacts for SBOM-ready supply chain governance.
Approved-Alternative Library Policies
Steer AI assistants toward your approved packages: set "prefer package B over package A" and have the approved choice lead the library docs your agents read.
All Documentation Pages (68)
- 1.How It Works
- 2.Getting Started
- 3.vg ask
- 4.vg baseline
- 5.vg benchmark
- 6.vg bisect
- 7.vg build
- 8.vg bundle
- 9.vg drift
- 10.vg dsn create
- 11.vg embed
- 12.vg export
- 13.vg facts
- 14.vg fix
- 15.vg guide
- 16.vg impact
- 17.vg init
- 18.vg install / vg uninstall
- 19.vg lib
- 20.vg login
- 21.vg logout
- 22.vg map / vg hubs / vg areas / vg oddities
- 23.vg models
- 24.vg path
- 25.vg push
- 26.vg report
- 27.vg savings
- 28.vg sbom
- 29.vg scan
- 30.vg scan --vulns
- 31.vg serve
- 32.vg share
- 33.vg show
- 34.vg status
- 35.vg tests
- 36.vg tree
- 37.vg unknowns
- 38.vg update
- 39.vg why
- 40.DriftScore
- 41.Drift Baselines & Fitness Functions
- 42.Output Formats
- 43.Configuration
- 44.Extended Scanners Overview
- 45.Platform Matrix Scanner
- 46.Dependency Risk Scanner
- 47.Dependency Graph Scanner
- 48.Tooling Inventory Scanner
- 49.Build & Deploy Scanner
- 50.TypeScript Modernity Scanner
- 51.Breaking Change Exposure Scanner
- 52.File Hotspots Scanner
- 53.Security Posture Scanner
- 54.Security Scanners Scanner
- 55.Service Dependencies Scanner
- 56.Architecture Layers Scanner
- 57.Code Quality Scanner
- 58.OWASP Category Mapping
- 59.CI Integration
- 60.GitHub Actions
- 61.Azure DevOps
- 62.GitLab CI
- 63.Vibgrate Cloud Upload
- 64.Privacy & Security
- 65.Exit Codes
- 66.Programmatic API
- 67.Supply Chain Inventory
- 68.Approved-Alternative Library Policies