Config File
Run vg init to generate the config file, or create one manually:
import type { VibgrateConfig } from '@vibgrate/cli@latest';
const config: VibgrateConfig = {
exclude: ['legacy/**'],
thresholds: {
failOnError: {
eolDays: 180,
frameworkMajorLag: 3,
dependencyTwoPlusPercent: 50,
},
warn: {
frameworkMajorLag: 2,
dependencyTwoPlusPercent: 30,
},
},
scanners: {
platformMatrix: { enabled: true },
dependencyRisk: { enabled: true },
dependencyGraph: { enabled: true },
toolingInventory: { enabled: true },
buildDeploy: { enabled: true },
tsModernity: { enabled: true },
breakingChangeExposure: { enabled: true },
fileHotspots: { enabled: true },
securityPosture: { enabled: true },
securityScanners: { enabled: true },
serviceDependencies: { enabled: true },
},
};
export default config;
Also supports vibgrate.config.js and vibgrate.config.json.
Thresholds
Control when findings are raised and when the CLI should fail.
| Threshold | Default | Triggers |
|---|---|---|
failOnError.eolDays | 180 | Error when runtime EOL within N days |
failOnError.frameworkMajorLag | 3 | Error when framework N+ majors behind |
failOnError.dependencyTwoPlusPercent | 50 | Error when N+% deps 2+ majors behind |
warn.frameworkMajorLag | 2 | Warning when framework N+ majors behind |
warn.dependencyTwoPlusPercent | 30 | Warning when N+% deps 2+ majors behind |
Scanner Toggles
Each extended scanner can be individually disabled:
scanners: {
platformMatrix: { enabled: false }, // Disable this scanner
dependencyRisk: { enabled: true },
// ...
}
Set scanners: false to disable all extended scanners (core drift scan always runs).
Exclusions
Exclude paths from scanning:
exclude: [
'legacy/**',
'examples/**',
'node_modules/**',
'**/test/**',
]
Uses glob patterns matched against the workspace root.
CLI Excludes
For one-off scans you can add excludes on the command line with --exclude (alias -e) instead of editing config. The flag is repeatable and accepts comma/semicolon-separated values:
vg scan --exclude "legacy/**" --exclude "vendor/**"
vg scan -e "legacy/**,vendor/**;dist/**"
CLI excludes are additive — they're merged (and de-duplicated) with the config file's exclude list rather than replacing it, so committed defaults always apply. See vg scan for details.