Skip to main content
Commands

vg sbom

Export CycloneDX or SPDX SBOMs, compare dependency deltas, and generate OpenVEX documents.

Overview

The vg sbom command family provides supply-chain evidence — Software Bill of Materials (SBOM) export, dependency deltas, and OpenVEX exploitability statements — for compliance, audit, and supply chain security workflows.

Three commands: sbom export generates SBOMs, sbom delta compares dependency changes, and sbom vex produces OpenVEX documents.


Usage

# Export SBOM from scan artifact
vg sbom export [options]

# Compare dependencies between two scans
vg sbom delta --from <file> --to <file> [options]

# Generate an OpenVEX document
vg sbom vex [options]

sbom export

Options

FlagDefaultDescription
--in <file>.vibgrate/scan_result.jsonInput scan artifact
--format <type>cyclonedxSBOM format: cyclonedx, spdx
--out <file>stdoutOutput file path

Supported Formats

FormatSpecificationFile Extension
🟢 CycloneDXcyclonedx.org.cdx.json
🔵 SPDXspdx.dev.spdx.json

Examples

# Export CycloneDX SBOM
vg sbom export --format cyclonedx --out sbom.cdx.json

# Export SPDX SBOM
vg sbom export --format spdx --out sbom.spdx.json

# Export from specific artifact
vg sbom export --in ./archive/scan-q1.json --out sbom-q1.cdx.json

sbom delta

Options

FlagRequiredDescription
--from <file>First (older) scan artifact
--to <file>Second (newer) scan artifact
--out <file>Output file path

Example

vg sbom delta \
  --from .vibgrate/baseline.json \
  --to .vibgrate/scan_result.json \
  --out dependency-changes.json

Delta Output

{
  "summary": {
    "added": 5,
    "removed": 2,
    "changed": 12,
    "driftDelta": -8
  },
  "changes": [
    {
      "package": "lodash",
      "type": "upgraded",
      "from": "4.17.19",
      "to": "4.17.21"
    },
    {
      "package": "moment",
      "type": "removed",
      "note": "Replaced with date-fns"
    }
  ]
}

sbom vex

Generate a spec-compliant OpenVEX document stating the exploitability of components, ready to attach as a signed attestation. The generator is input-agnostic — it assembles a complete document from the statements you supply, so it works regardless of which scanner flagged the components. A zero-statement document is valid and honest: it asserts no known affected components.

Options

FlagDefaultDescription
--from <file>Read statements from a JSON file (array, or an object with a statements array)
--statement <json>Add a statement as inline JSON (repeatable)
--product <ref>Default product for statements without their own (e.g. an image digest)
--author <name>VibgrateDocument author
--timestamp <iso> / --id <uri>Pin for reproducible output
--out <file>stdoutOutput file path

Example

# Generate VEX and attest it to a signed image
vg sbom vex --product "$IMAGE_REF" \
  --statement '{"vulnerability":"CVE-2024-1","status":"not_affected","justification":"vulnerable_code_not_present"}' \
  --out openvex.json
cosign attest --yes --type openvex --predicate openvex.json "$IMAGE_REF"

Use Cases

Use CaseCommandOutput
📋 Compliancesbom export --format cyclonedxProcurement/regulatory submissions
🔍 Auditsbom delta --from baseline --to currentTrack changes between releases
🛡️ Supply Chainsbom export --format spdxFeed to Dependency-Track, Grype
📝 Change Managementsbom deltaReview before merging upgrade PRs
Exploitabilitysbom vex --product <ref>OpenVEX attestation alongside the SBOM

Integrations

Dependency-Track

# Export and upload to Dependency-Track
vg sbom export --format cyclonedx --out sbom.cdx.json
curl -X POST "https://dtrack.example.com/api/v1/bom" \
  -H "X-Api-Key: $DTRACK_API_KEY" \
  -F "bom=@sbom.cdx.json"

Grype Vulnerability Scanning

# Export and scan with Grype
vg sbom export --format spdx --out sbom.spdx.json
grype sbom:sbom.spdx.json

Related Commands

Example use cases

Expand any use case to watch a live replay of the real @vibgrate/cli running against one of our test repositories. Nothing executes in your browser — these are recordings of actual runs, with the scan time shown as of now.

vg sbom export --format cyclonedx --out sbom.cdx.json

Related Documentation

Related Help Articles