Overview
The vg sbom command family provides supply-chain evidence — Software Bill of Materials (SBOM) export, dependency deltas, and OpenVEX exploitability statements — for compliance, audit, and supply chain security workflows.
Three commands: sbom export generates SBOMs, sbom delta compares dependency changes, and sbom vex produces OpenVEX documents.
Usage
# Export SBOM from scan artifact
vg sbom export [options]
# Compare dependencies between two scans
vg sbom delta --from <file> --to <file> [options]
# Generate an OpenVEX document
vg sbom vex [options]
sbom export
Options
| Flag | Default | Description |
|---|
--in <file> | .vibgrate/scan_result.json | Input scan artifact |
--format <type> | cyclonedx | SBOM format: cyclonedx, spdx |
--out <file> | stdout | Output file path |
Supported Formats
Examples
# Export CycloneDX SBOM
vg sbom export --format cyclonedx --out sbom.cdx.json
# Export SPDX SBOM
vg sbom export --format spdx --out sbom.spdx.json
# Export from specific artifact
vg sbom export --in ./archive/scan-q1.json --out sbom-q1.cdx.json
sbom delta
Options
| Flag | Required | Description |
|---|
--from <file> | ✅ | First (older) scan artifact |
--to <file> | ✅ | Second (newer) scan artifact |
--out <file> | — | Output file path |
Example
vg sbom delta \
--from .vibgrate/baseline.json \
--to .vibgrate/scan_result.json \
--out dependency-changes.json
Delta Output
{
"summary": {
"added": 5,
"removed": 2,
"changed": 12,
"driftDelta": -8
},
"changes": [
{
"package": "lodash",
"type": "upgraded",
"from": "4.17.19",
"to": "4.17.21"
},
{
"package": "moment",
"type": "removed",
"note": "Replaced with date-fns"
}
]
}
sbom vex
Generate a spec-compliant OpenVEX document stating the exploitability of components, ready to attach as a signed attestation. The generator is input-agnostic — it assembles a complete document from the statements you supply, so it works regardless of which scanner flagged the components. A zero-statement document is valid and honest: it asserts no known affected components.
Options
| Flag | Default | Description |
|---|
--from <file> | — | Read statements from a JSON file (array, or an object with a statements array) |
--statement <json> | — | Add a statement as inline JSON (repeatable) |
--product <ref> | — | Default product for statements without their own (e.g. an image digest) |
--author <name> | Vibgrate | Document author |
--timestamp <iso> / --id <uri> | — | Pin for reproducible output |
--out <file> | stdout | Output file path |
Example
# Generate VEX and attest it to a signed image
vg sbom vex --product "$IMAGE_REF" \
--statement '{"vulnerability":"CVE-2024-1","status":"not_affected","justification":"vulnerable_code_not_present"}' \
--out openvex.json
cosign attest --yes --type openvex --predicate openvex.json "$IMAGE_REF"
Use Cases
| Use Case | Command | Output |
|---|
| 📋 Compliance | sbom export --format cyclonedx | Procurement/regulatory submissions |
| 🔍 Audit | sbom delta --from baseline --to current | Track changes between releases |
| 🛡️ Supply Chain | sbom export --format spdx | Feed to Dependency-Track, Grype |
| 📝 Change Management | sbom delta | Review before merging upgrade PRs |
| ✅ Exploitability | sbom vex --product <ref> | OpenVEX attestation alongside the SBOM |
Integrations
Dependency-Track
# Export and upload to Dependency-Track
vg sbom export --format cyclonedx --out sbom.cdx.json
curl -X POST "https://dtrack.example.com/api/v1/bom" \
-H "X-Api-Key: $DTRACK_API_KEY" \
-F "bom=@sbom.cdx.json"
Grype Vulnerability Scanning
# Export and scan with Grype
vg sbom export --format spdx --out sbom.spdx.json
grype sbom:sbom.spdx.json
Related Commands