Overview
Vibgrate artifacts include dependency graph and package inventory data for supply-chain governance:
- Lockfile-derived counts —
totalUnique,totalInstalled - Duplicate-version hotspots — prioritize remediation
- Phantom dependency evidence — undeclared dependencies
- Inventory metadata — pairs with SBOM pipelines
SBOM Export
Generate standards-based SBOMs:
# CycloneDX
vg sbom export --format cyclonedx --out sbom.cdx.json
# SPDX
vg sbom export --format spdx --out sbom.spdx.json
Raw Inventory
Access inventory data directly from scan_result.json:
{
"dependencyGraph": {
"totalUnique": 245,
"totalInstalled": 892,
"duplicates": [...],
"phantomDependencies": [...]
}
}
Integration Options
Choose between:
- Built-in SBOM export —
vg sbom export - Raw inventory consumption — parse
scan_result.json - Custom SBOM pipelines — use inventory data as input
Use Cases
- Procurement compliance: Generate SBOMs for vendors
- Vulnerability management: Feed to Dependency-Track, Grype
- Audit trail: Track dependency changes over releases
- License compliance: Inventory all third-party packages