Skip to main content
Reference

Supply Chain Inventory

Use Vibgrate artifacts for SBOM-ready supply chain governance.

Overview

Vibgrate artifacts include dependency graph and package inventory data for supply-chain governance:

  • Lockfile-derived countstotalUnique, totalInstalled
  • Duplicate-version hotspots — prioritize remediation
  • Phantom dependency evidence — undeclared dependencies
  • Inventory metadata — pairs with SBOM pipelines

SBOM Export

Generate standards-based SBOMs:

# CycloneDX
vg sbom export --format cyclonedx --out sbom.cdx.json

# SPDX
vg sbom export --format spdx --out sbom.spdx.json

Raw Inventory

Access inventory data directly from scan_result.json:

{
  "dependencyGraph": {
    "totalUnique": 245,
    "totalInstalled": 892,
    "duplicates": [...],
    "phantomDependencies": [...]
  }
}

Integration Options

Choose between:

  • Built-in SBOM exportvg sbom export
  • Raw inventory consumption — parse scan_result.json
  • Custom SBOM pipelines — use inventory data as input

Use Cases

  • Procurement compliance: Generate SBOMs for vendors
  • Vulnerability management: Feed to Dependency-Track, Grype
  • Audit trail: Track dependency changes over releases
  • License compliance: Inventory all third-party packages

Related Documentation

Related Help Articles