Skip to main content
Commands

vg scan --vulns

Detect known vulnerabilities in installed dependencies against the OSV database — online or air-gapped — with severity, CVSS, the fixing version, and git attribution.

Overview

vg scan --vulns adds known-vulnerability detection to a scan. It matches every installed dependency against the public OSV database and reports each advisory with its severity, CVSS score, and the version that fixes it.

Opt in: vulnerability detection is off by default — add --vulns, or run vg scan --full for drift, vulnerabilities, and a banned-dependency report together.


Usage

vg scan --vulns
vg scan --full

How Detection Works

Vibgrate reads the installed version of each dependency from your lockfile and queries OSV for advisories affecting that exact version. Each finding carries the advisory id and CVE, a qualitative severity derived from the CVSS v3 vector, the affected package and version, and the fixing version when one is published.

Critical and high findings are emitted as errors and moderate as warnings, so --fail-on gates apply to vulnerabilities just as they do to drift.


Offline / Air-Gapped

Supply advisories in a package-version manifest and skip the network entirely:

vg scan --vulns --offline --package-manifest ./package-versions.zip

Supported Ecosystems

Detection reads each project's lockfile, covering npm / pnpm / yarn, pip / poetry / pipenv, cargo, composer, bundler, go, pub, hex, NuGet, and Maven/Gradle.


Exposure Attribution

In a git repository, each finding is attributed to the commit, author, and date that introduced the vulnerable version, with the days you have been exposed. Those windows roll up into CRA remediation metrics. See vg why.


In CI

vg scan --vulns --format sarif --out vibgrate.sarif --fail-on error

Upload the SARIF with the GitHub upload-sarif action to surface vulnerabilities in the Security tab.

On GitHub, the maintained vibgrate/cli Action does the scan, the PR gate, and the SARIF upload in one step (the workflow needs permissions: security-events: write):

- uses: actions/checkout@v4
  with:
    fetch-depth: 0
- uses: vibgrate/cli@v1
  with:
    vulns: true
    fail-on: error
    upload-sarif: true
    category: vibgrate-vulns

Related

  • vg scan — the base drift scan
  • vg why — who introduced a dependency or vulnerable version

Example use cases

Expand any use case to watch a live replay of the real @vibgrate/cli running against one of our test repositories. Nothing executes in your browser — these are recordings of actual runs, with the scan time shown as of now.

vg scan --vulns --offline --package-manifest package-versions.json

Related Documentation

Related Help Articles