Overview
vg scan --vulns adds known-vulnerability detection to a scan. It matches every installed dependency against the public OSV database and reports each advisory with its severity, CVSS score, and the version that fixes it.
Opt in: vulnerability detection is off by default — add --vulns, or run vg scan --full for drift, vulnerabilities, and a banned-dependency report together.
Usage
vg scan --vulns
vg scan --full
How Detection Works
Vibgrate reads the installed version of each dependency from your lockfile and queries OSV for advisories affecting that exact version. Each finding carries the advisory id and CVE, a qualitative severity derived from the CVSS v3 vector, the affected package and version, and the fixing version when one is published.
Critical and high findings are emitted as errors and moderate as warnings, so --fail-on gates apply to vulnerabilities just as they do to drift.
Offline / Air-Gapped
Supply advisories in a package-version manifest and skip the network entirely:
vg scan --vulns --offline --package-manifest ./package-versions.zip
Supported Ecosystems
Detection reads each project's lockfile, covering npm / pnpm / yarn, pip / poetry / pipenv, cargo, composer, bundler, go, pub, hex, NuGet, and Maven/Gradle.
Exposure Attribution
In a git repository, each finding is attributed to the commit, author, and date that introduced the vulnerable version, with the days you have been exposed. Those windows roll up into CRA remediation metrics. See vg why.
In CI
vg scan --vulns --format sarif --out vibgrate.sarif --fail-on error
Upload the SARIF with the GitHub upload-sarif action to surface vulnerabilities in the Security tab.
On GitHub, the maintained vibgrate/cli Action does the scan, the PR gate, and the SARIF upload in one step (the workflow needs permissions: security-events: write):
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: vibgrate/cli@v1
with:
vulns: true
fail-on: error
upload-sarif: true
category: vibgrate-vulns