Skip to main content
Vibgrate Cloud·dash.vibgrate.com

Drift insights for your
whole team

Vibgrate Cloud transforms CLI scan results into interactive reports, an estate inventory, security posture, modernization projects, governance and embeddable widgets — giving every stakeholder the context they need to act on technical debt.

Open Vibgrate CloudGet the CLI first

How it works

Vibgrate Cloud is the team-facing layer on top of the Vibgrate CLI. You push scan results with vibgrate push, and Vibgrate Cloud handles everything else — reports, trends, modernization tracking, and sharing.

1
Scan your codebase

Run the Vibgrate CLI locally or in CI to generate a drift report.

2
Push to Vibgrate Cloud

Upload results with `vibgrate push`. Your workspace is provisioned automatically.

3
Explore and act

Open Vibgrate Cloud to view reports, triage issues, and track upgrade work.

Drift Reports

Overview

Your whole codebase health, at a glance

Free

Every scan you push becomes a comprehensive drift report. See your estate DriftScore, how it breaks down across runtime, framework, dependency and EOL risk, and exactly what changed since the last scan.

  • Composite DriftScore broken down by runtime, framework, dependency and EOL risk
  • 30-day trend so you see drift improving or regressing after every push
  • Per-project scores inside monorepos
  • Code-quality signals — complexity, dead code and nesting — alongside drift
  • Shareable, exportable reports (PDF / JSON) for stakeholders and audits

Real dashboard widgets · swipe to explore

Scans & History

Scans

Every scan, tracked over time

Free

The Scans hub keeps a complete history of every scan — pushed from the CLI or run on a schedule — so you can watch your DriftScore move, catch regressions right after a release, and prove coverage across the estate.

  • Full scan history with DriftScore over any 7d / 30d / 90d window
  • Regression detection immediately after releases
  • Scan status, volume and duration at a glance
  • Scheduled and CI-pushed scans in one timeline
  • Per-repository scan coverage tracking

Real dashboard widgets · swipe to explore

Repository Portfolio

Estate

Every repo, ranked by health

Free

Connect GitHub, GitLab, Bitbucket or Azure DevOps and Vibgrate scores and ranks every repository by modernization risk — so you always know which repos need attention first.

  • Every connected repo scored and ranked by modernization risk
  • Health distribution across the entire estate
  • Drift and CVE status per repository
  • Works with GitHub, GitLab, Bitbucket and Azure DevOps
  • Filter and sort by environment, business unit or score

Real dashboard widgets · swipe to explore

Dependency Intelligence

Estate

Every package, version and upgrade path

Team

A live register of every dependency across all repositories — versions, licenses, duplicates and known vulnerabilities — with an upgrade backlog ranked by how much of your estate each fix improves.

  • Upgrade backlog ranked by how many repos each fix touches
  • Every dependency, version and license across all repos
  • Phantom, duplicated and deprecated packages surfaced automatically
  • Known CVEs mapped to affected and fixed-in versions
  • Supplier and license register for governance

Real dashboard widgets · swipe to explore

Security & Vulnerabilities

Security

Know your exposure before it becomes a breach

Team

Surface dependencies with known CVEs, end-of-life runtimes and insecure configurations. Every finding is enriched with severity, fixed-in version and OWASP category so your team can act fast.

  • Known CVEs with severity, CVSS and fixed-in guidance
  • EOL runtimes and frameworks flagged before they bite
  • OWASP Top 10 category mapping across the estate
  • Risk distribution and security posture over time
  • Secret-scanning and lockfile hygiene checks

Real dashboard widgets · swipe to explore

Architecture & Layers

Estate

Understand structure, not just dependencies

Team

Vibgrate detects your architecture archetype and maps the codebase into layers — frontend, backend, data, infra — so you can see where drift concentrates and understand the blast radius of an upgrade.

  • Automatic archetype detection — monorepo, microservices, modular monolith
  • Codebase mapped into layers: frontend, backend, data, infra
  • Layer-level drift and blast-radius for upgrades
  • Cross-layer dependency and service-coupling risk
  • Project-size classification across the estate

Real dashboard widgets · swipe to explore

Application Portfolio

Estate

Group repos into the apps your business runs

Team

Roll repositories up into the applications and business units your organization actually runs, so drift and risk are reported in terms leadership understands — by product, team and environment.

  • Group repositories into the applications your business runs
  • Roll drift and risk up to application and business-unit level
  • Technology mix across your whole portfolio
  • Discovery from scans, CMDB and manual mapping
  • Environment-aware views (prod, staging, dev)

Real dashboard widgets · swipe to explore

Integrations & Webhooks

Integrations

Drift signals in the tools you already use

Team

Push Vibgrate events into Slack, Jira, Linear, PagerDuty or any webhook receiver. Fire on new scans, threshold breaches, new CVEs and project updates — with signed payloads and a live delivery log.

  • Native Slack, Jira, Linear and PagerDuty connectors
  • Fire on scan pushed, threshold breached, CVE detected or project updated
  • Signed (HMAC) JSON payloads with full scan context
  • Automatic retries with exponential backoff
  • Live delivery log for debugging

Real dashboard widgets · swipe to explore

AI Copilot

AI

Ask questions about your estate in plain language

Team

The built-in Copilot turns your scan data into answers. Ask what is driving your DriftScore, which repos need attention, or what an upgrade will impact — and connect Claude Code over MCP to act on it.

  • Ask questions about your estate in plain language
  • Explains what is driving your DriftScore and what changed
  • Ranks what to fix first, with reasoning
  • Summarises the difference between any two scans
  • MCP token for Claude Code and other AI tools

Real dashboard widgets · swipe to explore

Modernization Projects

Act

Turn upgrade debt into tracked, completable work

Business

Create modernization projects from any set of drift findings, assign owners, set targets and watch progress update from real scan results — perfect for coordinating large dependency or framework migrations.

  • Turn scan findings into tracked, ownable projects
  • Auto-populate tasks from the highest-impact upgrades
  • Progress tied to real scan results, not manual updates
  • Effort-vs-value scoring to sequence the work
  • Roadmap, timeline and ROI views

Real dashboard widgets · swipe to explore

SBOM Hub

Govern

Generate, track and attest software bills of materials

Business

Produce CycloneDX and SPDX SBOMs from every scan, track component inventory and coverage, and attach vulnerabilities, licenses and signed attestations — then diff SBOMs between releases.

  • Generate CycloneDX / SPDX SBOMs from every scan
  • Track component inventory and coverage across repos
  • Vulnerabilities and licenses mapped to components
  • Build provenance and signed attestations
  • Diff SBOMs between releases

Real dashboard widgets · swipe to explore

Policies & Governance

Govern

Define the rules, prove compliance

Business

Codify your engineering standards as policies and enforce them across every repository. Compliance is scored per policy estate-wide, with violations grouped by category and exceptions tracked with owners and expiry.

  • Define policies once and enforce them across every repo
  • Compliance scored per policy, estate-wide
  • Violations grouped by category with drill-down
  • Exceptions with owners, expiry and audit log
  • Coverage heatmap across teams and services

Real dashboard widgets · swipe to explore

Approvals & Sign-off

Govern

Require sign-off before risky changes ship

Enterprise

Add human approval gates in front of high-risk changes. Route requests by risk and scope, track them against SLAs, delegate coverage, and keep a complete approval history for audit.

  • Require human sign-off before high-risk changes ship
  • Approval queues with SLAs and escalation
  • Policy-driven routing by risk and scope
  • Delegation and coverage so nothing blocks
  • Complete approval history for audit

Real dashboard widgets · swipe to explore

Which plan do I need?

Each feature above shows the minimum plan that unlocks it. Higher plans include everything below them.

Free
3 features unlock here
Team
6 features unlock here
Business
3 features unlock here
Enterprise
1 feature unlock here
See full pricing

See your codebase in Vibgrate Cloud

Run a scan with the CLI, push results, and your reports are live in under a minute.

Open Vibgrate CloudGet the CLI
08:53Z[DRIFT]Next.jsNext.js is 2 major versions behind (current: 14.2.35, latest: 16.1.6).
08:54Z[OWASP]A03:2021 – InjectionUnescaped user input rendered into HTML template (src/routes/admin.ts:42)
08:52Z[SCANNER]semgrepscan signature set is up to date
08:48Z[DRIFT]of dependencies are 2+ major versions behind in acme.39% of dependencies are 2+ major versions behind in acme.
08:50Z[OWASP]A02:2021 – Cryptographic FailuresJWT secret is hardcoded — use environment variables (src/auth/jwt.ts:18)
08:45Z[SCANNER]gitleaksscan signature set is up to date
08:43Z[DRIFT]@types/node@types/node is 3 major versions behind (spec: 22.15.29, latest: 25.2.3).
08:46Z[OWASP]A03:2021 – InjectionRegular expression built from user input — potential ReDoS (src/utils/search.ts:67)
08:38Z[SCANNER]trufflehogstatus: unavailable
08:38Z[DRIFT]electronelectron is 3 major versions behind (spec: ^37.6.0, latest: 40.4.1).
08:42Z[OWASP]A03:2021 – InjectiondangerouslySetInnerHTML used with potentially untrusted content (src/components/RichText.tsx:31)
08:33Z[DRIFT]@types/node@types/node is 5 major versions behind (spec: ^20.17.52, latest: 25.2.3).
08:38Z[OWASP]A05:2021 – Security MisconfigurationCookie set without httpOnly or secure flags (src/middleware/session.ts:12)
08:28Z[DRIFT]@types/supertest@types/supertest is 4 major versions behind (spec: ^2.0.16, latest: 6.0.3).
08:34Z[OWASP]A03:2021 – Injectioneval() called with dynamic expression (src/utils/template-engine.ts:88)
08:23Z[DRIFT]VitestVitest is 4 major versions behind (current: 0.34.6, latest: 4.0.18).
08:30Z[OWASP]A01:2021 – Broken Access ControlRedirect URL comes from user-controlled parameter (src/pages/auth/callback.tsx:15)
08:18Z[DRIFT]@types/node@types/node is 5 major versions behind (spec: ^20.8.0, latest: 25.2.3).
08:26Z[OWASP]A03:2021 – InjectionUnsanitised input passed to MongoDB query (src/services/users.ts:34)
08:13Z[DRIFT]vitestvitest is 4 major versions behind (spec: ^0.34.6, latest: 4.0.18).
08:22Z[OWASP]A03:2021 – InjectionChild process spawned with user-controlled arguments (src/utils/pdf-generator.ts:52)
08:08Z[DRIFT]of dependencies are 2+ major versions behind in @acme/api.31% of dependencies are 2+ major versions behind in @acme/api.
08:18Z[OWASP]A05:2021 – Security MisconfigurationExternal link opened without rel="noreferrer" (src/components/ExternalLink.tsx:8)
08:03Z[DRIFT]@types/node@types/node is 5 major versions behind (spec: ^20.11.0, latest: 25.2.3).
08:14Z[OWASP]A02:2021 – Cryptographic FailuresMath.random() used for token generation — use crypto.randomBytes (src/utils/token.ts:6)
07:58Z[DRIFT]of dependencies are 2+ major versions behind in @acme/workflow-engine.52% of dependencies are 2+ major versions behind in @acme/workflow-engine.
08:10Z[OWASP]A05:2021 – Security MisconfigurationExpress app without Helmet security headers middleware (src/server.ts:1)
07:53Z[DRIFT]@types/node@types/node is 5 major versions behind (spec: ^20.19.9, latest: 25.2.3).
07:48Z[DRIFT]@types/node@types/node is 3 major versions behind (spec: ^22.15.29, latest: 25.2.3).
08:53Z[DRIFT]Next.jsNext.js is 2 major versions behind (current: 14.2.35, latest: 16.1.6).
08:54Z[OWASP]A03:2021 – InjectionUnescaped user input rendered into HTML template (src/routes/admin.ts:42)
08:52Z[SCANNER]semgrepscan signature set is up to date
08:48Z[DRIFT]of dependencies are 2+ major versions behind in acme.39% of dependencies are 2+ major versions behind in acme.
08:50Z[OWASP]A02:2021 – Cryptographic FailuresJWT secret is hardcoded — use environment variables (src/auth/jwt.ts:18)
08:45Z[SCANNER]gitleaksscan signature set is up to date
08:43Z[DRIFT]@types/node@types/node is 3 major versions behind (spec: 22.15.29, latest: 25.2.3).
08:46Z[OWASP]A03:2021 – InjectionRegular expression built from user input — potential ReDoS (src/utils/search.ts:67)
08:38Z[SCANNER]trufflehogstatus: unavailable
08:38Z[DRIFT]electronelectron is 3 major versions behind (spec: ^37.6.0, latest: 40.4.1).
08:42Z[OWASP]A03:2021 – InjectiondangerouslySetInnerHTML used with potentially untrusted content (src/components/RichText.tsx:31)
08:33Z[DRIFT]@types/node@types/node is 5 major versions behind (spec: ^20.17.52, latest: 25.2.3).
08:38Z[OWASP]A05:2021 – Security MisconfigurationCookie set without httpOnly or secure flags (src/middleware/session.ts:12)
08:28Z[DRIFT]@types/supertest@types/supertest is 4 major versions behind (spec: ^2.0.16, latest: 6.0.3).
08:34Z[OWASP]A03:2021 – Injectioneval() called with dynamic expression (src/utils/template-engine.ts:88)
08:23Z[DRIFT]VitestVitest is 4 major versions behind (current: 0.34.6, latest: 4.0.18).
08:30Z[OWASP]A01:2021 – Broken Access ControlRedirect URL comes from user-controlled parameter (src/pages/auth/callback.tsx:15)
08:18Z[DRIFT]@types/node@types/node is 5 major versions behind (spec: ^20.8.0, latest: 25.2.3).
08:26Z[OWASP]A03:2021 – InjectionUnsanitised input passed to MongoDB query (src/services/users.ts:34)
08:13Z[DRIFT]vitestvitest is 4 major versions behind (spec: ^0.34.6, latest: 4.0.18).
08:22Z[OWASP]A03:2021 – InjectionChild process spawned with user-controlled arguments (src/utils/pdf-generator.ts:52)
08:08Z[DRIFT]of dependencies are 2+ major versions behind in @acme/api.31% of dependencies are 2+ major versions behind in @acme/api.
08:18Z[OWASP]A05:2021 – Security MisconfigurationExternal link opened without rel="noreferrer" (src/components/ExternalLink.tsx:8)
08:03Z[DRIFT]@types/node@types/node is 5 major versions behind (spec: ^20.11.0, latest: 25.2.3).
08:14Z[OWASP]A02:2021 – Cryptographic FailuresMath.random() used for token generation — use crypto.randomBytes (src/utils/token.ts:6)
07:58Z[DRIFT]of dependencies are 2+ major versions behind in @acme/workflow-engine.52% of dependencies are 2+ major versions behind in @acme/workflow-engine.
08:10Z[OWASP]A05:2021 – Security MisconfigurationExpress app without Helmet security headers middleware (src/server.ts:1)
07:53Z[DRIFT]@types/node@types/node is 5 major versions behind (spec: ^20.19.9, latest: 25.2.3).
07:48Z[DRIFT]@types/node@types/node is 3 major versions behind (spec: ^22.15.29, latest: 25.2.3).