What is a DriftScore?
Every software stack drifts over time. Runtimes age past their support window, frameworks reach end-of-life, dependencies accumulate known vulnerabilities. Your DriftScore measures that exposure in a single, actionable number — the metric at the heart of Code Drift Intelligence.
Software drifts from its known-good baseline
Even a codebase that was fully up-to-date six months ago is drifting right now. EOL calendars roll forward, CVEs are published daily, and framework maintainers drop support without announcement. Teams that don't actively track this accumulate invisible risk.
Dependencies age
npm, pip, Maven, Cargo — packages stop receiving security patches long before teams notice.
Frameworks go EOL
Node LTS, Python minor versions, .NET releases — every major ecosystem has a clock ticking.
OWASP risks accumulate
Vulnerable transitive dependencies hide deep in the dependency graph, not just among your direct dependencies.
How DriftScore works
Vibgrate CLI scans your repository and collects the runtime versions, framework versions, and dependency manifests it finds. Each item is scored against:
- EOL dates from 2,400+ tracked runtimes and frameworks
- Major-version lag for runtimes and core frameworks
- CycloneDX and SPDX SBOM formats for dependency provenance
- Age and maintenance status of direct and transitive dependencies
Those individual signals are normalized and combined into a single 0–100 DriftScore. A score of 0 means every component is current. A score of 100 means everything is maximally drifted. Most production repos sit somewhere in between — and Vibgrate shows you exactly where. Known vulnerabilities are a separate, opt-in check: add vg scan --vulns to include vulnerability data from OSV.
What Vibgrate measures
Node, Python, Ruby, Java, Go, .NET, PHP, and hundreds more — every major ecosystem.
Pulled from authoritative upstream sources and updated continuously.
Read and write industry-standard SBOMs for supply-chain compliance.
How to use your DriftScore
Run vg in your repo
Install Vibgrate CLI and run vg in any repository. Bare vg scans the current directory — no path needed.
Get your DriftScore in seconds
The Vibgrate CLI analyzes your runtimes, frameworks, and dependencies against live EOL and version data and prints a 0–100 DriftScore with a breakdown by risk category.
Connect to Vibgrate Cloud
Push results to Vibgrate Cloud for historical trending, team-wide reporting, and portfolio-level DriftScore tracking across all your repos.