Frequently Asked Questions
Find answers to common questions about migrations, cloud platforms, best practices, and the Vibgrate platform. Expert guidance for your migration journey.
What is Vibgrate?
Vibgrate is a command-line tool (CLI) that scans your codebase for upgrade drift — the gap between the dependency versions you run and the versions you should run. It produces a deterministic DriftScore (0–100) and actionable findings to help you maintain healthy, up-to-date software.
What is the DriftScore and how is it calculated?
The DriftScore is a metric from 0–100 that represents how far behind your codebase is relative to current stable ecosystem baselines. Lower scores mean a healthier upgrade posture — 0 means no drift (fully current) and 100 means maximum drift. Higher is worse. It's calculated from four weighted components: Runtime (Node.js/.NET version lag), Frameworks (major version distance for React, Next.js, etc.), Dependencies (age distribution across all deps), and EOL Risk (proximity to end-of-life dates).
What do the DriftScore risk levels mean?
Scores of 0–30 indicate Low risk (you're in good shape — little to no drift). Scores of 31–60 indicate Moderate risk (some attention needed). Scores of 61–100 indicate High risk (significant upgrade debt). The score is deterministic — the same inputs always produce the same score, making it suitable for CI quality gates.
What does Vibgrate Cloud show?
Vibgrate Cloud provides a shared view of drift across your projects, including historical trend charts, portfolio-level risk assessment, and team visibility. You can track drift scores over time, compare projects, and monitor improvement trends. Uploading to Vibgrate Cloud is always optional — the CLI provides full value locally without any server connection.
How do I install Node.js to run the Vibgrate CLI?
The Vibgrate CLI requires Node.js >= 22.0.0. On macOS, install via Homebrew: brew install node@22. On Windows, download from nodejs.org or use winget install OpenJS.NodeJS.LTS. On Linux, use your package manager or nvm: nvm install 22. Verify installation with node --version.
How do I install Node.js on macOS?
Use Homebrew (recommended): brew install node@22. Alternatively, use nvm for version management: curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash then nvm install 22. You can also download the installer directly from nodejs.org. After installation, verify with node --version to ensure you have version 20 or higher.
How do I install Node.js on Windows?
Use winget (recommended): winget install OpenJS.NodeJS.LTS. Alternatively, download the Windows installer from nodejs.org and run it. You can also use Chocolatey: choco install nodejs-lts. After installation, open a new terminal and verify with node --version. Note: You may need to restart your terminal or computer for PATH changes to take effect.
How do I install the Vibgrate CLI?
Install as a dev dependency in your project: npm install -D @vibgrate/cli@latest (or use pnpm, yarn, bun). You can also run without installing using npx: npx @vibgrate/cli scan. For global installation: npm install -g @vibgrate/cli@latest. After installation, run vibgrate --help to see available commands.
How do I run my first scan?
Run vg scan in your project directory. The scan recursively discovers projects (package.json, .csproj, pom.xml, requirements.txt), detects runtime versions and dependencies, queries registries for latest versions, computes drift, and generates findings. The default output is a colored, human-readable report in your terminal.
What does the scan command analyze?
The scan analyzes: runtime versions (Node.js, .NET, Python, Java, Go, Rust, PHP, Ruby, and more), framework versions (React, Next.js, Angular, Vue, NestJS, etc.), all dependencies from manifests like package.json, .csproj, requirements.txt, pom.xml, go.mod, Cargo.toml, composer.json, or Gemfile, lockfile data (duplicates, phantom deps), TypeScript configuration (strict mode, module system), and end-of-life risk for runtimes. Core analysis reads only manifest/config files — no source code execution.
How do I create a drift baseline?
Run vg baseline to perform a full scan and save the result to .vibgrate/baseline.json. This snapshot becomes your reference point for measuring whether drift is improving or worsening. Commit the baseline to version control so all branches compare against the same reference. Use vg init --baseline to create both config and baseline in one step.
What output formats does the scan support?
Four formats: Text (default, colored human-readable), JSON (full artifact for automation), SARIF (for GitHub Code Scanning, Azure DevOps), and Markdown (for PRs, wikis, docs). Use --format json, --format sarif, or --format md. Use --out filename to write to a file instead of stdout.
How do I set up the DSN (Data Source Name) for dashboard uploads?
Set the VIBGRATE_DSN environment variable with your DSN token. System-wide: add export VIBGRATE_DSN="your-dsn" to ~/.zshrc or ~/.bashrc (macOS/Linux) or set via System Properties > Environment Variables (Windows). Project-level: add to your .env file (never commit this). In CI, store as a secret (GitHub Secrets, Azure DevOps Variables, GitLab CI Variables).
What are the best practices for managing the VIBGRATE_DSN?
Never commit DSN tokens to source control. Store DSNs as CI/CD secrets. Use separate DSNs for different environments (dev, staging, production) if needed. Rotate DSN tokens periodically. For local development, add VIBGRATE_DSN to your .env file and ensure .env is in .gitignore. In CI, always use the secret manager provided by your platform.
How do I set environment variables on macOS?
For zsh (default on modern macOS): add export VIBGRATE_DSN="your-dsn" to ~/.zshrc, then run source ~/.zshrc. For bash: add to ~/.bash_profile or ~/.bashrc. For a single session: run export VIBGRATE_DSN="your-dsn" directly in terminal. Project-level: create a .env file with VIBGRATE_DSN=your-dsn and use a tool like direnv or dotenv to load it.
How do I set environment variables on Windows?
GUI method: Search 'Environment Variables' > Edit system environment variables > Environment Variables button > User variables > New > Name: VIBGRATE_DSN, Value: your-dsn. Command line (current session): set VIBGRATE_DSN=your-dsn (cmd) or $env:VIBGRATE_DSN="your-dsn" (PowerShell). Persistent via PowerShell: [Environment]::SetEnvironmentVariable('VIBGRATE_DSN', 'your-dsn', 'User'). Restart terminals after changes.
What are common errors when running the CLI on Windows?
Common issues: 'node' is not recognized (Node.js not in PATH — restart terminal or reinstall). Execution policy errors in PowerShell (run Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned). Long path errors (enable long paths: registry key HKLM\SYSTEM\CurrentControlSet\Control\FileSystem LongPathsEnabled=1). Permission denied on node_modules (run terminal as Administrator or fix folder permissions).
What are common errors when running the CLI on macOS?
Common issues: 'command not found: vibgrate' (package not installed globally or npx not used). Permission denied (use sudo cautiously or fix with sudo chown -R $(whoami) ~/.npm). EACCES errors (npm cache permissions — run npm cache clean --force). SSL certificate errors (try npm config set strict-ssl false temporarily). xcode-select errors (run xcode-select --install).
How do I fix permission denied errors on macOS?
For npm global packages: avoid sudo, instead fix ownership with sudo chown -R $(whoami) ~/.npm and sudo chown -R $(whoami) /usr/local/lib/node_modules. For project files: chmod -R u+rw your-project/. If using nvm, permission issues are rare since packages install in your home directory. For EACCES on .vibgrate folder: chmod -R 755 .vibgrate.
How do I fix permission denied errors on Windows?
Run terminal as Administrator (right-click > Run as Administrator). For persistent issues: check folder permissions (Properties > Security tab), ensure your user has Full Control. For npm global packages: consider using nvm-windows which avoids permission issues. If antivirus is blocking: add node.exe and your project folder to exclusions. For file locking errors: close VS Code or other editors accessing the files.
What does the vg init command do?
The vg init command sets up Vibgrate in your project by creating a .vibgrate/ directory for scan artifacts and baselines, plus a vibgrate.config.ts file with sensible defaults. Use --baseline to also create an initial drift baseline. Use --yes to skip confirmation prompts. This is typically the first command when adopting Vibgrate.
What flags does the scan command support?
Key flags: --format (text/json/sarif/md), --out (output file), --fail-on (error/warn - exit code 2 if findings exist), --baseline (compare against baseline), --drift-budget (fail if score exceeds value), --drift-worsening (fail if drift worsens by %), --push (upload to dashboard), --dsn (DSN for push), --offline (no network calls), --max-privacy (minimal data collection).
How do I upload scan results to the dashboard?
Use vibgrate push after running a scan, or combine them with vg scan --push. The DSN is read from VIBGRATE_DSN environment variable or pass with --dsn. Use --strict to fail if upload fails (for CI). Use --region eu for EU data residency. Uploading to Vibgrate Cloud is always optional — the CLI provides full value locally.
How do I generate reports from existing scans?
Use vg report to render existing scan artifacts into different formats without re-scanning. By default, it reads .vibgrate/scan_result.json. Use --in path/to/artifact.json for a specific file. Use --format md for Markdown (great for PRs), --format text, or --format json. The report command never runs a new scan.
How do I export SBOMs from Vibgrate scans?
Use vg sbom export to emit CycloneDX or SPDX SBOMs from scan artifacts. Example: vg sbom export --format cyclonedx --out sbom.cdx.json. Use vg sbom delta --from old.json --to new.json to compare dependencies between two scans, showing packages added, removed, or changed. Use vg sbom vex --product <ref> --statement '{...}' --out openvex.json to generate a spec-compliant OpenVEX document of exploitability statements you can attach as a signed attestation.
How do I integrate Vibgrate into CI/CD pipelines?
The CLI requires no login for scanning and returns meaningful exit codes (0=success, 2=threshold exceeded). Basic CI integration: npx @vibgrate/cli scan --fail-on error. For drift budgets: add --baseline .vibgrate/baseline.json --drift-budget 40. For SARIF upload (GitHub Code Scanning): add --format sarif --out vibgrate.sarif. Works with GitHub Actions, Azure DevOps, GitLab CI, Jenkins, and any CI system with Node.js.
How do I upload SARIF results to GitHub Code Scanning?
Run scan with SARIF output: npx @vibgrate/cli scan --format sarif --out vibgrate.sarif --fail-on error. Then use github/codeql-action/upload-sarif@v3 with sarif_file: vibgrate.sarif. Requires security-events: write permission. Findings appear in the Security tab and inline on PRs.
How do I gate pull requests on known vulnerabilities with GitHub Actions?
Use the maintained vibgrate/cli Action: `uses: vibgrate/cli@v1` with `vulns: true`, `fail-on: error`, and `upload-sarif: true`. It scans installed dependencies against OSV, fails the check on critical/high findings (blocking the merge), and uploads the SARIF to code scanning in one step — the workflow needs `permissions: security-events: write`. Check out with `fetch-depth: 0` so each finding is attributed to the commit that introduced it. The copy-paste template is examples/github-actions/vulnerabilities-sarif.yml; the raw-CLI equivalent is `npx @vibgrate/cli scan --vulns --format sarif --out vibgrate.sarif --fail-on error` followed by github/codeql-action/upload-sarif@v3.
What languages and ecosystems does Vibgrate support?
Vibgrate supports Node.js/TypeScript (package.json, npm/pnpm/yarn/bun lockfiles), .NET (*.csproj, *.sln, NuGet), Python (requirements.txt, pyproject.toml, Pipfile, setup.py), and Java (pom.xml for Maven, build.gradle for Gradle). Each ecosystem gets drift analysis against its respective package registry (npm, NuGet, PyPI, Maven Central).
Does Vibgrate support monorepos?
Yes. Vibgrate automatically discovers every project in your workspace (multiple package.json files, .csproj files, go.mod, etc.). For npm/pnpm/yarn workspaces, each package is scanned individually and scores aggregate up. Each project is also automatically sized for billing into a micro, small or standard tier, so a serverless monorepo of hundreds of tiny functions costs only a fraction of its raw count — we bill billable projects, not detected projects. Use exclude patterns in vibgrate.config.ts to skip directories like examples/** or legacy/**, or pass --exclude (alias -e) on the command line for a single run; CLI excludes are merged with the config list.
How do I configure Vibgrate?
Create a vibgrate.config.ts (or .js/.json) file in your project root. Configure exclude patterns to skip directories, thresholds to control finding severity (eolDays, frameworkMajorLag, dependencyTwoPlusPercent), and scanners to enable/disable extended scanners. Run vg init to generate a default config file. For one-off runs you can also add excludes on the command line with vg scan --exclude <glob> (alias -e), which are merged with the config exclude list.
What are extended scanners?
Beyond core drift scoring, Vibgrate runs extended scanners: Platform Matrix (detects OS-specific dependencies), Dependency Risk (deprecated packages, native modules), TypeScript Modernity (strict mode analysis), Security Posture (lockfile presence, .gitignore coverage), Build & Deploy (CI systems, Docker, IaC detection), and more. All are read-only and can be individually toggled in config.
What is a drift budget and how do I use it?
A drift budget sets a maximum acceptable drift score. Use --drift-budget 40 to fail the scan (exit code 2) if your drift score exceeds 40. Combine with --drift-worsening 5 to fail if drift has worsened by more than 5% compared to baseline. This creates 'fitness functions' that prevent drift regression in CI.
What do the CLI exit codes mean?
Exit code 0: Success (scan completed, all gates passed). Exit code 1: Runtime error (invalid flags, missing files, crash). Exit code 2: Threshold exceeded (--fail-on severity gate or drift budget/worsening gate triggered). Use these codes to control CI pipeline flow.
Can I run Vibgrate without internet access?
Yes. Use --offline with --package-manifest ./latest-packages.zip (pre-downloaded manifest). Download the manifest from github.com/vibgrate/manifests on a connected machine, transfer to your air-gapped environment, then run offline scans. Offline scores are as current as the manifest file. Pushing to Vibgrate Cloud is unavailable in offline mode.
What data does Vibgrate collect?
Vibgrate is privacy-first. It NEVER reads source code (only manifest/config files), never scans for secrets, never reads environment values, never accesses git identity data. It DOES collect package names and versions, config structure flags (e.g., strict: true), file names/sizes (not contents), and public registry metadata. Use --max-privacy for minimal collection.
Should I use npx or install Vibgrate globally?
Use npx @vibgrate/cli scan for one-off scans without installation — always gets the latest version. For projects, install as devDependency (npm install -D @vibgrate/cli@latest) for reproducible scans with a pinned version. Avoid global install (npm install -g) in CI; prefer npx or project-local install for consistency.
I'm getting Node.js version errors. What should I do?
Vibgrate requires Node.js >= 22.0.0. Check your version: node --version. If too old, upgrade using nvm (nvm install 22), Homebrew (brew upgrade node), or download from nodejs.org. If you have multiple Node versions, use nvm or similar to switch: nvm use 22. CI environments should specify node-version: 22 in their setup steps.
The scan says lockfile not found. Is that a problem?
Lockfile warnings indicate you don't have a package-lock.json, yarn.lock, pnpm-lock.yaml, or bun.lockb. This affects dependency graph analysis and duplicate detection but won't block the scan. For full analysis, generate a lockfile: npm install (creates package-lock.json), yarn install (creates yarn.lock), or pnpm install (creates pnpm-lock.yaml).
How do I scan a specific directory instead of the whole project?
Pass the path as an argument: vg scan packages/api or vg scan /absolute/path/to/project. The scan will discover projects recursively from that path. To exclude subdirectories, use the exclude array in vibgrate.config.ts, or pass --exclude (alias -e) on the command line for a one-off scan — for example vg scan --exclude "legacy/**" --exclude "vendor/**". The flag is repeatable, accepts comma/semicolon-separated values, and is merged with (not a replacement for) the config exclude list.
What's the difference between --fail-on error and --fail-on warn?
--fail-on error exits with code 2 only if error-level findings exist (e.g., runtime near EOL, framework 3+ majors behind). --fail-on warn exits with code 2 if warning-level OR error-level findings exist. Use --fail-on error in CI to catch critical issues; add --fail-on warn when you want stricter enforcement.
How do I update the Vibgrate CLI?
Run vg update to check for and install updates. Use --check to see if updates are available without installing. For project installs: npm update @vibgrate/cli@latest or reinstall with npm install -D @vibgrate/cli@latest. For npx users, it automatically fetches the latest version each time.
Why is the scan taking a long time?
Slow scans are usually due to registry network calls. Try --concurrency 16 to increase parallel registry requests. For repeated scans, results are cached. If scanning many projects in a monorepo, consider excluding irrelevant directories. For air-gapped or slow networks, use --offline with a pre-downloaded manifest.
Should I add .vibgrate to .gitignore?
Add .vibgrate/scan_result.json to .gitignore (it changes on every scan). Keep .vibgrate/baseline.json in version control so CI can compare against it and all branches use the same reference. The generated vibgrate.config.ts should also be committed.
How does Vibgrate analyze TypeScript configuration?
Vibgrate reads tsconfig.json to assess TypeScript modernity: TypeScript version, strict mode flags (strict, noImplicitAny, strictNullChecks), module system (module, moduleResolution, target), and ESM vs CJS classification. Strict TypeScript configurations score higher in the modernity assessment. This is part of the extended scanners.
What data residency options are available for the dashboard?
Vibgrate supports US (default, us.ingest.vibgrate.com) and EU (eu.ingest.vibgrate.com) data residency. Use --region eu with the push command to route data to the EU endpoint. You can also specify the region when creating a DSN: vibgrate dsn create --workspace ws-123 --region eu.
What are EOL (End of Life) findings?
EOL findings alert you when your runtime (Node.js, .NET, Python) is approaching or past its end-of-life date. Running unsupported runtimes poses security risks. Default threshold: error if EOL is within 180 days. Adjust in vibgrate.config.ts under thresholds.failOnError.eolDays. Check nodejs.org/en/about/releases for Node.js EOL dates.
How do I interpret scan findings?
Findings have three severity levels: error (critical issues like EOL runtime, 3+ major framework lag), warning (moderate issues like 2 major framework lag, 30%+ deps behind), and info (informational items). Each finding includes a rule ID, message, description, and location. Address error-level findings first, then warnings.
The scan mentions missing security scanners. What should I do?
Extended security scanners check for installed tools like npm audit. If tools are missing, install the recommended tools manually (for example via Homebrew on macOS). These scanners are optional — core drift analysis runs regardless of whether security tools are installed.
Can I use Vibgrate programmatically in my own code?
Yes. Import types from @vibgrate/cli@latest for type-safe access to scan artifacts: import type { VibgrateConfig, ScanArtifact, DriftScore, Finding } from '@vibgrate/cli@latest'. Read .vibgrate/scan_result.json as JSON and type it as ScanArtifact. Schema is versioned (schemaVersion: '1.0') for stability.
I'm getting network timeout errors during scans. How do I fix this?
Network timeouts usually occur when querying package registries. Solutions: increase timeout with --timeout 60000, reduce concurrency with --concurrency 4, or use offline mode with a pre-downloaded manifest. If behind a corporate proxy, ensure npm is configured: npm config set proxy http://proxy:port. Check your network connectivity to registry.npmjs.org.
How do I compare two scan results?
Use vg sbom delta --from old-scan.json --to new-scan.json to see dependencies added, removed, and changed between scans. For drift score comparison, use baselines: create a baseline, run a new scan with --baseline .vibgrate/baseline.json, and the output shows the delta. Vibgrate Cloud also shows historical trends.
How do I generate a DSN token?
Run vibgrate dsn create --workspace ws-abc123 to generate an HMAC-signed DSN token. Use --region eu for EU data residency. Use --write .vibgrate/.dsn to save to a file (add to .gitignore). The DSN format is: vibgrate+https://<key_id>:<secret>@<ingest_host>/<workspace_id>. Never commit DSN tokens to source control.
How do I scan a Node.js or TypeScript project?
Run vg scan in your project directory. Vibgrate detects package.json files, lockfiles (npm, pnpm, yarn), .nvmrc/.node-version, and tsconfig.json. It analyzes runtime version, framework versions (React, Next.js, etc.), all dependencies from package.json, lockfile duplicates, and TypeScript modernity. Works with monorepos automatically.
How do I scan a .NET project?
Run vg scan /path/to/dotnet-solution. Vibgrate discovers .sln and .csproj files, evaluates target framework version (net6.0, net7.0, net8.0), .NET SDK version from global.json, NuGet packages from PackageReference elements, and EOL risk for .NET versions. Each project gets its own drift score, with aggregate scores for solutions.
How do I scan a Python project?
Run vg scan /path/to/python-project. Vibgrate detects requirements.txt, pyproject.toml, setup.py, and Pipfile. It analyzes Python version from .python-version or pyproject.toml, all dependencies, package version lag against PyPI, and EOL risk for Python versions. Supports Poetry, PEP 621, and Pipenv formats.
How do I scan a Java project?
Run vg scan /path/to/java-project. Vibgrate discovers pom.xml (Maven) and build.gradle/build.gradle.kts (Gradle) files. It analyzes Java version, all dependencies, package version lag against Maven Central, framework versions (Spring Boot, Quarkus, etc.), and EOL risk. Multi-module projects are fully supported.
How do I set up Vibgrate in Azure DevOps?
Add NodeTool@0 task with versionSpec: '22.x', then run npx @vibgrate/cli scan --fail-on error. For SARIF artifacts: add --format sarif --out vibgrate.sarif, then use PublishBuildArtifacts@1 task. Store VIBGRATE_DSN in pipeline variables for dashboard push. Works with both classic and YAML pipelines.
How do I set up Vibgrate in GitLab CI?
Use node:22 image and run npx @vibgrate/cli scan --format sarif --out vibgrate.sarif --fail-on error. Add artifacts.reports.sast: vibgrate.sarif for SAST integration. Findings appear in Security Dashboard and merge requests. Store VIBGRATE_DSN in CI/CD variables for pushing to Vibgrate Cloud.
How do I run Vibgrate in Jenkins?
Use node:22 Docker image or ensure Node.js 22+ is installed on agents. Run npx @vibgrate/cli scan --format sarif --out vibgrate.sarif --fail-on error. Archive vibgrate.sarif as artifact. The CLI returns exit code 2 on threshold failures, which Jenkins interprets as build failure. No special plugin required.
What is the baseline.json file for?
The .vibgrate/baseline.json file is a snapshot of your drift score at a point in time. It serves as a reference point for CI gates — you can fail builds if drift worsens beyond a threshold compared to baseline. Create it with vg baseline after your main branch is stable. Commit it to version control. Refresh after planned upgrade sprints.
What is the scan_result.json file?
The .vibgrate/scan_result.json file is the full output artifact from your most recent scan. It contains all raw data, scores, findings, and VCS metadata in a stable JSON schema (schemaVersion: '1.0'). Add it to .gitignore since it changes on every scan. Use it for programmatic consumption or to generate reports with vg report.
What are native module warnings?
Native module warnings indicate your project depends on packages that compile native code (e.g., sharp, bcrypt, node-gyp). These can cause issues when building on different architectures (ARM vs x64) or operating systems. The Platform Matrix scanner detects these to help predict where builds might break during CI runner or container migrations.
What do deprecated package warnings mean?
Deprecated package warnings appear when the npm registry marks a package as deprecated. This usually means the package is unmaintained, has security issues, or has been replaced by a better alternative. Common examples: request, node-sass, tslint, moment. Replace these packages to improve your drift score and reduce security risk.
What does --max-privacy mode do?
--max-privacy enables hardened privacy mode: runs only minimal scanners, writes no local artifacts (.vibgrate/*.json), and reduces data collection to the bare minimum needed for drift scoring. Use this in highly regulated environments or when you want to minimize any local file writes.
What does the --changed-only flag do?
The --changed-only flag scans only files that have changed (typically detected via git diff). This speeds up scans in CI by skipping unchanged projects in monorepos. Useful for pull request checks where you only care about drift in modified code. Still compares against full baseline for accurate regression detection.
What does --strict do on the push command?
When --strict is set, the push command exits with error code if the dashboard upload fails (network error, authentication problem, etc.). Without --strict, push failures are logged but don't affect the exit code. Use --strict in CI when you want builds to fail if metrics can't be uploaded to the dashboard.
What payment methods does Vibgrate accept?
Vibgrate accepts all major credit and debit cards including Visa, Mastercard, American Express, and Discover. Payments are processed securely through Stripe, a PCI-compliant payment processor. All transactions are charged in USD. For Enterprise plans, we can also accommodate invoicing and wire transfers upon request.
What is the difference between monthly and annual billing?
Monthly billing charges your card each month at the listed price. Annual billing charges once per year at a discounted rate — you pay for ten months and get two months free. Vibgrate prices per billable project on a banded scale, so your annual total is simply ten months of your monthly estimate. Use the calculator on the pricing page to compare monthly and annual side by side. You can switch billing cycles at any time from your account settings.
Can I switch from monthly to annual billing?
Yes, you can switch from monthly to annual billing at any time from your account settings. When you switch, you'll receive a prorated credit for any unused time on your current monthly subscription, which is applied to your annual payment. The annual plan begins immediately and you'll start saving right away.
How do I update my payment information?
To update your payment method, log into Vibgrate Cloud at dash.vibgrate.com, navigate to Settings > Billing, and click 'Update Payment Method'. You can add a new card or update your existing card details. Changes take effect immediately. You'll also receive email notifications before any payment is processed.
How does proration work when I upgrade or downgrade my plan?
When you upgrade, you're charged immediately for the difference between your current plan and the new plan, prorated for the remaining time in your billing cycle. When you downgrade, you'll receive a credit toward future invoices for the unused portion of your current plan. Changes take effect immediately.
Where can I find my invoices and receipts?
All invoices and receipts are available in your Vibgrate Cloud under Settings > Billing > Invoice History. You can view, download as PDF, or email any invoice to your accounts payable team. Invoices are also automatically sent to the billing email on file after each successful payment.
What currency is Vibgrate billed in, and is tax included?
All Vibgrate subscriptions are billed in US Dollars (USD). Prices shown on the pricing page are exclusive of tax. Depending on your location, applicable sales tax, VAT, or GST may be added to your invoice at checkout. Tax amounts are calculated automatically by Stripe based on your billing address.
How do I cancel my Vibgrate subscription?
To cancel, go to Vibgrate Cloud at dash.vibgrate.com, navigate to Settings > Billing, and click 'Cancel Subscription'. Your access continues until the end of your current billing period. You won't be charged again after cancellation. Your data is retained for 30 days after expiration in case you decide to resubscribe.
What is Vibgrate's refund policy?
We offer a full refund within 14 days of your initial purchase if you're not satisfied. For annual subscriptions, refund requests after 14 days are handled on a case-by-case basis with a prorated amount. To request a refund, contact support@vibgrate.com with your account details. Refunds are typically processed within 5-10 business days.
What happens if my payment fails?
If a payment fails, we'll notify you by email and automatically retry the charge after 3 days. We'll make up to 3 retry attempts over 9 days. During this time, your service continues uninterrupted. If all retries fail, your subscription will be paused until you update your payment method in Settings > Billing.
How does micro-project pricing work?
We don't bill every package as a full project. Each scanned project is automatically sized into one of four tiers — nano, micro, small or standard — and billed as a fraction of a project: standard counts as 1, small as one third (⅓), micro as one tenth (⅒), and nano as one twenty-fifth (1/25). We total the fractions across your estate and round down to the nearest whole number. That total is your billable projects. For example, a serverless monorepo with 247 detected projects might be just 49 billable projects.
How is a project's size — and its billing fraction — decided?
By three measured signals on every scan: source-file count, source byte size, and declared dependency count. A project lands in the lowest tier whose limits it meets on at least two of the three. Nano requires under 10 source files, under 1 MB of source, and under 5 dependencies; Micro requires under 20 source files, under 2.5 MB of source, and under 10 dependencies; Small requires under 30 source files, under 5 MB of source, and under 25 dependencies; anything larger is Standard. It's automatic — there is nothing to configure and no way to manually reclassify a project.
Does a big lockfile push my project into a higher billing tier?
No. Size is measured on source code only. Lockfiles (such as pnpm-lock.yaml, package-lock.json, yarn.lock, Cargo.lock, go.sum and poetry.lock), generated manifests, vendored dependency directories like node_modules, vendor, and CocoaPods Pods (and Carthage), and build output like dist or .next are all excluded from the file-count and byte-size signals. A single pnpm-lock.yaml can exceed 1 MB on its own, so excluding it is exactly why a one-file Lambda with a big lockfile is still correctly billed as nano.
My project grew into a bigger tier. Will my bill jump immediately?
No. A project's tier is re-evaluated on every scan, but billing changes are applied carefully so your bill never rises unexpectedly mid-month. If a project crosses up a tier, it keeps its cheaper rate for the rest of the current billing cycle and the higher rate takes effect from the next cycle — the pending change is flagged in advance in the dashboard as a pending upgrade. If a project shrinks, the cheaper rate applies immediately.
How is the billable project number rounded?
Always down to the nearest whole number — never to nearest, never up. We add up each project's fraction (standard ×1, small ×⅓, micro ×⅒, nano ×1/25) to get a raw total, then floor it. So 1.9 billable raw is billed as 1, and nine micro-projects (0.9 raw) cost nothing. Rounding down at the estate level is what lets a monorepo of tiny functions sit cheaply — or even free — under governance.
Do nano, micro and small projects count for less toward my DriftScore?
No — billing weight is not risk weight. Every project, whatever its size, is fully included in your DriftScore, the portfolio view, and every risk and compliance report. Only the billing fraction is reduced. A nano project that is dangerously out of date still shows full risk on the CTO dashboard; it just costs a twenty-fifth of a standard project to govern.
What is a container?
A container is a lightweight, standalone unit that packages an application together with its dependencies, libraries, and configuration so it runs consistently across environments. Containers share the host operating system kernel and isolate processes using OS features such as namespaces and cgroups, which makes them far smaller and faster to start than virtual machines. They are the standard way to build, ship, and run cloud-native applications. Docker popularized the format, and the Open Container Initiative (OCI) now defines the image and runtime standards.
What is the difference between a Docker container and a virtual machine?
A virtual machine (VM) virtualizes hardware and runs a full guest operating system on top of a hypervisor, so each VM carries its own kernel and is heavy in size and boot time. A container virtualizes the operating system instead, sharing the host kernel and isolating only the application and its dependencies, which makes it megabytes rather than gigabytes and starts in seconds. VMs offer stronger isolation and can run different operating systems, while containers offer higher density and faster deployment. Many production systems combine both, running containers inside VMs for layered isolation.
What is Kubernetes?
Kubernetes is an open-source platform for automating the deployment, scaling, and operation of containerized applications. It groups containers into logical units, schedules them across a cluster of machines, restarts failed workloads, and rolls out updates without downtime. Originally developed at Google and now governed by the Cloud Native Computing Foundation (CNCF), it has become the de facto standard for container orchestration. Users describe the desired state in declarative manifests, and Kubernetes continuously reconciles the actual state to match it.
What is the difference between a Kubernetes pod and a container?
A container is a single packaged process, while a pod is the smallest deployable unit in Kubernetes and can hold one or more containers that share the same network namespace and storage volumes. Containers in a pod are always scheduled together on the same node and can communicate over localhost. Most pods run a single primary container, but a pod may include helper containers such as sidecars or init containers. Kubernetes manages pods, not individual containers, when scaling and scheduling.
What is a service mesh?
A service mesh is an infrastructure layer that manages communication between microservices, handling traffic routing, load balancing, retries, encryption, and observability without changing application code. It typically works by injecting a lightweight proxy (a sidecar) alongside each service that intercepts all network traffic. Popular implementations include Istio, Linkerd, and Consul. A service mesh is most valuable in large microservice deployments where consistent security, reliability, and telemetry are needed across many services.
What is serverless computing?
Serverless computing is a cloud model where the provider automatically provisions, scales, and manages the servers, so developers deploy code that runs on demand without managing infrastructure. Functions-as-a-Service (FaaS) offerings such as AWS Lambda, Azure Functions, and Google Cloud Functions run code in response to events and bill only for actual execution time. Serverless suits event-driven, spiky, or unpredictable workloads and removes the need for capacity planning. Trade-offs include cold-start latency, execution time limits, and reduced control over the runtime environment.
What is the difference between IaaS, PaaS, and SaaS?
These are the three main cloud service models, distinguished by how much the provider manages. **IaaS** (Infrastructure as a Service) provides raw compute, storage, and networking, such as virtual machines, leaving the operating system and applications to you. **PaaS** (Platform as a Service) adds a managed runtime and tooling so you deploy code without managing servers. **SaaS** (Software as a Service) delivers fully managed applications over the internet, where you only configure and use the software. The trade-off is control versus operational burden: IaaS gives the most control, SaaS the least.
What is autoscaling in the cloud?
Autoscaling automatically adjusts the number of running resources, such as virtual machines, containers, or pods, in response to demand or defined metrics. Horizontal scaling adds or removes instances, while vertical scaling changes the size of an existing instance. Scaling policies can be reactive, triggered by metrics like CPU or request rate, or predictive, based on forecasted load. Autoscaling improves resilience and cost efficiency by matching capacity to actual usage instead of provisioning for peak load.
What is a cloud landing zone?
A landing zone is a pre-configured, secure, and scalable cloud environment that establishes a baseline for accounts, networking, identity, security, and governance before workloads are deployed. It codifies best practices such as account separation, centralized logging, guardrail policies, and standardized networking so teams can onboard new workloads quickly and safely. AWS Control Tower, Azure Landing Zones, and Google Cloud foundations provide reference implementations. Landing zones are a foundational step in enterprise cloud adoption at scale.
What is the difference between cloud regions and availability zones?
A region is a distinct geographic area where a cloud provider operates data centers, chosen for proximity to users, latency, and data-residency requirements. An availability zone (AZ) is one or more isolated data centers within a region, each with independent power, cooling, and networking. Regions are far apart and isolate large-scale failures and legal boundaries, while AZs within a region are close enough for low-latency replication but isolated enough to survive a single data-center outage. Deploying across multiple AZs is the standard pattern for high availability.
What is multi-cloud?
Multi-cloud is the practice of using services from more than one cloud provider, such as AWS, Azure, and Google Cloud, within a single organization or architecture. Reasons include avoiding vendor lock-in, meeting regulatory or data-residency needs, using best-of-breed services, and improving resilience. Multi-cloud differs from hybrid cloud, which combines public cloud with on-premises infrastructure. The main challenges are added operational complexity, inconsistent tooling and APIs, and the need for skills across multiple platforms.
When should I use Kubernetes?
Kubernetes makes sense when you run many containerized services that need automated scaling, self-healing, rolling updates, and consistent deployment across environments. It is a strong fit for microservice architectures, multi-team platforms, and workloads with variable load. For a single small application or a simple website, Kubernetes often adds unnecessary operational complexity, and a managed container service, platform-as-a-service, or serverless option may be simpler. The decision should weigh the operational cost of running Kubernetes against the scale and flexibility you actually need.
What is a sidecar container?
A sidecar is a secondary container that runs alongside the main application container in the same pod to extend or support it without changing the application itself. Common uses include log shipping, metrics collection, configuration syncing, and acting as a service-mesh proxy. Because containers in a pod share the network and can share storage, the sidecar can transparently intercept traffic or read and write the same files. The sidecar pattern keeps cross-cutting concerns separate from business logic and reusable across services.
What is a Kubernetes ingress controller?
An ingress controller is a component that implements Kubernetes Ingress resources, routing external HTTP and HTTPS traffic to services inside the cluster based on rules such as hostnames and URL paths. The Ingress object defines the routing rules, but a controller, such as NGINX, Traefik, or a cloud load-balancer integration, must be installed to enforce them. Ingress controllers commonly handle TLS termination, name-based virtual hosting, and path-based routing. They provide a single, centralized entry point instead of exposing each service separately.
What is a container image?
A container image is a read-only template that contains everything needed to run an application: code, runtime, libraries, environment variables, and configuration. Images are built in layers, where each instruction adds a layer that can be cached and shared, making builds and distribution efficient. When you run an image, the container engine adds a writable layer on top to create a running container. Images follow the Open Container Initiative (OCI) standard and are stored in registries such as Docker Hub or a private registry.
What is a container registry?
A container registry is a storage and distribution system for container images, allowing them to be pushed after a build and pulled at deployment time. Public registries such as Docker Hub host shared images, while private registries such as Amazon ECR, Google Artifact Registry, Azure Container Registry, and Harbor host an organization's own images. Registries support versioning through tags and digests and often add features like vulnerability scanning, access control, and image signing. They are a core part of any container delivery pipeline.
What is the difference between hybrid cloud and multi-cloud?
Hybrid cloud combines private infrastructure, such as on-premises data centers or a private cloud, with one or more public clouds, integrating them so workloads and data can move between them. Multi-cloud means using two or more public cloud providers, with or without any private infrastructure. Hybrid cloud is often driven by data sovereignty, latency, or legacy systems that cannot move, while multi-cloud is driven by avoiding lock-in and choosing best-of-breed services. The terms overlap, and an architecture can be both hybrid and multi-cloud at once.
What is infrastructure as code?
Infrastructure as code (IaC) is the practice of defining and provisioning infrastructure, such as servers, networks, and databases, through machine-readable configuration files rather than manual setup. Declarative tools like Terraform and AWS CloudFormation describe the desired end state, while imperative tools specify the steps to reach it. IaC makes infrastructure versionable, repeatable, reviewable, and testable, reducing configuration drift and manual error. It is a foundation of modern DevOps and reliable cloud operations.
What is container orchestration?
Container orchestration is the automated management of the lifecycle of containers across a cluster of machines, including scheduling, scaling, networking, load balancing, and self-healing. As the number of containers grows, manual management becomes impractical, and an orchestrator handles placement, restarts failed containers, and rolls out updates safely. Kubernetes is the dominant orchestrator, with alternatives such as Docker Swarm, HashiCorp Nomad, and managed services like Amazon ECS. Orchestration is what makes large-scale containerized systems operable and reliable.
What is a Kubernetes namespace?
A namespace is a way to divide a single Kubernetes cluster into multiple virtual clusters, providing a scope for names and a boundary for resources. Namespaces let teams or environments such as development, staging, and production share one cluster while keeping their objects logically separated. They enable resource quotas, access control through role-based policies, and network policies to be applied per group. Namespaces provide logical isolation but not strong security isolation between workloads on their own.
What does cloud native mean?
Cloud native describes an approach to building and running applications that fully exploits the elasticity, automation, and managed services of the cloud. It commonly combines containers, microservices, declarative infrastructure, continuous delivery, and dynamic orchestration so systems scale on demand and recover from failure automatically. The Cloud Native Computing Foundation (CNCF) stewards many of the core technologies, including Kubernetes. Being cloud native is about architecture and practices, not just running software on a cloud provider.
What is a Kubernetes service?
A Kubernetes Service is an abstraction that gives a stable network identity and address to a dynamic set of pods, since pods are ephemeral and their IP addresses change. It load-balances traffic across the matching pods using label selectors, so clients connect to the service rather than to individual pods. Common types are ClusterIP for internal access, NodePort and LoadBalancer for external access, and ExternalName for mapping to an external host. Services are how reliable communication between components is achieved inside a cluster.
What is the difference between SQL and NoSQL databases?
SQL (relational) databases store data in tables with fixed schemas and use SQL for queries, offering strong consistency and powerful joins; examples include PostgreSQL, MySQL, and SQL Server. NoSQL databases trade rigid schemas for flexibility and horizontal scale, and come in families such as document (MongoDB), key-value (Redis), wide-column (Cassandra), and graph (Neo4j). Use SQL when you need complex relationships, transactions, and ad-hoc queries; reach for NoSQL when you need schema flexibility, very high write throughput, or scale-out across many nodes. Many systems use both, choosing the right store per workload.
What does ACID mean in databases?
ACID is a set of guarantees that make database transactions reliable: Atomicity (a transaction either fully completes or fully rolls back), Consistency (a transaction moves the database from one valid state to another), Isolation (concurrent transactions do not interfere with each other), and Durability (committed changes survive crashes). These properties are the foundation of relational databases and are essential for workloads like financial transfers. The opposing model, often called BASE, relaxes some of these guarantees for higher availability and scale.
What is the CAP theorem?
The CAP theorem states that a distributed data store can provide at most two of three guarantees at the same time: Consistency (every read sees the latest write), Availability (every request gets a non-error response), and Partition tolerance (the system keeps working despite network failures between nodes). Because network partitions are unavoidable in real distributed systems, the practical choice is between consistency and availability during a partition. CP systems reject some requests to stay consistent, while AP systems stay available but may return stale data. In practice, partition tolerance is a given, so the trade-off is really CP versus AP.
What is database sharding?
Sharding is a horizontal partitioning technique that splits a large dataset across multiple database instances, each holding a subset of the rows. A shard key (such as a user ID) determines which shard a record lives on, letting the system spread storage and query load across many servers. It enables scale beyond what a single machine can handle but adds complexity: cross-shard queries, joins, and transactions become harder, and choosing a poor shard key can create hot spots. Sharding is typically a last resort after vertical scaling, read replicas, and caching are exhausted.
What is the difference between normalization and denormalization?
Normalization organizes data to eliminate redundancy by splitting it into related tables, which reduces anomalies and keeps a single source of truth for each fact. Denormalization deliberately reintroduces redundancy, duplicating data across tables to avoid expensive joins and speed up reads. Normalized schemas favor write integrity and storage efficiency, while denormalized schemas favor read performance at the cost of more complex updates. OLTP systems lean toward normalization, whereas analytics and read-heavy systems often denormalize.
What is a database index and why does it matter?
An index is a separate data structure, usually a B-tree, that lets the database find rows matching a query without scanning the entire table. It dramatically speeds up reads on indexed columns, much like the index in the back of a book. The trade-off is that indexes consume storage and slow down writes, since every insert, update, or delete must also maintain the index. Choosing the right columns to index, and avoiding redundant indexes, is one of the most impactful database tuning tasks.
What is the difference between OLTP and OLAP?
OLTP (Online Transaction Processing) handles many short, concurrent transactions like orders, payments, and updates, optimized for fast writes and row-level access with normalized schemas. OLAP (Online Analytical Processing) supports complex analytical queries over large historical datasets, optimized for aggregation and reads, often using columnar storage and denormalized or star schemas. In short, OLTP runs the business in real time while OLAP analyzes it. Data is typically moved from OLTP systems into OLAP systems such as data warehouses through ETL or ELT pipelines.
What is the difference between a data warehouse, a data lake, and a lakehouse?
A data warehouse stores structured, modeled data optimized for fast SQL analytics, typically loaded through schema-on-write pipelines; examples include Snowflake, BigQuery, and Redshift. A data lake stores raw data of any type (structured, semi-structured, or unstructured) cheaply in object storage with schema-on-read, which is flexible but can become a disorganized 'data swamp.' A lakehouse combines both: it keeps data in open formats on cheap object storage while adding warehouse-style features such as ACID transactions, schema enforcement, and performance via table formats like Delta Lake, Apache Iceberg, or Hudi. The lakehouse aims to serve both data science and BI from one copy of the data.
What is the difference between ETL and ELT?
ETL (Extract, Transform, Load) transforms data before loading it into the target system, which suited traditional warehouses with limited compute and enforced quality up front. ELT (Extract, Load, Transform) loads raw data first and transforms it inside the target using its compute, which fits modern cloud warehouses and lakes that scale elastically. ELT keeps raw data available for reprocessing and lets analysts transform with SQL using tools like dbt, while ETL can reduce storage and apply governance before landing. The right choice depends on your platform's compute model, governance needs, and data volume.
What is change data capture (CDC)?
Change data capture is a technique that detects and streams row-level changes (inserts, updates, deletes) from a source database so downstream systems can stay in sync in near real time. The most efficient approach reads the database transaction log (such as the MySQL binlog or PostgreSQL WAL) rather than repeatedly polling tables, which avoids extra load and captures every change in order. CDC powers data replication, cache invalidation, search indexing, and feeding data lakes and streaming pipelines. Common tools include Debezium, and many managed services offer built-in CDC.
What is eventual consistency?
Eventual consistency is a model in distributed systems where replicas may temporarily hold different values, but if no new writes occur they will all converge to the same value over time. It trades the immediate, strong consistency of ACID systems for higher availability and lower latency, which is the AP side of the CAP theorem. It is well suited to use cases that tolerate brief staleness, such as social feeds, shopping carts, or DNS, but poorly suited to operations like bank balances that demand strict accuracy. Techniques like read-your-writes consistency and conflict resolution help manage the trade-offs.
What is the difference between a primary key and a foreign key?
A primary key uniquely identifies each row in a table and cannot be null or duplicated; it is the column (or set of columns) the database uses to address a specific record. A foreign key is a column in one table that references the primary key of another table, establishing a relationship and enforcing referential integrity so you cannot reference a row that does not exist. For example, an orders table might have a customer_id foreign key pointing to the customers table's primary key. Together they model relationships and keep the data consistent across tables.
What is a materialized view?
A materialized view is a database object that stores the precomputed result of a query physically on disk, unlike a regular view which runs its query every time it is accessed. This makes reads of expensive aggregations or joins very fast, at the cost of stale data and the need to refresh. Refreshes can be manual, scheduled, or in some databases incremental, updating only what changed. Materialized views are common in analytics and reporting where the same heavy query is run repeatedly and slight staleness is acceptable.
When should I use Redis?
Redis is an in-memory key-value data store known for very low latency, making it ideal as a cache in front of a slower primary database. Beyond caching, it is widely used for session storage, rate limiting, leaderboards, real-time counters, pub/sub messaging, and simple queues, thanks to rich data structures like sorted sets and hashes. Because data lives in memory, it is fast but capacity is bounded by RAM and durability requires configuring persistence or replication. Use it to offload read-heavy or latency-sensitive workloads, not as the system of record for critical data unless durability is carefully configured.
What is a vector database?
A vector database stores and searches high-dimensional vector embeddings, the numeric representations of text, images, or other data produced by machine learning models. Instead of exact matching, it finds the nearest vectors by similarity using approximate nearest neighbor (ANN) algorithms such as HNSW, enabling semantic search. They are central to AI applications like retrieval-augmented generation (RAG), recommendation systems, and image search. Options include dedicated stores like Pinecone, Milvus, Qdrant, and Weaviate, as well as vector extensions for existing databases such as pgvector for PostgreSQL.
What is database replication?
Replication keeps copies of a database on multiple servers, typically a primary that accepts writes and one or more replicas that receive the changes. It improves read scalability by spreading queries across replicas, increases availability through failover if the primary fails, and can place data closer to users geographically. Replication can be synchronous, where a write waits for replicas to confirm (stronger consistency, higher latency), or asynchronous, where replicas lag slightly behind (faster writes, possible stale reads). It differs from backups, which protect against data loss but are not live copies serving traffic.
What is a data pipeline?
A data pipeline is a series of automated steps that move data from sources to destinations, transforming and validating it along the way so it is ready for analytics, machine learning, or applications. Pipelines can run in batch (processing data on a schedule) or streaming mode (processing events continuously as they arrive). Orchestration tools such as Apache Airflow, Dagster, or Prefect schedule and monitor the steps, handling dependencies, retries, and failures. Reliable pipelines emphasize idempotency, observability, and data quality checks so downstream consumers can trust the output.
What is the difference between batch and stream processing?
Batch processing handles large volumes of data in scheduled chunks, such as a nightly job that aggregates the previous day's sales; it is simple and efficient but introduces latency. Stream processing handles data continuously as individual events arrive, enabling near real-time results for use cases like fraud detection, monitoring, and live dashboards. Streaming frameworks such as Apache Flink, Kafka Streams, and Spark Structured Streaming manage state, windowing, and exactly-once semantics. Many architectures combine both, using streaming for low-latency needs and batch for heavy historical reprocessing.
What is columnar storage and why is it faster for analytics?
Columnar storage organizes data on disk by column rather than by row, so all values of a single column are stored together. Analytical queries that scan or aggregate a few columns across millions of rows read only the relevant columns, drastically reducing I/O compared with row storage. Storing similar values together also yields excellent compression, further cutting scan cost. Formats like Apache Parquet and ORC, and warehouses like BigQuery and Redshift, use columnar layouts, which is why they excel at OLAP while row stores remain better for OLTP point lookups and writes.
What is Apache Parquet?
Apache Parquet is an open, columnar file format designed for efficient storage and querying of large analytical datasets. It stores data by column, which enables strong compression and lets query engines read only the columns they need, and it embeds schema and statistics that allow engines to skip irrelevant data blocks. Parquet is the de facto standard in data lakes and lakehouses and is supported by Spark, Trino, BigQuery, Snowflake, and most modern tools. It is preferred over row formats like CSV or JSON for analytics because it is far smaller and faster to scan.
What is data partitioning?
Partitioning divides a large table or dataset into smaller, manageable pieces based on a key such as date, region, or category. In databases it improves query performance through partition pruning, where the engine skips partitions that cannot match a query, and it makes maintenance like dropping old data efficient. In data lakes, partitioning by columns (for example, year/month/day directories) lets engines read only relevant files. Partitioning differs from sharding: partitioning typically splits data within a single system, while sharding spreads it across separate database instances.
What is data modeling?
Data modeling is the practice of defining how data is structured, related, and stored to meet an application's or analytics needs. It usually progresses from a conceptual model (high-level entities and relationships), to a logical model (attributes, keys, and normalization rules), to a physical model (concrete tables, types, and indexes for a specific database). In analytics, dimensional modeling with star and snowflake schemas organizes data into fact and dimension tables for fast querying. Good modeling balances integrity, performance, and clarity, and shapes how easily the system can evolve.
What is the difference between REST and GraphQL?
REST exposes data through multiple fixed endpoints, each returning a predefined resource representation, and relies on HTTP verbs and status codes. GraphQL exposes a single endpoint and lets the client specify exactly which fields it wants in one query, avoiding over-fetching and under-fetching. REST is simpler to cache with standard HTTP tooling, while GraphQL offers flexible queries at the cost of more complex caching and server-side query-cost controls. Choose REST for simple, resource-oriented APIs and GraphQL when clients need varied, nested data with fewer round trips.
What is gRPC and when should I use it?
gRPC is a high-performance remote procedure call framework that uses Protocol Buffers for compact binary serialization and HTTP/2 for transport, including multiplexed streams. It supports unary calls plus client, server, and bidirectional streaming, and generates strongly typed client and server stubs from a `.proto` contract. gRPC excels for low-latency, high-throughput service-to-service communication inside a network. It is less suited to direct browser use, where REST or GraphQL over JSON is usually easier, though gRPC-Web bridges some of that gap.
What is an API gateway?
An API gateway is a server that sits in front of one or more backend services and acts as a single entry point for clients. It handles cross-cutting concerns such as routing, authentication, rate limiting, request and response transformation, caching, and observability, so individual services do not each reimplement them. In microservice architectures it also aggregates calls and shields clients from internal topology changes. Common implementations include managed offerings and self-hosted proxies like Kong, Envoy, and NGINX.
What is the difference between OAuth 2.0 and OpenID Connect?
OAuth 2.0 is an authorization framework: it lets an application obtain delegated access to resources on a user's behalf without sharing the user's credentials, issuing access tokens for that purpose. OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 that adds authentication, returning a signed ID token (a JWT) describing who the user is. In short, OAuth answers "what can this app access" and OIDC answers "who is this user." Use OIDC when you need login and user identity, and plain OAuth when you only need delegated authorization.
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format that carries claims as a base64url-encoded header, payload, and signature separated by dots. The signature, using HMAC or a public/private key, lets a recipient verify the token was issued by a trusted party and not altered, without a database lookup. JWTs are widely used for stateless authentication and for passing identity claims between services. Note that the payload is encoded, not encrypted, so it should never contain secrets, and tokens should be short-lived because they are hard to revoke before expiry.
Sessions vs tokens: what is the difference for authentication?
Session-based authentication stores state on the server and gives the client an opaque session ID, usually in a cookie; the server looks up the session on each request, which makes revocation easy but requires shared session storage to scale. Token-based authentication, typically using JWTs, encodes the user's identity and claims in a self-contained token the server verifies by signature, avoiding a lookup but making early revocation harder. Sessions suit traditional server-rendered apps; tokens suit stateless APIs, mobile clients, and distributed services. Many systems combine both, using short-lived access tokens with server-tracked refresh tokens.
What is CORS and why do I get CORS errors?
Cross-Origin Resource Sharing (CORS) is a browser security mechanism that controls whether a web page can make requests to a different origin (scheme, host, or port) than the one that served it. Browsers block such cross-origin requests by default unless the responding server returns headers like `Access-Control-Allow-Origin` that explicitly permit them. CORS errors mean the server did not return the required headers, not that the request itself failed on the server. The fix is to configure the API to allow the calling origin, methods, and headers; for credentialed requests the server must echo a specific origin rather than a wildcard.
What is rate limiting and how does it work?
Rate limiting caps how many requests a client may make in a given window to protect a service from overload, abuse, and runaway costs. Common algorithms include the token bucket and leaky bucket, which allow bursts up to a limit, and fixed or sliding windows that count requests per interval. When a client exceeds the limit the API typically returns HTTP 429 Too Many Requests, often with a `Retry-After` header. Limits are usually keyed by API key, user, or IP, and well-behaved clients should back off and retry rather than hammering the endpoint.
What does idempotency mean in APIs?
An operation is idempotent if performing it multiple times has the same effect as performing it once. In HTTP, GET, PUT, and DELETE are defined as idempotent while POST generally is not, which matters when a network error makes a client unsure whether its request succeeded. Designing idempotent endpoints lets clients safely retry without creating duplicate side effects such as double charges or duplicate records. For inherently non-idempotent operations, an idempotency key lets the server deduplicate retries.
What is an idempotency key?
An idempotency key is a unique client-generated identifier, often a UUID, sent with a request so the server can recognize and safely deduplicate retries of the same operation. On the first request the server processes it and stores the result keyed by that value; if a retry arrives with the same key, the server returns the original result instead of repeating the side effect. This is essential for non-idempotent operations like payments or order creation where network failures may prompt automatic retries. Keys are usually passed in a header such as `Idempotency-Key` and expire after a defined window.
What is a webhook?
A webhook is a way for one system to push real-time notifications to another by sending an HTTP POST to a URL the receiver registered in advance. Instead of the receiver repeatedly polling for changes, the source service calls back when an event occurs, such as a payment succeeding or a build finishing. Receivers should verify authenticity, commonly via an HMAC signature header, respond quickly with a 2xx, and process work asynchronously. Because delivery can fail or duplicate, robust webhook handlers are idempotent and rely on the sender's retry mechanism.
What is the difference between HTTP/2 and HTTP/3?
HTTP/2 introduced multiplexing of multiple requests over a single TCP connection, header compression, and server push, reducing latency compared with HTTP/1.1. However, because it runs over TCP, packet loss on one stream stalls all streams, a problem called head-of-line blocking. HTTP/3 solves this by running over QUIC, a transport built on UDP, where streams are independent so loss affects only the affected stream, and it integrates TLS 1.3 for faster connection setup. HTTP/3 also resumes connections more smoothly across network changes, benefiting mobile clients.
What is TLS and how does it secure connections?
Transport Layer Security (TLS) is the protocol that encrypts data in transit, providing confidentiality, integrity, and server authentication for HTTPS and many other protocols. During the handshake the client and server agree on cipher suites and use the server's certificate, validated against a trusted certificate authority, to establish session keys via key exchange. Once established, application data is encrypted with symmetric keys for performance. TLS 1.3, the current major version, removed legacy insecure options and reduced the handshake to fewer round trips.
What is mutual TLS (mTLS)?
Mutual TLS extends standard TLS so that both the client and the server present and verify certificates, rather than only the client verifying the server. This gives strong, bidirectional authentication without passwords or bearer tokens, since each side proves its identity with a private key. mTLS is widely used for service-to-service communication, especially inside service meshes and zero-trust networks, where every workload gets a short-lived certificate. The trade-off is the operational overhead of issuing, rotating, and revoking many certificates.
What is DNS and how does it work?
The Domain Name System (DNS) translates human-readable names like example.com into the IP addresses machines use to route traffic. A resolver queries a hierarchy of servers, from root to top-level domain to the domain's authoritative name server, caching answers along the way based on each record's time-to-live (TTL). Common record types include A and AAAA for addresses, CNAME for aliases, MX for mail, and TXT for verification and policy data. DNS changes propagate gradually because caches honor the TTL, which is why updates are not always instant.
What is the difference between TCP and UDP?
TCP is a connection-oriented transport protocol that guarantees ordered, reliable delivery using handshakes, acknowledgments, retransmission, and flow and congestion control. UDP is connectionless and sends datagrams with no delivery guarantees, ordering, or congestion control, trading reliability for lower latency and overhead. Use TCP when correctness and completeness matter, such as web pages, APIs, and file transfer. Use UDP when speed and timeliness matter more than perfect delivery, such as live video, voice, gaming, and DNS lookups.
What is a CDN?
A content delivery network (CDN) is a geographically distributed set of edge servers that cache and serve content close to users, reducing latency and offloading origin servers. When a user requests a resource, the nearest edge node serves it from cache or fetches it from the origin and stores it for subsequent requests. CDNs accelerate static assets like images, scripts, and video, and increasingly run logic at the edge and absorb traffic spikes and DDoS attacks. Cache behavior is controlled by HTTP headers such as `Cache-Control` and by configurable invalidation.
What are common API versioning strategies?
API versioning lets you evolve an interface without breaking existing clients. Common approaches are URI versioning (`/v1/orders`), which is explicit and cache-friendly; header or media-type versioning, which keeps URLs stable but is less visible; and query-parameter versioning, which is simple but easy to overlook. A strong practice is to version only on breaking changes, add new fields additively, and document deprecation timelines clearly. Whichever scheme you pick, apply it consistently and give clients a clear migration path before retiring an old version.
What is the difference between an access token and a refresh token?
An access token is a short-lived credential a client sends with each request to prove it is authorized to call an API, typically expiring in minutes. A refresh token is a longer-lived credential used only to obtain new access tokens when the current one expires, without forcing the user to log in again. Keeping access tokens short-lived limits the damage if one leaks, while refresh tokens are stored more securely and can be revoked server-side. This pairing balances security with a smooth user experience in OAuth 2.0 and OIDC flows.
What is an API key and how is it different from a token?
An API key is a static secret string that identifies and authenticates a calling application or project, usually passed in a header and tied to a set of permissions and quotas. Unlike short-lived OAuth access tokens, API keys typically do not expire on their own and identify an application rather than an end user, which makes them simple but riskier if leaked. They suit server-to-server integrations and usage metering, but should be scoped narrowly, rotated regularly, and never embedded in client-side code. For user-specific authorization with delegated scopes and expiry, OAuth tokens are the better fit.
What is a reverse proxy?
A reverse proxy is a server that sits in front of backend servers and forwards client requests to them, returning the responses as if it were the origin. It commonly handles load balancing, TLS termination, caching, compression, and request routing, hiding the internal topology from clients. This contrasts with a forward proxy, which acts on behalf of clients reaching out to the internet. Popular reverse proxies include NGINX, HAProxy, and Envoy, and an API gateway is a specialized reverse proxy focused on API concerns.
What is a load balancer?
A load balancer distributes incoming network traffic across multiple servers so no single instance becomes a bottleneck, improving availability and scalability. It uses algorithms such as round robin, least connections, or hashing, and performs health checks to route traffic only to healthy targets. Layer 4 load balancers operate on TCP/UDP connections, while Layer 7 balancers understand HTTP and can route by path, host, or header. Combined with autoscaling, load balancers let a system handle growth and tolerate the failure of individual nodes.
What is zero trust security?
Zero trust is a security model that assumes no user, device, or network is inherently trustworthy, even inside the corporate perimeter. Every access request must be authenticated, authorized, and continuously validated based on identity, device posture, and context before access is granted. It replaces the old "trust but verify" perimeter model with "never trust, always verify," using least privilege and micro-segmentation to limit lateral movement after a breach.
What is an SBOM (software bill of materials)?
An SBOM is a formal, machine-readable inventory of all components, libraries, and dependencies that make up a piece of software, including their versions and licenses. It lets organizations quickly determine whether they are affected when a new vulnerability is disclosed in a third-party component. Common standardized formats are SPDX and CycloneDX, and SBOMs are increasingly required by regulations and procurement policies for supply-chain transparency.
What is the difference between SAST and DAST?
SAST (Static Application Security Testing) analyzes source code, bytecode, or binaries without running the application, finding flaws like injection or hardcoded secrets early in development. DAST (Dynamic Application Security Testing) tests a running application from the outside, simulating attacks against the live endpoints to find runtime issues such as authentication or configuration weaknesses. They are complementary: SAST has broad code coverage but more false positives, while DAST finds real exploitable behavior but only on code paths it actually exercises.
What is a CVE and what is CVSS?
A CVE (Common Vulnerabilities and Exposures) is a unique public identifier, such as CVE-2021-44228, assigned to a specific known security vulnerability so everyone can reference it unambiguously. CVSS (Common Vulnerability Scoring System) is the standard that scores a vulnerability's severity from 0.0 to 10.0 based on factors like attack vector, complexity, and impact. Together they let teams identify a flaw and prioritize remediation, though the CVSS base score should be adjusted with environmental and exploit-availability context.
What is software supply-chain security?
Software supply-chain security protects the integrity of everything that goes into building and delivering software: source code, third-party dependencies, build pipelines, container images, and deployment infrastructure. It guards against attacks like dependency confusion, compromised packages, and tampered build artifacts that inject malicious code before it reaches production. Common practices include SBOMs, dependency pinning, artifact signing, provenance attestation (such as SLSA), and securing CI/CD systems.
How do I prove an SBOM from Vibgrate is authentic?
In Vibgrate Cloud, the SBOM Hub can export your SBOM wrapped in a signed attestation — an in-toto Statement in a DSSE envelope whose subject is the SBOM's cryptographic digest — so a consumer can confirm it came from Vibgrate and has not been altered. Download it from the SBOM Hub Reports tab with "Download signed bundle". The dashboard shows a Verified badge once the signature and the SBOM's digest both check out, and leaves the report plainly marked as unsigned when they do not. Because it is a standard in-toto and DSSE attestation, you can also verify it offline with the supply-chain tooling you already use.
What is the principle of least privilege?
The principle of least privilege (PoLP) states that every user, process, or system should have only the minimum permissions required to perform its task, and no more. Limiting access reduces the blast radius of a compromised account or service and shrinks the attack surface available to an intruder. In practice it means scoped IAM roles, time-bound or just-in-time access, and regular review to remove unused or excessive permissions.
What is multi-factor authentication (MFA)?
Multi-factor authentication requires a user to present two or more independent proofs of identity from different categories: something you know (a password), something you have (a phone or hardware key), or something you are (a fingerprint). Because an attacker would need to compromise multiple factors at once, MFA blocks the vast majority of account-takeover attacks that rely on stolen passwords. Phishing-resistant factors like FIDO2/WebAuthn hardware keys are stronger than SMS one-time codes, which can be intercepted or SIM-swapped.
What is the difference between symmetric and asymmetric encryption?
Symmetric encryption uses a single shared secret key to both encrypt and decrypt data; it is fast and ideal for bulk data, with AES being the common standard. Asymmetric encryption uses a mathematically linked key pair, a public key to encrypt and a private key to decrypt, which solves secure key exchange and enables digital signatures (RSA, ECC). In practice systems combine both: asymmetric crypto negotiates or wraps a symmetric session key, which then handles the actual data, as in TLS.
What is encryption at rest versus encryption in transit?
Encryption at rest protects stored data on disks, databases, and backups so that someone who obtains the physical media or storage volume cannot read it, typically using AES-256 with managed keys. Encryption in transit protects data as it moves across networks between clients and servers, usually via TLS, so it cannot be intercepted or tampered with on the wire. Strong security requires both, since data is vulnerable both while it sits in storage and while it travels.
What is a secret manager?
A secret manager is a dedicated service that securely stores, controls access to, and audits sensitive credentials such as API keys, database passwords, tokens, and certificates. It keeps secrets out of source code and config files, enforces fine-grained access policies, and supports automatic rotation and short-lived credentials. Common examples include HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, and Google Secret Manager.
What is SOC 2 compliance?
SOC 2 is an audit framework from the AICPA that evaluates how a service organization manages customer data against five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. A Type I report assesses controls at a single point in time, while a Type II report tests that those controls operated effectively over a period, usually 3 to 12 months. SOC 2 reports are commonly requested by enterprise customers as evidence that a SaaS vendor handles data responsibly.
What is GDPR in a nutshell?
The General Data Protection Regulation (GDPR) is an EU law that governs how organizations collect, process, and store the personal data of people in the EU and EEA, regardless of where the organization is based. It grants individuals rights such as access, correction, deletion ("right to be forgotten"), and portability, and requires a lawful basis for processing, data-protection-by-design, and breach notification within 72 hours. Non-compliance can incur fines of up to 20 million euros or 4% of global annual revenue, whichever is higher.
What is PII (personally identifiable information)?
PII is any data that can identify a specific individual, either on its own or when combined with other information. Direct identifiers include name, email, government ID, and biometric data, while indirect identifiers like IP address, device ID, or location can identify someone in combination. Handling PII triggers obligations under regulations such as GDPR and CCPA, so it should be minimized, encrypted, access-controlled, and retained only as long as necessary.
What is threat modeling?
Threat modeling is a structured exercise to identify potential threats, attack vectors, and weaknesses in a system before they are exploited, ideally during design. Teams map data flows and trust boundaries, then enumerate threats using frameworks like STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege) and decide on mitigations. Doing it early is far cheaper than fixing vulnerabilities after deployment and helps prioritize security effort where it matters most.
What is a WAF (web application firewall)?
A web application firewall inspects HTTP/HTTPS traffic between clients and a web application and filters or blocks malicious requests before they reach the app. It defends against common attacks such as SQL injection, cross-site scripting, and known exploit patterns using managed rule sets, rate limiting, and bot mitigation. A WAF is a useful layer of defense but does not replace secure coding; it mitigates attacks rather than fixing the underlying vulnerabilities.
What is the OWASP Top 10?
The OWASP Top 10 is a widely referenced, regularly updated list published by the Open Worldwide Application Security Project that ranks the most critical web application security risks. Recent editions cover categories such as broken access control, cryptographic failures, injection, insecure design, security misconfiguration, and vulnerable components. It serves as an awareness and prioritization baseline for developers and security teams, not an exhaustive checklist.
What is the difference between OAuth 2.0 and OpenID Connect?
OAuth 2.0 is an authorization framework that lets an application obtain delegated, scoped access to a user's resources without sharing their password, by exchanging tokens. OpenID Connect (OIDC) is an authentication layer built on top of OAuth 2.0 that adds a standardized ID token (a signed JWT) so an application can verify who the user is. In short, OAuth 2.0 answers "what is this app allowed to do," while OIDC answers "who is this user."
What is the difference between RBAC and ABAC?
RBAC (role-based access control) grants permissions based on a user's assigned role, such as admin or editor, which is simple to manage and audit but can lead to role explosion in complex environments. ABAC (attribute-based access control) makes decisions dynamically by evaluating attributes of the user, resource, action, and context, like department, data classification, or time of day. ABAC is far more flexible and fine-grained but harder to set up and reason about, so many systems combine both.
What is penetration testing?
Penetration testing is an authorized, simulated attack on a system, network, or application performed by security professionals to find and safely exploit vulnerabilities before real attackers do. Unlike automated scanning, a pen test combines tooling with human creativity to chain weaknesses and demonstrate real business impact, then reports findings with remediation guidance. Engagements range from black-box (no prior knowledge) to white-box (full access), and many compliance frameworks require periodic testing.
What is HIPAA compliance?
HIPAA (the Health Insurance Portability and Accountability Act) is a US law that sets standards for protecting sensitive patient health information, known as protected health information (PHI). Its Security Rule requires administrative, physical, and technical safeguards such as access controls, encryption, and audit logging, while the Privacy Rule governs how PHI may be used and disclosed. Software vendors that handle PHI on behalf of healthcare organizations are typically considered business associates and must sign a Business Associate Agreement (BAA).
What is ISO 27001?
ISO/IEC 27001 is an international standard that specifies the requirements for an information security management system (ISMS), a risk-based framework of policies, processes, and controls for protecting information assets. Organizations identify risks, select and implement controls (guided by the Annex A control set), and can pursue independent certification by an accredited auditor. Unlike SOC 2, which produces an audit report, ISO 27001 results in a formal certificate that is recognized globally, especially outside the US.
What is a large language model (LLM)?
A large language model is a neural network trained on vast amounts of text to predict the next token in a sequence, which lets it generate and understand natural language. Modern LLMs use the transformer architecture and contain billions of parameters learned during training. They can perform tasks like summarization, translation, code generation, and question answering without task-specific training, often guided only by a prompt.
What is retrieval-augmented generation (RAG)?
Retrieval-augmented generation is a technique that supplements a language model with relevant documents fetched at query time, rather than relying only on knowledge baked into the model's weights. A retriever searches a knowledge source (often a vector database) for passages related to the user's question, and those passages are inserted into the prompt as context. RAG reduces hallucination, lets models answer about private or recent data, and avoids retraining when the underlying information changes.
What are embeddings in machine learning?
Embeddings are dense numerical vectors that represent text, images, or other data in a continuous space where semantic similarity corresponds to geometric closeness. A model maps each input to a fixed-length vector so that related items sit near each other, enabling similarity search, clustering, and classification. Embeddings power semantic search and retrieval-augmented generation, where queries and documents are compared by the distance between their vectors.
What is the difference between fine-tuning and RAG?
Fine-tuning updates a model's weights by training it further on domain-specific examples, changing how the model behaves and what style or skills it has. RAG leaves the model unchanged and instead supplies relevant information at inference time through the prompt. Use RAG when knowledge changes often or must stay external and auditable; use fine-tuning to teach consistent formats, tone, or specialized tasks. The two are complementary and are often combined.
What is fine-tuning a model?
Fine-tuning is the process of continuing to train a pre-trained model on a smaller, task-specific dataset so it adapts to a particular domain, style, or behavior. It adjusts the model's weights, which makes the changes persistent and removes the need to include lengthy instructions in every prompt. Parameter-efficient methods like LoRA fine-tune only a small subset of weights, cutting compute and storage costs while preserving most of the base model.
What is a token in the context of LLMs?
A token is the basic unit of text that a language model reads and produces, typically a word fragment, whole word, or punctuation mark rather than a single character. A tokenizer splits input text into tokens and maps them to integer IDs the model can process. As a rough guide, one token is about four characters or three-quarters of a word in English, and model limits and pricing are usually measured in tokens.
What is a context window?
A context window is the maximum number of tokens a language model can consider at once, covering both the input prompt and the generated output. If a conversation or document exceeds this limit, earlier content must be truncated, summarized, or retrieved selectively. Larger context windows allow more documents and history to be included, but they increase cost and latency and do not guarantee the model attends equally to everything in the window.
What is prompt engineering?
Prompt engineering is the practice of designing the instructions, examples, and context given to a language model to get reliable, accurate outputs. Techniques include giving clear roles and constraints, providing examples (few-shot prompting), and asking the model to reason step by step (chain-of-thought). Good prompts reduce ambiguity and hallucination, and they are often the cheapest way to improve results before resorting to fine-tuning.
What is an AI agent?
An AI agent is a system that uses a language model to decide and take actions toward a goal, rather than producing a single response. It typically operates in a loop: the model reasons about the task, calls tools or APIs, observes the results, and repeats until the goal is met. Agents can search the web, run code, query databases, or control other software, which makes guardrails, permissions, and observability essential.
What is hallucination in LLMs?
Hallucination is when a language model produces text that sounds confident and plausible but is factually wrong or unsupported by its sources. It happens because the model generates statistically likely text rather than retrieving verified facts, so gaps in knowledge are filled with fabrication. Mitigations include grounding answers with retrieval (RAG), asking for citations, lowering temperature, and validating outputs against trusted data before acting on them.
What is temperature in LLM generation?
Temperature is a parameter that controls the randomness of a language model's output by scaling the probability distribution over the next token. A low temperature near zero makes the model pick the most likely tokens, producing focused and deterministic responses, while a higher value increases diversity and creativity at the cost of consistency. Use low temperature for factual or structured tasks and higher temperature for brainstorming or varied creative writing.
What is inference in machine learning?
Inference is the phase where a trained model is used to make predictions or generate output on new inputs, as opposed to training where the model learns from data. For LLMs, inference means running a forward pass to produce tokens, and it is where latency, throughput, and serving cost matter most in production. Techniques such as batching, caching, and quantization are used to make inference faster and cheaper at scale.
What is MLOps?
MLOps is a set of practices for reliably building, deploying, monitoring, and maintaining machine learning systems in production, applying DevOps principles to the ML lifecycle. It covers data and model versioning, automated training and evaluation pipelines, deployment, and ongoing monitoring for drift and performance decay. The goal is reproducible, auditable models that can be retrained and rolled out safely as data and requirements change.
What is the difference between supervised and unsupervised learning?
Supervised learning trains a model on labeled examples, where each input has a known target, so the model learns to predict labels for new data in tasks like classification and regression. Unsupervised learning works with unlabeled data and finds structure on its own, such as grouping similar items through clustering or reducing dimensionality. Supervised learning needs costly labeled datasets but gives precise targets, while unsupervised learning explores patterns without labels.
What is overfitting in machine learning?
Overfitting happens when a model learns the training data too closely, including its noise and quirks, so it performs well on that data but poorly on new, unseen inputs. It usually signals that the model is too complex relative to the amount of data or that training ran too long. Common remedies include more or more varied training data, regularization, dropout, cross-validation, and early stopping.
What is a transformer architecture?
The transformer is a neural network architecture, introduced in 2017, that processes sequences using a self-attention mechanism instead of recurrence. Self-attention lets each token weigh the relevance of every other token in the input, capturing long-range relationships in parallel rather than step by step. Transformers scale efficiently on modern hardware and underpin nearly all current large language models and many vision and multimodal models.
What is quantization in machine learning?
Quantization reduces the numerical precision of a model's weights and activations, for example from 32-bit floating point to 8-bit or 4-bit integers, to shrink memory use and speed up inference. It lets large models run on smaller or cheaper hardware with only modest accuracy loss when done carefully. Post-training quantization applies after training, while quantization-aware training accounts for the lower precision during training to preserve accuracy.
What is the Model Context Protocol (MCP)?
The Model Context Protocol is an open standard that defines how AI applications connect to external tools, data sources, and services in a consistent way. An MCP server exposes resources, tools, and prompts that an MCP-aware client and its language model can discover and use over a standard interface. By standardizing these integrations, MCP lets the same connectors work across different AI clients instead of building one-off integrations for each.
What is chain-of-thought prompting?
Chain-of-thought prompting asks a language model to work through a problem step by step before giving a final answer, rather than responding immediately. Exposing intermediate reasoning often improves accuracy on math, logic, and multi-step tasks because the model allocates more computation to the problem. The trade-off is longer, more expensive outputs, and the visible reasoning is a plausible explanation rather than a guaranteed account of the model's internal process.
What is responsible AI?
Responsible AI is the practice of designing, building, and operating AI systems so they are fair, transparent, accountable, secure, and respectful of privacy. It addresses risks such as biased outputs, lack of explainability, misuse, and harm to individuals, often guided by frameworks like the NIST AI Risk Management Framework or the EU AI Act. In practice it combines governance policies, bias and safety testing, human oversight, and ongoing monitoring throughout the model lifecycle.
What is CI/CD?
CI/CD stands for Continuous Integration and Continuous Delivery (or Deployment). Continuous Integration means developers merge code into a shared branch frequently, with each merge triggering an automated build and test run to catch problems early. Continuous Delivery extends this by automatically preparing every validated change for release, while Continuous Deployment goes one step further and pushes passing changes to production with no manual gate. Together they shorten feedback loops and make releases smaller, safer, and more frequent.
What is GitOps?
GitOps is an operational model where the desired state of infrastructure and applications is declared in a Git repository, and an automated controller continuously reconciles the running system to match it. Git becomes the single source of truth, so deployments happen through pull requests rather than ad-hoc commands. This gives you version history, code review, and easy rollback by reverting a commit. Tools like Argo CD and Flux implement GitOps for Kubernetes by watching the repo and applying changes automatically.
What is the difference between blue-green and canary deployments?
Both are strategies for releasing new versions with minimal risk. In a blue-green deployment you run two identical environments—one live (blue) and one with the new version (green)—then switch all traffic over at once, with instant rollback by switching back. In a canary deployment you release the new version to a small subset of users first, watch metrics, and gradually increase traffic if it stays healthy. Blue-green favors a fast, clean cutover; canary favors incremental risk control and early detection of problems under real load.
What is a microservice?
A microservice is a small, independently deployable service that owns a single business capability and communicates with other services over the network, typically via HTTP/REST, gRPC, or messaging. Each microservice has its own codebase and usually its own data store, allowing teams to develop, deploy, and scale it without coordinating with the rest of the system. The trade-off for this independence is added operational complexity: distributed transactions, network failures, and observability across many services all become harder.
Monolith vs microservices: which should I choose?
A monolith packages all functionality into a single deployable unit, which keeps development, testing, and deployment simple and is usually the right starting point for new or small systems. Microservices split functionality into independent services, enabling separate scaling and team ownership at the cost of distributed-systems complexity. Choose a monolith when the domain is still evolving or the team is small; consider microservices when clear bounded contexts, independent scaling needs, and multiple teams justify the operational overhead. Many teams succeed with a well-structured 'modular monolith' before splitting.
What is an SLO, SLI, and error budget?
An SLI (Service Level Indicator) is a measured metric of service health, such as request success rate or latency. An SLO (Service Level Objective) is the target you set for that indicator, for example 99.9% of requests succeed over 30 days. The error budget is the allowed amount of failure—the gap between 100% and your SLO—that the service may consume before changes are halted to focus on reliability. Together they give teams a data-driven way to balance shipping features against maintaining reliability.
What is the difference between observability and monitoring?
Monitoring is collecting and alerting on predefined metrics and checks—it answers known questions like 'is CPU above 90%?' Observability is the broader property of being able to understand a system's internal state from its external outputs, so you can investigate problems you did not anticipate. Monitoring tells you that something is wrong; observability helps you ask new questions and discover why. In practice observability builds on rich telemetry—metrics, logs, and traces—while monitoring is one consumer of that data.
What are the three pillars of observability?
The three pillars of observability are metrics, logs, and traces. Metrics are numeric time-series data, such as request rate or error count, that are cheap to store and ideal for dashboards and alerts. Logs are timestamped records of discrete events, useful for detailed, contextual debugging. Traces follow a single request as it flows across services, revealing where time is spent and where failures occur in a distributed system. Used together, they let you detect, diagnose, and understand problems.
What is technical debt?
Technical debt is the implied future cost of choosing a quick or easy solution now instead of a better approach that would take longer. Like financial debt, it accrues 'interest' in the form of slower development, more bugs, and harder maintenance until it is paid down through refactoring. Some debt is deliberate and strategic—shipping fast to learn—while some is accidental, from outdated knowledge or shifting requirements. Managing it well means tracking it, communicating its impact, and paying it down before interest compounds.
What is Domain-Driven Design (DDD)?
Domain-Driven Design (DDD) is an approach to building software that puts the business domain and its language at the center of the design. It encourages a shared 'ubiquitous language' between developers and domain experts, and organizes the system into bounded contexts—self-contained models with clear boundaries. Tactical patterns like entities, value objects, aggregates, and repositories help structure the code within each context. DDD is most valuable for complex domains where aligning the model with real business rules reduces ambiguity and rework.
What is event-driven architecture?
Event-driven architecture is a style where components communicate by producing and reacting to events—records that something happened—rather than calling each other directly. Producers publish events to a broker or stream such as Kafka or a message queue, and consumers subscribe and act independently and asynchronously. This decouples services, improves scalability, and lets new consumers be added without changing producers. The trade-offs are eventual consistency, harder debugging, and the need to handle duplicate or out-of-order events.
What is the difference between compiled and interpreted languages?
A compiled language is translated ahead of time into machine code by a compiler, producing a standalone executable that the CPU runs directly—languages like C, Go, and Rust work this way and tend to run fast. An interpreted language is executed line by line at runtime by an interpreter, as with classic Python or Ruby, which trades some speed for flexibility and faster iteration. The line is blurry: many modern languages, such as Java and C#, compile to bytecode that a virtual machine then interprets or just-in-time compiles. The distinction is really about implementation, not the language itself.
What is type safety?
Type safety is the degree to which a programming language prevents type errors—operations applied to values of the wrong type, like adding a number to a function. Statically typed languages such as Java, Go, and TypeScript check types at compile time, catching many mistakes before the code runs. Dynamically typed languages such as Python and JavaScript check types at runtime, offering more flexibility but deferring errors until execution. Stronger type safety generally improves reliability and tooling support at the cost of some upfront strictness.
What is the test pyramid?
The test pyramid is a guideline for balancing automated tests by type and quantity. Its wide base is many fast, cheap unit tests; the middle is a smaller number of integration tests that verify components working together; and the narrow top is a few slow, expensive end-to-end tests that exercise the whole system. The shape reminds teams to favor lower-level tests because they run quickly and pinpoint failures, while keeping costly UI-level tests to a minimum. An inverted or 'ice cream cone' distribution—too many e2e tests—tends to be slow and brittle.
What is the difference between unit, integration, and end-to-end tests?
Unit tests verify a single function or class in isolation, often with dependencies mocked, and run very fast. Integration tests check that multiple components work correctly together—for example, code talking to a real database—covering the seams that unit tests miss. End-to-end (e2e) tests exercise the entire application from the user's perspective, such as driving a browser through a full workflow, giving the highest confidence but the slowest, most fragile feedback. A healthy suite uses many unit tests, fewer integration tests, and a small set of e2e tests.
What is Test-Driven Development (TDD)?
Test-Driven Development (TDD) is a practice where you write a failing automated test before writing the code that makes it pass. The cycle is 'red, green, refactor': write a test that fails (red), write the minimal code to make it pass (green), then clean up the design while keeping tests passing (refactor). This keeps code testable, documents intended behavior, and builds a safety net of regression tests. The trade-off is discipline and upfront effort, which pays off most on logic-heavy code with clear requirements.
What is a feature flag?
A feature flag (or feature toggle) is a configuration switch that turns functionality on or off at runtime without deploying new code. It lets teams decouple deployment from release, ship unfinished code safely behind a disabled flag, run gradual rollouts and A/B tests, and instantly disable a problematic feature as a kill switch. Flags can target specific users, segments, or percentages of traffic. The main cost is added complexity and 'flag debt'—stale flags that should be removed once a feature is fully rolled out.
What is the Twelve-Factor App methodology?
The Twelve-Factor App is a set of principles for building cloud-native, portable, and scalable software-as-a-service applications. Key factors include storing configuration in the environment, treating backing services as attached resources, building stateless processes that scale horizontally, keeping development and production as similar as possible, and treating logs as event streams. Following these guidelines makes applications easier to deploy on modern platforms and to operate consistently across environments. It remains a widely cited baseline for designing well-behaved services and containers.
What is the difference between imperative and declarative programming?
Imperative programming describes how to achieve a result through explicit step-by-step instructions that change program state, as in a typical for-loop that mutates a counter. Declarative programming describes what result you want and lets the system figure out how, as in SQL queries, HTML, or functional operations like map and filter. Declarative code is often more concise and easier to reason about, while imperative code gives finer control over execution. Many languages and tools blend both styles depending on the problem.
What is chaos engineering?
Chaos engineering is the practice of deliberately injecting failures into a system to test its resilience before real incidents expose weaknesses. Teams form a hypothesis about how the system should behave, then run controlled experiments—killing instances, adding latency, or cutting network links—often starting in staging and limiting the blast radius in production. Observing what breaks reveals hidden dependencies and gaps in failover, retries, and alerting. The goal is to build confidence that the system withstands turbulent, real-world conditions.
How do I scan for known vulnerabilities?
Run `vg scan --vulns`. It matches every installed dependency against the public OSV database and reports known vulnerabilities with advisory id and CVE, severity, CVSS score, and the version that fixes each one — in the terminal, in the scan artifact, and as SARIF for CI code scanning. Use `vg scan --full` to run drift, vulnerabilities, and a banned-dependency report in one pass.
Can I scan for vulnerabilities offline or air-gapped?
Yes. `vg scan --vulns` queries the OSV database over the network by default, but you can supply advisories in a package-version manifest and run fully offline: `vg scan --vulns --offline --package-manifest ./package-versions.zip`. Nothing leaves your machine.
Which ecosystems support vulnerability detection and attribution?
Detection and attribution read each project's lockfile, covering npm / pnpm / yarn, pip / poetry / pipenv, cargo, composer, bundler, go, pub, hex, NuGet, and Maven/Gradle. Deep drift scoring focuses on Node.js/TypeScript, .NET, Python, and Java; vulnerability detection and `vg why` attribution span the broader set.
What does the vg why command do?
`vg why <package>` traces a dependency through your git history: who added it, every version change since, and who made each one. If your latest `vg scan --vulns` found open vulnerabilities for that package, `vg why` lists them with the commit that introduced the affected version and how long you have been exposed.
What does the vg bisect command do?
`vg bisect <package> <constraint>` pinpoints the commit where a dependency crossed a version line. Where `vg why` narrates every version change, `vg bisect` answers one question: when did we cross this line? A bare version means "reached or surpassed" (`vg bisect lodash 4.17.21` equals `vg bisect lodash '>=4.17.21'`), or you can pass an explicit semver range. It reads the same offline lockfile history and reports the crossing commit — or tells you the line was never crossed and shows the latest version in history, so an unadopted fix is obvious.
Can vg bisect fail my build until a dependency is patched?
Yes. Add `--assert`: `vg bisect lodash 4.17.21 --assert` exits non-zero when the current version does not satisfy the constraint, so a CI step blocks the merge until the fix is adopted. Exit codes are 0 when the query resolves, 2 when `--assert` finds the constraint unsatisfied, 3 when the package has no version history, and 5 for an invalid version or range.
What are CRA remediation metrics?
When `vg scan --vulns` runs in a git repository, Vibgrate attributes each vulnerability to the commit that introduced the affected version and measures how long you have been exposed. Those exposure windows roll up into remediation metrics framed around the EU Cyber Resilience Act (CRA): open counts by severity, mean and maximum time exposed, and per-severity SLA breaches. They show whether remediation keeps pace; they are not a compliance certification.
Does Vibgrate measure real mean time to remediate (MTTR)?
Yes. As well as how long open vulnerabilities have been exposed, Vibgrate reconstructs closed exposure windows from git history — a vulnerable version that was later bumped past the fix or removed from the lockfile entirely. The time from the introducing commit to that fix is a real remediation time, and their average is your actual MTTR, measured rather than estimated. Offline, a package-version manifest lets this also count advisories that are fully fixed today, so a dependency that is clean now but was once vulnerable still contributes to the record. The metrics live in the scan artifact and the local `vuln_attribution` tool.
What does vg scan --full do?
`vg scan --full` runs a comprehensive scan in one command: the normal DriftScore, known-vulnerability detection (the same as `--vulns`), and, when a standards policy is committed, a banned-dependency report. It is the quickest way to get the complete picture without remembering individual flags.