Drift is the leading indicator of the next CVE.
One scan checks every dependency against known OSV advisories — severity, CVSS, and the fixed version — and, with git history, measures how long you were exposed and how fast you remediate.
vg scan --vulnsFree CLI · no agents · nothing uploads unless you push it
Your first 10 minutes
Free CLI, no agents. Nothing uploads unless you push it.
Every dependency checked against known OSV advisories — severity, CVSS, and the fixed version to upgrade to.
Who introduced the dependency, every version change since, and which of its vulnerabilities are still open.
A CycloneDX SBOM for your supply chain. SPDX and OpenVEX exports come from the same scan.
Supply Chain Security Starts Here
Every day a dependency stays below its fixed version is exposure you can measure. But measuring it across dozens of repos — each with its own stack and tooling — usually means stitching together half a dozen scanners.
Vibgrate helps you find the gaps from one scan: known vulnerabilities with fix versions, remediation metrics from your own git history, and which security scanners each repo actually has configured. Push scans to Vibgrate Cloud for a cross-repo vulnerabilities view. No agents. Nothing uploads unless you push it.
- OSV advisory check per dependency — severity, CVSS, fixed version
- Exposure windows and time-to-remediate computed from your git history
- SBOM export (CycloneDX & SPDX), OpenVEX, and SBOM deltas
- Signed, verifiable SBOMs in Vibgrate Cloud — prove a report came from you and was not altered
- Export findings as SARIF for GitHub code scanning
Why Security Engineers Choose Vibgrate
Known Vulnerabilities, With Fix Versions
vg scan --vulns checks every dependency against known OSV advisories — severity, CVSS, and the fixed version to upgrade to.
CRA Remediation Metrics
With git history, Vibgrate computes exposure windows, mean time to remediate, and per-severity SLA breaches — framed around the EU Cyber Resilience Act (CRA).
SBOM, VEX & Licenses
Export SBOMs in CycloneDX and SPDX, publish OpenVEX, diff SBOMs between scans, and see the SPDX license of every dependency.
Scanner Coverage & OWASP Guidance
Scan results show which security scanners each repo has configured, findings carry OWASP tags, and the free vg guide pack cites OWASP Top 10 2021 and CWE.
Dependency Drift = Risk
Drift measures how far behind you are; advisories tell you when that becomes a known vulnerability. Vibgrate scores both — dependency age and majors behind feed the DriftScore, and vg why traces who introduced a dependency and which of its vulnerabilities are still open.
Combine drift data with breaking-change signals from release notes to prioritize the upgrades that close security gaps without causing production incidents.
Every day on a version below the fixed release is exposure you can measure. Vibgrate computes that window from your git history — per advisory, per severity.
Audit Your Security Posture Now
Run vg scan --vulns in any repo — known vulnerabilities with fix versions, scanner coverage, and remediation metrics in one pass. No sign-up. Nothing uploads unless you push it.
Need it mapped to a framework? See what Vibgrate assesses for DORA, CRA, ISO 27001, SOC 2 & more →