Skip to main content
Back to Home
For Security Engineers

Drift is the leading indicator of the next CVE.

One scan checks every dependency against known OSV advisories — severity, CVSS, and the fixed version — and, with git history, measures how long you were exposed and how fast you remediate.

Get the Vibgrate CLIvg scan --vulns

Free CLI · no agents · nothing uploads unless you push it

Quick Start

Your first 10 minutes

Free CLI, no agents. Nothing uploads unless you push it.

1Check known vulnerabilities
$ vg scan --vulns

Every dependency checked against known OSV advisories — severity, CVSS, and the fixed version to upgrade to.

2Trace the exposure
$ vg why <package>

Who introduced the dependency, every version change since, and which of its vulnerabilities are still open.

3Export the SBOM
$ vg sbom export --format cyclonedx

A CycloneDX SBOM for your supply chain. SPDX and OpenVEX exports come from the same scan.

The Challenge

Supply Chain Security Starts Here

Every day a dependency stays below its fixed version is exposure you can measure. But measuring it across dozens of repos — each with its own stack and tooling — usually means stitching together half a dozen scanners.

Vibgrate helps you find the gaps from one scan: known vulnerabilities with fix versions, remediation metrics from your own git history, and which security scanners each repo actually has configured. Push scans to Vibgrate Cloud for a cross-repo vulnerabilities view. No agents. Nothing uploads unless you push it.

  • OSV advisory check per dependency — severity, CVSS, fixed version
  • Exposure windows and time-to-remediate computed from your git history
  • SBOM export (CycloneDX & SPDX), OpenVEX, and SBOM deltas
  • Signed, verifiable SBOMs in Vibgrate Cloud — prove a report came from you and was not altered
  • Export findings as SARIF for GitHub code scanning
Key Benefits

Why Security Engineers Choose Vibgrate

Known Vulnerabilities, With Fix Versions

vg scan --vulns checks every dependency against known OSV advisories — severity, CVSS, and the fixed version to upgrade to.

CRA Remediation Metrics

With git history, Vibgrate computes exposure windows, mean time to remediate, and per-severity SLA breaches — framed around the EU Cyber Resilience Act (CRA).

SBOM, VEX & Licenses

Export SBOMs in CycloneDX and SPDX, publish OpenVEX, diff SBOMs between scans, and see the SPDX license of every dependency.

Scanner Coverage & OWASP Guidance

Scan results show which security scanners each repo has configured, findings carry OWASP tags, and the free vg guide pack cites OWASP Top 10 2021 and CWE.

Risk

Dependency Drift = Risk

Drift measures how far behind you are; advisories tell you when that becomes a known vulnerability. Vibgrate scores both — dependency age and majors behind feed the DriftScore, and vg why traces who introduced a dependency and which of its vulnerabilities are still open.

Combine drift data with breaking-change signals from release notes to prioritize the upgrades that close security gaps without causing production incidents.

Security Insight

Every day on a version below the fixed release is exposure you can measure. Vibgrate computes that window from your git history — per advisory, per severity.

Audit Your Security Posture Now

Run vg scan --vulns in any repo — known vulnerabilities with fix versions, scanner coverage, and remediation metrics in one pass. No sign-up. Nothing uploads unless you push it.

Need it mapped to a framework? See what Vibgrate assesses for DORA, CRA, ISO 27001, SOC 2 & more →