Skip to main content

vg sbom — Export, Compare & Attest SBOMs

Export CycloneDX or SPDX SBOMs from scan artifacts, compare dependency deltas between two scans, and generate OpenVEX exploitability statements for supply-chain governance.

Vibgrate Docs

Vibgrate Help

Usage

# Export an SBOM
vg sbom export [--in <file>] [--format cyclonedx|spdx] [--out <file>]

# Compare two artifacts
vg sbom delta --from <file> --to <file> [--out <file>]

# Generate an OpenVEX document
vg sbom vex [--from <file>] [--statement <json>...] [--product <ref>] [--out <file>]

What It Does

The vg sbom command family treats SBOMs as operational intelligence rather than static compliance output.

sbom export

Emits a standards-based SBOM (CycloneDX or SPDX) from an existing scan artifact. This integrates with your organization's existing SBOM governance pipelines.

sbom delta

Compares dependencies between two scan artifacts and produces a diff: packages added, removed, changed, plus the drift score delta.

sbom vex

Generates a spec-compliant OpenVEX document (exploitability statements) ready to attach as a signed attestation. It is input-agnostic — it assembles a complete document from the statements you supply, so it works regardless of which scanner flagged the components. A zero-statement document is valid and honest: it asserts no known affected components.

Flags — export

FlagDefaultDescription
--in.vibgrate/scan_result.jsonInput scan artifact
--formatcyclonedxSBOM format: cyclonedx or spdx
--outstdoutOutput file path

Flags — delta

FlagDescription
--fromFirst (older) scan artifact
--toSecond (newer) scan artifact
--outOutput file path

Flags — vex

FlagDefaultDescription
--fromRead statements from a JSON file (array, or an object with a statements array)
--statementAdd a statement as inline JSON (repeatable)
--productDefault product for statements without their own (e.g. an image digest)
--authorVibgrateDocument author
--timestamp / --idPin for reproducible output
--outstdoutOutput file path

Examples

Export CycloneDX SBOM

vg sbom export --format cyclonedx --out sbom.cdx.json

Export SPDX SBOM

vg sbom export --format spdx --out sbom.spdx.json

Compare two scans

vg sbom delta \
  --from .vibgrate/baseline.json \
  --to .vibgrate/scan_result.json \
  --out dependency-changes.json

Generate VEX and attest it to a signed image

vg sbom vex --product "$IMAGE_REF" \
  --statement '{"vulnerability":"CVE-2024-1","status":"not_affected","justification":"vulnerable_code_not_present"}' \
  --out openvex.json
cosign attest --yes --type openvex --predicate openvex.json "$IMAGE_REF"

Use Cases

  • Compliance: Generate SBOMs required by procurement or regulatory teams
  • Audit: Track which dependencies changed between releases
  • Supply chain: Feed SBOM data into vulnerability management tools like Dependency-Track or Grype
  • Change management: Use sbom delta to review dependency changes before merging large upgrade PRs
  • Exploitability: Use sbom vex to publish OpenVEX attestations stating which CVEs actually affect your product

Related Commands