Usage
# Export an SBOM
vg sbom export [--in <file>] [--format cyclonedx|spdx] [--out <file>]
# Compare two artifacts
vg sbom delta --from <file> --to <file> [--out <file>]
# Generate an OpenVEX document
vg sbom vex [--from <file>] [--statement <json>...] [--product <ref>] [--out <file>]
What It Does
The vg sbom command family treats SBOMs as operational intelligence rather than static compliance output.
sbom export
Emits a standards-based SBOM (CycloneDX or SPDX) from an existing scan artifact. This integrates with your organization's existing SBOM governance pipelines.
sbom delta
Compares dependencies between two scan artifacts and produces a diff: packages added, removed, changed, plus the drift score delta.
sbom vex
Generates a spec-compliant OpenVEX document (exploitability statements) ready to attach as a signed attestation. It is input-agnostic — it assembles a complete document from the statements you supply, so it works regardless of which scanner flagged the components. A zero-statement document is valid and honest: it asserts no known affected components.
Flags — export
| Flag | Default | Description |
|---|---|---|
--in | .vibgrate/scan_result.json | Input scan artifact |
--format | cyclonedx | SBOM format: cyclonedx or spdx |
--out | stdout | Output file path |
Flags — delta
| Flag | Description |
|---|---|
--from | First (older) scan artifact |
--to | Second (newer) scan artifact |
--out | Output file path |
Flags — vex
| Flag | Default | Description |
|---|---|---|
--from | — | Read statements from a JSON file (array, or an object with a statements array) |
--statement | — | Add a statement as inline JSON (repeatable) |
--product | — | Default product for statements without their own (e.g. an image digest) |
--author | Vibgrate | Document author |
--timestamp / --id | — | Pin for reproducible output |
--out | stdout | Output file path |
Examples
Export CycloneDX SBOM
vg sbom export --format cyclonedx --out sbom.cdx.json
Export SPDX SBOM
vg sbom export --format spdx --out sbom.spdx.json
Compare two scans
vg sbom delta \
--from .vibgrate/baseline.json \
--to .vibgrate/scan_result.json \
--out dependency-changes.json
Generate VEX and attest it to a signed image
vg sbom vex --product "$IMAGE_REF" \
--statement '{"vulnerability":"CVE-2024-1","status":"not_affected","justification":"vulnerable_code_not_present"}' \
--out openvex.json
cosign attest --yes --type openvex --predicate openvex.json "$IMAGE_REF"
Use Cases
- Compliance: Generate SBOMs required by procurement or regulatory teams
- Audit: Track which dependencies changed between releases
- Supply chain: Feed SBOM data into vulnerability management tools like Dependency-Track or Grype
- Change management: Use
sbom deltato review dependency changes before merging large upgrade PRs - Exploitability: Use
sbom vexto publish OpenVEX attestations stating which CVEs actually affect your product