## Usage

```bash
# Export an SBOM
vibgrate sbom export [--in <file>] [--format cyclonedx|spdx] [--out <file>]
# Compare two artifacts
vibgrate sbom delta --from <file> --to <file> [--out <file>]
```
## What It Does

The `vibgrate sbom` command family treats SBOMs as operational intelligence rather than static compliance output.

### sbom export

Emits a standards-based SBOM (CycloneDX or SPDX) from an existing scan artifact, so the result can be fed into your organization's existing SBOM governance pipelines.

### sbom delta

Compares the dependencies recorded in two scan artifacts and produces a diff: packages added, removed, and changed, plus the drift score delta between the two.
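To make the shape of a dependency delta concrete, here is an added example (not vibgrate's own code and not its output format) that computes the same three buckets, added, removed and changed, between two small CycloneDX documents constructed inline. It keys components on the version-less purl so that a version bump is reported as a change rather than as one removal plus one addition; the drift score the real command also reports is not modelled, because the page does not define how it is computed. The field names used (`bomFormat`, `specVersion`, `components`, `purl`) are standard CycloneDX fields; the document contents are constructed.

```python
"""Dependency delta between two CycloneDX SBOMs (added example, not vibgrate code)."""
import json
from typing import Dict, Tuple

# Constructed sample: the "older" artifact (what --from would point at).
BASELINE_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.28.0",
         "purl": "pkg:pypi/requests@2.28.0"},
        {"type": "library", "name": "urllib3", "version": "1.26.12",
         "purl": "pkg:pypi/urllib3@1.26.12"},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
    ],
})

# Constructed sample: the "newer" artifact (what --to would point at).
CURRENT_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib3", "version": "1.26.12",
         "purl": "pkg:pypi/urllib3@1.26.12"},
        {"type": "library", "name": "certifi", "version": "2023.7.22",
         "purl": "pkg:pypi/certifi@2023.7.22"},
    ],
})


def package_key(component: dict) -> str:
    """Identity of a component that is stable across versions.

    Uses the purl with qualifiers (?...), subpath (#...) and the @version
    stripped; falls back to type:name when no purl is present.
    """
    purl = component.get("purl")
    if not purl:
        return f"{component.get('type', 'library')}:{component['name']}"
    base = purl.split("?", 1)[0].split("#", 1)[0]
    return base.rsplit("@", 1)[0] if "@" in base else base


def load_components(sbom_text: str) -> Dict[str, str]:
    """Return {package_key: version} for every component in a CycloneDX doc."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document (bomFormat == 'CycloneDX')")
    versions: Dict[str, str] = {}
    for comp in doc.get("components", []):
        versions[package_key(comp)] = comp.get("version", "")
    return versions


def delta(old_text: str, new_text: str) -> Dict[str, object]:
    """Diff two SBOMs into added / removed / changed (old version, new version)."""
    old = load_components(old_text)
    new = load_components(new_text)
    added = sorted(k for k in new if k not in old)
    removed = sorted(k for k in old if k not in new)
    changed: Dict[str, Tuple[str, str]] = {
        k: (old[k], new[k]) for k in sorted(old) if k in new and old[k] != new[k]
    }
    return {"added": added, "removed": removed, "changed": changed}


def needs_review(report: Dict[str, object]) -> bool:
    """True when any dependency moved; a PR gate can refuse to auto-merge on this."""
    return bool(report["added"] or report["removed"] or report["changed"])


if __name__ == "__main__":
    print(json.dumps(delta(BASELINE_JSON, CURRENT_JSON), indent=2))
```

Run as a script it prints the diff of the two constructed documents: `certifi` added, `left-pad` removed, `requests` changed from 2.28.0 to 2.31.0. The same structure is what you would diff when reviewing an upgrade PR, with removals deserving as much attention as additions, since a dependency that silently disappears is often a sign of a resolver change rather than an intentional cleanup.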
## Flags — export

| Flag | Default | Description |
|---|---|---|
| `--in` | `.vibgrate/scan_result.json` | Input scan artifact |
| `--format` | `cyclonedx` | SBOM format: `cyclonedx` or `spdx` |
| `--out` | stdout | Output file path |
## Flags — delta

| Flag | Description |
|---|---|
| `--from` | First (older) scan artifact |
| `--to` | Second (newer) scan artifact |
| `--out` | Output file path |
## Examples

### Export CycloneDX SBOM

```bash
vibgrate sbom export --format cyclonedx --out sbom.cdx.json
```

### Export SPDX SBOM

```bash
vibgrate sbom export --format spdx --out sbom.spdx.json
```

### Compare two scans

```bash
vibgrate sbom delta \
  --from .vibgrate/baseline.json \
  --to .vibgrate/scan_result.json \
  --out dependency-changes.json
```
## Use Cases

- Compliance: Generate SBOMs required by procurement or regulatory teams
- Audit: Track which dependencies changed between releases
- Supply chain: Feed SBOM data into vulnerability management tools like Dependency-Track or Grype
- Change management: Use `sbom delta` to review dependency changes before merging large upgrade PRs