Skip to main content

vg scan --vulns — Find Known Vulnerabilities

Detect known vulnerabilities in your installed dependencies against the OSV database, online or air-gapped, with severity, CVSS, the fixing version, and git attribution.

Vibgrate Docs

Vibgrate Help

Usage

vg scan --vulns            # drift score + known vulnerabilities
vg scan --full             # drift + vulnerabilities + a banned-dependency report

What It Does

vg scan --vulns matches every installed dependency against the public OSV database and reports each known vulnerability — advisory id and CVE, severity, CVSS score, and the version that fixes it. Findings land in the scan artifact, in the terminal report, and in SARIF for CI code scanning. vg scan --full runs the same vulnerability pass plus a banned-dependency report (when a standards policy is committed) on top of the normal drift score.

Online and Offline

By default detection queries OSV over the network. For air-gapped environments, supply advisories in a package-version manifest and run offline:

vg scan --vulns --offline --package-manifest ./package-versions.zip

Supported Ecosystems

Detection reads each project's lockfile, so it covers npm / pnpm / yarn, pip / poetry / pipenv, cargo, composer, bundler, go, pub, hex, NuGet, and Maven/Gradle.

Severity and Findings

Each advisory is reported with a qualitative severity (low, moderate, high, critical) derived from its CVSS v3 vector, the fixing version when one is published, and the affected package and installed version. Critical and high findings are emitted as errors and moderate as warnings, so --fail-on gates work against vulnerabilities the same way they work against drift.

Output Formats

vg scan --vulns --format sarif --out vibgrate.sarif   # GitHub Code Scanning / Azure DevOps
vg scan --vulns --format json --out scan.json          # full artifact for automation

Exposure Attribution

In a git repository, each finding is attributed to the commit, author, and date that introduced the vulnerable version, with the number of days you have been exposed. See CRA remediation metrics and the vg why command.

In CI

vg scan --vulns --format sarif --out vibgrate.sarif --fail-on error

Upload the SARIF with the GitHub upload-sarif action to surface vulnerabilities in the Security tab.

Related Commands