Skip to main content

Combine Drift Scoring and SBOM in One Workflow

Run drift scoring and SBOM export together so a single build produces both a DriftScore for upgrade risk and a Software Bill of Materials for supply-chain visibility.

Vibgrate Docs

Vibgrate Help

Drift scoring and SBOM export answer different questions — "how far behind are my dependencies?" and "what exactly do I depend on?" — but both come from the same dependency graph. This guide shows how to run them together in one workflow so a single build produces both. It is for developers and platform engineers standardizing their pipelines.

Why run them together

The DriftScore (0–100) measures how far your dependencies have drifted from current, well-supported versions; the SBOM is the inventory of those dependencies. Running both in one job means:

  • The SBOM and the DriftScore describe the identical dependency set.
  • You get upgrade-risk signals and supply-chain evidence from one pass.
  • There is one place in CI to maintain instead of two.

The combined workflow

Run the scan first to compute your DriftScore and apply any gates, then export the SBOM:

vg scan --fail-on error
vg sbom export --format cyclonedx --out sbom.cdx.json

The scan can fail the build on serious findings, while the export records what was scanned. In a no-install CI environment:

npx @vibgrate/cli scan --fail-on error
npx @vibgrate/cli sbom export --format cyclonedx --out sbom.cdx.json

Adding a drift budget

If you want to gate specifically on drift, set a budget so the scan fails when drift exceeds a threshold:

vg scan --drift-budget 60

Follow it with the SBOM export to capture the inventory behind that score.

Sending both to Vibgrate Cloud

To track DriftScore trends across builds, push the scan to Vibgrate Cloud:

vg scan --push

The SBOM file remains a local artifact you attach to releases, while the dashboard tracks drift over time. See the Vibgrate Cloud Upload documentation for authentication.

Suggested ordering

  1. Install or resolve dependencies deterministically.
  2. Run the scan (with --fail-on or --drift-budget as your gate).
  3. Export the SBOM.
  4. Upload the SBOM as a build artifact and, optionally, push the scan.

Tips

  • Keep both steps in the same job so they see the same resolved dependencies.
  • Use explicit --format and --out for reproducible SBOMs.
  • Treat the gate as the scan's job and the evidence as the SBOM's job.

Related

  • "Generate an SBOM in Your CI Pipeline" for CI specifics.
  • "Verifying Your Supply-Chain Posture" for the bigger picture.
  • See the DriftScore documentation for how the score is computed.

Related Commands