Drift scoring and SBOM export answer different questions — "how far behind are my dependencies?" and "what exactly do I depend on?" — but both come from the same dependency graph. This guide shows how to run them together in one workflow so a single build produces both. It is for developers and platform engineers standardizing their pipelines.
Why run them together
The DriftScore (0–100) measures how far your dependencies have drifted from current, well-supported versions; the SBOM is the inventory of those dependencies. Running both in one job means:
- The SBOM and the DriftScore describe the identical dependency set.
- You get upgrade-risk signals and supply-chain evidence from one pass.
- There is one place in CI to maintain instead of two.
The combined workflow
Run the scan first to compute your DriftScore and apply any gates, then export the SBOM:
vg scan --fail-on error
vg sbom export --format cyclonedx --out sbom.cdx.json
The scan can fail the build on serious findings, while the export records what was scanned. In a no-install CI environment:
npx @vibgrate/cli scan --fail-on error
npx @vibgrate/cli sbom export --format cyclonedx --out sbom.cdx.json
Adding a drift budget
If you want to gate specifically on drift, set a budget so the scan fails when drift exceeds a threshold:
vg scan --drift-budget 60
Follow it with the SBOM export to capture the inventory behind that score.
Sending both to Vibgrate Cloud
To track DriftScore trends across builds, push the scan to Vibgrate Cloud:
vg scan --push
The SBOM file remains a local artifact you attach to releases, while the dashboard tracks drift over time. See the Vibgrate Cloud Upload documentation for authentication.
Suggested ordering
- Install or resolve dependencies deterministically.
- Run the scan (with
--fail-onor--drift-budgetas your gate). - Export the SBOM.
- Upload the SBOM as a build artifact and, optionally, push the scan.
Tips
- Keep both steps in the same job so they see the same resolved dependencies.
- Use explicit
--formatand--outfor reproducible SBOMs. - Treat the gate as the scan's job and the evidence as the SBOM's job.
Related
- "Generate an SBOM in Your CI Pipeline" for CI specifics.
- "Verifying Your Supply-Chain Posture" for the bigger picture.
- See the DriftScore documentation for how the score is computed.