Skip to main content

Detecting Vulnerable Dependencies

How Vibgrate surfaces vulnerable dependencies through its security scanning and SBOM output, and how to feed CycloneDX SBOMs into vulnerability tooling and OpenVEX exploitability statements.

Vibgrate Docs

Vibgrate Help

Knowing your components is the first step; knowing which of them carry known vulnerabilities is the next. This article explains how Vibgrate helps you detect vulnerable dependencies — through its security posture scanning and through the SBOM you can feed into vulnerability tooling. It is written for developers and security-minded leaders.

Two complementary approaches

Vibgrate supports vulnerability awareness in two ways:

  1. Security posture scanning during a normal scan, which checks structural security hygiene such as lockfile presence, ignore-file coverage, and audit counts.
  2. SBOM-driven analysis, where you export a standards-based inventory and run it through dedicated vulnerability tooling that maps components to advisory databases.

Using both gives you a hygiene baseline plus a precise, component-level vulnerability view.

Producing the inputs

Run a scan to get security posture signals as part of the findings:

vg scan

Export a CycloneDX SBOM that downstream vulnerability scanners can consume:

vg sbom export --format cyclonedx --out sbom.cdx.json

Because CycloneDX is broadly supported, most vulnerability scanners can ingest sbom.cdx.json directly and match each component against known advisories.

Recording exploitability with OpenVEX

Not every reported vulnerability is actually exploitable in your context. Vibgrate can generate OpenVEX documents — Vulnerability Exploitability eXchange statements — so you can record, in a machine-readable way, whether a given vulnerability affects your product. This lets you communicate "not affected" with evidence instead of leaving consumers to guess.

Gating on security in CI

To stop a build when serious issues appear, combine the scan with a fail threshold:

vg scan --fail-on error

Pair this with the SBOM export step so the inventory and the gate are produced from the same build.

Triage tips

  • Prioritize vulnerabilities in direct dependencies you can upgrade quickly.
  • Use OpenVEX to suppress noise from vulnerabilities that do not apply, with a recorded justification.
  • Re-export the SBOM after each dependency change so your vulnerability view stays current.

Related

  • "Understanding Dependency Risk Findings" covers deprecated and risky packages.
  • "License Findings and License Compliance" covers the legal dimension.
  • See the Security Posture Scanner documentation for hygiene checks.

Related Commands