Overview
Vibgrate discovers Java projects by looking for pom.xml (Maven) and Gradle build files. It evaluates dependency version lag against Maven Central.
What Gets Scanned
- Java version from build tool configuration
- All dependencies declared in pom.xml or Gradle build files
- Package version lag against the latest Maven Central releases
- Framework versions (Spring Boot, Quarkus, Micronaut, etc.)
- EOL risk for end-of-life Java versions
Quick Start
Vibgrate requires Node.js >= 20, installed alongside your Java toolchain.
npm install -g @vibgrate/cli
vibgrate scan /path/to/java-project
Maven Projects
For Maven projects, Vibgrate reads pom.xml files and resolves <dependency> and <parent> declarations. Multi-module Maven projects are fully supported — each module receives its own score.
Gradle Projects
Gradle projects are detected via build.gradle and build.gradle.kts files. Dependencies declared in implementation, api, compileOnly, and testImplementation configurations are all analyzed.
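The two sections above describe what Vibgrate extracts from pom.xml and build.gradle and what it compares against Maven Central. The following is an added example, not Vibgrate's own code: it parses a constructed pom.xml (including a <parent>, a ${property}-driven version and a dependency whose version the parent BOM manages) and a constructed build.gradle covering the four scanned configurations, then scores each declaration's version lag against an inline release table that stands in for a Maven Central lookup. The SEVERITY thresholds and the should_fail gate are hypothetical illustrations of what a --fail-on style gate does; Vibgrate's actual thresholds, scoring and version-ordering rules are not documented here, and the comparison below uses only the leading numeric components of a version.

```python
"""Added example (not Vibgrate's own code): parse the declarations Vibgrate reads
from pom.xml and build.gradle and score each one's version lag. A real scan
queries Maven Central; the release table below is constructed to run offline."""
import re
import xml.etree.ElementTree as ET

# Constructed pom.xml: a <parent>, a property-driven version and a BOM-managed dependency.
POM_XML = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.0</version>
  </parent>
  <properties><jackson.version>2.13.0</jackson.version></properties>
  <dependencies>
    <dependency><groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId><version>${jackson.version}</version>
    </dependency>
    <dependency><groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
  </dependencies>
</project>"""

# Constructed build.gradle covering the four configurations Vibgrate scans.
BUILD_GRADLE = """
dependencies {
    implementation 'com.google.guava:guava:31.0-jre'
    api "org.slf4j:slf4j-api:1.7.36"
    compileOnly 'org.projectlombok:lombok:1.18.24'
    testImplementation 'org.junit.jupiter:junit-jupiter:5.8.2'
}"""

# Constructed stand-in for a Maven Central "latest release" lookup.
LATEST = {
    "org.springframework.boot:spring-boot-starter-parent": "3.2.0",
    "com.fasterxml.jackson.core:jackson-databind": "2.16.0",
    "com.google.guava:guava": "33.0.0-jre",
    "org.slf4j:slf4j-api": "2.0.9",
    "org.projectlombok:lombok": "1.18.30",
    "org.junit.jupiter:junit-jupiter": "5.10.1",
}

# Hypothetical severity mapping; Vibgrate's own thresholds are not documented here.
SEVERITY = {"major": "error", "minor": "warning", "patch": "note",
            "current": "none", "managed": "none"}

GRADLE_DEP = re.compile(
    r"^\s*(implementation|api|compileOnly|testImplementation)\s*\(?\s*"
    r"['\"]([^:'\"]+):([^:'\"]+):([^'\"]+)['\"]", re.MULTILINE)

def parse_pom(xml_text):
    """(group:artifact, version) for <parent> and each <dependency>, with
    ${property} references expanded from <properties>."""
    local = lambda tag: tag.split("}", 1)[-1]  # strip the POM XML namespace
    root = ET.fromstring(xml_text)
    props = {local(p.tag): (p.text or "").strip() for node in root.iter()
             if local(node.tag) == "properties" for p in node}
    deps = []
    for node in root.iter():
        if local(node.tag) in ("parent", "dependency"):
            f = {local(c.tag): (c.text or "").strip() for c in node}
            version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m[1], m[0]),
                             f.get("version", ""))
            deps.append((f"{f['groupId']}:{f['artifactId']}", version))
    return deps

def parse_gradle(text):
    """(group:artifact, version) for every scanned Gradle configuration line."""
    return [(f"{g}:{a}", v) for _, g, a, v in GRADLE_DEP.findall(text)]

def _numeric(version):
    """Leading numeric components padded to three: '31.0-jre' -> (31, 0, 0)."""
    parts = tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", version)[0].split("."))
    return parts + (0,) * (3 - len(parts))

def version_lag(current, latest):
    """(component, releases behind) describing how far `current` trails `latest`."""
    if not current:
        return ("managed", 0)  # version inherited from the parent BOM
    cur, new = _numeric(current), _numeric(latest)
    if cur >= new:
        return ("current", 0)
    for name, i in (("major", 0), ("minor", 1), ("patch", 2)):
        if cur[i] != new[i]:
            return (name, new[i] - cur[i])

def report(deps, latest=LATEST):
    """One finding per declaration with a severity from SEVERITY."""
    return [dict(coordinate=c, version=v or "(managed)", lag=k, behind=n,
                 severity=SEVERITY[k])
            for c, v in deps for k, n in [version_lag(v, latest.get(c, "0"))]]

def should_fail(rows, fail_on="error"):
    """Gate in the spirit of --fail-on: any finding at or above the threshold fails."""
    rank = {"none": 0, "note": 1, "warning": 2, "error": 3}
    return any(rank[r["severity"]] >= rank[fail_on] for r in rows)
```

Calling report(parse_pom(POM_XML) + parse_gradle(BUILD_GRADLE)) yields one finding per declaration; with the constructed inputs the parent, guava and slf4j declarations are a major version behind and so should_fail(rows) returns True, which is the outcome a --fail-on error gate in CI would act on. The version-less spring-boot-starter-web entry is reported as managed rather than crashing the parser, which is the case a naive pom.xml reader most often gets wrong.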
CI Integration: GitHub Actions
steps:
  - name: Vibgrate Scan
    run: npx @vibgrate/cli scan . --format sarif --out vibgrate.sarif --fail-on error
  - name: Upload SARIF
    uses: github/codeql-action/upload-sarif@v3
    with:
      sarif_file: vibgrate.sarif
CI Integration: GitLab CI
vibgrate:
  image: node:20
  script:
    - npx @vibgrate/cli scan . --format sarif --out vibgrate.sarif --fail-on error
  artifacts:
    reports:
      sast: vibgrate.sarif
Next Steps
- Combine Java scanning with other ecosystems in polyglot repositories
- Set up drift baselines and fitness functions in CI
- Push results to the Vibgrate Dashboard for cross-team visibility