Why Offline Scanning?
Some environments cannot make outbound network requests — air-gapped networks, restricted CI runners, or simply slow connections. Vibgrate supports fully offline operation.
How It Works
Normally, Vibgrate queries npm/NuGet registries to determine the latest versions of your dependencies. In offline mode, it uses a pre-downloaded manifest file instead.
Setup
Step 1: Download the manifest
On a machine with internet access:
curl -L -o latest-packages.zip https://github.com/vibgrate/manifests/latest-packages.zip
Step 2: Transfer to air-gapped environment
Copy latest-packages.zip to your target machine via USB, secure file transfer, or include it in your container image.
Step 3: Run offline scan
vibgrate scan . --offline --package-manifest ./latest-packages.zip
Flags
| Flag | Description |
|---|---|
| --offline | Disable all network calls |
| --package-manifest <file> | Path to a JSON or ZIP manifest for version lookups |
Combining with Other Options
# Offline scan with SARIF output and quality gate
vibgrate scan . \
  --offline \
  --package-manifest ./latest-packages.zip \
  --format sarif \
  --out vibgrate.sarif \
  --fail-on error
Container-Based Workflow
Include the manifest in your Docker build:
FROM node:22-slim
COPY latest-packages.zip /opt/vibgrate/
RUN npx @vibgrate/cli scan /app \
  --offline \
  --package-manifest /opt/vibgrate/latest-packages.zip
Keeping Manifests Fresh
Schedule a recurring download of the manifest bundle (e.g. weekly cron job) on a machine with internet access, then distribute it to your air-gapped environments.
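A gate for the transfer and scan steps and for the freshness advice above, as an added example that is not part of Vibgrate or its documentation: it checks that the transferred manifest still matches the SHA-256 recorded at download time and is not older than a chosen limit before the offline scan runs. The `.meta` sidecar file, the function names and the 14-day limit are assumptions; only the `vibgrate scan` flags come from this page.

```shell
#!/bin/sh
# Added example, not Vibgrate code. Hypothetical names: the .meta sidecar,
# check_manifest, scan_offline, and the 14-day limit. Needs sha256sum (GNU).
#
# On the connected machine, right after the download, record digest and time:
#   { sha256sum latest-packages.zip; date -u +%s; } > latest-packages.zip.meta
# Transfer both files together.

is_hex64() {
  [ "${#1}" -eq 64 ] || return 1
  case $1 in *[!0-9a-f]*) return 1 ;; esac
}

is_uint() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
}

# check_manifest MANIFEST META [MAX_AGE_DAYS]
# Returns 0 = usable, 1 = digest mismatch, 2 = missing or malformed record,
# 3 = older than MAX_AGE_DAYS.
check_manifest() (
  manifest=$1 meta=$2 max_days=${3:-14}
  [ -f "$manifest" ] && [ -f "$meta" ] || return 2
  expected=$(awk 'NR==1 {print tolower($1)}' "$meta")
  fetched=$(awk 'NR==2 {print $1}' "$meta")
  # Refuse a malformed record instead of comparing against garbage.
  is_hex64 "$expected" && is_uint "$fetched" || return 2
  actual=$(sha256sum "$manifest" | awk '{print $1}')
  [ "$expected" = "$actual" ] || return 1
  age=$(( $(date -u +%s) - fetched ))
  [ "$age" -ge 0 ] || return 2            # timestamp in the future
  [ "$age" -le $(( max_days * 86400 )) ] || return 3
)

# Run the page's offline scan only when the manifest passes both checks.
scan_offline() {
  check_manifest "$1" "$1.meta" 14 || {
    echo "manifest rejected (code $?)" >&2
    return 1
  }
  vibgrate scan . --offline --package-manifest "$1"
}
```

Recording the download time in the sidecar keeps the age check independent of file modification times, which a USB copy or image build may reset.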
Limitations
- Offline drift scores are as current as the manifest file — older manifests may undercount drift
- Dashboard push (vibgrate push) is not available in offline mode
- Security scanner heuristics that depend on registry metadata will use cached data only