Skip to main content

Pushing Scan and Supply-Chain Results to Vibgrate Cloud

Send your scan results to Vibgrate Cloud for team visibility and trend tracking, and keep SBOM files as release artifacts — learn how the local SBOM and the hosted dashboard work together.

Vibgrate Docs

Vibgrate Help

Local SBOM files are perfect for release artifacts, but teams often want a shared, searchable view of their supply chain over time. This guide explains how to push scan results to Vibgrate Cloud and how the hosted dashboard works alongside your local SBOM exports. It is written for developers and engineering leaders adopting team-wide visibility.

Two complementary outputs

  • Local SBOM files — produced with vg sbom export, attached to releases, fed into tooling, retained as evidence.
  • Vibgrate Cloud — the hosted dashboard at dash.vibgrate.com, where pushed scan results provide team visibility and trend analysis.

The SBOM file is the portable artifact; the dashboard is the shared, longitudinal view.

Authenticating

Before pushing, sign the CLI into your workspace from the browser — no token to copy:

vg login

For non-interactive environments such as CI, generate an HMAC-signed DSN token instead and supply it to the push:

vg dsn create

See the vg dsn create and vg login command documentation for details.

Pushing results

The simplest path is to scan and push in one step:

vg scan --push

Or push previously produced scan results explicitly:

vg push

Once uploaded, the dashboard tracks DriftScore trends and findings across builds, giving your team a single place to watch supply-chain health move over time.

Keeping the SBOM with the release

Pushing scan results does not replace your SBOM file. Continue exporting it for each release:

vg sbom export --format cyclonedx --out sbom.cdx.json

Then attach sbom.cdx.json to the release. The combination gives you portable per-release evidence and a live team dashboard.

A combined CI step

npx @vibgrate/cli scan --push
npx @vibgrate/cli sbom export --format cyclonedx --out sbom.cdx.json

The scan feeds the dashboard; the export produces the artifact you upload to your release.

Tips

  • Use vg login locally and a DSN token in CI.
  • Push on every build so trends are continuous, not sporadic.
  • Treat the dashboard and the SBOM file as complementary, not interchangeable.

Related

  • "Combine Drift Scoring and SBOM in One Workflow" for the full pipeline.
  • "SBOM for Compliance and Audit Evidence" for the evidence trail.
  • See the Vibgrate Cloud Upload documentation.

Related Commands