Running the Vibgrate CLI in a container is a clean way to scan without installing anything on the host. It is especially useful in CI and on locked-down build machines. This guide is aimed at developers and platform engineers.
Overview
The container ships the vg binary. You mount your project as a working directory, then run a scan against it. A bare scan analyzes the mounted directory and reports a DriftScore from 0 to 100.
Scan a project
Mount the current directory and run a scan:
docker run --rm -v "$PWD":/src -w /src vibgrate/cli scan
-v "$PWD":/srcmounts your project into the container.-w /srcsets the working directory so the scan targets your code.--rmremoves the container after it exits.
Capture machine-readable output
For pipelines, choose a structured format and write it to a file inside the mounted directory:
docker run --rm -v "$PWD":/src -w /src vibgrate/cli scan --format sarif --out drift.sarif
Because the file is written into the mounted path, it appears in your project directory on the host.
Add a quality gate
Fail the run when errors are present so the container exits non-zero in CI:
docker run --rm -v "$PWD":/src -w /src vibgrate/cli scan --fail-on error
Troubleshooting
- Empty or partial results — confirm
-w /srcmatches your mount target so the scan runs against your code. - Permission issues on written files — file ownership inside the container may differ from the host user; adjust ownership after the run if needed.
- No network — the container runs offline-friendly for core scanning; first-run downloads of optional models require network access.
Related
See the output formats guide for SARIF, JSON, and Markdown details, and the first scan walkthrough to interpret what a scan reports.