Skip to main content

Security Posture Scanner: Structural Security Hygiene at a Glance

Learn how the Security Posture Scanner checks structural security hygiene — lockfile presence, .gitignore coverage, and audit counts — why these basics predict supply-chain risk, and how to close the gaps.

Vibgrate Docs

Vibgrate Help

The Security Posture Scanner evaluates structural security hygiene: the presence and health of lockfiles, the coverage of your .gitignore, and audit counts. It runs as part of a normal scan and contributes to your DriftScore. This article is for developers and security-minded leads who want a fast read on basic hygiene.

What it detects

  • Lockfiles — whether your project commits a lockfile, which is the foundation of reproducible, verifiable installs.
  • .gitignore coverage — whether sensitive or build-artifact paths are properly excluded so secrets and noise do not leak into the repository.
  • Audit counts — a count-level view of known issues, giving you a quick sense of exposure.

Findings describe gaps in these structural basics rather than performing deep vulnerability analysis.

Why it matters

Most real incidents start with a missed fundamental, not an exotic exploit. A missing lockfile means installs are not reproducible and a malicious version can slip in unnoticed. Weak .gitignore coverage is how secrets and credentials end up in git history. Audit counts give an at-a-glance signal of how much known risk you carry. These are the cheapest, highest-leverage controls, and the scanner makes their absence visible.

For executives, posture is a portfolio-wide hygiene metric. For developers, it is a short, actionable checklist.

How to act

Scan the repository:

vg

If a lockfile is missing, generate and commit one. If .gitignore coverage is incomplete, add the missing patterns and verify nothing sensitive is already tracked. Treat rising audit counts as a prompt to run your ecosystem's audit tooling and remediate.

Gate on findings in CI:

vg scan --fail-on error

Triage tips

  • Always commit a lockfile — it is the single highest-leverage fix here.
  • Audit git history for already-committed secrets if .gitignore coverage was weak.
  • Use audit counts as a trend signal, tracked over time in Vibgrate Cloud.

Related

For scanner orchestration and readiness, see the Security Scanners Scanner. To map findings into a triage framework, see the OWASP Category Mapping article. For exportable supply-chain evidence, see the SBOM workflow.

Related Commands