The Security Posture Scanner evaluates structural security hygiene: the presence and health of lockfiles, the coverage of your .gitignore, and audit counts. It runs as part of a normal scan and contributes to your DriftScore. This article is for developers and security-minded leads who want a fast read on basic hygiene.
What it detects
- Lockfiles — whether your project commits a lockfile, which is the foundation of reproducible, verifiable installs.
- .gitignore coverage — whether sensitive or build-artifact paths are properly excluded so secrets and noise do not leak into the repository.
- Audit counts — a count-level view of known issues, giving you a quick sense of exposure.
Findings describe gaps in these structural basics rather than performing deep vulnerability analysis.
Why it matters
Most real incidents start with a missed fundamental, not an exotic exploit. A missing lockfile means installs are not reproducible and a malicious version can slip in unnoticed. Weak .gitignore coverage is how secrets and credentials end up in git history. Audit counts give an at-a-glance signal of how much known risk you carry. These are the cheapest, highest-leverage controls, and the scanner makes their absence visible.
For executives, posture is a portfolio-wide hygiene metric. For developers, it is a short, actionable checklist.
How to act
Scan the repository:
vg
If a lockfile is missing, generate and commit one. If .gitignore coverage is incomplete, add the missing patterns and verify nothing sensitive is already tracked. Treat rising audit counts as a prompt to run your ecosystem's audit tooling and remediate.
Gate on findings in CI:
vg scan --fail-on error
Triage tips
- Always commit a lockfile — it is the single highest-leverage fix here.
- Audit git history for already-committed secrets if .gitignore coverage was weak.
- Use audit counts as a trend signal, tracked over time in Vibgrate Cloud.
Related
For scanner orchestration and readiness, see the Security Scanners Scanner. To map findings into a triage framework, see the OWASP Category Mapping article. For exportable supply-chain evidence, see the SBOM workflow.