Skip to main content
GuidesAdvanced2 min read

Verifying Your Supply-Chain Posture

Bring SBOMs, dependency-risk findings, security posture, and drift scoring together into a repeatable check that tells you whether your software supply chain is in good shape.

Vibgrate Docs

Vibgrate Help

"Supply-chain posture" is shorthand for a simple question: is the set of things you depend on safe, current, and well understood? This article shows how to combine Vibgrate's capabilities into a repeatable verification of that posture. It is written for engineering leaders and the developers who operationalize the checks.

The four pillars

A solid supply-chain posture rests on four things, all of which Vibgrate touches:

  1. Inventory — a current SBOM of every component.
  2. Known vulnerabilities — awareness of advisories affecting those components, with OpenVEX for exploitability statements.
  3. Dependency risk — deprecated, native, and platform-specific packages flagged.
  4. Drift — how far behind current your dependencies have fallen, expressed as a DriftScore.

Verifying posture means checking all four consistently, not just once.

A repeatable verification

Run a scan to produce drift, dependency-risk, and security-posture findings, then export the SBOM:

vg scan --fail-on error
vg sbom export --format cyclonedx --out sbom.cdx.json

The scan's exit code gives you a pass/fail signal for automation; the SBOM gives you the inventory to feed vulnerability and license tooling.

Setting an explicit drift gate

To make "how far behind is too far behind" explicit, set a drift budget:

vg scan --drift-budget 60

When drift exceeds the budget, the scan fails — a clear, enforceable posture rule.

Tracking posture over time

A single check is a snapshot; posture is a trend. Push scans to Vibgrate Cloud so you can watch DriftScore and findings move across builds:

vg scan --push

The dashboard surfaces trends and risk registers, while your per-release SBOMs document each point in time. See the Vibgrate Cloud Upload documentation.

Turning the check into a policy

  • Decide acceptable thresholds (drift budget, fail-on severity).
  • Run the verification in CI on every change so regressions are caught immediately.
  • Retain SBOMs as the evidence trail behind each verified build.

Tips

  • Keep inventory and analysis in sync by exporting the SBOM in the same job as the scan.
  • Use OpenVEX to record "not affected" decisions so your posture reflects reality, not raw advisory counts.
  • Revisit thresholds periodically as your risk tolerance changes.

Related

  • "Combine Drift Scoring and SBOM in One Workflow" for the mechanics.
  • "Detecting Vulnerable Dependencies" and "Understanding Dependency Risk Findings" for the analysis layers.
  • See the Supply Chain Inventory documentation.

Related Commands