SBOM Export and Delta: Supply Chain Visibility from Your Drift Scan

Software Bill of Materials (SBOM) requirements are becoming standard — driven by regulation, customer contracts, and security best practices. Vibgrate can generate SBOMs in CycloneDX and SPDX formats directly from your drift scan, and compare two scans to show exactly what changed.

SBOMs Are No Longer Optional

The U.S. Executive Order 14028, the EU Cyber Resilience Act, and an increasing number of enterprise procurement requirements all demand one thing: a machine-readable inventory of every software component in your product.

A Software Bill of Materials (SBOM) is that inventory. It lists every package, its version, its license, and its relationship to other packages in your dependency graph.

Vibgrate's scan already collects all of this information — it needs it to calculate your drift score. The SBOM export feature simply reformats that data into the industry-standard CycloneDX or SPDX formats.

Generating an SBOM

# CycloneDX format
vibgrate sbom export --format cyclonedx --out sbom.cdx.json

# SPDX format
vibgrate sbom export --format spdx --out sbom.spdx.json

These commands read your latest scan artifact (.vibgrate/scan_result.json) and produce a standards-compliant SBOM file. No separate scan is needed — if you have already run vibgrate scan ., the data is ready.

You can also specify a different input artifact:

vibgrate sbom export --in path/to/scan_result.json --format cyclonedx --out sbom.cdx.json

SBOM Delta: What Changed Between Releases

Knowing what is in your software today is useful. Knowing what changed since the last release is even more useful — especially for security reviews, audit trails, and change management.

The sbom delta command compares two scan artifacts and produces a human-readable report:

vibgrate sbom delta \
  --from .vibgrate/baseline.json \
  --to .vibgrate/scan_result.json \
  --out sbom-delta.txt

The delta report shows:

  • Added dependencies: New packages that were not in the previous scan
  • Removed dependencies: Packages that have been dropped
  • Version changes: Packages that were upgraded or downgraded, with before/after versions
  • Drift delta: How the overall drift posture changed between the two scans

This is exactly what a security reviewer needs in a release checklist: "What third-party code changed in this release?"
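As an added illustration of what such a delta computes (example code, not Vibgrate's own), the script below diffs two CycloneDX SBOM documents and reports added, removed, and version-changed components with upgrade/downgrade direction. It assumes CycloneDX field names and uses two constructed sample SBOMs in place of the --from and --to artifacts; Vibgrate's scan_result.json layout is not documented here, so the script does not read it.

```javascript
// Added example (not Vibgrate's code): compute an SBOM delta between two
// CycloneDX JSON documents. Field names follow the CycloneDX spec; both
// SBOMs below are constructed sample input standing in for --from/--to.
const baselineSbom = { bomFormat: "CycloneDX", specVersion: "1.5", components: [
  { type: "library", name: "lodash", version: "4.17.20" },
  { type: "library", name: "left-pad", version: "1.3.0" },
  { type: "library", name: "express", version: "4.18.2" },
] };
const currentSbom = { bomFormat: "CycloneDX", specVersion: "1.5", components: [
  { type: "library", name: "lodash", version: "4.17.21" },
  { type: "library", name: "express", version: "4.17.1" },
  { type: "library", name: "helmet", version: "7.1.0" },
] };

// A component's identity is its (group, name), not its version, so one package
// at two versions is reported as a version change rather than add + remove.
function componentKey(c) {
  return c.group ? `${c.group}/${c.name}` : c.name;
}

// Dotted-numeric comparison, enough to label upgrade vs downgrade for the
// sample data; a production tool should use a real semver parser.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// An SBOM with no components (e.g. an empty project) yields an empty map.
function sbomDelta(fromSbom, toSbom) {
  const before = new Map((fromSbom.components || []).map((c) => [componentKey(c), c]));
  const after = new Map((toSbom.components || []).map((c) => [componentKey(c), c]));
  const delta = { added: [], removed: [], changed: [] };
  for (const [key, c] of after) {
    const old = before.get(key);
    if (!old) delta.added.push({ name: key, version: c.version });
    else if (old.version !== c.version)
      delta.changed.push({ name: key, from: old.version, to: c.version,
        direction: compareVersions(old.version, c.version) < 0 ? "upgrade" : "downgrade" });
  }
  for (const [key, c] of before) {
    if (!after.has(key)) delta.removed.push({ name: key, version: c.version });
  }
  return delta;
}

console.log(JSON.stringify(sbomDelta(baselineSbom, currentSbom), null, 2));
```

Running it reports helmet as added, left-pad as removed, lodash as an upgrade, and express as a downgrade, which is the question a reviewer asks at release time.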

Integrating SBOMs into Your Workflow

A practical CI integration might look like this:

- name: Vibgrate Scan
  run: npx @vibgrate/cli scan . --fail-on error

- name: Export SBOM
  run: npx @vibgrate/cli sbom export --format cyclonedx --out sbom.cdx.json

- name: Archive SBOM
  uses: actions/upload-artifact@v4
  with:
    name: sbom
    path: sbom.cdx.json

Every build now produces a versioned SBOM artifact alongside the binary — ready for compliance, audits, or customer delivery.

Beyond Compliance

Vibgrate's SBOM data goes beyond the minimum required by standards. Because the scan artifact includes duplicate-version hotspots, phantom dependencies (packages used but not declared), and lockfile-derived package graphs, the SBOM is not just a compliance document — it is operational intelligence for supply chain governance.

The Vibgrate Drift Intelligence Engine treats SBOMs as a natural output of drift analysis, not a separate workflow. If you are already scanning for drift, you already have the data for a high-quality SBOM.


Generate your SBOM today. Sign up at dash.vibgrate.com to scan your repo, export CycloneDX or SPDX SBOMs, and track supply chain changes across every release.