Assess Structural Security Posture with the Security Scanner
Run the Vibgrate Security Posture Scanner to check structural hygiene — lockfiles, .gitignore coverage, and audit counts — then export and gate on findings.
The Vibgrate Security Posture Scanner checks structural security hygiene — lockfile presence, .gitignore coverage, and audit counts — surfacing the basic controls that should be in place before deeper security work. It runs as part of a standard scan and contributes findings you can triage and gate on.
Prerequisites
- A project repository with dependency manifests
- Vibgrate CLI installed, or use the no-install form
Steps
1. Install the CLI
npm i -g @vibgrate/cli
Or try it without installing:
npx @vibgrate/cli scan
2. Run the scan
From the project root:
vg
The Security Posture Scanner runs as part of the scan and contributes structural hygiene findings.
3. Review hygiene findings
Look for findings about missing lockfiles, gaps in .gitignore coverage, and audit counts. These structural signals indicate where basic security controls are missing.
4. Export for triage
Emit machine-readable output to feed your triage process:
vg scan --format json --out vibgrate.json
For code-scanning dashboards, use SARIF:
vg scan --format sarif --out vibgrate.sarif
5. Gate on security findings
Fail the run when error-level findings are present:
vg scan --fail-on error
Verification
Confirm the scan reported security-posture findings and that your exported file exists. With --fail-on error, check the exit code to confirm the gate behaves as expected.
Next Steps
Map findings into OWASP categories with the OWASP scanner, and explore the Security Scanners scanner for local scanner orchestration and readiness.