Skip to main content

Combine a Drift Scan and SBOM Export in One CI Job

Run one CI job that gates the build on drift with vg scan --fail-on error and exports a CycloneDX SBOM, using if: always() so the inventory is captured even on failure.

Difficulty
Intermediate
Duration
18 minutes
Steps
5

Quality and inventory are two sides of supply-chain hygiene, and you can cover both in one CI job: gate the build on drift and emit an SBOM in the same run. This tutorial wires both together with --fail-on and an SBOM export.

Prerequisites

  • A GitHub repository
  • A project with a dependency manifest

Steps

1. Create the CI job

Add a workflow that checks out the repo and sets up Node.js.

2. Scan with a failing gate

Scan and fail the build if any error-level findings appear:

npx @vibgrate/cli scan --fail-on error

This exits non-zero when error-severity findings are present, blocking the build on drift quality.

3. Export the SBOM

Export the SBOM even if you want it on every run. Run it as a separate step:

vg sbom export --format cyclonedx --out sbom.cdx.json

With the no-install form, prefix with npx @vibgrate/cli.

4. Upload the SBOM

Upload the SBOM so it is available regardless of the gate. Putting the export and upload in steps with if: always() ensures the inventory is captured even on a failing gate:

      - run: npx @vibgrate/cli scan --fail-on error
      - if: always()
        run: npx @vibgrate/cli sbom export --format cyclonedx --out sbom.cdx.json
      - if: always()
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.cdx.json

5. Confirm gate and artifact

The job fails when error findings exist; the SBOM artifact is still uploaded.

Verification

A clean run exits 0 with the SBOM uploaded. A run with error-level findings exits non-zero, and the if: always() steps still attach sbom.cdx.json.

Next Steps

Add a drift budget with --drift-budget for a softer gate, and push the scan to Vibgrate Cloud for trend tracking.

Prerequisites

  • A GitHub repository
  • A project with a dependency manifest

Steps

  • 1
    Create the CI job
  • 2
    Scan with a failing gate
  • 3
    Export the SBOM
  • 4
    Upload the SBOM
  • 5
    Confirm gate and artifact

Category

Vibgrate