Scan a Go Module for Upgrade Drift
Scan a Go module with Vibgrate CLI to get a DriftScore, review module findings, export SARIF, and add a fail-on gate for CI.
Go modules track dependencies in go.mod and go.sum, and those pinned versions drift behind upstream over time. Vibgrate CLI detects the Go ecosystem, analyzes the module graph, and reports a DriftScore so you can keep dependencies current without surprises.
Prerequisites
- A Go module with
go.modandgo.sum - Vibgrate CLI installed, or use the no-install form
Steps
1. Install the CLI
npm i -g @vibgrate/cli
Or run it without installing:
npx @vibgrate/cli scan
2. Scan the module
From the module root:
vg
Vibgrate detects Go from go.mod and reports drift findings grouped by severity.
3. Read the findings
The DriftScore (0-100) summarizes accumulated upgrade risk. Review the top findings to identify overdue or risky modules.
4. Export SARIF
Emit SARIF for code-scanning dashboards:
vg scan --format sarif --out vibgrate.sarif
5. Add a fail-on gate
Fail the run when error-level drift appears:
vg scan --fail-on error
Verification
Confirm a DriftScore and findings printed, and that vibgrate.sarif exists. With --fail-on error, check echo $? to confirm the gate exits non-zero on high-severity drift.
Next Steps
Create a baseline with vg baseline to compare deltas across commits, and explore the Dependency Graph scanner for duplicate and phantom dependencies.