Skip to main content

Scan a Go Module for Upgrade Drift

Scan a Go module with Vibgrate CLI to get a DriftScore, review module findings, export SARIF, and add a fail-on gate for CI.

Difficulty
Beginner
Duration
15 minutes
Steps
5

Go modules track dependencies in go.mod and go.sum, and those pinned versions drift behind upstream over time. Vibgrate CLI detects the Go ecosystem, analyzes the module graph, and reports a DriftScore so you can keep dependencies current without surprises.

Prerequisites

  • A Go module with go.mod and go.sum
  • Vibgrate CLI installed, or use the no-install form

Steps

1. Install the CLI

npm i -g @vibgrate/cli

Or run it without installing:

npx @vibgrate/cli scan

2. Scan the module

From the module root:

vg

Vibgrate detects Go from go.mod and reports drift findings grouped by severity.

3. Read the findings

The DriftScore (0-100) summarizes accumulated upgrade risk. Review the top findings to identify overdue or risky modules.

4. Export SARIF

Emit SARIF for code-scanning dashboards:

vg scan --format sarif --out vibgrate.sarif

5. Add a fail-on gate

Fail the run when error-level drift appears:

vg scan --fail-on error

Verification

Confirm a DriftScore and findings printed, and that vibgrate.sarif exists. With --fail-on error, check echo $? to confirm the gate exits non-zero on high-severity drift.

Next Steps

Create a baseline with vg baseline to compare deltas across commits, and explore the Dependency Graph scanner for duplicate and phantom dependencies.

Prerequisites

  • A Go module with go.mod and go.sum
  • Vibgrate CLI installed

Steps

  • 1
    Install the CLI
  • 2
    Scan the module
  • 3
    Read the findings
  • 4
    Export SARIF
  • 5
    Add a fail-on gate

Category

Vibgrate