Surface Known-Vulnerable Dependencies with Vibgrate CLI
Use Vibgrate's Security Posture Scanner to surface audit counts and security hygiene, export results to SARIF with vg scan --format sarif, and upload them to a code scanning dashboard.
Known-vulnerable dependencies are a primary supply-chain risk. Vibgrate's Security Posture Scanner surfaces structural security hygiene, including audit counts, and you can export the results to SARIF for ingestion by code scanning dashboards. This tutorial walks through that flow.
Prerequisites
- Node.js installed
- A project with a lockfile
Steps
1. Install the CLI
npm i -g @vibgrate/cli
2. Scan with security posture
From your project root:
vg
The scan runs the Security Posture Scanner among others, surfacing lockfile coverage, .gitignore hygiene, and audit counts that point at vulnerable dependencies.
3. Export findings to SARIF
SARIF is the standard interchange format for static analysis results:
vg scan --format sarif
This emits findings in SARIF so they can be ingested by a code scanning tool.
4. Review the SARIF output
The SARIF output groups findings as results with rule identifiers and locations. Look for security-related results that flag dependencies with outstanding audit issues.
5. Upload SARIF to code scanning
In GitHub Actions, upload the SARIF so findings appear in the Security tab:
- run: npx @vibgrate/cli scan --format sarif > results.sarif
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
Verification
vg scan --format sarif exits 0 and emits valid SARIF. After upload, the findings appear in your code scanning dashboard.
Next Steps
Combine this with the Dependency Risk Scanner to classify risky packages, and export an SBOM so your vulnerability findings sit alongside a full component inventory.