Skip to main content

Surface Known-Vulnerable Dependencies with Vibgrate CLI

Use Vibgrate's Security Posture Scanner to surface audit counts and security hygiene, export results to SARIF with vg scan --format sarif, and upload them to a code scanning dashboard.

Difficulty
Intermediate
Duration
16 minutes
Steps
5

Known-vulnerable dependencies are a primary supply-chain risk. Vibgrate's Security Posture Scanner surfaces structural security hygiene, including audit counts, and you can export the results to SARIF for ingestion by code scanning dashboards. This tutorial walks through that flow.

Prerequisites

  • Node.js installed
  • A project with a lockfile

Steps

1. Install the CLI

npm i -g @vibgrate/cli

2. Scan with security posture

From your project root:

vg

The scan runs the Security Posture Scanner among others, surfacing lockfile coverage, .gitignore hygiene, and audit counts that point at vulnerable dependencies.

3. Export findings to SARIF

SARIF is the standard interchange format for static analysis results:

vg scan --format sarif

This emits findings in SARIF so they can be ingested by a code scanning tool.

4. Review the SARIF output

The SARIF output groups findings as results with rule identifiers and locations. Look for security-related results that flag dependencies with outstanding audit issues.

5. Upload SARIF to code scanning

In GitHub Actions, upload the SARIF so findings appear in the Security tab:

      - run: npx @vibgrate/cli scan --format sarif > results.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

Verification

vg scan --format sarif exits 0 and emits valid SARIF. After upload, the findings appear in your code scanning dashboard.

Next Steps

Combine this with the Dependency Risk Scanner to classify risky packages, and export an SBOM so your vulnerability findings sit alongside a full component inventory.

Prerequisites

  • Node.js installed
  • A project with a lockfile

Steps

  • 1
    Install the CLI
  • 2
    Scan with security posture
  • 3
    Export findings to SARIF
  • 4
    Review the SARIF output
  • 5
    Upload SARIF to code scanning

Category

Vibgrate