Verify Supply-Chain Posture Before Shipping
Run a pre-ship checklist with Vibgrate CLI: gate the release candidate with vg scan --fail-on error, review risk and security findings in a report, and export an SBOM as a ship-readiness artifact.
Before you ship a release, it pays to confirm your supply-chain posture: no regressions in drift, no unaddressed risk findings, and a fresh inventory. This tutorial is a pre-ship checklist using Vibgrate CLI.
Prerequisites
- Node.js installed
- A release candidate to verify
Steps
1. Install the CLI
npm i -g @vibgrate/cli
2. Gate the release candidate
Scan and fail on error-level findings so a problematic candidate stops here:
vg scan --fail-on error
A non-zero exit means the candidate has issues to resolve before shipping.
3. Review risk and security findings
Generate a readable report and review the dependency risk and security posture sections:
vg report
Confirm there are no deprecated packages or outstanding audit issues you are not willing to ship with.
4. Export the SBOM
Produce the inventory that accompanies the release:
vg sbom export --format cyclonedx --out sbom.cdx.json
5. Sign off on ship readiness
With a passing gate, reviewed findings, and a fresh SBOM, you have a defensible record that the release was checked. Archive the report and SBOM with the version.
Verification
vg scan --fail-on error exits 0 for a clean candidate, the report shows acceptable risk, and sbom.cdx.json exists with a populated inventory.
Next Steps
Automate this checklist by combining the gate and SBOM export in one CI job, and push the scan to Vibgrate Cloud so the sign-off is recorded in the dashboard.