Skip to main content

Verify Supply-Chain Posture Before Shipping

Run a pre-ship checklist with Vibgrate CLI: gate the release candidate with vg scan --fail-on error, review risk and security findings in a report, and export an SBOM as a ship-readiness artifact.

Difficulty
Intermediate
Duration
20 minutes
Steps
5

Before you ship a release, it pays to confirm your supply-chain posture: no regressions in drift, no unaddressed risk findings, and a fresh inventory. This tutorial is a pre-ship checklist using Vibgrate CLI.

Prerequisites

  • Node.js installed
  • A release candidate to verify

Steps

1. Install the CLI

npm i -g @vibgrate/cli

2. Gate the release candidate

Scan and fail on error-level findings so a problematic candidate stops here:

vg scan --fail-on error

A non-zero exit means the candidate has issues to resolve before shipping.

3. Review risk and security findings

Generate a readable report and review the dependency risk and security posture sections:

vg report

Confirm there are no deprecated packages or outstanding audit issues you are not willing to ship with.

4. Export the SBOM

Produce the inventory that accompanies the release:

vg sbom export --format cyclonedx --out sbom.cdx.json

5. Sign off on ship readiness

With a passing gate, reviewed findings, and a fresh SBOM, you have a defensible record that the release was checked. Archive the report and SBOM with the version.

Verification

vg scan --fail-on error exits 0 for a clean candidate, the report shows acceptable risk, and sbom.cdx.json exists with a populated inventory.

Next Steps

Automate this checklist by combining the gate and SBOM export in one CI job, and push the scan to Vibgrate Cloud so the sign-off is recorded in the dashboard.

Prerequisites

  • Node.js installed
  • A release candidate to verify

Steps

  • 1
    Install the CLI
  • 2
    Gate the release candidate
  • 3
    Review risk and security findings
  • 4
    Export the SBOM
  • 5
    Sign off on ship readiness

Category

Vibgrate