Scanning dependencies for vulnerabilities
xgrep scan combines SAST and SCA in one run — it builds an SBOM and matches your open-source dependencies against known CVEs via Mondoo Platform.
xgrep scan finds both code issues (SAST) and known vulnerabilities in
your dependencies, in a single run. When a scan discovers dependency manifests or
lockfiles (go.mod, package-lock.json, …), xgrep builds an
SBOM for them, matches it against known CVEs via Mondoo
Platform, and renders the matching vulnerabilities inline as normal findings,
right alongside the code findings:
```sh
xgrep scan .
```
Dependency findings flow through every output format (text, JSON, SARIF, GitLab),
count toward the exit code like code findings, and are tagged dependency-vuln so
you can tell them apart from SAST results. Each finding names the affected
package and version, the CVE, a summary, references, and a remediation hint, and
is located at the lockfile or manifest the package came from.
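Because SARIF is the format most pipelines consume, it is worth seeing how the dependency-vuln tag lets a downstream step separate SCA from SAST results and route them differently. The following is an added example and is not xgrep's own code; it assumes the tag appears in each result's properties.tags (or, as a fallback, on the rule's properties.tags under tool.driver.rules), and that --sarif writes the log to stdout. The sample log is constructed, with placeholder rule ids, package names and messages, so check the shapes against your own xgrep scan --sarif output before relying on them.

```python
import json
from collections import defaultdict

DEP_TAG = "dependency-vuln"

# Constructed sample in the shape of a SARIF 2.1.0 log (placeholder rule ids,
# package names and messages; not real xgrep output): one code finding and two
# dependency findings, each located at the manifest or lockfile it came from.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "xgrep", "rules": [
            {"id": "sast-example", "properties": {"tags": ["security"]}},
            {"id": "dep-example-1", "properties": {"tags": [DEP_TAG]}},
            {"id": "dep-example-2", "properties": {"tags": [DEP_TAG]}},
        ]}},
        "results": [
            {"ruleId": "sast-example", "level": "error",
             "message": {"text": "placeholder code finding"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.go"}}}]},
            {"ruleId": "dep-example-1", "level": "error",
             "message": {"text": "example-pkg 1.0.0: placeholder summary"},
             "properties": {"tags": [DEP_TAG]},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "go.mod"}}}]},
            # Tagged only on the rule, to exercise the fallback below.
            {"ruleId": "dep-example-2", "level": "warning",
             "message": {"text": "example-lib 2.3.4: placeholder summary"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "package-lock.json"}}}]},
        ],
    }],
})


def rule_tags(run):
    """Map ruleId -> set of tags declared on the rule in tool.driver.rules."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    return {r["id"]: set(r.get("properties", {}).get("tags", [])) for r in rules}


def is_dependency_finding(result, tags_by_rule):
    """True when the result itself, or its rule, carries the dependency-vuln tag."""
    own = set(result.get("properties", {}).get("tags", []))
    inherited = tags_by_rule.get(result.get("ruleId"), set())
    return DEP_TAG in own or DEP_TAG in inherited


def primary_uri(result):
    """First artifact URI the finding points at (the manifest/lockfile for SCA)."""
    for loc in result.get("locations", []):
        uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
        if uri:
            return uri
    return None


def split_findings(sarif_text):
    """Return (sast_results, sca_results) across all runs of a SARIF log."""
    log = json.loads(sarif_text)
    sast, sca = [], []
    for run in log.get("runs", []):
        tags_by_rule = rule_tags(run)
        for result in run.get("results", []):
            (sca if is_dependency_finding(result, tags_by_rule) else sast).append(result)
    return sast, sca


def sca_by_manifest(sca_results):
    """Group dependency findings by the manifest/lockfile they are located at."""
    grouped = defaultdict(list)
    for result in sca_results:
        grouped[primary_uri(result) or "<unknown>"].append(result["ruleId"])
    return dict(grouped)


if __name__ == "__main__":
    import sys
    # Read a real log from stdin when piped; fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SARIF
    sast, sca = split_findings(text)
    print(f"{len(sast)} code findings, {len(sca)} dependency findings")
    for manifest, ids in sorted(sca_by_manifest(sca).items()):
        print(f"  {manifest}: {', '.join(ids)}")
    # Separate exit status for SCA, so a job can gate on it independently.
    sys.exit(1 if sca else 0)
```

A typical use is `xgrep scan --sarif . > xgrep.sarif && python3 split_sarif.py < xgrep.sarif`, with the hypothetical script name chosen here; grouping by manifest is what makes the output actionable, since a fix for a dependency finding lands in the lockfile, not in the code that triggered the scan.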
Credentials
Unlike SBOM generation and dependency queries — which are fully offline — matching
packages against the vulnerability database is the one networked step in the
dependency tooling. It needs a Mondoo service account, resolved the same way as
platform reporting — via
xgrep login,
--mondoo-config, MONDOO_CONFIG_PATH / MONDOO_CONFIG_BASE64, or
~/.config/mondoo/mondoo.yml.
The scan itself is ephemeral: packages are matched against the database scoped
to your space, and nothing is stored on the platform by the scan. The resulting
vulnerabilities are published only when reporting is
enabled — automatic on the default branch when a
service account is configured, unless --incognito.
It is best-effort, exactly like the rest of a scan:
- No credentials → xgrep logs a one-line warning, only when there were
dependencies to scan, and continues; your code findings are unaffected. A
credential-less, code-only repo stays quiet.
```
found 42 dependencies but skipped vulnerability scanning — no Mondoo service account (set --mondoo-config or MONDOO_CONFIG_PATH; --no-dep-scan to silence)
```
- Scan error → logged as a warning; the code scan still completes and reports.
Opting out (--no-dep-scan)
To run the SAST code scan only — no dependency scan, no Mondoo call — pass
--no-dep-scan:
```sh
xgrep scan --no-dep-scan .
```
This is the flag to use in fully offline or credential-less environments where you
don't want the "no service account" warning. xgrep ci inherits both the
dependency scan and --no-dep-scan.
Scanning an existing SBOM (--sbom)
If you already have an SBOM — produced by xgrep sbom, another tool, or a build
pipeline — scan it for vulnerabilities directly, with no code walk:
```sh
xgrep scan --sbom sbom.cdx.json
```
xgrep auto-detects the format (CycloneDX, SPDX, or Mondoo JSON) and renders the
matching vulnerabilities in the selected output format (text, --json, --sarif,
or --gitlab). --sbom cannot be combined with target paths: it scans the SBOM,
not a tree. This is useful for scanning an SBOM built in an earlier CI stage, or one
for an artifact whose source tree you don't have.
Publishing to Mondoo Platform
When reporting is enabled (automatic on the repository's default branch whenever a
service account is configured) the dependency vulnerabilities are published to the
platform alongside your code findings. They are uploaded as VEX (Vulnerability
Exploitability eXchange) documents, re-homed onto the same repository asset as the
code findings, so a repo's SAST and SCA results land together:
```sh
xgrep scan .             # reports automatically when logged in (default branch only)
xgrep scan --incognito . # render CVEs locally; upload nothing
```
Reporting is additive: local output is unchanged, and an upload failure never
fails the scan. Pass --incognito for a local-only run; the vulnerability scan
still runs and renders CVEs, only the upload is suppressed.
What this replaces
The dependency tooling now answers all three questions:
- What's in here? → xgrep sbom
- What does our code use? → xgrep deps
- Which dependencies are vulnerable? → xgrep scan (this page)