Scan Results
Package search results and CycloneDX SBOMs generated by hooks during dependency scans.
The .vulnetix/scans/ directory stores two types of scan output: package search results from the pre-commit hook and CycloneDX SBOMs from the post-install hook.
Package Search Results
The Pre-Commit Scan hook extracts packages from staged manifests and runs background VDB package searches. Results are saved as JSON files.
Path
.vulnetix/scans/pre-commit.*.packages.json
Naming Convention
pre-commit.{timestamp}.packages.json
- timestamp – compact UTC timestamp (e.g., 20250315T103000Z)
Contents
Each results file includes:
- timestamp – when the scan was initiated
- manifests – which manifest files were scanned
- packages_scanned – total number of packages queried
- risky_packages – packages with known vulnerabilities, including vulnerability count, max severity, Safe Harbour score, and latest version
- total_vulnerabilities – aggregate vulnerability count
Example
{
  "timestamp": "2025-03-15T10:30:00Z",
  "manifests": ["package.json", "go.mod"],
  "packages_scanned": 42,
  "risky_packages": [
    {
      "name": "express",
      "version": "4.17.1",
      "ecosystem": "npm",
      "manifest": "package.json",
      "vulnerability_count": 3,
      "max_severity": "high",
      "safe_harbour_score": "72",
      "latest_version": "4.21.0"
    }
  ],
  "total_vulnerabilities": 5
}
CycloneDX SBOMs
The Post-Install Scan hook generates CycloneDX v1.7 SBOMs after dependency install commands. These files provide a complete inventory of every component in a manifest along with embedded vulnerability data.
Format
All SBOMs use the CycloneDX v1.7 specification in JSON format.
Path
.vulnetix/scans/*.cdx.json
Naming Convention
{sanitized-manifest}.{timestamp}.cdx.json
- sanitized-manifest – the manifest file path with directory separators replaced by --
- timestamp – compact UTC timestamp at scan time
Examples
| Manifest Path | SBOM Filename |
|---|---|
| package.json | package.json.20250315T103000Z.cdx.json |
| packages/api/package.json | packages--api--package.json.20250315T103000Z.cdx.json |
| requirements.txt | requirements.txt.20250315T103000Z.cdx.json |
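As an added example (not part of Vulnetix or this page), a Python helper that applies the conventions above: it derives the SBOM filename from a manifest path and a compact timestamp, picks the newest pre-commit results file by the timestamp in its name, and filters risky_packages by max_severity using the page's sample results document as constructed input. The severity ordering low < medium < high < critical is an assumption.

```python
import json
import re
from datetime import datetime, timezone
from typing import Any, Optional

# Assumed severity ordering; the page only shows the label "high".
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
SCAN_NAME = re.compile(r"^pre-commit\.(\d{8}T\d{6}Z)\.packages\.json$")

# Constructed sample input: the pre-commit results document shown on this page.
SAMPLE_RESULTS: dict[str, Any] = json.loads("""{
  "timestamp": "2025-03-15T10:30:00Z",
  "manifests": ["package.json", "go.mod"],
  "packages_scanned": 42,
  "risky_packages": [{"name": "express", "version": "4.17.1", "ecosystem": "npm",
    "manifest": "package.json", "vulnerability_count": 3, "max_severity": "high",
    "safe_harbour_score": "72", "latest_version": "4.21.0"}],
  "total_vulnerabilities": 5
}""")
SAMPLE_SCAN_TIME = datetime(2025, 3, 15, 10, 30, tzinfo=timezone.utc)


def compact_utc_stamp(moment: datetime) -> str:
    """Render a datetime as the compact UTC stamp used in scan file names."""
    return moment.astimezone(timezone.utc).strftime("%Y%m%dT%H%M%SZ")


def sbom_filename(manifest_path: str, stamp: str) -> str:
    """Post-install SBOM name: '/' in the manifest path becomes '--', then the
    compact timestamp and the .cdx.json suffix are appended."""
    return f"{manifest_path.replace('/', '--')}.{stamp}.cdx.json"


def latest_results_file(filenames: list[str]) -> Optional[str]:
    """Newest pre-commit results file by the stamp in its name; compact UTC
    stamps are fixed-width, so they order correctly as plain strings."""
    stamped = [(m.group(1), f) for f in filenames for m in [SCAN_NAME.match(f)] if m]
    return max(stamped)[1] if stamped else None


def packages_at_or_above(results: dict[str, Any], threshold: str) -> list[dict[str, Any]]:
    """risky_packages whose max_severity meets the threshold, most severe first;
    an unknown severity label ranks as 0 and never passes the gate."""
    floor = SEVERITY_RANK[threshold.lower()]

    def rank(pkg: dict[str, Any]) -> int:
        return SEVERITY_RANK.get(str(pkg.get("max_severity", "")).lower(), 0)

    hits = [p for p in results.get("risky_packages", []) if rank(p) >= floor]
    return sorted(hits, key=rank, reverse=True)
```

Run against a real checkout by loading the file returned by latest_results_file over os.listdir(".vulnetix/scans") instead of SAMPLE_RESULTS.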
Creation
The post-install hook runs:
vulnetix scan --file <manifest> -f cdx17
Contents
Each CycloneDX SBOM includes:
- Metadata – tool info, timestamp, component identity
- Components – full dependency tree with package names, versions, purls, and licenses
- Vulnerabilities – known vulnerabilities cross-referenced from the Vulnetix VDB, including CVE IDs, severity scores, and affected version ranges
Usage
SBOMs are referenced by the .vulnetix/memory.yaml file in two places:
- manifests[].sbom_path – points to the latest SBOM for each manifest (post-install scans)
- vulnerabilities[].discovery.sbom – records which SBOM a vulnerability was first discovered in
You can inspect SBOMs directly for a full component inventory:
jq '.components | length' .vulnetix/scans/package.json.20250315T103000Z.cdx.json