Scanners

11 scanners, one command

VibeGuard orchestrates the best open-source security tools and gives you one unified result. Each tool is good at catching specific things - together, they cover a lot of ground.

No config required. We detect your stack and run the right scanners automatically.

Basics

What is a scanner?

A scanner is a tool that looks at your code and reports potential problems. Different scanners look for different things:

  • Secret scanners scan files and git history for API keys, passwords and tokens (Gitleaks, TruffleHog)
  • Dependency scanners check your package manifests for libraries with known issues (Trivy, npm-audit, pip-audit, cargo-audit)
  • Code scanners read your source code for dangerous patterns (Semgrep, Bandit)
  • Config scanners inspect infrastructure files for misconfigurations (Checkov, Dockle)
Why 11?

Why multiple scanners?

No single tool catches everything. Each scanner has strengths and blind spots:

  • Gitleaks is excellent at finding secrets in your current code, but TruffleHog digs through git history to find secrets that were committed and then removed.
  • Trivy checks dependencies against vulnerability databases, but npm-audit has access to npm-specific security advisories that Trivy might miss.
  • Semgrep finds dangerous code patterns in any language, but Bandit has Python-specific rules that catch subtle issues Semgrep might not flag.

By running multiple scanners, we get defense in depth. The overlap is intentional: when two independent scanners flag the same issue, confidence that it is real goes up. Agreement is a strong signal, not proof, though. Two regex-based tools can share the same false positive, so a corroborated finding still deserves a look before you rotate keys or open an incident.

The tools

All 11 scanners

Each tool → what it catches → example finding.

Core

5 tools

Gitleaks, Semgrep and Trivy run on every scan, regardless of project type. Bandit joins whenever Python is detected and TruffleHog whenever a git history is present (see Smart detection below).

Semgrep

Dangerous code patterns

e.g., SQL injection, command injection, XSS

Gitleaks

Hardcoded secrets

e.g., API keys, tokens, passwords in code

Trivy

Vulnerable dependencies

e.g., Known CVEs in your packages

Bandit

Python security issues

e.g., Unsafe eval(), weak crypto, injection

TruffleHog

Secrets in git history

e.g., Keys committed then deleted

Ecosystem

3 tools

Run when we detect specific package managers.

npm-audit

Node.js vulnerabilities

e.g., Security advisories in node_modules

pip-audit

Python vulnerabilities

e.g., Security advisories in pip packages

cargo-audit

Rust vulnerabilities

e.g., Security advisories in Cargo crates

IaC & Containers

2 tools

Run when we detect infrastructure configuration.

Checkov

Cloud misconfigurations

e.g., Open S3 buckets, missing encryption

Dockle

Dockerfile issues

e.g., Running as root, missing healthcheck

Experimental

1 tool

Opt-in scanners for advanced use cases.

Nuclei

Runtime vulnerabilities

e.g., DAST scanning of running services

Smart detection

How we know which scanners to run

VibeGuard looks at your project structure and decides which scanners make sense. No config file required.

If we find...                         We run...
package.json                          npm-audit
requirements.txt or pyproject.toml    pip-audit + Bandit
Cargo.toml                            cargo-audit
Dockerfile                            Dockle
*.tf files                            Checkov
.git directory                        TruffleHog (history scan)

Always run: Gitleaks, Semgrep, and Trivy run on every scan regardless of project type - they work on any codebase.

Signal over noise

You don't need 500 warnings

You need 5 real problems.

Running 11 scanners produces a lot of raw output. VibeGuard's triage system turns that into something useful:

Deduplication
If Gitleaks and TruffleHog both find the same secret, you see it once - not twice.
Confidence filtering
Low-confidence findings (regex-based guesses, unlikely patterns) get suppressed.
Severity ranking
Critical issues (leaked production keys) surface above minor ones (informational).
Context awareness
A 'secret' in a test file with 'example' in the name? Probably not real.

The result: instead of scrolling through hundreds of scanner warnings, you get a short list of things that actually need attention.
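As an added illustration (not VibeGuard's own code), here is a triage pass in Python over constructed scanner output. Each finding gets a fingerprint so that the same secret reported by Gitleaks and TruffleHog collapses into one entry, agreement between scanners raises confidence, secrets found under test or example paths are penalised, anything below a confidence floor is set aside, and what remains is sorted by severity. The thresholds, the path heuristic and the sample findings are all assumptions; suppressed findings are returned rather than discarded so a reviewer can audit what was dropped.

```python
"""Turn raw multi-scanner findings into a short, ranked list (added example, not VibeGuard code)."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field, replace

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
CONFIDENCE_FLOOR = 0.5          # assumed threshold below which a finding is suppressed
CORROBORATION_BONUS = 0.2       # assumed boost when two scanners agree
TEST_CONTEXT_PENALTY = 0.3      # assumed penalty for secrets found in test/example files
TEST_PATH = re.compile(r"(^|/)(tests?|spec|fixtures?|examples?)/|example|sample|dummy|mock", re.I)


@dataclass
class Finding:
    kind: str            # "secret", "dependency", "code" or "config"
    path: str
    line: int
    severity: str        # key of SEVERITY_RANK
    confidence: float    # 0.0-1.0, as reported by or estimated for the scanner
    detail: str          # secret value, rule id or advisory id (hashed for secrets)
    scanners: set[str] = field(default_factory=set)
    notes: list[str] = field(default_factory=list)

    def fingerprint(self) -> str:
        # Secrets are keyed on a hash of the value rather than the line, so the same key seen
        # in the working tree (Gitleaks) and in history (TruffleHog) collapses to one finding.
        key = self.detail
        if self.kind == "secret":
            key = hashlib.sha256(self.detail.encode()).hexdigest()[:16]
        return f"{self.kind}:{self.path}:{key}"


def deduplicate(raw: list[Finding]) -> list[Finding]:
    merged: dict[str, Finding] = {}
    for f in raw:
        fp = f.fingerprint()
        if fp not in merged:
            merged[fp] = replace(f, scanners=set(f.scanners), notes=list(f.notes))
            continue
        m = merged[fp]
        m.scanners |= f.scanners
        m.confidence = max(m.confidence, f.confidence)
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[m.severity]:
            m.severity = f.severity
    for m in merged.values():
        if len(m.scanners) > 1:
            # Agreement raises confidence but is not proof: regex-based tools share blind spots.
            m.confidence = min(1.0, m.confidence + CORROBORATION_BONUS)
            m.notes.append("corroborated by " + ", ".join(sorted(m.scanners)))
    return list(merged.values())


def apply_context(f: Finding) -> None:
    if f.kind == "secret" and TEST_PATH.search(f.path):
        f.confidence -= TEST_CONTEXT_PENALTY
        f.notes.append("path looks like test or example data")


def triage(raw: list[Finding], floor: float = CONFIDENCE_FLOOR) -> tuple[list[Finding], list[Finding]]:
    """Return (kept, suppressed); suppressed findings are kept so they can be audited, not lost."""
    kept: list[Finding] = []
    suppressed: list[Finding] = []
    for f in deduplicate(raw):
        apply_context(f)
        (kept if f.confidence >= floor else suppressed).append(f)
    kept.sort(key=lambda f: (-SEVERITY_RANK[f.severity], -f.confidence, f.path, f.line))
    return kept, suppressed


# Constructed sample output from five scanners; the "secret" is a placeholder string, not a real key.
FAKE_KEY = "EXAMPLE-NOT-A-REAL-KEY-0123"
SAMPLE = [
    Finding("secret", "src/config.py", 12, "critical", 0.7, FAKE_KEY, {"gitleaks"}),
    Finding("secret", "src/config.py", 12, "critical", 0.6, FAKE_KEY, {"trufflehog"}, ["seen in commit history"]),
    Finding("secret", "tests/fixtures/example_keys.py", 3, "high", 0.6, "EXAMPLE-FIXTURE-KEY", {"gitleaks"}),
    Finding("dependency", "requirements.txt", 0, "high", 1.0, "advisory-placeholder-1", {"trivy"}),
    Finding("code", "app/db.py", 40, "medium", 0.8, "sqli-string-format", {"semgrep"}),
    Finding("code", "app/util.py", 7, "low", 0.3, "generic-regex-guess", {"bandit"}),
]


def demo() -> tuple[list[Finding], list[Finding]]:
    return triage(SAMPLE)


if __name__ == "__main__":
    kept, suppressed = demo()
    for f in kept:
        shown = "<redacted>" if f.kind == "secret" else f.detail
        print(f"{f.severity:8} {f.confidence:.2f} {f.path}:{f.line} {shown} {f.notes}")
    print(f"{len(suppressed)} finding(s) suppressed")
```

Running it keeps three findings (the corroborated secret, the vulnerable dependency, the injection pattern) and suppresses two (the fixture "secret" and the low-confidence regex guess). Context-based suppression is a heuristic: real credentials do get pasted into test fixtures, so keep the suppressed list reviewable rather than silently discarding it.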

Scoring

How the score works

Every scan produces a score from 0-100 and a grade from A-F. Here's what goes into it:

A
90-100
B
80-89
C
70-79
D
60-69
F
0-59

Severity weights: the score starts at 100 and each finding deducts points by severity: Critical -20, High -10, Medium -5, Low -2 (floored at 0). One critical finding therefore costs as much as two high, four medium or ten low findings, so a single leaked production key weighs more than a handful of medium-severity issues.

Why grades? A number alone doesn't tell you if you should be worried. "78" means nothing. "C grade" tells you there's room for improvement but nothing catastrophic.
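The formula above carried through in Python, as an added example rather than the project's own code. The starting value of 100, the floor at 0 and a zero weight for informational findings are assumptions drawn from the stated 0-100 range:

```python
"""Score and grade a scan from its findings' severities (added example, not VibeGuard code)."""
from collections import Counter
from typing import Iterable

PENALTY = {"critical": 20, "high": 10, "medium": 5, "low": 2, "info": 0}  # "info" weight assumed
GRADES = [(90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F")]           # (lower bound, letter)


def score(severities: Iterable[str]) -> int:
    """Start at 100, subtract each finding's weight, floor at 0 (floor assumed from the 0-100 range)."""
    deductions = sum(PENALTY.get(s.lower(), 0) for s in severities)
    return max(0, 100 - deductions)


def grade(points: int) -> str:
    for lower, letter in GRADES:
        if points >= lower:
            return letter
    return "F"


def to_next_grade(points: int) -> int:
    """Points needed to reach the next higher band; 0 once the score is already an A."""
    higher = [lower for lower, _ in GRADES if lower > points]
    return min(higher) - points if higher else 0


def breakdown(severities: Iterable[str]) -> dict:
    """Score, grade and per-severity deductions, so a report can explain where the points went."""
    counts = Counter(s.lower() for s in severities)
    points = score(counts.elements())
    return {
        "score": points,
        "grade": grade(points),
        "to_next_grade": to_next_grade(points),
        "deductions": {sev: counts[sev] * PENALTY[sev] for sev in PENALTY if counts[sev]},
    }


if __name__ == "__main__":
    # Constructed repos: one leaked key, a few medium issues, and a pile of low-severity noise.
    cases = {
        "one leaked key": ["critical"],
        "three medium issues": ["medium"] * 3,
        "25 low findings": ["low"] * 25,
    }
    for label, severities in cases.items():
        print(f"{label:22} {breakdown(severities)}")
```

Running it gives 80 (B) for one critical, 85 (B) for three mediums, but 50 (F) for 25 low findings: with linear weights, volume can outweigh severity, which is one reason the triage step's suppression of low-confidence noise matters directly to the grade.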

Formats

Output formats

Choose how you want to consume the results.

JSON

Machine-readable format for custom integrations, scripting, and pipelines.

--format json

HTML

Human-readable report you can share, archive, or open in a browser.

--format html

SARIF

Industry standard for uploading to GitHub Code Scanning.

--format sarif

About SARIF: SARIF (Static Analysis Results Interchange Format) is an OASIS standard. GitHub accepts SARIF from third-party tools (typically via the github/codeql-action/upload-sarif action or the code scanning API) and displays the findings as alerts in the repository's Security tab.
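Added example, not VibeGuard's converter: a minimal SARIF 2.1.0 log built from findings in an assumed unified shape, carrying the fields GitHub Code Scanning needs (a tool driver with a rules array, and results with ruleId, level, message and a physicalLocation). The sample findings, rule ids and placeholder key are constructed; the security-severity values and the fingerprint key name are assumptions.

```python
"""Emit a SARIF 2.1.0 log from a unified findings list (added example, not VibeGuard's converter)."""
import hashlib
import json

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"
# SARIF "level" has only four values (none, note, warning, error); severities collapse onto them.
LEVEL = {"critical": "error", "high": "error", "medium": "warning", "low": "note", "info": "note"}
# GitHub reads a numeric "security-severity" rule property (CVSS-like, 0-10) to label alerts
# critical/high/medium/low independently of "level". These bucket values are assumed.
SECURITY_SEVERITY = {"critical": "9.5", "high": "8.0", "medium": "5.5", "low": "2.0", "info": "0.0"}

# Constructed findings in an assumed unified shape; rule ids and the key are placeholders.
FINDINGS = [
    {"scanner": "semgrep", "rule": "sqli-string-format", "severity": "high",
     "path": "app/db.py", "line": 40, "message": "SQL query built with string formatting"},
    {"scanner": "semgrep", "rule": "sqli-string-format", "severity": "high",
     "path": "app/report.py", "line": 88, "message": "SQL query built with string formatting"},
    {"scanner": "gitleaks", "rule": "generic-api-key", "severity": "critical",
     "path": "src/config.py", "line": 12, "message": "Hardcoded API key",
     "secret": "EXAMPLE-NOT-A-REAL-KEY-0123"},
    {"scanner": "trivy", "rule": "vulnerable-dependency", "severity": "medium",
     "path": "requirements.txt", "line": 0, "message": "Package has a published advisory"},
]


def to_sarif(findings, tool_name="vibeguard", tool_version="0.0.0"):
    rules, index, results = [], {}, []
    for f in findings:
        rule_id = f"{f['scanner']}/{f['rule']}"
        if rule_id not in index:  # one rule entry per distinct rule, referenced by index
            index[rule_id] = len(rules)
            rules.append({
                "id": rule_id,
                "shortDescription": {"text": f["rule"]},
                "properties": {"security-severity": SECURITY_SEVERITY[f["severity"]],
                               "tags": ["security", f["scanner"]]},
            })
        line = max(1, int(f.get("line") or 1))  # SARIF regions are 1-based
        results.append({
            "ruleId": rule_id,
            "ruleIndex": index[rule_id],
            "level": LEVEL[f["severity"]],
            # The message is stored and shown by GitHub: describe the finding, never echo the secret.
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["path"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": line},
            }}],
            # partialFingerprints lets a consumer match the same result across uploads;
            # the key name is assumed, the value must simply be a stable string.
            "partialFingerprints": {"vibeguard/v1": hashlib.sha256(
                f"{rule_id}|{f['path']}|{line}".encode()).hexdigest()},
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version, "rules": rules}},
            "results": results,
        }],
    }


def render(findings) -> str:
    return json.dumps(to_sarif(findings), indent=2)


if __name__ == "__main__":
    print(render(FINDINGS))
```

Two things matter once this lands in a Security tab: the message text is stored and displayed, so a secret finding should describe the match without echoing the value (the placeholder key above never appears in the output); and a stable fingerprint lets a consumer match results across uploads, though fingerprinting on the line number means a moved line will show up as a new result.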

Troubleshooting

What if a scanner isn't installed?

VibeGuard wraps existing tools - it doesn't bundle them. If a scanner isn't installed on your system, VibeGuard will skip it and tell you.

Check scanner availability

vibeguard doctor

Shows which scanners are installed and which are missing.

Missing scanners?

The doctor command gives you install instructions for each missing tool. Most are a single pip or brew install.

VibeGuard still works with fewer scanners - you just get less coverage. Install more when you're ready.

See what the scanners find

Run your first scan in under a minute. No account required.

pip install vibeguard-cli