One scanning tool. Comprehensive coverage.

35+ Ecosystems 55+ Manifest Formats 2995+ Static Rules

The category silo problem

Somewhere along the way, product security became eleven different procurement conversations. It was always one job: tell the developer what to fix before shipping. The Vulnetix Code Scanner collapses SCA, IaC, container, license, SBOM, VEX, secrets, SAST, quality linting, reporting, and coding-agent security into a single vulnetix scan command with one severity scale, one finding store, and one compliance report.

All scanner categories, one command

Malware detection & package trust

Dependency confusion, typosquatting, account takeovers, and malicious maintainers. The scanner provides layered supply-chain defenses you can tune to your risk appetite.

VDB Malware Intelligence Sources

The Vulnetix VDB aggregates four distinct malware intelligence feeds. Each brings a different method of discovery, together they catch what the others miss.

• OSSF Malicious Packages — active hunting via automated sandbox detonation in isolated gVisor containers. 15,000+ malware entries across npm, PyPI, Maven, RubyGems.
• opensourcemalware.com — researcher-curated submissions indexed by MD5/SHA-1/SHA-256 hash. STIX-native feeds across npm, PyPI, NuGet, and VS Code extensions.
• OSV.dev — aggregates 20 advisory databases across 40+ ecosystems under one standardised schema, anchoring every finding to an exact release.
• CERT · PSIRT · Researcher Advisories — 160+ sources across 140+ countries via FIRST, surfacing pre-CVE campaign detection and regional threat context.

Your rules. Your policy. Your code.

Vulnetix SAST, secrets, IaC, and container analysis are powered by Open Policy Agent — the CNCF-graduated policy engine. Every built-in rule is written in Rego, the same language used by Conftest, Gatekeeper, Styra, and Terraform Cloud. No proprietary DSL. No vendor lock-in.

• 2995+ built-in Rego rules covering 20+ languages and four detection kinds
• Human-readable policy — auditable by security, reviewable in pull requests
• Portable by design — your rules run anywhere OPA runs

Load your own security policy from any Git repository:

$ vulnetix scan --rule myorg/sast-rules --rule myorg/secrets-rules

• --rule org/repo — load custom rules from any Git repository, cached locally
• --rule-registry — override the default registry with GitLab, Bitbucket, or SSH
• --disable-default-rules — run only your custom rules
• --rule-id <ID> — run a single rule by ID to test or debug policy

2700+ ready-to-load Rego rules across community and official plugin packs. Browse the Rule Registry →

Automated SBOM & VEX evidence

Reachability analysis — beyond "is the package installed?"

Most SCA tools stop at the lockfile. Vulnetix goes further — it checks whether your code (or a transitive dependency's code) actually calls into the affected routine. The CLI evaluates per-CVE detection patterns on-device using language-aware grammars for 17 languages. Matches merge into each finding under x_reachability with file and line evidence. Only CVE identifiers leave the host; your source never does.

Typical reachability filtering removes 60–90% of "critical" findings on a mature codebase, while exporting defensible file-and-line evidence straight into VEX analysis.detail.

• --reachability=direct — AST queries against installed package source only. Fastest.
• --reachability=transitive — walk dependency source where available.
• --reachability=both — union of direct and transitive. Default for scans.
• --reachability=off — fall back to package-presence findings only.
• semantic (automatic fallback) — when tree-sitter has no compiled queries for a CVE, affected routine/file/module names are grep-matched against your source.

Quality gates & CI integration

Combine flags to match your team's risk appetite. Runs in every major CI platform with zero configuration.

vulnetix scan --severity high --block-malware --block-eol --exploits active

• --severity critical|high|medium|low — block at the chosen threshold
• --block-eol — block end-of-life dependencies with no security patches
• --exploits weaponized — block on weaponised, in-the-wild exploits
• --exploits active — block on actively exploited (includes CISA KEV)
• --exploits poc — block when any public exploit exists
• --disable-sast — opt out of SAST when not needed
• --rule <org/repo> — load additional rules from a Git repository

Works in GitHub Actions, GitLab CI, Jenkins, CircleCI, Azure DevOps, Bitbucket, Buildkite, Travis CI, Drone, Tekton, AWS CodeBuild, and Google Cloud Build. Zero-config manifest discovery, non-zero exit code on gate breach, SARIF output for SCA, SAST, and secrets findings.

Manifest & lock file intelligence

Lock file parsing means exact versions, not ranges. Scope detection means you know what runs in production vs. dev. When native tooling falls short, Vulnetix resolves the full dependency tree by scanning local files, querying registries, and cross-referencing deps.dev. Coverage spans JavaScript, Python, Go, Rust, Java/JVM, PHP, .NET/C#, Ruby, Swift, Dart/Flutter, Elixir, C/C++, infrastructure (Docker, Terraform, GitHub Actions, Bazel, Buck), and many more.

Why teams pick Vulnetix over the alternatives

The open vuln-coordinator capability matrix catalogues 132 distinguishing capabilities across 13 sections — SCA, SAST, IaC, secrets, container, license, VEX, SSVC, supply-chain detection, and reachability. Vulnetix wins 98 of 132 (74.2%). The next-best tool, Trivy, wins 26 of 132 (19.7%). Every other tool compared scores lower still.

• Vulnetix — 98 / 132 (74.2%)
• Trivy — 26 / 132 (19.7%)
• Prisma — 24 / 132 (18.2%)
• KICS — 20 / 132 (15.2%)
• Grype — 14 / 132 (10.6%)
• osv-scanner — 13 / 132 (9.8%)
• Dependency-Track — 13 / 132 (9.8%)

Supported output formats

SARIF 2.1.0 CycloneDX 1.2–1.7 SPDX 2.3 JSON VEX

Start scanning in 30 seconds

Install the CLI, get a free API key, and run your first scan. All manifest files are auto-discovered — no configuration required.

curl -fsSL https://cli.vulnetix.com/install.sh | sh

Get Free API Key →