One scanner. Every risk in your supply chain.

SCA, IaC, containers, secrets, SAST, license compliance, and SBOM generation — in a single CLI built for AI coding agents and CI/CD pipelines.


Scanner Categories

SCA

Software Composition Analysis

Identify every direct and transitive dependency across 35+ ecosystems. Match installed versions against known vulnerabilities with multi-source severity scoring.

  • Direct & transitive detection
  • Version-range matching
  • CVE/GHSA correlation
  • Scope-aware analysis
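
As an added illustration of the version-range matching, multi-source severity scoring and scope-aware analysis listed above (example code written for this page, not the scanner's own implementation): the Python below checks a constructed dependency inventory against constructed OSV-style advisories, where each affected range is [introduced, fixed), takes the highest severity any source assigns, carries the GHSA id together with its CVE aliases, and gates on scope so dev-only findings do not fail a production build unless asked. All package names, advisory ids and severities are made up.

```python
import re

# Constructed inventory (names and versions are made up, not real packages).
INSTALLED = [
    {"name": "example-parser", "version": "1.2.5", "scope": "runtime", "direct": False},
    {"name": "example-parser", "version": "1.2.8", "scope": "dev", "direct": True},
    {"name": "demo-http", "version": "7.4.5", "scope": "runtime", "direct": True},
    {"name": "demo-log", "version": "2.0.0", "scope": "dev", "direct": True},
]

# Constructed advisories in an OSV-like shape: each range is [introduced, fixed),
# a missing "fixed" means no patched release yet; the ids are placeholders.
ADVISORIES = [
    {"id": "GHSA-EXAMPLE-0001", "aliases": ["CVE-EXAMPLE-0001"], "package": "example-parser",
     "ranges": [{"introduced": "0", "fixed": "1.2.6"}],
     "severity": {"nvd": "MEDIUM", "ghsa": "HIGH"}},
    {"id": "GHSA-EXAMPLE-0002", "aliases": ["CVE-EXAMPLE-0002"], "package": "demo-http",
     "ranges": [{"introduced": "7.0.0", "fixed": "7.4.6"}, {"introduced": "8.0.0", "fixed": "8.0.1"}],
     "severity": {"nvd": "HIGH"}},
    {"id": "GHSA-EXAMPLE-0003", "aliases": [], "package": "demo-log",
     "ranges": [{"introduced": "2.0.0"}],
     "severity": {"ghsa": "CRITICAL"}},
]

SEVERITY_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]


def parse_version(v):
    """Numeric (major, minor, patch) for comparison; pre-release/build suffixes are dropped."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in re.findall(r"\d+", core)]
    return tuple(parts + [0] * (3 - len(parts)))


def affected(version, ranges):
    """True if version falls in any [introduced, fixed) range (open-ended when fixed is absent)."""
    v = parse_version(version)
    for r in ranges:
        low = parse_version(r.get("introduced", "0"))
        fixed = r.get("fixed")
        if v >= low and (fixed is None or v < parse_version(fixed)):
            return True
    return False


def combined_severity(sources):
    """Multi-source scoring: report the highest severity any source assigns."""
    return max(sources.values(), key=SEVERITY_ORDER.index)


def scan(installed, advisories):
    """Match every installed package (direct or transitive) against the advisory set."""
    findings = []
    for dep in installed:
        for adv in advisories:
            if adv["package"] != dep["name"] or not affected(dep["version"], adv["ranges"]):
                continue
            findings.append({
                "package": dep["name"], "version": dep["version"],
                "direct": dep["direct"], "scope": dep["scope"],
                "id": adv["id"], "aliases": adv["aliases"],  # GHSA <-> CVE correlation
                "severity": combined_severity(adv["severity"]),
                "fixed_in": [r["fixed"] for r in adv["ranges"] if "fixed" in r],
            })
    return findings


def severity_gate(findings, fail_on="HIGH", include_dev=False):
    """Scope-aware gate: exit code 1 only if an in-scope finding reaches the threshold."""
    threshold = SEVERITY_ORDER.index(fail_on)
    blocking = [f for f in findings
                if (include_dev or f["scope"] != "dev")
                and SEVERITY_ORDER.index(f["severity"]) >= threshold]
    return 1 if blocking else 0


if __name__ == "__main__":
    results = scan(INSTALLED, ADVISORIES)
    for f in results:
        kind = "direct" if f["direct"] else "transitive"
        print(f"{f['package']}@{f['version']} ({kind}, {f['scope']}): {f['id']} "
              f"{f['aliases']} {f['severity']} fixed in {f['fixed_in'] or 'no fix yet'}")
    raise SystemExit(severity_gate(results))
```

With the constructed data, the runtime copy of example-parser and demo-http are both reported as HIGH and fail the default gate, while the CRITICAL finding on demo-log only blocks when dev-scope packages are included; a real scanner would also need to handle ecosystem-specific version schemes (PEP 440, Maven, etc.) rather than the plain semver comparison used here.
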

IaC

Infrastructure as Code

Scan Terraform configurations, Dockerfiles, GitHub Actions workflows, Bazel workspaces, and Buck build files for misconfigurations and vulnerable references.

  • Terraform provider/module versions
  • GitHub Actions pinning
  • Bazel & Buck dependencies
  • HCL & Starlark parsing

Containers

Container Scanning

Parse Dockerfile and Containerfile FROM directives to identify base image vulnerabilities. Track every layer of your container supply chain.

  • Base image detection
  • Multi-stage build support
  • Containerfile parsing
  • Registry-aware lookups

Licenses

License Compliance

Automatically detect SPDX license identifiers across all dependencies. Flag restricted, copyleft, and proprietary licenses before they reach production.

  • SPDX license detection
  • GPL/AGPL flagging
  • Inclusive compliance mode
  • Per-package classification

SBOM

SBOM Generation

Produce CycloneDX Software Bills of Materials in versions 1.2 through 1.7. Every scan outputs a complete, machine-readable inventory of your software supply chain.

  • CycloneDX 1.2–1.7
  • SPDX 2.3 import
  • Package URL (purl)
  • Lifecycle & tools metadata

Secrets

Secrets Detection

Detect hardcoded credentials, API keys, tokens, and private keys. Built-in Rego rules cover AWS access keys, GitHub tokens, private keys, and more.

  • AWS access key detection
  • GitHub & GitLab tokens
  • Private key scanning
  • Configurable rule severity

SAST

Static Application Security Testing

2995+ built-in rules covering injection patterns, insecure deserialization, weak cryptography, unsafe DOM manipulation, prototype pollution, and more across nine languages.

  • 2995+ built-in rules
  • CWE / CAPEC / ATT&CK mapped
  • SARIF 2.1.0 output
  • Custom rule repos via --rule

Quality

Code Quality Linting

Surface supply-chain hygiene issues: missing lock files, unpinned Docker base images, missing USER directives, Spring actuator endpoints, and Django debug mode in production.

  • Missing lock file detection
  • Dockerfile best practices
  • Framework misconfiguration
  • Language-aware rule sets
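
The FROM parsing described under Container Scanning and the unpinned-base-image and missing-USER checks listed under Code Quality Linting, combined in one added Python example (written for this page, not the scanner's own code): it reads a constructed multi-stage Dockerfile, expands ARG defaults used in image references, skips FROM lines that name an earlier stage, splits each external reference into name, tag and digest, and flags floating or digest-less base images as well as a final stage that never sets USER. The Dockerfile, its image names and the digest are made up.

```python
import re

# Constructed multi-stage Dockerfile; the digest is a placeholder, not a real image.
DOCKERFILE = """\
# syntax=docker/dockerfile:1
ARG NODE_TAG=20-alpine
FROM node:${NODE_TAG} AS build
WORKDIR /app
COPY . .
RUN npm ci && npm run build

FROM build AS test
RUN npm test

FROM python:3.12-slim@sha256:DIGEST_PLACEHOLDER AS tools
USER app
RUN python -m compileall /app

FROM nginx:latest
COPY --from=build /app/dist /usr/share/nginx/html
""".replace("DIGEST_PLACEHOLDER", "0" * 64)

FROM_RE = re.compile(
    r"^FROM\s+(?:--platform=\S+\s+)?(?P<image>\S+)(?:\s+AS\s+(?P<stage>\S+))?",
    re.IGNORECASE,
)
ARG_RE = re.compile(r"^ARG\s+(?P<name>\w+)(?:=(?P<default>\S*))?", re.IGNORECASE)


def expand_args(value, args):
    """Substitute ${NAME} / $NAME with ARG defaults seen so far (build-arg overrides ignored)."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: args.get(m.group(1), m.group(0)), value)


def parse_reference(ref):
    """Split image[:tag][@digest] into parts; a registry host:port stays inside `name`."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, tag = ref, None
    # The last ':' introduces a tag only if no '/' follows it (else it is a registry port).
    if ":" in ref and "/" not in ref.rsplit(":", 1)[1]:
        name, tag = ref.rsplit(":", 1)
    return {"name": name, "tag": tag, "digest": digest}


def analyze_dockerfile(text):
    """Return (external base images, findings) for a possibly multi-stage Dockerfile."""
    args, findings, base_images = {}, [], []
    stages = []   # one dict per FROM, in order
    by_name = {}  # stage alias -> stage dict
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if m := ARG_RE.match(line):
            args[m.group("name")] = m.group("default") or ""
        elif m := FROM_RE.match(line):
            image = expand_args(m.group("image"), args)
            parent = by_name.get(image)
            # A stage built FROM an earlier stage inherits that stage's USER setting.
            stage = {"line": lineno, "name": m.group("stage"), "image": image,
                     "has_user": parent["has_user"] if parent else False}
            stages.append(stage)
            if stage["name"]:
                by_name[stage["name"]] = stage
            if parent:
                continue  # FROM <earlier stage>: no external base image to check
            ref = parse_reference(image)
            base_images.append({"line": lineno, **ref})
            if ref["digest"] is None:
                if ref["tag"] in (None, "latest"):
                    findings.append(f"line {lineno}: {ref['name']} uses a floating tag "
                                    f"({ref['tag'] or 'implicit latest'})")
                else:
                    findings.append(f"line {lineno}: {ref['name']}:{ref['tag']} is tag-pinned "
                                    f"but not digest-pinned")
        elif line.upper().startswith("USER ") and stages:
            stages[-1]["has_user"] = True
    if stages and not stages[-1]["has_user"]:
        findings.append(f"line {stages[-1]['line']}: final stage has no USER directive (runs as root)")
    return base_images, findings


if __name__ == "__main__":
    images, found = analyze_dockerfile(DOCKERFILE)
    for img in images:
        print(f"line {img['line']}: {img['name']} tag={img['tag']} digest={img['digest']}")
    print("\n".join(found) or "no findings")
```

Only the three external references (node, python, nginx) are treated as base images to look up in a registry; the test stage built FROM build is skipped. Note that a tag-pinned image still drifts when the tag is re-pushed, which is why the digest check is separate from the floating-tag check.
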

Agents

AI Coding Agent Integration

Built from the ground up for AI coding agents. Runs as a tool call inside the agent loop — add a dependency, scan it, get structured feedback, pick a safe version.

  • Single exit code for agent gating
  • Token-efficient JSON output
  • Incremental delta scanning
  • Agentic-native design

Supply Chain Defense Flags

--block-malware

Immediately fail the build when any dependency is a known malicious package. Sources include OSV.dev, Phylum, Socket, and Vulnetix VDB's malware corpus.

--block-unpinned

Block dependencies declared with version ranges (^, ~, >=, *). Unpinned dependencies can silently resolve to a compromised release between CI runs.

--version-lag <n>

Only allow versions that are at least N releases behind the latest. Gives the community time to catch malicious pushes.

--cooldown <days>

Block any package version published within the last N days. Catches fast-follow supply chain attacks.
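
The three version-based flags above, as an added Python example that is not the scanner's implementation: it applies the --block-unpinned, --cooldown and --version-lag rules to a constructed npm-style manifest and a constructed release history, and collapses the result to a single exit code so a CI job or an agent loop can gate on it. The package names, versions and publish dates are made up, and the real flags' argument parsing and data sources are not shown.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed npm-style manifest (not real package data).
DEPENDENCIES = {
    "left-pad": "^1.3.0",   # caret range
    "lodash": "4.17.21",    # exact pin, but see the release history below
    "express": ">=4.0.0",   # open range
    "chalk": "*",           # anything at all
    "debug": "4.3.4",       # exact pin
}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed release history: package -> [(version, publish time)], oldest first.
RELEASES = {
    "lodash": [("4.17.19", NOW - timedelta(days=400)),
               ("4.17.20", NOW - timedelta(days=300)),
               ("4.17.21", NOW - timedelta(days=2))],
    "debug": [("4.3.2", NOW - timedelta(days=500)),
              ("4.3.3", NOW - timedelta(days=200)),
              ("4.3.4", NOW - timedelta(days=90)),
              ("4.3.5", NOW - timedelta(days=30))],
}

# One exact semver, optionally with pre-release / build metadata.
EXACT_SEMVER = re.compile(r"\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?")


def is_unpinned(spec):
    """--block-unpinned: anything other than one exact version (^, ~, >=, *, ranges) is unpinned."""
    return EXACT_SEMVER.fullmatch(spec.strip()) is None


def publish_age_days(name, version, releases, now=NOW):
    """--cooldown input: whole days since this exact version was published."""
    published = dict(releases[name])[version]
    return (now - published).days


def releases_behind_latest(name, version, releases):
    """--version-lag input: how many releases are newer than this version (0 = it is the latest)."""
    ordered = [v for v, _ in sorted(releases[name], key=lambda r: r[1])]
    return len(ordered) - 1 - ordered.index(version)


def defense_gate(deps, releases, block_unpinned=True, version_lag=1, cooldown=7, now=NOW):
    """Apply the three flags; returns (exit_code, findings), exit 1 if anything is blocked."""
    findings = []
    for name, spec in deps.items():
        if is_unpinned(spec):
            if block_unpinned:
                findings.append(f"{name}@{spec}: range specifier blocked by --block-unpinned")
            continue  # a range has no single resolved version to age-check
        version = spec.strip()
        if name not in releases:
            continue  # the constructed data carries no history for this package
        age = publish_age_days(name, version, releases, now)
        if age < cooldown:
            findings.append(f"{name}@{version}: published {age}d ago, inside --cooldown {cooldown}")
        behind = releases_behind_latest(name, version, releases)
        if behind < version_lag:
            findings.append(f"{name}@{version}: {behind} releases behind latest, "
                            f"under --version-lag {version_lag}")
    return (1 if findings else 0), findings


if __name__ == "__main__":
    code, found = defense_gate(DEPENDENCIES, RELEASES)
    print("\n".join(found) or "no findings")
    raise SystemExit(code)
```

With the constructed data the three range specifiers are blocked outright, lodash 4.17.21 trips both the cooldown (published two days ago) and the version-lag rule (it is the latest release), and debug 4.3.4 passes because it is 90 days old and one release behind. Age and lag are only meaningful for an exact pin, which is why the example stops at the unpinned finding instead of guessing which version a range would resolve to.
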

Quality Gates

Supported Output Formats

  • SARIF 2.1.0
  • CycloneDX 1.2–1.7
  • SPDX 2.3
  • JSON
  • VEX
