The Security Scanners scanner detects installed security tools and their readiness status. Rather than duplicating existing scanners, it orchestrates and reports on your local security tool chain.
Supported Scanners
| Scanner | Purpose | Config Files |
|---|---|---|
| gitleaks | Secret scanning | .gitleaks.toml |
| trivy | Container & filesystem vulnerabilities | trivy.yaml |
| semgrep | Static analysis | .semgrep.yml, .semgrep/ |
| snyk | Dependency vulnerabilities | .snyk |
| checkov | IaC security | .checkov.yaml |
| trufflehog | Secret detection | N/A |
| grype | Vulnerability scanning | N/A |
Detection Status
For each scanner, Vibgrate reports:
| Status | Description |
|---|---|
| Installed | Found in PATH |
| Version | Current installed version |
| Config found | Local config file present |
| Version freshness | How old compared to latest release |
Use Cases
CI Security Readiness
Verify security tools are available before running scans:
- name: Check security tools
run: |
MISSING=$(npx @vibgrate/cli scan --format json | jq '[.securityScanners | to_entries[] | select(.value.installed == false) | .key] | length')
if [ "$MISSING" -gt 0 ]; then
echo "Missing security scanners detected — install them before scanning"
exit 1
fi
Security Onboarding
For new repositories, ensure standard security tools are configured:
vg scan --format json | jq '.securityScanners | to_entries[] | "(.key): (if .value.installed then "✅" else "❌" end)"'
Example Output
{
"securityScanners": {
"gitleaks": {
"installed": true,
"version": "8.18.1",
"latestVersion": "8.18.2",
"configFound": true,
"configPath": ".gitleaks.toml"
},
"trivy": {
"installed": true,
"version": "0.48.0",
"latestVersion": "0.49.1",
"configFound": false
},
"semgrep": {
"installed": false,
"installCommand": "brew install semgrep"
},
"snyk": {
"installed": true,
"version": "1.1260.0",
"configFound": true,
"configPath": ".snyk"
}
}
}
Limitations
This scanner reports tool availability, not scan results:
| What It Does | What It Does NOT Do |
|---|---|
| Detect installed tools | Run security scans |
| Check config files | Parse scan results |
| Suggest installations | Replace your security pipeline |
For actual security scanning, use the detected tools directly in your CI pipeline.