Beyond the core DriftScore, Vibgrate runs a suite of extended scanners that collect high-value migration intelligence. These scanners provide actionable insights for platform migrations, security audits, and technical debt assessments.
Design Principles
All extended scanners follow these guarantees:
| Principle | Guarantee |
|---|---|
| Read-only | Never write files or execute code |
| Parallel execution | Failures in one scanner never affect others |
| Individually configurable | Each scanner can be enabled/disabled |
| Privacy-first | No source code analysis, no secrets, no PII |
Note: Extended scanners only analyze manifest files, configuration, and filesystem metadata. Source code contents are never read.
Scanner Categories
Platform & Runtime
| Scanner | Purpose | Key Outputs |
|---|---|---|
| Platform Matrix | Runtime version compatibility | Node/Python/.NET versions, native modules, OS assumptions |
| TypeScript Modernity | TSConfig analysis | Strictness level, module system, ESM readiness |
Dependencies
| Scanner | Purpose | Key Outputs |
|---|---|---|
| Dependency Risk | Risk classification | Deprecated packages, native modules, platform-specific dependencies |
| Dependency Graph | Supply chain analysis | Duplicates, phantom dependencies, lockfile health |
| Breaking Changes | Upgrade friction prediction | Known painful migrations, polyfill candidates |
Architecture & Quality
| Scanner | Purpose | Key Outputs |
|---|---|---|
| Tooling Inventory | Full tech stack mapping | Frameworks, bundlers, testing tools, observability |
| Build & Deploy | CI/CD detection | Pipeline configs, Docker, IaC presence |
| Architecture Layers | Project structure | Archetype detection, layer classification |
| Code Quality | Complexity metrics | Cyclomatic complexity, "god files", circular dependencies |
| File Hotspots | Directory analysis | File distribution, depth, largest files |
Security
| Scanner | Purpose | Key Outputs |
|---|---|---|
| Security Posture | Structural hygiene | Lockfile presence, .gitignore coverage, audit results |
| Security Scanners | Tool orchestration | Installed scanners, version freshness, config discovery |
| Service Dependencies | External integrations | Payment, auth, cloud SDKs, databases |
| OWASP Mapping | Finding categorization | OWASP Top 10 classification |
Configuration
Enable/Disable Individual Scanners
// vibgrate.config.ts
const config: VibgrateConfig = {
scanners: {
platformMatrix: { enabled: true },
dependencyRisk: { enabled: true },
dependencyGraph: { enabled: true },
breakingChangeExposure: { enabled: true },
// Disable specific scanners
codeQuality: { enabled: false },
securityScanners: { enabled: false },
},
};
Disable All Extended Scanners
For minimal scans focusing only on core drift score:
// vibgrate.config.ts
const config: VibgrateConfig = {
scanners: false, // Run core analysis only
};
Performance
Extended scanners add minimal overhead:
| Scenario | Typical Time |
|---|---|
| Core scan only | 2–5 seconds |
| Core + all extended | 5–15 seconds |
| Large monorepo (500+ packages) | 15–45 seconds |
Scanners run in parallel, so disabling individual scanners may not significantly reduce total scan time.