Skip to main content
Scanners

Extended Scanners Overview

Beyond core drift scoring — platform matrix, dependency graph, security posture, and more.

Beyond the core DriftScore, Vibgrate runs a suite of extended scanners that collect high-value migration intelligence. These scanners provide actionable insights for platform migrations, security audits, and technical debt assessments.


Design Principles

All extended scanners follow these guarantees:

PrincipleGuarantee
Read-onlyNever write files or execute code
Parallel executionFailures in one scanner never affect others
Individually configurableEach scanner can be enabled/disabled
Privacy-firstNo source code analysis, no secrets, no PII

Note: Extended scanners only analyze manifest files, configuration, and filesystem metadata. Source code contents are never read.


Scanner Categories

Platform & Runtime

ScannerPurposeKey Outputs
Platform MatrixRuntime version compatibilityNode/Python/.NET versions, native modules, OS assumptions
TypeScript ModernityTSConfig analysisStrictness level, module system, ESM readiness

Dependencies

ScannerPurposeKey Outputs
Dependency RiskRisk classificationDeprecated packages, native modules, platform-specific dependencies
Dependency GraphSupply chain analysisDuplicates, phantom dependencies, lockfile health
Breaking ChangesUpgrade friction predictionKnown painful migrations, polyfill candidates

Architecture & Quality

ScannerPurposeKey Outputs
Tooling InventoryFull tech stack mappingFrameworks, bundlers, testing tools, observability
Build & DeployCI/CD detectionPipeline configs, Docker, IaC presence
Architecture LayersProject structureArchetype detection, layer classification
Code QualityComplexity metricsCyclomatic complexity, "god files", circular dependencies
File HotspotsDirectory analysisFile distribution, depth, largest files

Security

ScannerPurposeKey Outputs
Security PostureStructural hygieneLockfile presence, .gitignore coverage, audit results
Security ScannersTool orchestrationInstalled scanners, version freshness, config discovery
Service DependenciesExternal integrationsPayment, auth, cloud SDKs, databases
OWASP MappingFinding categorizationOWASP Top 10 classification

Configuration

Enable/Disable Individual Scanners

// vibgrate.config.ts
const config: VibgrateConfig = {
  scanners: {
    platformMatrix: { enabled: true },
    dependencyRisk: { enabled: true },
    dependencyGraph: { enabled: true },
    breakingChangeExposure: { enabled: true },
    // Disable specific scanners
    codeQuality: { enabled: false },
    securityScanners: { enabled: false },
  },
};

Disable All Extended Scanners

For minimal scans focusing only on core drift score:

// vibgrate.config.ts
const config: VibgrateConfig = {
  scanners: false, // Run core analysis only
};

Performance

Extended scanners add minimal overhead:

ScenarioTypical Time
Core scan only2–5 seconds
Core + all extended5–15 seconds
Large monorepo (500+ packages)15–45 seconds

Scanners run in parallel, so disabling individual scanners may not significantly reduce total scan time.

Related Documentation