Extended Scanners: Full Reference

A comprehensive guide to all extended scanners in the Vibgrate CLI — platform matrix, dependency risk, security posture, architecture layers, code quality, and more.

Overview

Beyond the core drift score, Vibgrate runs a suite of extended scanners that collect high-value migration intelligence. All scanners:

  • Are read-only — they never write files or execute project code
  • Run in parallel — failures in one scanner never affect the others
  • Can be individually toggled in the config
  • Collect zero sensitive data — no source code, no secrets, no PII

Platform Matrix

Collects platform and architecture signals that predict where builds will break when moving CI runners, containers, or CPU architectures.

Detects:

  • engines.node and engines.npm/engines.pnpm ranges
  • .nvmrc / .node-version files
  • .NET TargetFramework and SDK versions
  • Native module risk packages (sharp, bcrypt, node-gyp, etc.)
  • OS-assumption scripts in package.json
  • Dockerfile base images (FROM lines only)

Dependency Risk

Extends dependency analysis with risk classification signals:

  • Deprecated packages (npm deprecated field)
  • Native module detection
  • Platform-specific package flags

Dependency Graph & Duplication

Parses lockfiles to build a workspace-wide dependency graph:

  • Total unique vs. installed dependency counts
  • Duplicated packages (multiple versions of the same package)
  • Phantom dependencies (used but not declared)

Supports pnpm, npm, yarn, and .NET lockfiles.

SBOM-Ready Supply Chain Inventory

Artifacts include dependency graph and package inventory data for supply-chain governance:

  • Lockfile-derived package counts
  • Duplicate-version hotspots
  • Phantom dependency evidence

Use vibgrate sbom export for standards-based output.

Tooling Inventory

Maps the full technology stack across your workspace:

Category          Examples
Frontend          React, Vue, Angular, Svelte, Solid
Meta-frameworks   Next.js, Nuxt, Astro, Remix
Bundlers          Vite, webpack, esbuild, Rollup
Backend           Express, Fastify, NestJS, Hono
ORM / DB          Prisma, Drizzle, TypeORM, EF Core
Testing           Vitest, Jest, Playwright, xUnit
Observability     Sentry, OpenTelemetry, Pino, Winston

Build & Deploy Surface Area

Detects CI/CD, containerisation, and infrastructure-as-code:

  • CI systems (GitHub Actions, GitLab CI, Azure DevOps, Jenkins, CircleCI)
  • Docker and Docker Compose
  • IaC (Terraform, Bicep, CloudFormation, Pulumi)
  • Release tooling (Changesets, semantic-release, GitVersion)
  • Package managers and monorepo tools

TypeScript Modernity

Reads tsconfig.json to assess strictness and modernity:

  • TypeScript version
  • Strict mode flags
  • Module system classification (ESM vs CJS)
  • exports field presence

Breaking Change Exposure

Flags packages and patterns known to cause upgrade pain:

  • Deprecated packages (e.g. request, node-sass, tslint, moment)
  • Legacy Node API polyfills no longer needed on Node 18+
  • Peer dependency conflicts
  • Exposure score (0–100)

File Hotspots

Lightweight complexity analysis using filesystem metadata only:

  • File counts by extension
  • Largest files by size
  • Directory depth distribution
  • Most-used packages across the workspace

Security Posture

Structural security hygiene indicators:

  • Lockfile presence and consistency
  • .gitignore coverage for .env files and node_modules
  • .env files tracked outside .gitignore
  • Audit severity counts
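The three structural checks above (lockfile presence, .gitignore coverage, .env files not covered by .gitignore) can be reproduced with a small read-only walk of the workspace. The following is an added example, not Vibgrate's own scanner code; it uses a simplified gitignore matcher (a pattern matches the full relative path or any single path component, negation and nested .gitignore files are not handled) and builds a constructed sample workspace in a temporary directory.

```python
"""Read-only hygiene check in the spirit of the Security Posture scanner (added example)."""
import os
import fnmatch
import tempfile
from pathlib import Path

LOCKFILES = ("package-lock.json", "pnpm-lock.yaml", "yarn.lock", "packages.lock.json")


def load_gitignore(root: Path) -> list[str]:
    """Return non-comment, non-empty patterns from root/.gitignore (empty list if absent)."""
    gi = root / ".gitignore"
    if not gi.is_file():
        return []
    lines = gi.read_text(encoding="utf-8").splitlines()
    return [ln.strip() for ln in lines if ln.strip() and not ln.lstrip().startswith("#")]


def is_ignored(rel_path: str, patterns: list[str]) -> bool:
    """Simplified gitignore semantics (assumption): a pattern matches the whole relative
    path or any one path component, so 'node_modules' or '.env' match at any depth."""
    parts = rel_path.split("/")
    for pat in patterns:
        pat = pat.strip("/")
        if fnmatch.fnmatchcase(rel_path, pat) or any(fnmatch.fnmatchcase(p, pat) for p in parts):
            return True
    return False


def security_posture(root: Path) -> dict:
    """Collect lockfile presence, node_modules ignore coverage, and .env files not ignored."""
    patterns = load_gitignore(root)
    lockfiles = [name for name in LOCKFILES if (root / name).is_file()]
    env_not_ignored = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]  # skip noise
        for name in filenames:
            if name == ".env" or name.startswith(".env."):
                rel = (Path(dirpath) / name).relative_to(root).as_posix()
                if not is_ignored(rel, patterns):
                    env_not_ignored.append(rel)
    return {
        "lockfiles": lockfiles,
        "gitignore_covers_node_modules": is_ignored("node_modules", patterns),
        "env_files_not_ignored": sorted(env_not_ignored),
    }


def build_sample_workspace() -> Path:
    """Constructed fixture: pnpm lockfile, .gitignore that covers .env but not .env.local."""
    root = Path(tempfile.mkdtemp())
    (root / "pnpm-lock.yaml").write_text("lockfileVersion: '9.0'\n")
    (root / ".gitignore").write_text("node_modules\n.env\n# build output\ndist/\n")
    (root / ".env").write_text("API_KEY=placeholder\n")
    (root / "apps" / "web").mkdir(parents=True)
    (root / "apps" / "web" / ".env.local").write_text("DB_URL=placeholder\n")
    return root
```

Running security_posture(build_sample_workspace()) reports apps/web/.env.local as the one .env file not covered, since a bare ".env" pattern does not match ".env.local".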

Security Scanners

Orchestration and readiness analysis:

  • Scanner engine discovery (installed vs missing)
  • Version freshness checks
  • Local config discovery for scanner policy files
  • Cache-backed heuristic secret signals

Service Dependencies

Maps external service and platform dependencies:

Category          Examples
Payment           Stripe, Braintree, PayPal
Auth              Auth0, Clerk, Firebase, Passport
Cloud SDKs        AWS, Azure, Google Cloud
Databases         PostgreSQL, MongoDB, Redis
Messaging         SQS, SNS, Kafka, BullMQ
Observability     Sentry, DataDog, New Relic

Architecture Layers

Classifies source files into architectural layers:

  • Archetype detection (Next.js, NestJS, Express, serverless, monorepo, CLI)
  • Layer-level file counts and confidence scoring
  • Per-layer package drift scores
  • Layer-specific tech stack attribution

Code Quality Metrics

Fast AST-based quality checks:

  • Cyclomatic complexity averages
  • Function length and nesting depth signals
  • Circular dependencies and dead-code estimate
  • "God file" detection for oversized high-complexity modules

OWASP Category Mapping

Maps security findings into OWASP Top 10 categories:

  • Supports fast and cache-input modes
  • Categorizes findings with severity and CWE metadata
  • Emits per-category counts in JSON output

Related Commands