The Security Scanners Scanner focuses on local security scanner orchestration and readiness analysis. It detects which security tools are present and assesses how ready they are to run, as part of a normal scan that contributes to your DriftScore. This article is for teams building a layered security pipeline.
What it detects
The scanner identifies local security scanning tools in your project and analyzes their readiness — whether they are configured and positioned to run effectively. Rather than performing the deep scan itself, it reports on the security tooling you already have, so you can see coverage and gaps across your toolchain.
Why it matters
Many teams install a security tool, run it once, and never wire it into the pipeline. The tool exists but provides no ongoing protection. Orchestration readiness is the difference between security theater and a working control. By surfacing which tools are present and whether they are ready, the scanner tells you where your defensive layers are real and where they are aspirational.
For leaders, this is a coverage map of security tooling across projects. For developers, it is a prompt to finish wiring the tools you already chose.
How to act
Scan the project:
vg
Review which security tools are detected and their readiness. For any tool that is present but not ready, finish its configuration and connect it to CI so it runs on every change. For categories with no tool at all, decide whether a control is warranted and add one. Treat a tool that exists but never runs as a gap, not coverage.
Triage tips
- Wire every present-but-idle tool into CI so it actually gates changes.
- Prefer fewer, well-orchestrated tools over many that never run.
- Re-scan after changes to confirm readiness improved.
Related
This scanner complements the Security Posture Scanner (structural hygiene) and the OWASP Category Mapping (triage framework). For pipeline wiring, see the CI Integration guides. Findings can be exported alongside scan artifacts via vg report.