Scanner guides

Scanner guides

Translate scanner output into a CycloneDX VEX or OpenVEX statement, one tool at a time.

Each scanner has its own dialect. Snyk’s JSON looks nothing like Grype’s, CodeQL’s SARIF is its own thing, and Dependabot is a UI rather than a file you can grep. These guides cover what each scanner actually produces, which fields drive a triage decision, and how to translate the output into a VEX statement that records what you decided.

Pick the scanner that matches your pipeline. Every guide ends in the same place — either a CycloneDX VEX entry, when the finding ties back to an SBOM component, or an OpenVEX statement, for everything else.

For terminology used on these pages, see the Glossary. If you’d rather not invoke vulnetix vdb and write jq pipelines by hand, the AI Coding Agent plugin wraps every CLI call on this site into slash commands across Claude Code, Cursor, Windsurf, Copilot, Gemini, and a dozen other editors.

Capability matrix

A side-by-side qualitative comparison of every scanner on this site, using Vulnetix as the baseline. The matrix is exhaustive — every distinguishing capability gets a row, even ones only one tool has, because the gap is the comparison.

Reading the cells: cells carry short prose rather than ticks. “Native — x_kev.knownRansomwareCampaignUse + x_kev.dueDate” tells you how a capability is implemented; “String label only (Mature/PoC)” tells you what’s missing. Where a fallback exists, the cell names it (e.g. “Not native — cross-reference vulnetix:eol-check or endoflife.date”). N/A means the capability doesn’t apply (a SAST tool has no vulnerability-DB row).

Vulnetix’s drawbacks (called out so the baseline is honest, not a sales pitch):

  • Reachability is semantic / intent-to-use (Tier 3), not call-graph. CodeQL and Snyk SAST (Tier 2 call-graph + taint) are more precise on traditional call-edge questions. Vulnetix’s strength is catching reflection / DI / framework-wiring patterns Tier 2 misses; Vulnetix’s weakness is precision on traditional code paths. The Reachability table below puts both sides of this contrast in one place.
  • Container scanning reads the OCI manifest’s package list or an unpacked filesystemnot the binary image, not a runtime probe. Grype, Trivy, and Prisma Cloud’s twistcli read the image-binary directly via the OCI layers. Snyk Container (commercial) does likewise. The Container scanning depth table shows where each model wins and loses.

Column header pattern is identical across every section so you can pick a tool’s column and read straight down:

| Capability | Dependabot | CodeQL | GH Secrets | GL Deps | GL SAST | GL Secrets | GL DAST | Snyk OSS | Snyk SAST | gosec | Semgrep | KICS | osv-scanner | Grype | Trivy | Prisma | Ruff | Dep-Track | Vulnetix |

1. Coverage

What scope each scanner covers — the broad question of “can this tool see findings of class X at all?”

CapabilityDependabotCodeQLGH SecretsGL DepsGL SASTGL SecretsGL DASTSnyk OSSSnyk SASTgosecSemgrepKICSosv-scannerGrypeTrivyPrismaRuffDep-TrackVulnetix
SCA (deps)Native — lockfile + GHSA matchingN/AN/ANative — gemnasium analyserN/AN/AN/ANative — flagship productN/AN/AN/AN/ANative — lockfile + OSV APINative — SBOM + container OS packagesNative — lockfile + container OS pkgs (combined report)Native — image / repo / serverless modesN/ANative — strictly SBOM-consuming; ingests CycloneDX SBOMs from any upstream toolNative — every ecosystem + VDB enrichment
SCA manifest formats supported~15 — npm, pip, Maven, Gradle, NuGet, RubyGems, Composer, Go modules, Cargo, Pub, Mix, Bundler, pip-compile, pipenv, DockerN/AN/A~12 — npm, pip, Maven, Gradle, NuGet, Composer, RubyGems, Go modules, Cargo, Conan, sbt, yarnN/AN/AN/A~14 — npm, pip, Maven, Gradle, NuGet, RubyGems, Composer, Go modules, Cargo, sbt, pipenv, Poetry, yarn, CocoaPodsN/AN/AN/AN/A~16 — npm, pip, Maven, Gradle, NuGet, RubyGems, Composer, Go modules, Cargo, Pub, Hex/Mix, CocoaPods, Conan, Bun, pnpm, Poetry + Buildroot / Docker images~12 — npm / yarn, pip, Maven / Gradle, NuGet, RubyGems, Composer, Go modules, Cargo, sbt, Hex, OS-pkgs (deb / apk / rpm)~13 — npm, pip, Maven, Gradle, NuGet, RubyGems, Composer, Go modules, Cargo, Pub, Conan, Mix, Swift / CocoaPods + OS-pkgs~14 — npm / yarn, pip, Maven, Gradle, NuGet, RubyGems, Composer, Go modules, Cargo, sbt, Conan, pipenv, Poetry, Mix + OS-pkgsN/ASource-agnostic — ingests any CycloneDX SBOM; effective coverage = whatever the upstream SBOM producer enumeratesNative — every CycloneDX-covered ecosystem: npm, pip, Maven, Gradle, NuGet, RubyGems, Composer, Go modules, Cargo, Pub, Mix / Hex, Conan, CocoaPods, sbt, Bun, pnpm, Poetry, pipenv, Swift PM + OS-pkgs
SAST (code)N/ANative — flagship; call-graph + taintN/AN/ANative — per-language analysers (Semgrep + bandit + gosec)N/AN/AN/ANative — Snyk Code; taint flowNative — Go-only; AST + SSA; intra-procedural taint (G7xx)Native — pattern-match (OSS) / taint (Pro)Not native — IaC-focusedN/AN/AN/ANot nativeNative — Python only; 800+ built-in Rust rules. Vulnetix opa-py-ruff ports 956 of them to OPA/Rego (478 pattern + 478 AST-only stubs)N/ANative — pattern-match + semantic
SAST languages supportedN/A~10 — C/C++, C#, Go, Java/Kotlin, JS/TS, Python, Ruby, Swift, GitHub ActionsN/AN/A~25 — multi-analyser combined (bandit Python + gosec Go + brakeman Ruby + spotbugs Java + Semgrep packs)N/AN/AN/A~11 — C/C++, C#, Go, Java/Kotlin, JS/TS, Python, PHP, Ruby, Scala, Swift, Apex1 — Go~30+ via rule packs — C/C++, C#, Go, Java/Kotlin, JS/TS, Python, PHP, Ruby, Scala, Rust, Bash, Solidity, Terraform/HCL, …N/A — IaC, not code-SASTN/AN/AN/AN/A1 — PythonN/ANative — 7 first-party (Java, Python, Go, Node.js, PHP, Ruby, .NET); OPA/Rego rule-pack-extensible via opa-py-ruff (Python depth) and opa-gosec (Go depth)
Container scanningNot nativeNot nativeNot nativeAdjacent product (GitLab Container Scanning, Trivy-backed)Not nativeNot nativeNot nativeCommercial tier — Snyk ContainerNot nativeNot nativeNot nativeNot native (Dockerfile static rules only — see row below)Native — osv-scanner --image <image> since 2024Native — image-binary via syftNative — image-binary (OCI layer walk)Native — image-binary (OCI layer extraction)Not nativeNot native — consumes container SBOMs (syft / Trivy); optionally delegates to an external Trivy server analyzerNative — OCI-manifest packages OR unpacked filesystem; not image-binary, not runtime
Container scan modelImage-binaryImage-binaryImage-binary via --image (extracts OCI layers, walks the filesystem)Image-binary (OCI layer extraction, then filesystem walk)Image-binary (OCI layer extraction, then filesystem walk)Image-binary (OCI layer extraction, then filesystem walk)SBOM-only (consumes upstream syft / Trivy output)Unpacked-layer / OCI-manifest (reads the manifest’s package list, or operates on a pre-extracted filesystem; cannot scan a binary OCI image directly)
IaC scanningNot nativeCustom queries possibleNot nativeAdjacent product (GitLab SAST-IaC)Not nativeNot nativeNot nativeCommercial tier — Snyk IaCNot nativeNot nativeVia community rule packsNative — flagship; Terraform / OpenTofu / Kubernetes / Helm / CloudFormation / ARM / Bicep / Ansible / Pulumi / Crossplane / OpenAPI / GitHub Workflows / Serverless / SAM / CDK / Knative / Docker Compose / Buildah / Databricks / NIFCloud / TencentCloud (20+)Not nativeNot nativeNative — Terraform / CloudFormation / Dockerfile / Kubernetes / Helm / Azure ARM via trivy configNative — Terraform / CloudFormation / k8s / HelmNot nativeNot nativeNative — Terraform / OpenTofu / Nix / k8s / Helm rules
Secrets scanningNot nativeNot nativeNative — GitHub Secret ScanningNot nativeNot nativeNative — gitleaks analyserNot nativeNot nativeNot nativeLimited — G101 hardcoded-credentials + G117 marshalling exposureVia community rule packsNative — regex-based queries (on by default; --disable-secrets to opt out)Not nativeFile-pattern matcher (CPE-style)Native — gitleaks-equivalent ruleset (~100 patterns), in-image and in-fsNative — narrow regex set (AWS / GitHub / generic, ~30 patterns)Partial — S105/S106/S107 flag hard-coded password constants; no entropy or provider-pattern scanningNot nativeNative — AWS / GitHub / Slack / Stripe / generic entropy
License complianceNot nativeNot nativeNot nativeNative — SPDX licence per depNot nativeNot nativeNot nativeNative — license advisorNot nativeNot nativeNot nativeNot nativeNative — --licenses flag (license-classification + allowlist)Indirect — via syft SBOMNative — license-classification per pkg (--scanners license)Indirect — via twistcli sbom (CycloneDX 1.4)Not nativeNative — flagship; LICENSE / LICENSE_GROUP policy subjects, copyleft / permissive groups out-of-box, SPDX list 3.27.0Native — copyleft conflict + allowlist + 6-step pipeline
DASTNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNative — ZAP-basedNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot native — DAST is out of scope for the platform
Dockerfile static analysisNot nativeCustom queriesNot nativeVia GitLab Container ScanningNot nativeNot nativeNot nativeCommercialNot nativeNot nativeVia community rule packs (hadolint-style)Native — Dockerfile + Compose + Buildah queriesNot nativeNot nativeNative — via trivy config (hundreds of Dockerfile rules)Native — ~200 CIS / NIST 800-190 compliance rules (closed catalogue)Not nativeNot nativeNative — 8 Dockerfile rules (VNX-DOCKER-001..008)
Mobile (APK / IPA)Not nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeCommercial — Snyk Mobile (limited)Not nativeNot nativeVia Mobile rule packsNot nativeNot nativeIndirect — APK/IPA file-walkNot nativeNot nativeNot nativeIndirect — via SBOM if upstream tool produced oneNot native (out of scope)
API security (live)Not nativeNot nativeNot nativeNot nativeNot nativeNot nativePartial — via DASTNot nativeNot nativeNot nativeNot nativeNot native (static OpenAPI rules only)Not nativeNot nativeNot nativeNot native — Defender runtime is orthogonalNot nativeNot nativeNot native (out of scope)
Kubernetes / cloud-configNot nativeCustom queriesNot nativeVia GitLab IaCNot nativeNot nativeNot nativeCommercial — Snyk CloudNot nativeNot nativeVia Kubernetes rule packsNative — Kubernetes + Helm + Knative + ARM + Bicep queriesNot nativeNot nativeNative — trivy k8s + trivy aws (live cluster / account scan)Native — k8s manifests + admission control via ConsoleNot nativeNot nativeNative — k8s manifests + Nix flakes via IaC

2. Database & feed quality

The breadth of vulnerability data the scanner consumes shapes everything downstream — see the database quality tiers section for the five-tier scale.

CapabilityDependabotCodeQLGH SecretsGL DepsGL SASTGL SecretsGL DASTSnyk OSSSnyk SASTgosecSemgrepKICSosv-scannerGrypeTrivyPrismaRuffDep-TrackVulnetix
Primary feedGHSA + curated GitHub Advisory DBN/A (first-party query packs)N/A (signatures)GitLab Advisory DB (GHSA + curated entries)N/A (rule packs)N/A (signatures)N/A (runtime probes)Snyk Vulnerability DB (curated, augments GHSA)N/A (first-party rules)N/A (first-party rules)N/A (rule packs)N/A (Rego query library)OSV.dev aggregatorNVD + GHSA + GitLab DB + distro feeds (USN/Alpine/RedHat/ALAS/Wolfi)NVD + GHSA + GitLab Advisory DB + RedHat OVAL + Debian Security Tracker + Ubuntu USN + Alpine secdb + Amazon ALAS + Wolfi + Chainguard + OSVPrisma Intelligence Stream (commercial — NVD + GHSA + distro feeds + first-party exploit intel)N/A (rule-pack-driven; built-in linter packs)NVD 2.0 REST + GHSA + OSV + VulnDB (commercial) + Sonatype OSS Index + optional Snyk + optional Trivy serverVulnetix VDB — every above feed + first-party enrichment
Database quality tierCVE + GHSA (minimal)N/AN/ACVE + GitLab DB (minimal-to-sufficient)N/AN/AN/ACVE + GHSA + Snyk DB (minimal-plus)N/AN/AN/AN/ACVE + OSV (sufficient — nearly comprehensive feed coverage)CVE + GHSA + distro feeds (sufficient for OS, minimal for ecosystem)CVE + OSV-equivalent (sufficient — broad distro + ecosystem)Prisma Intelligence Stream (commercial-curated — sufficient + exploit-intel via riskFactors; no AI / sightings)N/ACVE + GHSA + OSV + VulnDB (sufficient — broad aggregation, no first-party enrichment)Vulnetix VDB (full coverage — only tier with first-party enrichment)
OS-distro feeds coveredVia container-scanning analyserCommercial containerBroad — Alpine SecDB, Debian Security Tracker, Ubuntu, RHEL, RockyLinux, AlmaLinux, SUSE, Fedora, Mageia, Chainguard, Wolfi, Bitnami, Curl, Android, Linux kernel via OSV aggregatorUbuntu USN, Alpine secdb, RedHat, Amazon ALAS, Wolfi, Debian, SUSEBroad — Debian, Ubuntu, RHEL, Alpine, Amazon ALAS, SUSE, Photon, Oracle, Wolfi, ChainguardBroad — Debian, Ubuntu, RHEL, CentOS, Alpine, Amazon Linux, SUSE, Photon, Wolfi, ChainguardIndirect — via delegated Trivy analyzer onlyEvery above + Debian LTS / ELTS, RHEL ELS, Ubuntu ESM
Cross-feed aliasesGHSA + CVECVE + GHSA + Snyk + OSVDBCVE + CWE + GHSA + OSV + SnykOSV aliases[] (every cross-reference)NVD relatedVulnerabilities[]Cross-feed aliases via feed (CVE + GHSA + vendor advisory IDs)CVE + GHSA + vendor advisory IDsCVE + GHSA + OSV + VulnDB IDsVulnetix aliases[] — 78+ ID formats incl. RHSA, MSCVE, EUVD, ZDI, KEV
Update cadenceReal-time (GHSA push)Standard query pack releaseReal-timeDailyWeekly rule-packReal-timeN/ADailyWeeklyPer release (gosec versioned)WeeklyPer-release query-library updatesDaily (OSV API)DailyHourly DB updates (Trivy DB OCI artefact)Real-time (Intelligence Stream push)Per Astral release (weekly-to-fortnightly)Daily NVD mirror; incremental OSV (v4.14.0); on-demand external analyzersHourly enrichment cycles + real-time KEV / honeypot ingestion
First-party enrichmentNone — passthrough of GHSAQuery-pack metadataNoneMinimal — severity blendRule-pack metadataNoneNoneSnyk-curated severity / priorityScore / upgradePath[]Snyk-curated rule propertiesRule metadata (CWE per rule)Rule-pack metadataQuery metadata (platform, category, cwe, description_id)None — verbatim OSVNone — verbatim feedNone — verbatim feedriskFactors (composite heuristic flag bag), fixDate, layerTime, complianceIDRule metadata only — ruff_code / ruff_linter / help_uri; opa-py-ruff adds cwe[] on bandit S-rulesNone — passthrough; EPSS surfaced; Risk Score weighted-severity aggregation onlyx_threatExposure, x_attackSurface, x_ssvc, x_kev, x_epss, x_exploitationMaturity, x_remediationTimeline, x_affectedRoutines, x_attackPaths, x_purls

3. Vulnerability intelligence — risk signals

How rich is the data attached to each finding? Most of the SSVC Priority input comes from the rows below — a string label gives you less than an integrated multi-source signal.

CapabilityDependabotCodeQLGH SecretsGL DepsGL SASTGL SecretsGL DASTSnyk OSSSnyk SASTgosecSemgrepKICSosv-scannerGrypeTrivyPrismaRuffDep-TrackVulnetix
CVSS v3.1 vectorSeverity label (no vector)N/AN/AVector when availableN/AN/AN/AVector + scoreSeverity labelSeverity label (HIGH/MEDIUM/LOW) — no vectorN/AN/AVia OSV severity[]Via NVD cvss[]Per-feed vector + scoreNative — cvss + vecStrN/ANative — vector + score stored on FindingVector + score + version-specific re-scoring
CVSS v4.0 vectorNot surfacedN/AN/ANot surfacedN/AN/AN/APartial (rolling out)Not surfacedNot surfacedN/AN/AWhen OSV carries itWhen NVD carries itWhen feed carries itNot surfacedN/ANative — added v4.14.0Native — v3.1 + v4.0 in parallel
EPSS percentileNot surfacedN/AN/ANot surfacedN/AN/AN/ACommercial tierN/AN/AN/AN/APer-feed when availablePer-feed when availableNot surfacedNot surfaced — cross-reference VDBN/ANative — surfaced on Finding; available as policy condition since v4.12.0; on GHSA since v4.14.0Native — x_epss.score + x_epss.percentile + x_epss.date
CISA KEVSurfaced in some advisoriesN/AN/APartial — via cross-referenceN/AN/AN/ACommercial tierN/AN/AN/AN/AVia OSV aliasesVia NVD aliasesNot surfacedNot native — cross-reference VDBN/ANot surfaced as first-class — indirect via Trivy / NVD passthrough onlyNative — x_kev.knownRansomwareCampaignUse, x_kev.dueDate, x_kev.requiredAction, x_kev.vendorProject
EU-KEVNot surfacedN/AN/ANot surfacedN/AN/AN/ANot surfacedN/AN/AN/AN/ANot surfacedNot surfacedNot surfacedNot surfacedN/ANot surfacedNative — EUVD + ENISA KEV ingestion
SSVC Coordinator decisionNot surfacedN/AN/ANot surfacedN/AN/AN/ANot surfacedN/AN/AN/AN/ANot surfacedNot surfacedNot surfacedNot surfacedN/ANot surfacedNative — x_ssvc.decision ∈ {Act, Attend, Track*, Track} + x_ssvc.priority + x_ssvc.inputs + x_ssvc.methodology
SSVC Engineer Triage inputsNot surfacedN/AN/ANot surfacedN/AN/AN/ANot surfacedN/AN/AN/AN/ANot surfacedNot surfacedNot surfacedNot surfacedN/ANot surfaced — uses CycloneDX VEX-shaped AnalysisState / AnalysisJustification / AnalysisResponse triad insteadNative — Reachability/Remediation/Mitigation/Priority auto-surfaced; written to .vulnetix/memory.yaml
Exploit maturity depthBoolean — GHSA flag onlyN/AN/AGitLab DB severity bucketN/AN/AN/AString label (Mature/Proof of Concept/No Known Exploit)N/AN/AN/AN/AOSV database_specific.severity bucketSeverity bucketSeverity bucket only (CRITICAL / HIGH / MEDIUM / LOW / UNKNOWN)riskFactors heuristic flag bag (Exploit exists / Recent vulnerability / Remote execution) — composite, not categoricalN/ANot categorical — EPSS numeric onlyNative categorical — x_exploitationMaturity.level ∈ {ACTIVE, POC, WEAPONISED, NONE} + sub-factors (EPSS, KEV, CESS, sightings)
Weaponisation indicatorNot surfacedN/AN/ANot surfacedN/AN/AN/ANot surfacedN/AN/AN/AN/ANot surfacedNot surfacedNot surfacedIndirect — riskFactors["Exploit exists"] boolean onlyN/ANot surfacedNative — Metasploit module presence + Nuclei template + autonomous-attack-tool detection
Honeypot sightingsNot surfacedN/AN/ANot surfacedN/AN/AN/ANot surfacedN/AN/AN/AN/ANot surfacedNot surfacedNot surfacedNot surfacedN/ANot surfacedNative — x_sightings per CVE (1d / 7d / 30d / 90d averages)
CrowdSec community sightingsNot surfacedN/AN/ANot surfacedN/AN/AN/ANot surfacedN/AN/AN/AN/ANot surfacedNot surfacedNot surfacedNot surfacedN/ANot surfacedNative — CrowdSec partner feed
Shadowserver scan countsNot surfacedN/AN/ANot surfacedN/AN/AN/ANot surfacedN/AN/AN/AN/ANot surfacedNot surfacedNot surfacedNot surfacedN/ANot surfacedNative — global-scan-volume signal
IOC pivots (IPs / ASNs / geo)Not surfacedN/AN/ANot surfacedN/AN/AN/ANot surfacedN/AN/AN/AN/ANot surfacedNot surfacedNot surfacedDefender-side runtime IOCs (proprietary), not pre-deployN/ANot surfacedNative — vulnetix:ioc-pivot skill returns top IPs, ASNs, geo distribution, STIX 2.1 bundle export
ATT&CK technique mapping (per-CVE)Not surfacedN/AN/ANot surfacedN/AN/AN/ANot surfacedN/AN/AN/AN/ANot surfacedNot surfacedNot surfacedPartial — Defender attackType at runtime, not per-CVE pre-deployN/ANot surfacedNative — x_attackPaths[] carries tactic → technique chain per CVE
x_affectedRoutines (function-level affected list)Not surfacedIndirect — codeFlow locationN/ANot surfacedIndirect — codeFlow locationN/AN/Afunctions[] (commercial Deep Test)Indirect — codeFlow locationIndirect — file/line/column per finding (no codeFlow trace)Metavar capture in ruleN/ANot surfacedNot surfacedNot surfacedNot surfacedIndirect — start_line + matched snippet per finding; no function-level extractionNot surfacedNative — deduplicated programRoutines + programFiles + x_affectedFunctions
x_attackPaths (tactic → technique)Not surfacedN/AN/ANot surfacedN/AN/AN/ANot surfacedN/AN/AN/AN/ANot surfacedNot surfacedNot surfacedDefender supplies runtime tactic chains; no pre-deploy mappingN/ANot surfacedNative — drives detection-rule selection (Snort / Nuclei / YARA / Sigma)
Multi-axis (CWSS-shaped) scoringSeverity label onlyN/AN/ASeverity label onlyN/AN/AN/ApriorityScore (single composite, 0–1000)priorityScore (single composite)Two-axis — severity × confidence (each LOW/MEDIUM/HIGH)Severity + likelihood + impact stringsSeverity label only (CRITICAL / HIGH / MEDIUM / LOW / INFO / TRACE)Severity labelSeverity labelSeverity label onlyriskFactorsScore (single composite, derived from flag bag)Rule-defined severity / level (error/warning/info) only; opa-py-ruff carries Vulnetix severity per ruleRisk Score — weighted-severity ((crit*10)+(high*5)+(med*3)+(low*1)+(unassigned*5)); not multi-axisCWSS composite — technical-impact + exploitability + exposure + complexity + repo-relevance, each 0–100, weighted blend
AI-discovered vulnerabilities (researcher leaderboard)Not surfacedN/AN/ANot surfacedN/AN/AN/ANot surfacedN/AN/AN/AN/ANot surfacedNot surfacedNot surfacedNot surfacedN/ANot surfacedNative — AI-researcher discovery feed, leaderboard, novel-CVE tracking
AI-in-the-wild exploitation observationsNot surfacedN/AN/ANot surfacedN/AN/AN/ANot surfacedN/AN/AN/AN/ANot surfacedNot surfacedNot surfacedNot surfacedN/ANot surfacedNative — vdb ai-in-wild, AI-authored exploit observations
Vendor-trend month-over-month deltasNot surfacedN/AN/ANot surfacedN/AN/AN/ALimited dashboardsN/AN/AN/AN/ANot surfacedNot surfacedNot surfacedLimited Console dashboardsN/ALimited — portfolio dashboardsNative — vdb vendor-trends per vendor MoM
Exploit-trend rollupNot surfacedN/AN/ANot surfacedN/AN/AN/ALimited dashboardsN/AN/AN/AN/ANot surfacedNot surfacedNot surfacedLimited Console dashboardsN/ALimited — dashboardsNative — vdb exploit-trends
CWE classificationSurfaced when in GHSANative — external/cwe/... tagsN/ASurfaced when in feedNative — metadata.cwe[]N/ANative — ZAP CWE mappingNative — identifiers.CWE[]Native — properties.tagsNative — cwe.id + cwe.url per findingNative — metadata.cweNative — cwe field per queryIndirect — via OSVSurfaced when in feedSurfaced when in feedNative — via Intelligence StreamPartial — upstream Ruff has no CWE field; opa-py-ruff populates metadata.cwe[] on bandit S-rules (e.g. CWE-78 on S602)Native — CWE is a policy subject + surfaced per findingNative — x_kev.cwes[] + per-finding CWE + D3FEND countermeasure mapping

4. Reachability — tier and mechanism

The three-tier model from the reachability deep-dive. The “Tier achieved” row is the headline; the rows below decompose how the tool gets there.

CapabilityDependabotCodeQLGH SecretsGL DepsGL SASTGL SecretsGL DASTSnyk OSSSnyk SASTgosecSemgrepKICSosv-scannerGrypeTrivyPrismaRuffDep-TrackVulnetix
Tier achievedTier 1 — package-levelTier 2 — call-graph + taintN/ATier 1 — package-levelTier 1–2 — depends on analyserN/ARuntime (orthogonal)Tier 1 default / Tier 2 partial via Deep Test (commercial)Tier 2 — taint codeFlowTier 2 intra-procedural (G7xx SSA taint) / Tier 1 (G1xx–G6xx AST pattern)Tier 1 pattern-match (OSS) / Tier 2 taint (Pro)Tier 1 — pattern-match against IaC resource shapesTier 1 default; Tier 2 experimental for Go via --experimental-call-analysisTier 1 — package-level (linkage check is Tier-1.5 manual)Tier 1 — package-level (linkage check is Tier-1.5 manual, same recipe as Grype)Tier 1 — package-level. Defender adds Tier-1.5 runtime evidence (orthogonal axis)Tier 1 — single-file pattern / AST matchTier 1 — package / component-level onlyTier 3 — semantic / intent-to-use; not Tier 2 call-graph
Static call-graph (CHA / RTA / VTA / pointer)Not nativeNative — CodeQL’s data-flow library builds the graphN/ANot nativePer-analyser (some use Semgrep flat)N/AN/Afunctions[] (commercial)Native — Snyk Code’s interprocedural graphNot native — SSA-only, no whole-program graphPro mode onlyNot nativeExperimental — Go call-graph (--experimental-call-analysis)Not nativeNot nativeNot nativeNot native — single-file AST onlyNot native — pair with CodeQL / Snyk SAST and ingest the resulting VEXNot native — pair with CodeQL or Snyk SAST for precise call-edge questions
Taint / dataflow (codeFlow)Not nativeNative — codeFlows[] in SARIFN/ANot nativePro / Semgrep-based analysersN/AN/ALimited via functions[]Native — codeFlow in SARIFNative for G7xx — SSA intra-procedural; no codeFlow trace in SARIF outputPro mode — codeFlows[]Not nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeInferred from x_affectedRoutines + framework heuristics; no codeFlow-style trace
Semantic / intent-to-use (reflection / DI / ServiceLoader / framework auto-config)Not nativeMisses by default; needs hand-written queries per frameworkN/ANot nativeNot nativeN/AN/ANot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNative — captures Spring auto-config, Java SPI, .NET DI, Rails autoload, plugin-system wiring that call-graph tools miss (via CLI’s --reachability=direct|transitive|both flag fetching per-CVE patterns from the VDB and evaluating them locally across 17 languages — no source upload)
Runtime coverage integrationNot nativeNot nativeN/ANot nativeNot nativeN/ADAST is itself runtime evidenceNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNative via Prisma Defender — runtime events feed back to Console; closes the loop on build-time VEX assumptionsNot nativeNot native — but consumes CycloneDX VEX from runtime tools that produce it (CODE_NOT_REACHABLE auto-applies)Indirect — pair with JaCoCo / coverage.py / c8 + memory.yaml

5. Supply-chain threat detection

Most scanners are reactive (MAL- records arrive after the advisory publishes). Vulnetix is the only tool below with proactive detection. See supply-chain threats appendix for the full taxonomy.

CapabilityDependabotCodeQLGH SecretsGL DepsGL SASTGL SecretsGL DASTSnyk OSSSnyk SASTgosecSemgrepKICSosv-scannerGrypeTrivyPrismaRuffDep-TrackVulnetix
Typosquat similarity scoringNot nativeN/AN/ANot nativeN/AN/AN/ACommercial — limitedN/AN/ANot nativeNot nativeNot nativeNot nativeNot nativeNot nativeN/ANot nativeNative — vulnetix:typosquat-check + edit-distance + maintainer-health blend
Dependency-confusion detectionNot nativeN/AN/ANot nativeN/AN/AN/ACommercial — limitedN/AN/ANot nativeNot nativeNot nativeNot nativeNot nativeNot nativeN/ANot nativeNative — dep-add-guard flags dual-registry presence
Namespace squatting / brandjackingNot nativeN/AN/ANot nativeN/AN/AN/ANot nativeN/AN/ANot nativeNot nativeNot nativeNot nativeNot nativeNot nativeN/ANot nativeNative — brand-prefix detection + low-maintainer-health combination
Maintainer-takeover (MAL- records)Reactive — GHSA-MAL- after publicationN/AN/AReactive — via feedN/AN/AN/AReactive — Snyk Malicious Packages (commercial)N/AN/ANot nativeNot nativeNative — OSV MAL- records first-classVia OSV / NVD aliasesReactive — via OSV MAL- recordsReactive — via Intelligence Stream feedN/AReactive — via OSV / GHSA MAL- recordsNative + proactive — AI-malware family signatures + maintainer-health drop detection
ProtestwareReactive — MAL- after publicationN/AN/AReactiveN/AN/AN/AReactive — commercialN/AN/ANot nativeNot nativeReactive — via MAL-Via feedReactive — via feedReactive — via feedN/AReactive — via feedsNative — AI-malware family detection (node-ipc-pattern, geo-targeted behaviour signals)
Post-install / build-script abuseNot nativeN/AN/ANot nativeN/AN/AN/ANot nativeN/AN/AVia custom rule packsNot nativeNot nativeNot nativeNot nativeNot native at scan time; Defender catches at runtimeN/ANot nativeNative — IaC rule on RUN npm install without --ignore-scripts; dep-add-guard flags suspect scripts
AI-malware family signaturesNot nativeN/AN/ANot nativeN/AN/AN/ANot nativeN/AN/ANot nativeNot nativeNot nativeNot nativeNot nativeNot nativeN/ANot nativeNative — vdb ai-malware — multi-family classifier on package contents
AI-authored malware detectionNot nativeN/AN/ANot nativeN/AN/AN/ANot nativeN/AN/ANot nativeNot nativeNot nativeNot nativeNot nativeNot nativeN/ANot nativeNative — vdb ai-discoveries and ai-in-wild ingestion
Subresource hijack / build-asset poisoningNot nativeCustom queries possibleN/ANot nativeN/AN/AN/ANot nativeN/AN/AVia custom rule packsIndirect — Dockerfile queries on floating tags / latestNot nativeNot nativeNot nativeNot nativeN/ANot nativeNative — IaC rules on floating-tag FROM + mutable Action SHAs

6. Maintainer health & provenance

Per-package signals about who maintains it. Most scanners surface zero of these; Vulnetix surfaces them as inputs to dep-add-guard’s composite ALLOW/WARN/BLOCK verdict.

CapabilityDependabotCodeQLGH SecretsGL DepsGL SASTGL SecretsGL DASTSnyk OSSSnyk SASTgosecSemgrepKICSosv-scannerGrypeTrivyPrismaRuffDep-TrackVulnetix
OpenSSF Scorecard scoreNot surfacedN/AN/ANot surfacedN/AN/AN/ACommercial — limitedN/AN/AN/ANot nativeNot surfacedNot surfacedNot surfacedNot surfacedN/ANot surfacedNative — vdb scorecard per dep
Account age (maintainer’s registry account)Not surfacedN/AN/ANot surfacedN/AN/AN/ANot surfacedN/AN/AN/ANot nativeNot surfacedNot surfacedNot surfacedNot surfacedN/ANot surfacedNative — sub-input to package-search + dep-add-guard
2FA enrolment checkNot surfacedN/AN/ANot surfacedN/AN/AN/ANot surfacedN/AN/AN/ANot nativeNot surfacedNot surfacedNot surfacedNot surfacedN/ANot surfacedNative — registry-2FA verification per maintainer
Prior-commits / publish-history signalNot surfacedN/AN/ANot surfacedN/AN/AN/ANot surfacedN/AN/AN/ANot nativeNot surfacedNot surfacedNot surfacedNot surfacedN/ANot surfacedNative — abandonment / cadence-anomaly detection
Cosign verification of upstream artefactNot surfacedN/AN/ANot surfacedN/AN/AN/ANot surfacedN/AN/AN/ANot nativeNot surfacedNot surfacedNot surfacedNot surfacedN/ANot surfacedNative — verifies registry-signed packages where signing exists
Pre-add risk gate (composite ALLOW / WARN / BLOCK)Auto-MR is a post-add gateN/AN/ANot nativeN/AN/AN/ANot nativeN/AN/AN/ANot nativeNot nativeNot nativeNot nativeNot nativeN/ANot native — runs on SBOMs already produced (post-add); Policy violations (FAIL state) can gate CI after the factNative — vulnetix:dep-add-guard composes vuln history + AI-malware + license + EOL + maintainer-health + version-lag into one verdict

7. Lifecycle / EOL

See the EOL appendix for the SSVC mapping (EOL → NO_PATCHSPIKE_EFFORT migration).

CapabilityDependabotCodeQLGH SecretsGL DepsGL SASTGL SecretsGL DASTSnyk OSSSnyk SASTgosecSemgrepKICSosv-scannerGrypeTrivyPrismaRuffDep-TrackVulnetix
Per-dep EOLNot native — cross-reference endoflife.dateN/AN/ANot nativeN/AN/AN/ACommercial tier signalN/AN/AN/ANot nativeNot nativeInferred — “no fix in feed” is a weak signalNot native — cross-reference endoflife.dateIndirect — Intelligence Stream surfaces deferred status for EOL vendor patchesN/AIndirect — AGE and VERSION_DISTANCE policy conditions (v4.14.0) flag outdated components; no advisory EOL dataNative — lifecycleStage per dep in VDB; vulnetix:eol-check skill
Per-runtime EOL (Python / Node / Java / Go / .NET)Not nativeN/AN/ANot nativeN/AN/AN/ACommercialN/AN/AN/ANot nativeNot nativeNot nativeNot nativeNot nativeIndirect — UP (pyupgrade) rules flag legacy-Python idioms but do not surface runtime EOL datesNot nativeNative — runtime EOL data + --block-eol CI gate
Per-container-base-image EOLNot nativeN/AN/AIndirect — via container scannerN/AN/AN/ACommercial — Snyk ContainerN/AN/AN/AIndirect — Dockerfile query on outdated FROM images (no advisory data)Not nativeInferred — distro feed signals when patches stopInferred — distro feed signals when patches stopNative — base-image lifecycle in Intelligence StreamN/ANot nativeNative — base-image lifecycle + migration recommendation (UBI / Chainguard / distroless)
Safe-harbour recommended versionImplicit in auto-MR targetN/AN/AImplicit in solutionN/AN/AN/AupgradePath[]N/AN/AN/ANot nativeNot nativeNot nativeImplicit in FixedVersion fieldImplicit in status: "fixed in N.N.N"N/ANot native — VERSION_DISTANCE flags outdated but does not propose a targetNative — vulnetix:safe-version returns CVE-free newest version honouring --max-major-bump
--max-major-bump policyNot nativeN/AN/ANot nativeN/AN/AN/ANot nativeN/AN/AN/ANot nativeNot nativeNot nativeNot nativeNot nativeN/ANot nativeNative — bump-budget enforcement

8. Patching & remediation depth

Auto-MR generation is table-stakes for SCA tools; everything below is the depth beyond it.

CapabilityDependabotCodeQLGH SecretsGL DepsGL SASTGL SecretsGL DASTSnyk OSSSnyk SASTgosecSemgrepKICSosv-scannerGrypeTrivyPrismaRuffDep-TrackVulnetix
Auto-MR / Auto-PRNative — flagship featureNot native (SAST findings don’t auto-PR)Push-protection (blocks the secret)GitLab Auto-Merge MRsNot nativeNot nativeNot nativeCommercial — Snyk Fix PRsNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot native — emit JSON for CI to consumeCommercial — Prisma Cloud integrations (Jira / ticket creation, not direct PR)Not native — autofix rewrites source locally (ruff check --fix); no PR generation. opa-py-ruff preserves the ruff_fix metadata but Vulnetix CLI does not auto-applyNot native — Jira ticket creation + webhook notifications onlyNative — /vulnetix:fix + sub-agent dep-upgrade-orchestrator
Upgrade-path datafirstPatchedVersion.identifierN/AN/Asolution free-textN/AN/AN/AupgradePath[] with index alignment to from[]N/AN/AN/ANot nativeOSV affected.ranges.events.fixedvulnerability.fix.versions[]FixedVersion field per findingstatus field — "fixed in N.N.N" / "not fixed" / "deferred"N/ALimited — surfaces latest known version via repository metadataNative — vdb fixes + vdb remediation plan with per-registry / upstream / distro / workaround tracks
Conflict-resolution multi-strategyNot native (single-bump attempt)N/AN/ANot nativeN/AN/AN/ALimitedN/AN/AN/ANot nativeNot nativeNot nativeNot nativeNot nativeN/ANot nativeNative — sub-agent safe-harbor-resolver: single bump → override → safe-harbour inline → workaround + detection
Inline-as-first-party-code (safe-harbour inline)Not nativeN/AN/ANot nativeN/AN/AN/ANot nativeN/AN/AN/AN/ANot nativeNot nativeNot nativeNot nativeN/ANot nativeNative — inline-source option in vulnetix:fix
Workaround / mitigation recommendationNot surfacedN/AN/ANot surfacedN/AN/AN/ACommercial — partialN/AInline #nosec suppression with optional -- justificationN/Aexpected_value vs actual_value strings per findingNot surfacedNot surfacedMisconfigurations[].Resolution field carries the fix recipe; vuln workarounds not surfacedCommercial — Console suggests Defender runtime rulesPer-rule help_uri to docs.astral.sh — narrative-onlyAnalysisResponse enum records the recommendation (CAN_NOT_FIX / WILL_NOT_FIX / UPDATE / ROLLBACK / WORKAROUND_AVAILABLE / NOT_SET); platform does not author the workaroundNative — vdb workarounds + vdb remediation returns CWE-specific defensive strategies
Per-package-manager verification commandsNot nativeN/AN/ANot nativeN/AN/AN/ANot nativeN/AN/AN/AN/ANot nativeNot nativeNot nativeNot nativeN/ANot nativeNative — vulnetix:remediation emits per-ecosystem verify commands
Patch path data (registry / upstream commit / distro patch)Registry onlyN/AN/ARegistry onlyN/AN/AN/ARegistry + commercial upstreamN/AN/AN/AN/ARegistry + distroDistro (OS layer) + registryRegistry + distroRegistry + distro (via Intelligence Stream)N/ARegistry only (latest-version metadata from repository providers)All three — registry + upstream commit URLs + distro patch metadata

9. Container scanning depth

Where the two scanning models matter most. Vulnetix’s drawback is explicit on the “Image-binary scanning” row.

CapabilityDependabotCodeQLGH SecretsGL DepsGL SASTGL SecretsGL DASTSnyk OSSSnyk SASTgosecSemgrepKICSosv-scannerGrypeTrivyPrismaRuffDep-TrackVulnetix
Image-binary scanning (extract OCI layers, walk filesystem)Not nativeNot nativeNot nativeVia separate GitLab Container Scanning analyserNot nativeNot nativeNot nativeCommercial — Snyk ContainerNot nativeN/ANot nativeNot nativeNative — osv-scanner --image since 2024Native — flagship via syftNative — flagship; OCI layer extract + filesystem walkNative — flagshipNot nativeNot native — delegates to external Trivy server (since v4.12.0)Not native — reads OCI manifest’s package list, or operates on a pre-extracted filesystem; pair with Grype, Trivy, or Prisma for image-binary scans
Unpacked-layer scanning (filesystem walk on extracted image)Not nativeNot nativeNot nativeIndirectNot nativeNot nativeNot nativeCommercial — partialNot nativeN/ANot nativeNot nativeNative — dir: modeNative — dir: modeNative — trivy fs on an extracted imageNative — via filesystem walkNot nativeNot nativeNative — primary container model
Runtime scanning (live container monitoring)Not nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeCommercial — Snyk RuntimeNot nativeN/ANot nativeNot nativeNot nativeNot nativeNot nativeNative via Prisma Defender (DaemonSet / host agent / serverless extension)Not nativeNot nativeNot native — orthogonal domain (Falco / Tetragon territory)
OCI-manifest package list (read manifest’s content list, not its layers)Not nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeN/ANot nativeNot nativeNot nativeNot nativeNot native — extracts layersNot native — extracts layersNot nativeIndirect — only if upstream tool emitted one in the SBOMNative — Vulnetix’s primary container ingest path
Multi-stage build awarenessNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeCommercial — partialNot nativeN/ANot nativeNative — Dockerfile multi-stage queriesNot nativeNative — runtime-image distinction, --target=runtime recommendationInferred — surfaces artefacts in any stage scanned; recommend scanning the runtime stagePartial — depends on which image is scannedNot nativeNot nativeNative — Class-C leakage detection + pivot to SCA workflow
Class A (OS-package) identificationNot nativeNot nativeNot nativeVia container analyserNot nativeNot nativeNot nativeCommercialNot nativeN/ANot nativeNot nativeNative via image-scan — broad distro coverageNative — dpkg-matcher/apk-matcher/rpm-matcherNative — os-pkgs Class with deb / apk / rpm Type discriminationNative — broad distro coverageNot nativeIndirect — via ingested Trivy / syft SBOMsNative — distro-feed cross-reference
Class B (language-ecosystem) identificationN/ANot nativeNot nativeVia container analyserN/ANot nativeNot nativeCommercialN/AN/AN/ANot nativeNative via image-scan — lockfile inside the imageNative — javascript-matcher/python-matcher/java-matcherNative — lang-pkgs Class with npm / pip / gomod / maven Type discriminationNative — language ecosystem matching via pkgsTypeNot nativeIndirect — via ingested SBOMsNative — pivots to SCA workflow with the manifest path
Class C (multi-stage leakage) detectionNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeCommercial — partialNot nativeN/ANot nativeIndirect — Dockerfile static rules adjacent to leakageInferred — surfaces artefacts in any stage scannedNative — recommends --target=runtime buildsInferred — surfaces artefacts in any stage scannedNot native — recommend scanning the runtime targetNot nativeNot nativeNative — pivots to SCA on the source manifest
Class D (vendored OS-package) detectionNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeN/ANot nativeNot nativeIndirect — package surfaces if installedNative — via docker history archaeologyIndirect — package surfaces if installed via dpkg -iIndirect — via image historyNot nativeNot nativeNative — IaC + Dockerfile rule on COPY *.deb
Dockerfile static rules countNot nativeCustom queriesNot nativeVia container analyserNot nativeNot nativeNot nativeCommercial — partialNot nativeN/AVia hadolint-style rule packsNative — large built-in Dockerfile query setNot nativeNot nativeNative — trivy config Dockerfile rule set (DS001..DS031) + optional Vulnetix opa-aquasecurity-trivy Rego port~200 CIS / NIST 800-190 rules (closed catalogue)Not nativeNot nativeNative — 8 first-party rules (VNX-DOCKER-001..008)
Multi-architecture (amd64 / arm64) handlingNot nativeNot nativeNot nativePer-platform scanNot nativeNot nativeNot nativeCommercial — per-platformNot nativeN/ANot nativeNot nativeNative — per-architecture image scansNative — per-architecture index entryNative — per-architecture image scansNative — per-architecture image scansNot nativeInferred — per-SBOM uploadNative — manifest list awareness
Distroless / scratch handlingNot nativeNot nativeNot nativeLimited — no OS feedNot nativeNot nativeNot nativeCommercial — distroless catalogueNot nativeN/ANot nativeNot nativeNative — file-walk works on distrolessNative — file-walk works on distrolessNative — file-walk works on distrolessNative — filesystem walk works on distrolessNot nativeIndirect — if upstream tool produced an SBOMNative — VDB has Google distroless / Chainguard Wolfi / RH UBI catalogues

10. SAST / IaC / Secrets depth

CapabilityDependabotCodeQLGH SecretsGL DepsGL SASTGL SecretsGL DASTSnyk OSSSnyk SASTgosecSemgrepKICSosv-scannerGrypeTrivyPrismaRuffDep-TrackVulnetix
SAST engine typeN/ACall-graph + taint (data-flow library)N/AN/AMulti-analyser (Semgrep + bandit + gosec + brakeman + spotbugs)N/AN/AN/ATaint (Snyk Code intermediate representation)AST pattern-match + SSA + intra-procedural taint (G7xx)Pattern-match (OSS) / Taint (Pro)N/A (not a code-SAST)N/AN/AN/A (not a code-SAST)N/APattern + AST (Rust, Ruff) / regex on file content (opa-py-ruff Rego port for Vulnetix CLI)N/APattern-match + semantic enrichment
SAST language coverageN/AC/C++, C#, Go, Java/Kotlin, JS/TS, Python, Ruby, Swift, GitHub ActionsN/AN/APer-analyser breadth; ~25 languages combinedN/AN/AN/AC/C++, C#, Go, Java/Kotlin, JS/TS, Python, PHP, Ruby, Scala, Swift, ApexGo only~30+ languages via rule packsN/AN/AN/AN/AN/APython only (.py, .pyw)N/AJava, Python, Go, Node.js, PHP, Ruby, .NET (representative rules)
SAST custom-rule authoringN/ACodeQL query language (Datalog-derived)N/AN/AVia Semgrep rulesN/AN/AN/ALimited — closed engineNot native — rule additions require Go contributions upstream (or Vulnetix opa-gosec Rego port)YAML pattern rulesNative — Rego queries (Open Policy Agent)N/AN/AN/AN/AUpstream Ruff rules are Rust-only (closed authoring); opa-py-ruff exposes the ported rules as editable Rego files under rules/N/ALimited — rule additions via VDB
IaC formats coveredN/ALimited — via custom queriesN/AN/ALimited — Semgrep IaC packsN/AN/ACommercial — Terraform, CloudFormation, Kubernetes, Helm, PulumiN/AN/ATerraform, Kubernetes, Dockerfile via rule packsNative — 20+ platforms (Terraform / OpenTofu / Kubernetes / Helm / CloudFormation / ARM / Bicep / Ansible / Pulumi / Crossplane / OpenAPI / GitHub Workflows / Serverless / SAM / CDK / Knative / Docker / Compose / Buildah / Databricks / NIFCloud / TencentCloud)N/AN/ANative — Terraform / CloudFormation / Kubernetes / Helm / Dockerfile / Azure ARM (via trivy config)Terraform / CloudFormation / Kubernetes / Helm / Docker ComposeN/AN/ANative — Terraform / OpenTofu / Nix / k8s / Helm / Dockerfile
IaC rules countN/ACustomN/AN/APer-packN/AN/ACommercial — hundredsN/AN/A1000s via Semgrep registryNative — large built-in query library (hundreds of Rego queries across all platforms)N/AN/AHundreds — built-in policies (Defsec / Misconfig DB) + optional opa-aquasecurity-trivy (Rego bundle re-implementing intent inside Vulnetix CLI)~hundreds (CIS Benchmark + commercial pack)N/AN/A8 first-party Terraform rules (VNX-TF-001..008) + Nix flake handling + optional opa-checkmarx-kics pack (~205 KICS-shaped rules: 48 Dockerfile, 14 Ansible-AWS, 16 Terraform-AWS, 127 Terraform Azure/GCP) via --rule Vulnetix/opa-checkmarx-kics
Secrets signature breadthN/AN/ANative — GitHub Secret Scanning catalogue (300+ providers)N/AN/Agitleaks ruleset (~100 providers)N/AN/AN/ALimited — G101 hardcoded-credentials heuristic + G117 marshalling exposureCustom rule packsNative — regex-based secrets queries (on by default; --disable-secrets to opt out)N/AFile-pattern matcher only~100 providers — gitleaks-style rulesetNarrow — AWS / GitHub / generic regex (~30 patterns)Partial — flake8-bandit S1xx hard-coded credential rules only; no token-provider patternsN/ANative — AWS / GitHub PAT / Slack / Stripe / GCP / Azure / Twilio / SendGrid / JWT / generic entropy
Secrets git-history scanningN/AN/ANative — scans entire repo history on enrolmentN/AN/ANative — gitleaks scans historyN/AN/AN/ANot nativeCustomNot native (current tree only)N/ANot nativeNot native — current-tree onlyNot native — current tree onlyNot nativeN/ANative — vulnetix:secret-scan --staged-only for pre-commit, full repo otherwise
Secrets validation (live token check)N/AN/ANative — validity: active/inactive/unknown for major providersN/AN/ANot nativeN/AN/AN/ANot nativeNot nativeNot nativeN/ANot nativeNot nativeNot nativeNot nativeN/ANative — token-validity probe
Secrets custom-rule supportN/AN/ALimited — partner-program providersN/AN/AVia custom gitleaks configN/AN/AN/AVia opa-gosec Rego rulesNative — rule packsNative — --secrets-regexes-path for custom regex configN/ANot nativeVia custom --secret-config (regex rule pack)Native — Console rule editorVia custom Ruff rules (not supported upstream) / via custom Rego in opa-py-ruffN/ANative — VDB pattern registry

11. Output formats

CapabilityDependabotCodeQLGH SecretsGL DepsGL SASTGL SecretsGL DASTSnyk OSSSnyk SASTgosecSemgrepKICSosv-scannerGrypeTrivyPrismaRuffDep-TrackVulnetix
JSONREST / GraphQL via gh apiSARIF (JSON encoding)RESTgemnasium Security Report JSONPer-analyser JSON + SARIFgitleaks JSONZAP JSONNativeNativeNative — flagshipNativeNative — flagship formatNativeNative — richNative — rich (-f json)Native — richNative — --output-format json / json-linesNative — REST API JSON + Finding Packaging Format (FPF) round-tripNative — rich, multi-tool aggregation
SARIF dialectVia Code Scanning API (flat)Rich — codeFlows[] + partialFingerprints + security-severity numericVia Code Scanning API (limited)Native — via analyserNative — varies per analyserLimitedLimitedFlat (SCA)codeFlow + properties.snykNative (-fmt sarif) — flat (no codeFlows)OSS flat / Pro codeFlowNative — --report-formats sarif (flat)FlatFlat (-o sarif)Native — -f sarif (flat; no codeFlows[])Native (--output-format sarif)Native — --output-format sarif (flat; no codeFlows[])Not native — emits CycloneDX VEX / VDR insteadRich — properties.security-severity numeric + Vulnetix rule metadata
CycloneDX SBOMNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNative — --report-formats cyclonedx (--bom enrichment)Not nativeVia syft companion (1.4 / 1.5 / 1.6)Native — -f cyclonedx (1.4 / 1.5 / 1.6)Native — 1.4 via twistcli sbomNot nativeNative — emits v1.5; ingests up to v1.6 (v4.11.4+)Native — 1.4 / 1.5 / 1.6 / 1.7
SPDX SBOMNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeVia syft companion (2.2 / 2.3)Native — -f spdx / -f spdx-json (2.2 / 2.3)Not nativeNot nativeNot native (convert SPDX to CycloneDX before upload)Native — 2.2 / 2.3 / 3.0
CycloneDX VEX emitNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot native (consumes only via --vex)Not nativeNot nativeNative — flagship VEX emitter; per-project + portfolioNative — vulnetix:vex-publish (auto-picks for PURL-backed findings)
OpenVEX emitNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot native (consumes only via --vex)Not nativeNot nativeNot nativeNative — vulnetix:vex-publish (auto-picks for non-PURL findings)
HTML / Markdown / PDF reportVia UI onlyVia UI onlyVia UI onlyVia UI / pipeline artefactVia UIVia UIVia UIVia UI + CLI HTMLVia UI + CLI HTMLHTML via -fmt html; text/golint / sonarqubeMarkdown / SARIFNative — html / pdf (plus CSV / SonarQube / CodeClimate / ASFF formats)Table / MarkdownTable / MarkdownNative — template-driven (-f template --template ...) for HTML / Markdown / tableConsole UINot native — concise / full / grouped text formatsVia SPA UI onlyNative — Markdown summaries + compliance bundle
GitLab gemnasium JSONNot nativeNot nativeNot nativeNative — flagship formatNative — per analyserNative — per analyserNative — per analyserNot nativeNot nativeNot nativeNot nativeNative — --report-formats glsastNot nativeNot nativeNative — -f gitlab codeclimate-shaped JSON for GitLab Container Scanning ingestionNot nativeNative — --output-format gitlabNot nativeNot native — emit via SARIF pivot
GitHub Code Scanning ingestNative — primary surfaceNative — primary surfaceNative — secret-scanning surfaceNot native (GitHub-only)Not nativeNot nativeNot nativeVia SARIF uploadVia SARIF uploadVia SARIF uploadVia SARIF uploadVia SARIF uploadVia SARIF uploadVia SARIF uploadVia SARIF uploadVia SARIF uploadVia SARIF upload (--output-format sarif); native --output-format github for Actions annotationsNot native — official GH Action uploads SBOM to D-Track, not findings to Code ScanningVia SARIF upload
JUnit XML (CI ingestion)Not nativeNot nativeNot nativeNative — per analyserNative — per analyserNativeNativeCLI optionCLI optionNative (-fmt junit-xml)NativeNative — --report-formats junitNot nativeNot nativeNative — -f junitNativeNative — --output-format junitNot nativeNative — for --exit-code gating
STIX 2.1 IOC exportNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot native — Defender IOCs are proprietaryNot nativeNot nativeNative — vulnetix:ioc-pivot --format=stix
Mermaid threat-model graphsNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNative — vulnetix:exploits flowcharts

12. VEX, triage memory & detection-rule generation

Where the triage decision lives once you’ve made it, plus what non-code mitigation the tool can synthesise.

CapabilityDependabotCodeQLGH SecretsGL DepsGL SASTGL SecretsGL DASTSnyk OSSSnyk SASTgosecSemgrepKICSosv-scannerGrypeTrivyPrismaRuffDep-TrackVulnetix
VEX consumption (suppression loop)Not nativeVia dismissal API (orthogonal)Via resolution statusVia dashboard dismissalVia dashboard dismissalVia dashboard dismissalVia dashboard dismissalNot nativeNot nativeInline #nosec only — per-rule, not file-basedInline nosemgrep: suppressionNative — -x / --exclude-results by similarity_idNative — osv-scanner.toml ignore rulesNative — --vex flagNative — --vex flag (consumes CycloneDX VEX and OpenVEX); legacy .trivyignore flat-file alternativeNot file-based — Console exception UI / policy API (proprietary)Inline # noqa: <rule-code> suppression + [tool.ruff.lint.per-file-ignores] in pyproject.tomlNative — CycloneDX VEX ingest auto-applies to AnalysisState / Justification / Response; round-trips cleanlyNative — .vulnetix/memory.yaml + re-scan suppression
VEX consumption formatProprietary (dashboard state)ProprietaryProprietaryProprietaryInline #nosec comments with optional -- justificationInline commentsSimilarity-ID list (proprietary; not OpenVEX)Proprietary TOML (ignore-rule shape, not strict OpenVEX)OpenVEX onlyCycloneDX VEX + OpenVEX (auto-detected)Proprietary (Console policy / exception)Inline source comments / TOML config (not OpenVEX)CycloneDX VEX only (no OpenVEX, no CSAF)OpenVEX + CycloneDX VEX + memory.yaml
Triage memory mechanismGitHub alert state (per-repo)GitHub alert stateGitHub alert stateGitLab Vulnerability Dashboard (per-project)GitLab dashboardGitLab dashboardGitLab dashboardSnyk Monitor SaaS dashboardSnyk Monitor SaaS dashboardInline source comments (#nosec annotations)Inline source commentsNone — re-scan suppression via similarity_id onlyosv-scanner.toml — file-based ignore rules with reason / expiry / vulnerability-id / ecosystem filtersNone.trivyignore flat-file (legacy) or external VEX file — no built-in audit historyPrisma Console SaaS dashboard (per-tenant)Inline # noqa + pyproject.toml per-file-ignores — committed to repo, no audit trailPostgreSQL — AnalysisState + AnalysisJustification + AnalysisResponse + comments + suppression per (project, component, vulnerability); full audit trail in DB.vulnetix/memory.yaml — file-based, committed to repo, append-only history[]
Cross-scan deduplicationAlert number stabilitySARIF partialFingerprintsAlert numberDashboard finding-ID UUIDPer-analyser fingerprintsFingerprintsFingerprintsSnyk finding fingerprintSnyk finding fingerprintNot nativeextra.fingerprintsimilarity_id per findingPer-vuln IDPer-match purl+idVulnerabilityID + PkgIdentifier.PURLConsole finding-IDStable Ruff rule code + path:line:col(project, component PURL, vulnerability ID) tripleStable aliases[] + memory.yaml row identity
Engineer Triage outcome recordingNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNative — AnalysisState ∈ {EXPLOITABLE, IN_TRIAGE, FALSE_POSITIVE, NOT_AFFECTED, RESOLVED, NOT_SET}; CycloneDX VEX-shaped justificationsNative — decision.choice ∈ {fix-applied, risk-accepted, deferred, mitigated, inlined, risk-avoided, not-affected, risk-transferred}
Coordinator decision recordingNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot native (no SSVC field)Native — surfaced from VDB into memory.yaml
Snort / Suricata signature generationNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot native — Defender uses closed runtime formatNot nativeNot nativeNative — vdb snort-rules get <CVE> + vulnetix:detection-rules
YARA rule generationNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNative — vdb yara-rules
Nuclei template generationNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNative — vdb nuclei get <CVE>
Sigma rule generationNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNative — see Sigma rules guide
ModSecurity / WAF rule generationNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot native — Prisma WAAS is a separate productNot nativeNot nativeNative — see ModSecurity rules guide
Traffic-filtersNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeDefender runtime ruleset (closed format)Not nativeNot nativeNative — vdb traffic-filters <CVE>
IOC export (STIX 2.1 / SIEM-ready)Not nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeConsole webhook → SIEM (proprietary)Not nativeNot native — Webhook → SIEM payloads carry finding JSON onlyNative — for Splunk / Sentinel / Cortex / Tines ingestion

13. Compliance, integration & licensing

CapabilityDependabotCodeQLGH SecretsGL DepsGL SASTGL SecretsGL DASTSnyk OSSSnyk SASTgosecSemgrepKICSosv-scannerGrypeTrivyPrismaRuffDep-TrackVulnetix
Cosign signing of outputsNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot native — external post-processing step requiredNative — compliance-bundler sub-agent signs SBOM + SARIF + VEX bundles
in-toto attestationsNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNative — SLSA-style provenance metadata in bundles
SLSA provenanceNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNative — bundle level satisfies SLSA Level 2/3 evidence shape
Compliance bundle (SBOM + SPDX + SARIF + VEX + cosign + manifest)Not nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot native — Console dashboards insteadNot nativePartial — emits CycloneDX VDR (Vulnerability Disclosure Report — SBOM + vulns + analysis state in one CycloneDX document); not signed, no manifest.jsonNative — compliance-bundler agent emits ZIP with manifest.json + SHA-256 sums + Markdown index
GitHub Actions / GitLab CI / Jenkins integrationNative (GitHub)Native (GitHub Actions; CI elsewhere via CLI)Native (GitHub)Native (GitLab CI)Native (GitLab CI)Native (GitLab CI)Native (GitLab CI)Native — all major CIsNative — all major CIsNative — GitHub Actions (securego/gosec@v2), GitLab CI, Bazel nogo analyzerNative — all major CIsNative — GitHub Actions / GitLab CI / Jenkins / CircleCI / Azure Pipelines / Bitbucket Pipelines (documented)Native — all major CIsNative — all major CIsNative — all major CIs (official aquasecurity/trivy-action)Native — all major CIsNative — official astral-sh/ruff-action; standard CI invocation everywhere elseNative — official Jenkins plugin + official dependency-track/gh-upload-sbom-action; GitLab CI via REST curlNative — all major CIs + per-step hook gates
Pre-commit / git hooksNot nativeNot nativePush-protection blocks the commitNot nativeNot nativePush-protection (commercial)Not nativeCLI hook recipe (manual)CLI hook recipe (manual)Community hook (not first-party)Native — semgrep --pre-commitRecipe (manual; Docker image)CLI hook recipe (manual)CLI hook recipe (manual)Native — official aquasecurity/trivy pre-commit hookCLI hook recipe (manual)Native — official astral-sh/ruff-pre-commit repoNot native — server-side platform; no client-side hooksNative — pre-commit-scan.sh, manifest-edit-scan.sh, dockerfile-edit-gate.sh, dep-install-gate.sh, git-push-gate.sh
IDE extensionsGitHub IDE plugins (limited)Via GitHub IDE plugins + CodeQL CLIVia GitHub IDE pluginsVia GitLab Workflow extensionSameSameSameNative — Snyk plugins for VS Code / IntelliJ / Eclipse / Eclipse Theia / Visual StudioSame as Snyk OSSNot nativeNative — Semgrep extension for VS Code / IntelliJ / VimCommunity VS Code extensionNone — CLI onlyNone — CLI onlyNative — first-party VS Code / IntelliJ extensionsPrisma IDE plugin (limited — VS Code / IntelliJ)Native — first-party LSP (ruff server) wired into VS Code / Cursor / Zed / PyCharm / Neovim / Helix / SublimeNot nativeVia AI Coding Agent — Claude Code / Cursor / Windsurf / Copilot / Gemini / Codex / Augment / Cline / Amazon Q / OpenHands / Codebuddy / Cortex / Qoder / Qwen / Kiro / iFlow
AI Coding Agent slash-commandsNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeVia Vulnetix opa-gosec Rego port + vulnetix sast skillNot nativeNot nativeNot nativeNot nativeNot nativeNot nativeIndirect — opa-py-ruff rule pack is consumed by vulnetix:sast-scan; otherwise CLI-onlyNot nativeNative — 33+ skills + 7 sub-agents + 30+ hooks; see AI Coding Agent
REST / GraphQL APIREST + GraphQL via gh apiREST via gh apiREST via gh apiGitLab RESTGitLab RESTGitLab RESTGitLab RESTREST + Snyk APIREST + Snyk APINot native — CLI onlyREST (commercial) + Semgrep app APINot native (CLI only)Not native (CLI only)Not native (CLI only)Not native (CLI only)Native — Console REST APINot native (CLI / LSP only)Native — OpenAPI REST API is the canonical interface; all UI features routed through itREST API + CLI + AI Coding Agent skill wrappers
Tool licenseClosed (free for repos)Free public / GHAS commercial privateClosed (free)GitLab tiers (Free / Premium / Ultimate)SameSameSameCommercial — free tier with test capsCommercialApache-2.0 OSSLGPL-2.1 OSS / commercial Pro tierApache-2.0 OSSApache-2.0 OSSApache-2.0 OSSApache-2.0 OSSCommercial — Prisma Cloud licence requiredMIT (Ruff) / Apache-2.0 (opa-py-ruff Vulnetix rule pack)Apache-2.0 OSS — OWASP Flagship ProjectCommercial — free / Vulnetix Pro / Enterprise tiers; AI Coding Agent plugin Apache-2.0 OSS
Free-tier feature setFull SCA + auto-MRs (public + private)Full on public repos; private requires GHASFull on public; partner program for org-wideGitLab Free has dep scanning; SAST + DAST in higher tiersSameSamePremium+ onlyMonthly test caps + open-source projectsSameFully OSSFull OSS engine; cloud features behind loginFully OSSFully OSSFully OSSFully OSSTrial only — no permanent free tierFully OSS — all rules + all output formatsFully OSS — every feature free; only VulnDB / Snyk external analyzer subscriptions cost extraAI Coding Agent + CLI + most VDB queries free; advanced enrichment and bulk-triage in paid tier
Self-host vs SaaSSaaS only (GitHub.com / GHE)SaaS — runs in Actions / GHESaaS onlyBoth — GitLab.com or self-hostBothBothBothBoth — Snyk SaaS or on-prem (commercial)BothSelf-host (CLI binary)Both — local CLI or Semgrep CloudSelf-host (CLI binary / Docker image)Self-host (CLI binary)Self-host (CLI binary)Self-host (CLI binary); Aqua Platform SaaS for the commercial tierBoth — Console SaaS or on-premSelf-host only (CLI binary + LSP)Self-host only — Docker / Compose / Swarm / Helm / JAR (PostgreSQL or MSSQL backend)Both — local CLI / hosted VDB / on-prem deployment

Database quality tiers

The matrix’s “Database quality tier” row uses a five-tier scale. Tiers below shape what your scanner can detect — a scanner reading CVE/NVD only is missing half the ecosystem advisories.

TierCoverageVerdictTools
CVE/NVD onlyNIST-curated CVE records, often weeks behind ecosystem advisoriesInsufficient(Tools at this tier are increasingly rare; most modern scanners aggregate at least GHSA.)
CVE + GHSA+ npm, pip, Maven, NuGet, RubyGems, Composer, Go via GitHub Advisory DBMinimalDependabot
CVE + OSV+ RUSTSEC, PYSEC, GO, MAL/Malicious-Packages, plus broad distro coverage (Alpine, Debian, Ubuntu, RHEL, Rocky, Alma, SUSE, Fedora, Mageia, Chainguard, Wolfi, Bitnami, Curl, Android, Linux kernel) and ecosystem aggregation via the OSV aggregatorSufficient — nearly comprehensive at the source levelosv-scanner
Commercial-curated + exploit-intelCommercial feed blending NVD + GHSA + distro feeds + first-party exploit-intel via heuristic flags (riskFactors); no AI / sightings / weaponisation enrichmentSufficient + exploit-intel heuristicPrisma Cloud (twistcli)
CVE + OSV + GCVE+ Community-curated GCVE entriesGood coverageNo scanner currently ships this tier.
Vulnetix VDBEvery feed above plus first-party enrichment: x_affectedFunctions, sightings (honeypot + CrowdSec), weaponisation indicators, x_attackPaths, maintainer-health (OpenSSF Scorecard + account age + 2FA), AI-malware families, traffic-filters (Snort/Suricata/Nuclei)Full coverageVulnetix

OSV’s feed coverage is nearly comprehensive at the source level — the “Sufficient” label reflects the absence of first-party AI enrichment (sightings, weaponisation, x_affectedRoutines, attack-paths), not gaps in advisory feeds. For raw “is this CVE in any feed” lookups, osv-scanner ties Vulnetix.

Snyk’s commercial database is a curated catalogue that augments GHSA — broader than CVE+GHSA-only, narrower than OSV. GitLab’s Advisory Database is a similar shape. Both sit between “Minimal” and “Sufficient” depending on advisory. Prisma’s Intelligence Stream sits one tier higher: comparable feed coverage to OSV plus first-party exploit-intel surfaced as riskFactors, but without the enrichment that distinguishes Vulnetix VDB.

How to use the matrix

  • Pick a single scanner for a single feature: read its column straight down; the cells tell you how it covers the row (not just whether).
  • Stack two scanners for breadth: a typical OSS stack is osv-scanner or Grype (container image-binary + OS-package SCA — osv-scanner has the broader OSV-aggregator feed coverage, Grype has tighter integration with syft for SBOMs) + Semgrep (SAST) + KICS (IaC across 20+ platforms) + Vulnetix (enrichment + reachability + VEX + supply-chain detection rules + maintainer-health). A typical commercial stack is Prisma Cloud (twistcli + Defender) (image-binary + runtime feedback loop) + Snyk SAST (call-graph + taint) + Vulnetix (enrichment + VEX). Each covers the others’ gaps.
  • Identify gaps your current stack leaves uncovered: any row where your stack has no native cell is a triage decision being made on partial information. The usual fallback is Vulnetix VDB — which is why most pages on this site reference vulnetix vdb even when a different scanner originated the finding.
  • Vulnetix isn’t best at everything. The two drawback rows are explicit: Vulnetix’s reachability is semantic (not call-graph) — pair with CodeQL or Snyk SAST for precise call-edge questions. Vulnetix’s container scanning is unpacked-layer / OCI-manifest (not image-binary) — pair with Grype, Trivy, or Prisma (twistcli) when the question is “what’s in the binary OCI layers.”

See also

  • VEX overview — the format every scanner page’s worked example produces.
  • SSVC Engineer Triage — the decision framework that consumes the scanner’s data depth.
  • Reachability deep-dive — the three-tier model the Reachability section is graded against.
  • SARIF appendix — the format the SARIF row’s dialects are compared against.
  • Supply-chain threats — what the supply-chain detection table’s tools can and can’t detect.
  • EOL appendix — what the lifecycle table’s tools can and can’t detect.
  • AI Coding Agent — the slash-command layer that wraps the Vulnetix CLI invocations across every IDE.
  • Glossary — definitions for every term used in the matrix.
Vulnetix Code Scanner
Unified SCA / SAST / secrets / containers / IaC scanner — emits CycloneDX 1.7 and SARIF 2.1 natively.
Snyk OSS
Snyk's dependency vulnerability scanner — JSON or SARIF output, SNYK-* identifiers cross-referenced to CVE / GHSA.
Snyk Code (SAST)
Snyk's taint-flow static analysis — SARIF 2.1.0 output with code-flow traces source-to-sink.
gosec (Go Security Checker)
Securego's Go SAST scanner — AST + SSA pattern matching with intra-procedural taint, JSON / SARIF output, CWE-tagged.
GitLab Dependency Scanning
GitLab's first-party dep scanner — runs on every pipeline, JSON artefact with CVE / GHSA cross-references.
GitLab Secret Detection
GitLab's Gitleaks-driven secret scanner — JSON report, fires on token shapes, surfaces in the MR widget.
GitLab DAST
OWASP ZAP under the hood, probes a deployed environment, JSON report with reproducible request/response evidence.
GitHub Dependabot
GitHub's first-party dep scanner — Security tab alerts + auto-upgrade MRs, accessed via GraphQL / REST.
GitHub Secret Scanning
GitHub's first-party secret scanner — partner-token verification, Push Protection, REST + GraphQL access.
GitHub CodeQL
Semantic query-based SAST — extracts a relational model of your code and runs security queries against it.
Grype
Anchore's vulnerability scanner — JSON / SARIF output, native OpenVEX consumption via `--vex`.
Prisma Cloud (twistcli)
Palo Alto Networks Prisma Cloud Compute — twistcli CLI for build-time image / repo / serverless / IaC scans; Prisma Defender for runtime.
Trivy
Aqua Security's polyscanner — SCA + secrets + IaC + SBOM + license in one binary; native VEX consumption (CycloneDX + OpenVEX).
osv-scanner
Google's OSV-database scanner — fast, account-free, native OSV-schema records with cross-feed aliases.
Semgrep / Opengrep
Pattern-matching SAST that reads like the language it scans — and a community fork that drops the cloud licence.
Ruff
Astral's Rust-powered Python linter — 800+ built-in rules plus the Vulnetix opa-py-ruff Rego port that the Vulnetix CLI consumes.
KICS
Checkmarx's open-source IaC scanner — Rego-based queries across 20+ platforms, SARIF + CycloneDX + JSON output.
OWASP Dependency-Track
OWASP Flagship Component Analysis platform — SBOM-consuming, policy-driven, CycloneDX VEX round-tripping.