Translate scanner output into a CycloneDX VEX or OpenVEX statement, one tool at a time.
Each scanner has its own dialect. Snyk’s JSON looks nothing like Grype’s, CodeQL’s SARIF is its own thing, and Dependabot is a UI rather than a file you can grep. These guides cover what each scanner actually produces, which fields drive a triage decision, and how to translate the output into a VEX statement that records what you decided.
Pick the scanner that matches your pipeline. Every guide ends in the same place — either a CycloneDX VEX entry, when the finding ties back to an SBOM component, or an OpenVEX statement, for everything else.
For terminology used on these pages, see the Glossary. If you’d rather not invoke vulnetix vdb and write jq pipelines by hand, the AI Coding Agent plugin wraps every CLI call on this site into slash commands across Claude Code, Cursor, Windsurf, Copilot, Gemini, and a dozen other editors.
A side-by-side qualitative comparison of every scanner on this site, using Vulnetix as the baseline. The matrix is exhaustive — every distinguishing capability gets a row, even ones only one tool has, because the gap is the comparison.
Reading the cells: cells carry short prose rather than ticks. “Native — x_kev.knownRansomwareCampaignUse + x_kev.dueDate” tells you how a capability is implemented; “String label only (Mature/PoC)” tells you what’s missing. Where a fallback exists, the cell names it (e.g. “Not native — cross-reference vulnetix:eol-check or endoflife.date”). N/A means the capability doesn’t apply (a SAST tool has no vulnerability-DB row).
Vulnetix’s drawbacks (called out so the baseline is honest, not a sales pitch):
Column header pattern is identical across every section so you can pick a tool’s column and read straight down:
| Capability | Dependabot | CodeQL | GH Secrets | GL Deps | GL SAST | GL Secrets | GL DAST | Snyk OSS | Snyk SAST | gosec | Semgrep | KICS | osv-scanner | Grype | Trivy | Prisma | Ruff | Dep-Track | Vulnetix |
What scope each scanner covers — the broad question of “can this tool see findings of class X at all?”
| Capability | Dependabot | CodeQL | GH Secrets | GL Deps | GL SAST | GL Secrets | GL DAST | Snyk OSS | Snyk SAST | gosec | Semgrep | KICS | osv-scanner | Grype | Trivy | Prisma | Ruff | Dep-Track | Vulnetix |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| SCA (deps) | Native — lockfile + GHSA matching | N/A | N/A | Native — gemnasium analyser | N/A | N/A | N/A | Native — flagship product | N/A | N/A | N/A | N/A | Native — lockfile + OSV API | Native — SBOM + container OS packages | Native — lockfile + container OS pkgs (combined report) | Native — image / repo / serverless modes | N/A | Native — strictly SBOM-consuming; ingests CycloneDX SBOMs from any upstream tool | Native — every ecosystem + VDB enrichment |
| SCA manifest formats supported | ~15 — npm, pip, Maven, Gradle, NuGet, RubyGems, Composer, Go modules, Cargo, Pub, Mix, Bundler, pip-compile, pipenv, Docker | N/A | N/A | ~12 — npm, pip, Maven, Gradle, NuGet, Composer, RubyGems, Go modules, Cargo, Conan, sbt, yarn | N/A | N/A | N/A | ~14 — npm, pip, Maven, Gradle, NuGet, RubyGems, Composer, Go modules, Cargo, sbt, pipenv, Poetry, yarn, CocoaPods | N/A | N/A | N/A | N/A | ~16 — npm, pip, Maven, Gradle, NuGet, RubyGems, Composer, Go modules, Cargo, Pub, Hex/Mix, CocoaPods, Conan, Bun, pnpm, Poetry + Buildroot / Docker images | ~12 — npm / yarn, pip, Maven / Gradle, NuGet, RubyGems, Composer, Go modules, Cargo, sbt, Hex, OS-pkgs (deb / apk / rpm) | ~13 — npm, pip, Maven, Gradle, NuGet, RubyGems, Composer, Go modules, Cargo, Pub, Conan, Mix, Swift / CocoaPods + OS-pkgs | ~14 — npm / yarn, pip, Maven, Gradle, NuGet, RubyGems, Composer, Go modules, Cargo, sbt, Conan, pipenv, Poetry, Mix + OS-pkgs | N/A | Source-agnostic — ingests any CycloneDX SBOM; effective coverage = whatever the upstream SBOM producer enumerates | Native — every CycloneDX-covered ecosystem: npm, pip, Maven, Gradle, NuGet, RubyGems, Composer, Go modules, Cargo, Pub, Mix / Hex, Conan, CocoaPods, sbt, Bun, pnpm, Poetry, pipenv, Swift PM + OS-pkgs |
| SAST (code) | N/A | Native — flagship; call-graph + taint | N/A | N/A | Native — per-language analysers (Semgrep + bandit + gosec) | N/A | N/A | N/A | Native — Snyk Code; taint flow | Native — Go-only; AST + SSA; intra-procedural taint (G7xx) | Native — pattern-match (OSS) / taint (Pro) | Not native — IaC-focused | N/A | N/A | N/A | Not native | Native — Python only; 800+ built-in Rust rules. Vulnetix opa-py-ruff ports 956 of them to OPA/Rego (478 pattern + 478 AST-only stubs) | N/A | Native — pattern-match + semantic |
| SAST languages supported | N/A | ~10 — C/C++, C#, Go, Java/Kotlin, JS/TS, Python, Ruby, Swift, GitHub Actions | N/A | N/A | ~25 — multi-analyser combined (bandit Python + gosec Go + brakeman Ruby + spotbugs Java + Semgrep packs) | N/A | N/A | N/A | ~11 — C/C++, C#, Go, Java/Kotlin, JS/TS, Python, PHP, Ruby, Scala, Swift, Apex | 1 — Go | ~30+ via rule packs — C/C++, C#, Go, Java/Kotlin, JS/TS, Python, PHP, Ruby, Scala, Rust, Bash, Solidity, Terraform/HCL, … | N/A — IaC, not code-SAST | N/A | N/A | N/A | N/A | 1 — Python | N/A | Native — 7 first-party (Java, Python, Go, Node.js, PHP, Ruby, .NET); OPA/Rego rule-pack-extensible via opa-py-ruff (Python depth) and opa-gosec (Go depth) |
| Container scanning | Not native | Not native | Not native | Adjacent product (GitLab Container Scanning, Trivy-backed) | Not native | Not native | Not native | Commercial tier — Snyk Container | Not native | Not native | Not native | Not native (Dockerfile static rules only — see row below) | Native — osv-scanner --image <image> since 2024 | Native — image-binary via syft | Native — image-binary (OCI layer walk) | Native — image-binary (OCI layer extraction) | Not native | Not native — consumes container SBOMs (syft / Trivy); optionally delegates to an external Trivy server analyzer | Native — OCI-manifest packages OR unpacked filesystem; not image-binary, not runtime |
| Container scan model | — | — | — | Image-binary | — | — | — | Image-binary | — | — | — | — | Image-binary via --image (extracts OCI layers, walks the filesystem) | Image-binary (OCI layer extraction, then filesystem walk) | Image-binary (OCI layer extraction, then filesystem walk) | Image-binary (OCI layer extraction, then filesystem walk) | — | SBOM-only (consumes upstream syft / Trivy output) | Unpacked-layer / OCI-manifest (reads the manifest’s package list, or operates on a pre-extracted filesystem; cannot scan a binary OCI image directly) |
| IaC scanning | Not native | Custom queries possible | Not native | Adjacent product (GitLab SAST-IaC) | Not native | Not native | Not native | Commercial tier — Snyk IaC | Not native | Not native | Via community rule packs | Native — flagship; Terraform / OpenTofu / Kubernetes / Helm / CloudFormation / ARM / Bicep / Ansible / Pulumi / Crossplane / OpenAPI / GitHub Workflows / Serverless / SAM / CDK / Knative / Docker Compose / Buildah / Databricks / NIFCloud / TencentCloud (20+) | Not native | Not native | Native — Terraform / CloudFormation / Dockerfile / Kubernetes / Helm / Azure ARM via trivy config | Native — Terraform / CloudFormation / k8s / Helm | Not native | Not native | Native — Terraform / OpenTofu / Nix / k8s / Helm rules |
| Secrets scanning | Not native | Not native | Native — GitHub Secret Scanning | Not native | Not native | Native — gitleaks analyser | Not native | Not native | Not native | Limited — G101 hardcoded-credentials + G117 marshalling exposure | Via community rule packs | Native — regex-based queries (on by default; --disable-secrets to opt out) | Not native | File-pattern matcher (CPE-style) | Native — gitleaks-equivalent ruleset (~100 patterns), in-image and in-fs | Native — narrow regex set (AWS / GitHub / generic, ~30 patterns) | Partial — S105/S106/S107 flag hard-coded password constants; no entropy or provider-pattern scanning | Not native | Native — AWS / GitHub / Slack / Stripe / generic entropy |
| License compliance | Not native | Not native | Not native | Native — SPDX licence per dep | Not native | Not native | Not native | Native — license advisor | Not native | Not native | Not native | Not native | Native — --licenses flag (license-classification + allowlist) | Indirect — via syft SBOM | Native — license-classification per pkg (--scanners license) | Indirect — via twistcli sbom (CycloneDX 1.4) | Not native | Native — flagship; LICENSE / LICENSE_GROUP policy subjects, copyleft / permissive groups out-of-box, SPDX list 3.27.0 | Native — copyleft conflict + allowlist + 6-step pipeline |
| DAST | Not native | Not native | Not native | Not native | Not native | Not native | Native — ZAP-based | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native — DAST is out of scope for the platform |
| Dockerfile static analysis | Not native | Custom queries | Not native | Via GitLab Container Scanning | Not native | Not native | Not native | Commercial | Not native | Not native | Via community rule packs (hadolint-style) | Native — Dockerfile + Compose + Buildah queries | Not native | Not native | Native — via trivy config (hundreds of Dockerfile rules) | Native — ~200 CIS / NIST 800-190 compliance rules (closed catalogue) | Not native | Not native | Native — 8 Dockerfile rules (VNX-DOCKER-001..008) |
| Mobile (APK / IPA) | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Commercial — Snyk Mobile (limited) | Not native | Not native | Via Mobile rule packs | Not native | Not native | Indirect — APK/IPA file-walk | Not native | Not native | Not native | Indirect — via SBOM if upstream tool produced one | Not native (out of scope) |
| API security (live) | Not native | Not native | Not native | Not native | Not native | Not native | Partial — via DAST | Not native | Not native | Not native | Not native | Not native (static OpenAPI rules only) | Not native | Not native | Not native | Not native — Defender runtime is orthogonal | Not native | Not native | Not native (out of scope) |
| Kubernetes / cloud-config | Not native | Custom queries | Not native | Via GitLab IaC | Not native | Not native | Not native | Commercial — Snyk Cloud | Not native | Not native | Via Kubernetes rule packs | Native — Kubernetes + Helm + Knative + ARM + Bicep queries | Not native | Not native | Native — trivy k8s + trivy aws (live cluster / account scan) | Native — k8s manifests + admission control via Console | Not native | Not native | Native — k8s manifests + Nix flakes via IaC |
The breadth of vulnerability data the scanner consumes shapes everything downstream — see the database quality tiers section for the five-tier scale.
| Capability | Dependabot | CodeQL | GH Secrets | GL Deps | GL SAST | GL Secrets | GL DAST | Snyk OSS | Snyk SAST | gosec | Semgrep | KICS | osv-scanner | Grype | Trivy | Prisma | Ruff | Dep-Track | Vulnetix |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Primary feed | GHSA + curated GitHub Advisory DB | N/A (first-party query packs) | N/A (signatures) | GitLab Advisory DB (GHSA + curated entries) | N/A (rule packs) | N/A (signatures) | N/A (runtime probes) | Snyk Vulnerability DB (curated, augments GHSA) | N/A (first-party rules) | N/A (first-party rules) | N/A (rule packs) | N/A (Rego query library) | OSV.dev aggregator | NVD + GHSA + GitLab DB + distro feeds (USN/Alpine/RedHat/ALAS/Wolfi) | NVD + GHSA + GitLab Advisory DB + RedHat OVAL + Debian Security Tracker + Ubuntu USN + Alpine secdb + Amazon ALAS + Wolfi + Chainguard + OSV | Prisma Intelligence Stream (commercial — NVD + GHSA + distro feeds + first-party exploit intel) | N/A (rule-pack-driven; built-in linter packs) | NVD 2.0 REST + GHSA + OSV + VulnDB (commercial) + Sonatype OSS Index + optional Snyk + optional Trivy server | Vulnetix VDB — every above feed + first-party enrichment |
| Database quality tier | CVE + GHSA (minimal) | N/A | N/A | CVE + GitLab DB (minimal-to-sufficient) | N/A | N/A | N/A | CVE + GHSA + Snyk DB (minimal-plus) | N/A | N/A | N/A | N/A | CVE + OSV (sufficient — nearly comprehensive feed coverage) | CVE + GHSA + distro feeds (sufficient for OS, minimal for ecosystem) | CVE + OSV-equivalent (sufficient — broad distro + ecosystem) | Prisma Intelligence Stream (commercial-curated — sufficient + exploit-intel via riskFactors; no AI / sightings) | N/A | CVE + GHSA + OSV + VulnDB (sufficient — broad aggregation, no first-party enrichment) | Vulnetix VDB (full coverage — only tier with first-party enrichment) |
| OS-distro feeds covered | — | — | — | Via container-scanning analyser | — | — | — | Commercial container | — | — | — | — | Broad — Alpine SecDB, Debian Security Tracker, Ubuntu, RHEL, RockyLinux, AlmaLinux, SUSE, Fedora, Mageia, Chainguard, Wolfi, Bitnami, Curl, Android, Linux kernel via OSV aggregator | Ubuntu USN, Alpine secdb, RedHat, Amazon ALAS, Wolfi, Debian, SUSE | Broad — Debian, Ubuntu, RHEL, Alpine, Amazon ALAS, SUSE, Photon, Oracle, Wolfi, Chainguard | Broad — Debian, Ubuntu, RHEL, CentOS, Alpine, Amazon Linux, SUSE, Photon, Wolfi, Chainguard | — | Indirect — via delegated Trivy analyzer only | Every above + Debian LTS / ELTS, RHEL ELS, Ubuntu ESM |
| Cross-feed aliases | GHSA + CVE | — | — | CVE + GHSA + Snyk + OSVDB | — | — | — | CVE + CWE + GHSA + OSV + Snyk | — | — | — | — | OSV aliases[] (every cross-reference) | NVD relatedVulnerabilities[] | Cross-feed aliases via feed (CVE + GHSA + vendor advisory IDs) | CVE + GHSA + vendor advisory IDs | — | CVE + GHSA + OSV + VulnDB IDs | Vulnetix aliases[] — 78+ ID formats incl. RHSA, MSCVE, EUVD, ZDI, KEV |
| Update cadence | Real-time (GHSA push) | Standard query pack release | Real-time | Daily | Weekly rule-pack | Real-time | N/A | Daily | Weekly | Per release (gosec versioned) | Weekly | Per-release query-library updates | Daily (OSV API) | Daily | Hourly DB updates (Trivy DB OCI artefact) | Real-time (Intelligence Stream push) | Per Astral release (weekly-to-fortnightly) | Daily NVD mirror; incremental OSV (v4.14.0); on-demand external analyzers | Hourly enrichment cycles + real-time KEV / honeypot ingestion |
| First-party enrichment | None — passthrough of GHSA | Query-pack metadata | None | Minimal — severity blend | Rule-pack metadata | None | None | Snyk-curated severity / priorityScore / upgradePath[] | Snyk-curated rule properties | Rule metadata (CWE per rule) | Rule-pack metadata | Query metadata (platform, category, cwe, description_id) | None — verbatim OSV | None — verbatim feed | None — verbatim feed | riskFactors (composite heuristic flag bag), fixDate, layerTime, complianceID | Rule metadata only — ruff_code / ruff_linter / help_uri; opa-py-ruff adds cwe[] on bandit S-rules | None — passthrough; EPSS surfaced; Risk Score weighted-severity aggregation only | x_threatExposure, x_attackSurface, x_ssvc, x_kev, x_epss, x_exploitationMaturity, x_remediationTimeline, x_affectedRoutines, x_attackPaths, x_purls |
How rich is the data attached to each finding? Most of the SSVC Priority input comes from the rows below — a string label gives you less than an integrated multi-source signal.
| Capability | Dependabot | CodeQL | GH Secrets | GL Deps | GL SAST | GL Secrets | GL DAST | Snyk OSS | Snyk SAST | gosec | Semgrep | KICS | osv-scanner | Grype | Trivy | Prisma | Ruff | Dep-Track | Vulnetix |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVSS v3.1 vector | Severity label (no vector) | N/A | N/A | Vector when available | N/A | N/A | N/A | Vector + score | Severity label | Severity label (HIGH/MEDIUM/LOW) — no vector | N/A | N/A | Via OSV severity[] | Via NVD cvss[] | Per-feed vector + score | Native — cvss + vecStr | N/A | Native — vector + score stored on Finding | Vector + score + version-specific re-scoring |
| CVSS v4.0 vector | Not surfaced | N/A | N/A | Not surfaced | N/A | N/A | N/A | Partial (rolling out) | Not surfaced | Not surfaced | N/A | N/A | When OSV carries it | When NVD carries it | When feed carries it | Not surfaced | N/A | Native — added v4.14.0 | Native — v3.1 + v4.0 in parallel |
| EPSS percentile | Not surfaced | N/A | N/A | Not surfaced | N/A | N/A | N/A | Commercial tier | N/A | N/A | N/A | N/A | Per-feed when available | Per-feed when available | Not surfaced | Not surfaced — cross-reference VDB | N/A | Native — surfaced on Finding; available as policy condition since v4.12.0; on GHSA since v4.14.0 | Native — x_epss.score + x_epss.percentile + x_epss.date |
| CISA KEV | Surfaced in some advisories | N/A | N/A | Partial — via cross-reference | N/A | N/A | N/A | Commercial tier | N/A | N/A | N/A | N/A | Via OSV aliases | Via NVD aliases | Not surfaced | Not native — cross-reference VDB | N/A | Not surfaced as first-class — indirect via Trivy / NVD passthrough only | Native — x_kev.knownRansomwareCampaignUse, x_kev.dueDate, x_kev.requiredAction, x_kev.vendorProject |
| EU-KEV | Not surfaced | N/A | N/A | Not surfaced | N/A | N/A | N/A | Not surfaced | N/A | N/A | N/A | N/A | Not surfaced | Not surfaced | Not surfaced | Not surfaced | N/A | Not surfaced | Native — EUVD + ENISA KEV ingestion |
| SSVC Coordinator decision | Not surfaced | N/A | N/A | Not surfaced | N/A | N/A | N/A | Not surfaced | N/A | N/A | N/A | N/A | Not surfaced | Not surfaced | Not surfaced | Not surfaced | N/A | Not surfaced | Native — x_ssvc.decision ∈ {Act, Attend, Track*, Track} + x_ssvc.priority + x_ssvc.inputs + x_ssvc.methodology |
| SSVC Engineer Triage inputs | Not surfaced | N/A | N/A | Not surfaced | N/A | N/A | N/A | Not surfaced | N/A | N/A | N/A | N/A | Not surfaced | Not surfaced | Not surfaced | Not surfaced | N/A | Not surfaced — uses CycloneDX VEX-shaped AnalysisState / AnalysisJustification / AnalysisResponse triad instead | Native — Reachability/Remediation/Mitigation/Priority auto-surfaced; written to .vulnetix/memory.yaml |
| Exploit maturity depth | Boolean — GHSA flag only | N/A | N/A | GitLab DB severity bucket | N/A | N/A | N/A | String label (Mature/Proof of Concept/No Known Exploit) | N/A | N/A | N/A | N/A | OSV database_specific.severity bucket | Severity bucket | Severity bucket only (CRITICAL / HIGH / MEDIUM / LOW / UNKNOWN) | riskFactors heuristic flag bag (Exploit exists / Recent vulnerability / Remote execution) — composite, not categorical | N/A | Not categorical — EPSS numeric only | Native categorical — x_exploitationMaturity.level ∈ {ACTIVE, POC, WEAPONISED, NONE} + sub-factors (EPSS, KEV, CESS, sightings) |
| Weaponisation indicator | Not surfaced | N/A | N/A | Not surfaced | N/A | N/A | N/A | Not surfaced | N/A | N/A | N/A | N/A | Not surfaced | Not surfaced | Not surfaced | Indirect — riskFactors["Exploit exists"] boolean only | N/A | Not surfaced | Native — Metasploit module presence + Nuclei template + autonomous-attack-tool detection |
| Honeypot sightings | Not surfaced | N/A | N/A | Not surfaced | N/A | N/A | N/A | Not surfaced | N/A | N/A | N/A | N/A | Not surfaced | Not surfaced | Not surfaced | Not surfaced | N/A | Not surfaced | Native — x_sightings per CVE (1d / 7d / 30d / 90d averages) |
| CrowdSec community sightings | Not surfaced | N/A | N/A | Not surfaced | N/A | N/A | N/A | Not surfaced | N/A | N/A | N/A | N/A | Not surfaced | Not surfaced | Not surfaced | Not surfaced | N/A | Not surfaced | Native — CrowdSec partner feed |
| Shadowserver scan counts | Not surfaced | N/A | N/A | Not surfaced | N/A | N/A | N/A | Not surfaced | N/A | N/A | N/A | N/A | Not surfaced | Not surfaced | Not surfaced | Not surfaced | N/A | Not surfaced | Native — global-scan-volume signal |
| IOC pivots (IPs / ASNs / geo) | Not surfaced | N/A | N/A | Not surfaced | N/A | N/A | N/A | Not surfaced | N/A | N/A | N/A | N/A | Not surfaced | Not surfaced | Not surfaced | Defender-side runtime IOCs (proprietary), not pre-deploy | N/A | Not surfaced | Native — vulnetix:ioc-pivot skill returns top IPs, ASNs, geo distribution, STIX 2.1 bundle export |
| ATT&CK technique mapping (per-CVE) | Not surfaced | N/A | N/A | Not surfaced | N/A | N/A | N/A | Not surfaced | N/A | N/A | N/A | N/A | Not surfaced | Not surfaced | Not surfaced | Partial — Defender attackType at runtime, not per-CVE pre-deploy | N/A | Not surfaced | Native — x_attackPaths[] carries tactic → technique chain per CVE |
x_affectedRoutines (function-level affected list) | Not surfaced | Indirect — codeFlow location | N/A | Not surfaced | Indirect — codeFlow location | N/A | N/A | functions[] (commercial Deep Test) | Indirect — codeFlow location | Indirect — file/line/column per finding (no codeFlow trace) | Metavar capture in rule | N/A | Not surfaced | Not surfaced | Not surfaced | Not surfaced | Indirect — start_line + matched snippet per finding; no function-level extraction | Not surfaced | Native — deduplicated programRoutines + programFiles + x_affectedFunctions |
x_attackPaths (tactic → technique) | Not surfaced | N/A | N/A | Not surfaced | N/A | N/A | N/A | Not surfaced | N/A | N/A | N/A | N/A | Not surfaced | Not surfaced | Not surfaced | Defender supplies runtime tactic chains; no pre-deploy mapping | N/A | Not surfaced | Native — drives detection-rule selection (Snort / Nuclei / YARA / Sigma) |
| Multi-axis (CWSS-shaped) scoring | Severity label only | N/A | N/A | Severity label only | N/A | N/A | N/A | priorityScore (single composite, 0–1000) | priorityScore (single composite) | Two-axis — severity × confidence (each LOW/MEDIUM/HIGH) | Severity + likelihood + impact strings | Severity label only (CRITICAL / HIGH / MEDIUM / LOW / INFO / TRACE) | Severity label | Severity label | Severity label only | riskFactorsScore (single composite, derived from flag bag) | Rule-defined severity / level (error/warning/info) only; opa-py-ruff carries Vulnetix severity per rule | Risk Score — weighted-severity ((crit*10)+(high*5)+(med*3)+(low*1)+(unassigned*5)); not multi-axis | CWSS composite — technical-impact + exploitability + exposure + complexity + repo-relevance, each 0–100, weighted blend |
| AI-discovered vulnerabilities (researcher leaderboard) | Not surfaced | N/A | N/A | Not surfaced | N/A | N/A | N/A | Not surfaced | N/A | N/A | N/A | N/A | Not surfaced | Not surfaced | Not surfaced | Not surfaced | N/A | Not surfaced | Native — AI-researcher discovery feed, leaderboard, novel-CVE tracking |
| AI-in-the-wild exploitation observations | Not surfaced | N/A | N/A | Not surfaced | N/A | N/A | N/A | Not surfaced | N/A | N/A | N/A | N/A | Not surfaced | Not surfaced | Not surfaced | Not surfaced | N/A | Not surfaced | Native — vdb ai-in-wild, AI-authored exploit observations |
| Vendor-trend month-over-month deltas | Not surfaced | N/A | N/A | Not surfaced | N/A | N/A | N/A | Limited dashboards | N/A | N/A | N/A | N/A | Not surfaced | Not surfaced | Not surfaced | Limited Console dashboards | N/A | Limited — portfolio dashboards | Native — vdb vendor-trends per vendor MoM |
| Exploit-trend rollup | Not surfaced | N/A | N/A | Not surfaced | N/A | N/A | N/A | Limited dashboards | N/A | N/A | N/A | N/A | Not surfaced | Not surfaced | Not surfaced | Limited Console dashboards | N/A | Limited — dashboards | Native — vdb exploit-trends |
| CWE classification | Surfaced when in GHSA | Native — external/cwe/... tags | N/A | Surfaced when in feed | Native — metadata.cwe[] | N/A | Native — ZAP CWE mapping | Native — identifiers.CWE[] | Native — properties.tags | Native — cwe.id + cwe.url per finding | Native — metadata.cwe | Native — cwe field per query | Indirect — via OSV | Surfaced when in feed | Surfaced when in feed | Native — via Intelligence Stream | Partial — upstream Ruff has no CWE field; opa-py-ruff populates metadata.cwe[] on bandit S-rules (e.g. CWE-78 on S602) | Native — CWE is a policy subject + surfaced per finding | Native — x_kev.cwes[] + per-finding CWE + D3FEND countermeasure mapping |
The three-tier model from the reachability deep-dive. The “Tier achieved” row is the headline; the rows below decompose how the tool gets there.
| Capability | Dependabot | CodeQL | GH Secrets | GL Deps | GL SAST | GL Secrets | GL DAST | Snyk OSS | Snyk SAST | gosec | Semgrep | KICS | osv-scanner | Grype | Trivy | Prisma | Ruff | Dep-Track | Vulnetix |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Tier achieved | Tier 1 — package-level | Tier 2 — call-graph + taint | N/A | Tier 1 — package-level | Tier 1–2 — depends on analyser | N/A | Runtime (orthogonal) | Tier 1 default / Tier 2 partial via Deep Test (commercial) | Tier 2 — taint codeFlow | Tier 2 intra-procedural (G7xx SSA taint) / Tier 1 (G1xx–G6xx AST pattern) | Tier 1 pattern-match (OSS) / Tier 2 taint (Pro) | Tier 1 — pattern-match against IaC resource shapes | Tier 1 default; Tier 2 experimental for Go via --experimental-call-analysis | Tier 1 — package-level (linkage check is Tier-1.5 manual) | Tier 1 — package-level (linkage check is Tier-1.5 manual, same recipe as Grype) | Tier 1 — package-level. Defender adds Tier-1.5 runtime evidence (orthogonal axis) | Tier 1 — single-file pattern / AST match | Tier 1 — package / component-level only | Tier 3 — semantic / intent-to-use; not Tier 2 call-graph |
| Static call-graph (CHA / RTA / VTA / pointer) | Not native | Native — CodeQL’s data-flow library builds the graph | N/A | Not native | Per-analyser (some use Semgrep flat) | N/A | N/A | functions[] (commercial) | Native — Snyk Code’s interprocedural graph | Not native — SSA-only, no whole-program graph | Pro mode only | Not native | Experimental — Go call-graph (--experimental-call-analysis) | Not native | Not native | Not native | Not native — single-file AST only | Not native — pair with CodeQL / Snyk SAST and ingest the resulting VEX | Not native — pair with CodeQL or Snyk SAST for precise call-edge questions |
| Taint / dataflow (codeFlow) | Not native | Native — codeFlows[] in SARIF | N/A | Not native | Pro / Semgrep-based analysers | N/A | N/A | Limited via functions[] | Native — codeFlow in SARIF | Native for G7xx — SSA intra-procedural; no codeFlow trace in SARIF output | Pro mode — codeFlows[] | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Inferred from x_affectedRoutines + framework heuristics; no codeFlow-style trace |
| Semantic / intent-to-use (reflection / DI / ServiceLoader / framework auto-config) | Not native | Misses by default; needs hand-written queries per framework | N/A | Not native | Not native | N/A | N/A | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Native — captures Spring auto-config, Java SPI, .NET DI, Rails autoload, plugin-system wiring that call-graph tools miss (via CLI’s --reachability=direct|transitive|both flag fetching per-CVE patterns from the VDB and evaluating them locally across 17 languages — no source upload) |
| Runtime coverage integration | Not native | Not native | N/A | Not native | Not native | N/A | DAST is itself runtime evidence | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Native via Prisma Defender — runtime events feed back to Console; closes the loop on build-time VEX assumptions | Not native | Not native — but consumes CycloneDX VEX from runtime tools that produce it (CODE_NOT_REACHABLE auto-applies) | Indirect — pair with JaCoCo / coverage.py / c8 + memory.yaml |
Most scanners are reactive (MAL- records arrive after the advisory publishes). Vulnetix is the only tool below with proactive detection. See supply-chain threats appendix for the full taxonomy.
| Capability | Dependabot | CodeQL | GH Secrets | GL Deps | GL SAST | GL Secrets | GL DAST | Snyk OSS | Snyk SAST | gosec | Semgrep | KICS | osv-scanner | Grype | Trivy | Prisma | Ruff | Dep-Track | Vulnetix |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Typosquat similarity scoring | Not native | N/A | N/A | Not native | N/A | N/A | N/A | Commercial — limited | N/A | N/A | Not native | Not native | Not native | Not native | Not native | Not native | N/A | Not native | Native — vulnetix:typosquat-check + edit-distance + maintainer-health blend |
| Dependency-confusion detection | Not native | N/A | N/A | Not native | N/A | N/A | N/A | Commercial — limited | N/A | N/A | Not native | Not native | Not native | Not native | Not native | Not native | N/A | Not native | Native — dep-add-guard flags dual-registry presence |
| Namespace squatting / brandjacking | Not native | N/A | N/A | Not native | N/A | N/A | N/A | Not native | N/A | N/A | Not native | Not native | Not native | Not native | Not native | Not native | N/A | Not native | Native — brand-prefix detection + low-maintainer-health combination |
Maintainer-takeover (MAL- records) | Reactive — GHSA-MAL- after publication | N/A | N/A | Reactive — via feed | N/A | N/A | N/A | Reactive — Snyk Malicious Packages (commercial) | N/A | N/A | Not native | Not native | Native — OSV MAL- records first-class | Via OSV / NVD aliases | Reactive — via OSV MAL- records | Reactive — via Intelligence Stream feed | N/A | Reactive — via OSV / GHSA MAL- records | Native + proactive — AI-malware family signatures + maintainer-health drop detection |
| Protestware | Reactive — MAL- after publication | N/A | N/A | Reactive | N/A | N/A | N/A | Reactive — commercial | N/A | N/A | Not native | Not native | Reactive — via MAL- | Via feed | Reactive — via feed | Reactive — via feed | N/A | Reactive — via feeds | Native — AI-malware family detection (node-ipc-pattern, geo-targeted behaviour signals) |
| Post-install / build-script abuse | Not native | N/A | N/A | Not native | N/A | N/A | N/A | Not native | N/A | N/A | Via custom rule packs | Not native | Not native | Not native | Not native | Not native at scan time; Defender catches at runtime | N/A | Not native | Native — IaC rule on RUN npm install without --ignore-scripts; dep-add-guard flags suspect scripts |
| AI-malware family signatures | Not native | N/A | N/A | Not native | N/A | N/A | N/A | Not native | N/A | N/A | Not native | Not native | Not native | Not native | Not native | Not native | N/A | Not native | Native — vdb ai-malware — multi-family classifier on package contents |
| AI-authored malware detection | Not native | N/A | N/A | Not native | N/A | N/A | N/A | Not native | N/A | N/A | Not native | Not native | Not native | Not native | Not native | Not native | N/A | Not native | Native — vdb ai-discoveries and ai-in-wild ingestion |
| Subresource hijack / build-asset poisoning | Not native | Custom queries possible | N/A | Not native | N/A | N/A | N/A | Not native | N/A | N/A | Via custom rule packs | Indirect — Dockerfile queries on floating tags / latest | Not native | Not native | Not native | Not native | N/A | Not native | Native — IaC rules on floating-tag FROM + mutable Action SHAs |
Per-package signals about who maintains it. Most scanners surface zero of these; Vulnetix surfaces them as inputs to dep-add-guard’s composite ALLOW/WARN/BLOCK verdict.
| Capability | Dependabot | CodeQL | GH Secrets | GL Deps | GL SAST | GL Secrets | GL DAST | Snyk OSS | Snyk SAST | gosec | Semgrep | KICS | osv-scanner | Grype | Trivy | Prisma | Ruff | Dep-Track | Vulnetix |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| OpenSSF Scorecard score | Not surfaced | N/A | N/A | Not surfaced | N/A | N/A | N/A | Commercial — limited | N/A | N/A | N/A | Not native | Not surfaced | Not surfaced | Not surfaced | Not surfaced | N/A | Not surfaced | Native — vdb scorecard per dep |
| Account age (maintainer’s registry account) | Not surfaced | N/A | N/A | Not surfaced | N/A | N/A | N/A | Not surfaced | N/A | N/A | N/A | Not native | Not surfaced | Not surfaced | Not surfaced | Not surfaced | N/A | Not surfaced | Native — sub-input to package-search + dep-add-guard |
| 2FA enrolment check | Not surfaced | N/A | N/A | Not surfaced | N/A | N/A | N/A | Not surfaced | N/A | N/A | N/A | Not native | Not surfaced | Not surfaced | Not surfaced | Not surfaced | N/A | Not surfaced | Native — registry-2FA verification per maintainer |
| Prior-commits / publish-history signal | Not surfaced | N/A | N/A | Not surfaced | N/A | N/A | N/A | Not surfaced | N/A | N/A | N/A | Not native | Not surfaced | Not surfaced | Not surfaced | Not surfaced | N/A | Not surfaced | Native — abandonment / cadence-anomaly detection |
| Cosign verification of upstream artefact | Not surfaced | N/A | N/A | Not surfaced | N/A | N/A | N/A | Not surfaced | N/A | N/A | N/A | Not native | Not surfaced | Not surfaced | Not surfaced | Not surfaced | N/A | Not surfaced | Native — verifies registry-signed packages where signing exists |
| Pre-add risk gate (composite ALLOW / WARN / BLOCK) | Auto-MR is a post-add gate | N/A | N/A | Not native | N/A | N/A | N/A | Not native | N/A | N/A | N/A | Not native | Not native | Not native | Not native | Not native | N/A | Not native — runs on SBOMs already produced (post-add); Policy violations (FAIL state) can gate CI after the fact | Native — vulnetix:dep-add-guard composes vuln history + AI-malware + license + EOL + maintainer-health + version-lag into one verdict |
See the EOL appendix for the SSVC mapping (EOL → NO_PATCH → SPIKE_EFFORT migration).
| Capability | Dependabot | CodeQL | GH Secrets | GL Deps | GL SAST | GL Secrets | GL DAST | Snyk OSS | Snyk SAST | gosec | Semgrep | KICS | osv-scanner | Grype | Trivy | Prisma | Ruff | Dep-Track | Vulnetix |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Per-dep EOL | Not native — cross-reference endoflife.date | N/A | N/A | Not native | N/A | N/A | N/A | Commercial tier signal | N/A | N/A | N/A | Not native | Not native | Inferred — “no fix in feed” is a weak signal | Not native — cross-reference endoflife.date | Indirect — Intelligence Stream surfaces deferred status for EOL vendor patches | N/A | Indirect — AGE and VERSION_DISTANCE policy conditions (v4.14.0) flag outdated components; no advisory EOL data | Native — lifecycleStage per dep in VDB; vulnetix:eol-check skill |
| Per-runtime EOL (Python / Node / Java / Go / .NET) | Not native | N/A | N/A | Not native | N/A | N/A | N/A | Commercial | N/A | N/A | N/A | Not native | Not native | Not native | Not native | Not native | Indirect — UP (pyupgrade) rules flag legacy-Python idioms but do not surface runtime EOL dates | Not native | Native — runtime EOL data + --block-eol CI gate |
| Per-container-base-image EOL | Not native | N/A | N/A | Indirect — via container scanner | N/A | N/A | N/A | Commercial — Snyk Container | N/A | N/A | N/A | Indirect — Dockerfile query on outdated FROM images (no advisory data) | Not native | Inferred — distro feed signals when patches stop | Inferred — distro feed signals when patches stop | Native — base-image lifecycle in Intelligence Stream | N/A | Not native | Native — base-image lifecycle + migration recommendation (UBI / Chainguard / distroless) |
| Safe-harbour recommended version | Implicit in auto-MR target | N/A | N/A | Implicit in solution | N/A | N/A | N/A | upgradePath[] | N/A | N/A | N/A | Not native | Not native | Not native | Implicit in FixedVersion field | Implicit in status: "fixed in N.N.N" | N/A | Not native — VERSION_DISTANCE flags outdated but does not propose a target | Native — vulnetix:safe-version returns CVE-free newest version honouring --max-major-bump |
--max-major-bump policy | Not native | N/A | N/A | Not native | N/A | N/A | N/A | Not native | N/A | N/A | N/A | Not native | Not native | Not native | Not native | Not native | N/A | Not native | Native — bump-budget enforcement |
Auto-MR generation is table-stakes for SCA tools; everything below is the depth beyond it.
| Capability | Dependabot | CodeQL | GH Secrets | GL Deps | GL SAST | GL Secrets | GL DAST | Snyk OSS | Snyk SAST | gosec | Semgrep | KICS | osv-scanner | Grype | Trivy | Prisma | Ruff | Dep-Track | Vulnetix |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Auto-MR / Auto-PR | Native — flagship feature | Not native (SAST findings don’t auto-PR) | Push-protection (blocks the secret) | GitLab Auto-Merge MRs | Not native | Not native | Not native | Commercial — Snyk Fix PRs | Not native | Not native | Not native | Not native | Not native | Not native | Not native — emit JSON for CI to consume | Commercial — Prisma Cloud integrations (Jira / ticket creation, not direct PR) | Not native — autofix rewrites source locally (ruff check --fix); no PR generation. opa-py-ruff preserves the ruff_fix metadata but Vulnetix CLI does not auto-apply | Not native — Jira ticket creation + webhook notifications only | Native — /vulnetix:fix + sub-agent dep-upgrade-orchestrator |
| Upgrade-path data | firstPatchedVersion.identifier | N/A | N/A | solution free-text | N/A | N/A | N/A | upgradePath[] with index alignment to from[] | N/A | N/A | N/A | Not native | OSV affected.ranges.events.fixed | vulnerability.fix.versions[] | FixedVersion field per finding | status field — "fixed in N.N.N" / "not fixed" / "deferred" | N/A | Limited — surfaces latest known version via repository metadata | Native — vdb fixes + vdb remediation plan with per-registry / upstream / distro / workaround tracks |
| Conflict-resolution multi-strategy | Not native (single-bump attempt) | N/A | N/A | Not native | N/A | N/A | N/A | Limited | N/A | N/A | N/A | Not native | Not native | Not native | Not native | Not native | N/A | Not native | Native — sub-agent safe-harbor-resolver: single bump → override → safe-harbour inline → workaround + detection |
| Inline-as-first-party-code (safe-harbour inline) | Not native | N/A | N/A | Not native | N/A | N/A | N/A | Not native | N/A | N/A | N/A | N/A | Not native | Not native | Not native | Not native | N/A | Not native | Native — inline-source option in vulnetix:fix |
| Workaround / mitigation recommendation | Not surfaced | N/A | N/A | Not surfaced | N/A | N/A | N/A | Commercial — partial | N/A | Inline #nosec suppression with optional -- justification | N/A | expected_value vs actual_value strings per finding | Not surfaced | Not surfaced | Misconfigurations[].Resolution field carries the fix recipe; vuln workarounds not surfaced | Commercial — Console suggests Defender runtime rules | Per-rule help_uri to docs.astral.sh — narrative-only | AnalysisResponse enum records the recommendation (CAN_NOT_FIX / WILL_NOT_FIX / UPDATE / ROLLBACK / WORKAROUND_AVAILABLE / NOT_SET); platform does not author the workaround | Native — vdb workarounds + vdb remediation returns CWE-specific defensive strategies |
| Per-package-manager verification commands | Not native | N/A | N/A | Not native | N/A | N/A | N/A | Not native | N/A | N/A | N/A | N/A | Not native | Not native | Not native | Not native | N/A | Not native | Native — vulnetix:remediation emits per-ecosystem verify commands |
| Patch path data (registry / upstream commit / distro patch) | Registry only | N/A | N/A | Registry only | N/A | N/A | N/A | Registry + commercial upstream | N/A | N/A | N/A | N/A | Registry + distro | Distro (OS layer) + registry | Registry + distro | Registry + distro (via Intelligence Stream) | N/A | Registry only (latest-version metadata from repository providers) | All three — registry + upstream commit URLs + distro patch metadata |
Where the two scanning models matter most. Vulnetix’s drawback is explicit on the “Image-binary scanning” row.
| Capability | Dependabot | CodeQL | GH Secrets | GL Deps | GL SAST | GL Secrets | GL DAST | Snyk OSS | Snyk SAST | gosec | Semgrep | KICS | osv-scanner | Grype | Trivy | Prisma | Ruff | Dep-Track | Vulnetix |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Image-binary scanning (extract OCI layers, walk filesystem) | Not native | Not native | Not native | Via separate GitLab Container Scanning analyser | Not native | Not native | Not native | Commercial — Snyk Container | Not native | N/A | Not native | Not native | Native — osv-scanner --image since 2024 | Native — flagship via syft | Native — flagship; OCI layer extract + filesystem walk | Native — flagship | Not native | Not native — delegates to external Trivy server (since v4.12.0) | Not native — reads OCI manifest’s package list, or operates on a pre-extracted filesystem; pair with Grype, Trivy, or Prisma for image-binary scans |
| Unpacked-layer scanning (filesystem walk on extracted image) | Not native | Not native | Not native | Indirect | Not native | Not native | Not native | Commercial — partial | Not native | N/A | Not native | Not native | Native — dir: mode | Native — dir: mode | Native — trivy fs on an extracted image | Native — via filesystem walk | Not native | Not native | Native — primary container model |
| Runtime scanning (live container monitoring) | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Commercial — Snyk Runtime | Not native | N/A | Not native | Not native | Not native | Not native | Not native | Native via Prisma Defender (DaemonSet / host agent / serverless extension) | Not native | Not native | Not native — orthogonal domain (Falco / Tetragon territory) |
| OCI-manifest package list (read manifest’s content list, not its layers) | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | N/A | Not native | Not native | Not native | Not native | Not native — extracts layers | Not native — extracts layers | Not native | Indirect — only if upstream tool emitted one in the SBOM | Native — Vulnetix’s primary container ingest path |
| Multi-stage build awareness | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Commercial — partial | Not native | N/A | Not native | Native — Dockerfile multi-stage queries | Not native | Native — runtime-image distinction, --target=runtime recommendation | Inferred — surfaces artefacts in any stage scanned; recommend scanning the runtime stage | Partial — depends on which image is scanned | Not native | Not native | Native — Class-C leakage detection + pivot to SCA workflow |
| Class A (OS-package) identification | Not native | Not native | Not native | Via container analyser | Not native | Not native | Not native | Commercial | Not native | N/A | Not native | Not native | Native via image-scan — broad distro coverage | Native — dpkg-matcher/apk-matcher/rpm-matcher | Native — os-pkgs Class with deb / apk / rpm Type discrimination | Native — broad distro coverage | Not native | Indirect — via ingested Trivy / syft SBOMs | Native — distro-feed cross-reference |
| Class B (language-ecosystem) identification | N/A | Not native | Not native | Via container analyser | N/A | Not native | Not native | Commercial | N/A | N/A | N/A | Not native | Native via image-scan — lockfile inside the image | Native — javascript-matcher/python-matcher/java-matcher | Native — lang-pkgs Class with npm / pip / gomod / maven Type discrimination | Native — language ecosystem matching via pkgsType | Not native | Indirect — via ingested SBOMs | Native — pivots to SCA workflow with the manifest path |
| Class C (multi-stage leakage) detection | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Commercial — partial | Not native | N/A | Not native | Indirect — Dockerfile static rules adjacent to leakage | Inferred — surfaces artefacts in any stage scanned | Native — recommends --target=runtime builds | Inferred — surfaces artefacts in any stage scanned | Not native — recommend scanning the runtime target | Not native | Not native | Native — pivots to SCA on the source manifest |
| Class D (vendored OS-package) detection | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | N/A | Not native | Not native | Indirect — package surfaces if installed | Native — via docker history archaeology | Indirect — package surfaces if installed via dpkg -i | Indirect — via image history | Not native | Not native | Native — IaC + Dockerfile rule on COPY *.deb |
| Dockerfile static rules count | Not native | Custom queries | Not native | Via container analyser | Not native | Not native | Not native | Commercial — partial | Not native | N/A | Via hadolint-style rule packs | Native — large built-in Dockerfile query set | Not native | Not native | Native — trivy config Dockerfile rule set (DS001..DS031) + optional Vulnetix opa-aquasecurity-trivy Rego port | ~200 CIS / NIST 800-190 rules (closed catalogue) | Not native | Not native | Native — 8 first-party rules (VNX-DOCKER-001..008) |
| Multi-architecture (amd64 / arm64) handling | Not native | Not native | Not native | Per-platform scan | Not native | Not native | Not native | Commercial — per-platform | Not native | N/A | Not native | Not native | Native — per-architecture image scans | Native — per-architecture index entry | Native — per-architecture image scans | Native — per-architecture image scans | Not native | Inferred — per-SBOM upload | Native — manifest list awareness |
| Distroless / scratch handling | Not native | Not native | Not native | Limited — no OS feed | Not native | Not native | Not native | Commercial — distroless catalogue | Not native | N/A | Not native | Not native | Native — file-walk works on distroless | Native — file-walk works on distroless | Native — file-walk works on distroless | Native — filesystem walk works on distroless | Not native | Indirect — if upstream tool produced an SBOM | Native — VDB has Google distroless / Chainguard Wolfi / RH UBI catalogues |
| Capability | Dependabot | CodeQL | GH Secrets | GL Deps | GL SAST | GL Secrets | GL DAST | Snyk OSS | Snyk SAST | gosec | Semgrep | KICS | osv-scanner | Grype | Trivy | Prisma | Ruff | Dep-Track | Vulnetix |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| SAST engine type | N/A | Call-graph + taint (data-flow library) | N/A | N/A | Multi-analyser (Semgrep + bandit + gosec + brakeman + spotbugs) | N/A | N/A | N/A | Taint (Snyk Code intermediate representation) | AST pattern-match + SSA + intra-procedural taint (G7xx) | Pattern-match (OSS) / Taint (Pro) | N/A (not a code-SAST) | N/A | N/A | N/A (not a code-SAST) | N/A | Pattern + AST (Rust, Ruff) / regex on file content (opa-py-ruff Rego port for Vulnetix CLI) | N/A | Pattern-match + semantic enrichment |
| SAST language coverage | N/A | C/C++, C#, Go, Java/Kotlin, JS/TS, Python, Ruby, Swift, GitHub Actions | N/A | N/A | Per-analyser breadth; ~25 languages combined | N/A | N/A | N/A | C/C++, C#, Go, Java/Kotlin, JS/TS, Python, PHP, Ruby, Scala, Swift, Apex | Go only | ~30+ languages via rule packs | N/A | N/A | N/A | N/A | N/A | Python only (.py, .pyw) | N/A | Java, Python, Go, Node.js, PHP, Ruby, .NET (representative rules) |
| SAST custom-rule authoring | N/A | CodeQL query language (Datalog-derived) | N/A | N/A | Via Semgrep rules | N/A | N/A | N/A | Limited — closed engine | Not native — rule additions require Go contributions upstream (or Vulnetix opa-gosec Rego port) | YAML pattern rules | Native — Rego queries (Open Policy Agent) | N/A | N/A | N/A | N/A | Upstream Ruff rules are Rust-only (closed authoring); opa-py-ruff exposes the ported rules as editable Rego files under rules/ | N/A | Limited — rule additions via VDB |
| IaC formats covered | N/A | Limited — via custom queries | N/A | N/A | Limited — Semgrep IaC packs | N/A | N/A | Commercial — Terraform, CloudFormation, Kubernetes, Helm, Pulumi | N/A | N/A | Terraform, Kubernetes, Dockerfile via rule packs | Native — 20+ platforms (Terraform / OpenTofu / Kubernetes / Helm / CloudFormation / ARM / Bicep / Ansible / Pulumi / Crossplane / OpenAPI / GitHub Workflows / Serverless / SAM / CDK / Knative / Docker / Compose / Buildah / Databricks / NIFCloud / TencentCloud) | N/A | N/A | Native — Terraform / CloudFormation / Kubernetes / Helm / Dockerfile / Azure ARM (via trivy config) | Terraform / CloudFormation / Kubernetes / Helm / Docker Compose | N/A | N/A | Native — Terraform / OpenTofu / Nix / k8s / Helm / Dockerfile |
| IaC rules count | N/A | Custom | N/A | N/A | Per-pack | N/A | N/A | Commercial — hundreds | N/A | N/A | 1000s via Semgrep registry | Native — large built-in query library (hundreds of Rego queries across all platforms) | N/A | N/A | Hundreds — built-in policies (Defsec / Misconfig DB) + optional opa-aquasecurity-trivy (Rego bundle re-implementing intent inside Vulnetix CLI) | ~hundreds (CIS Benchmark + commercial pack) | N/A | N/A | 8 first-party Terraform rules (VNX-TF-001..008) + Nix flake handling + optional opa-checkmarx-kics pack (~205 KICS-shaped rules: 48 Dockerfile, 14 Ansible-AWS, 16 Terraform-AWS, 127 Terraform Azure/GCP) via --rule Vulnetix/opa-checkmarx-kics |
| Secrets signature breadth | N/A | N/A | Native — GitHub Secret Scanning catalogue (300+ providers) | N/A | N/A | gitleaks ruleset (~100 providers) | N/A | N/A | N/A | Limited — G101 hardcoded-credentials heuristic + G117 marshalling exposure | Custom rule packs | Native — regex-based secrets queries (on by default; --disable-secrets to opt out) | N/A | File-pattern matcher only | ~100 providers — gitleaks-style ruleset | Narrow — AWS / GitHub / generic regex (~30 patterns) | Partial — flake8-bandit S1xx hard-coded credential rules only; no token-provider patterns | N/A | Native — AWS / GitHub PAT / Slack / Stripe / GCP / Azure / Twilio / SendGrid / JWT / generic entropy |
| Secrets git-history scanning | N/A | N/A | Native — scans entire repo history on enrolment | N/A | N/A | Native — gitleaks scans history | N/A | N/A | N/A | Not native | Custom | Not native (current tree only) | N/A | Not native | Not native — current-tree only | Not native — current tree only | Not native | N/A | Native — vulnetix:secret-scan --staged-only for pre-commit, full repo otherwise |
| Secrets validation (live token check) | N/A | N/A | Native — validity: active/inactive/unknown for major providers | N/A | N/A | Not native | N/A | N/A | N/A | Not native | Not native | Not native | N/A | Not native | Not native | Not native | Not native | N/A | Native — token-validity probe |
| Secrets custom-rule support | N/A | N/A | Limited — partner-program providers | N/A | N/A | Via custom gitleaks config | N/A | N/A | N/A | Via opa-gosec Rego rules | Native — rule packs | Native — --secrets-regexes-path for custom regex config | N/A | Not native | Via custom --secret-config (regex rule pack) | Native — Console rule editor | Via custom Ruff rules (not supported upstream) / via custom Rego in opa-py-ruff | N/A | Native — VDB pattern registry |
| Capability | Dependabot | CodeQL | GH Secrets | GL Deps | GL SAST | GL Secrets | GL DAST | Snyk OSS | Snyk SAST | gosec | Semgrep | KICS | osv-scanner | Grype | Trivy | Prisma | Ruff | Dep-Track | Vulnetix |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| JSON | REST / GraphQL via gh api | SARIF (JSON encoding) | REST | gemnasium Security Report JSON | Per-analyser JSON + SARIF | gitleaks JSON | ZAP JSON | Native | Native | Native — flagship | Native | Native — flagship format | Native | Native — rich | Native — rich (-f json) | Native — rich | Native — --output-format json / json-lines | Native — REST API JSON + Finding Packaging Format (FPF) round-trip | Native — rich, multi-tool aggregation |
| SARIF dialect | Via Code Scanning API (flat) | Rich — codeFlows[] + partialFingerprints + security-severity numeric | Via Code Scanning API (limited) | Native — via analyser | Native — varies per analyser | Limited | Limited | Flat (SCA) | codeFlow + properties.snyk | Native (-fmt sarif) — flat (no codeFlows) | OSS flat / Pro codeFlow | Native — --report-formats sarif (flat) | Flat | Flat (-o sarif) | Native — -f sarif (flat; no codeFlows[]) | Native (--output-format sarif) | Native — --output-format sarif (flat; no codeFlows[]) | Not native — emits CycloneDX VEX / VDR instead | Rich — properties.security-severity numeric + Vulnetix rule metadata |
| CycloneDX SBOM | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Native — --report-formats cyclonedx (--bom enrichment) | Not native | Via syft companion (1.4 / 1.5 / 1.6) | Native — -f cyclonedx (1.4 / 1.5 / 1.6) | Native — 1.4 via twistcli sbom | Not native | Native — emits v1.5; ingests up to v1.6 (v4.11.4+) | Native — 1.4 / 1.5 / 1.6 / 1.7 |
| SPDX SBOM | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Via syft companion (2.2 / 2.3) | Native — -f spdx / -f spdx-json (2.2 / 2.3) | Not native | Not native | Not native (convert SPDX to CycloneDX before upload) | Native — 2.2 / 2.3 / 3.0 |
| CycloneDX VEX emit | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native (consumes only via --vex) | Not native | Not native | Native — flagship VEX emitter; per-project + portfolio | Native — vulnetix:vex-publish (auto-picks for PURL-backed findings) |
| OpenVEX emit | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native (consumes only via --vex) | Not native | Not native | Not native | Native — vulnetix:vex-publish (auto-picks for non-PURL findings) |
| HTML / Markdown / PDF report | Via UI only | Via UI only | Via UI only | Via UI / pipeline artefact | Via UI | Via UI | Via UI | Via UI + CLI HTML | Via UI + CLI HTML | HTML via -fmt html; text/golint / sonarqube | Markdown / SARIF | Native — html / pdf (plus CSV / SonarQube / CodeClimate / ASFF formats) | Table / Markdown | Table / Markdown | Native — template-driven (-f template --template ...) for HTML / Markdown / table | Console UI | Not native — concise / full / grouped text formats | Via SPA UI only | Native — Markdown summaries + compliance bundle |
| GitLab gemnasium JSON | Not native | Not native | Not native | Native — flagship format | Native — per analyser | Native — per analyser | Native — per analyser | Not native | Not native | Not native | Not native | Native — --report-formats glsast | Not native | Not native | Native — -f gitlab codeclimate-shaped JSON for GitLab Container Scanning ingestion | Not native | Native — --output-format gitlab | Not native | Not native — emit via SARIF pivot |
| GitHub Code Scanning ingest | Native — primary surface | Native — primary surface | Native — secret-scanning surface | Not native (GitHub-only) | Not native | Not native | Not native | Via SARIF upload | Via SARIF upload | Via SARIF upload | Via SARIF upload | Via SARIF upload | Via SARIF upload | Via SARIF upload | Via SARIF upload | Via SARIF upload | Via SARIF upload (--output-format sarif); native --output-format github for Actions annotations | Not native — official GH Action uploads SBOM to D-Track, not findings to Code Scanning | Via SARIF upload |
| JUnit XML (CI ingestion) | Not native | Not native | Not native | Native — per analyser | Native — per analyser | Native | Native | CLI option | CLI option | Native (-fmt junit-xml) | Native | Native — --report-formats junit | Not native | Not native | Native — -f junit | Native | Native — --output-format junit | Not native | Native — for --exit-code gating |
| STIX 2.1 IOC export | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native — Defender IOCs are proprietary | Not native | Not native | Native — vulnetix:ioc-pivot --format=stix |
| Mermaid threat-model graphs | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Native — vulnetix:exploits flowcharts |
Where the triage decision lives once you’ve made it, plus what non-code mitigation the tool can synthesise.
| Capability | Dependabot | CodeQL | GH Secrets | GL Deps | GL SAST | GL Secrets | GL DAST | Snyk OSS | Snyk SAST | gosec | Semgrep | KICS | osv-scanner | Grype | Trivy | Prisma | Ruff | Dep-Track | Vulnetix |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| VEX consumption (suppression loop) | Not native | Via dismissal API (orthogonal) | Via resolution status | Via dashboard dismissal | Via dashboard dismissal | Via dashboard dismissal | Via dashboard dismissal | Not native | Not native | Inline #nosec only — per-rule, not file-based | Inline nosemgrep: suppression | Native — -x / --exclude-results by similarity_id | Native — osv-scanner.toml ignore rules | Native — --vex flag | Native — --vex flag (consumes CycloneDX VEX and OpenVEX); legacy .trivyignore flat-file alternative | Not file-based — Console exception UI / policy API (proprietary) | Inline # noqa: <rule-code> suppression + [tool.ruff.lint.per-file-ignores] in pyproject.toml | Native — CycloneDX VEX ingest auto-applies to AnalysisState / Justification / Response; round-trips cleanly | Native — .vulnetix/memory.yaml + re-scan suppression |
| VEX consumption format | — | — | — | Proprietary (dashboard state) | Proprietary | Proprietary | Proprietary | — | — | Inline #nosec comments with optional -- justification | Inline comments | Similarity-ID list (proprietary; not OpenVEX) | Proprietary TOML (ignore-rule shape, not strict OpenVEX) | OpenVEX only | CycloneDX VEX + OpenVEX (auto-detected) | Proprietary (Console policy / exception) | Inline source comments / TOML config (not OpenVEX) | CycloneDX VEX only (no OpenVEX, no CSAF) | OpenVEX + CycloneDX VEX + memory.yaml |
| Triage memory mechanism | GitHub alert state (per-repo) | GitHub alert state | GitHub alert state | GitLab Vulnerability Dashboard (per-project) | GitLab dashboard | GitLab dashboard | GitLab dashboard | Snyk Monitor SaaS dashboard | Snyk Monitor SaaS dashboard | Inline source comments (#nosec annotations) | Inline source comments | None — re-scan suppression via similarity_id only | osv-scanner.toml — file-based ignore rules with reason / expiry / vulnerability-id / ecosystem filters | None | .trivyignore flat-file (legacy) or external VEX file — no built-in audit history | Prisma Console SaaS dashboard (per-tenant) | Inline # noqa + pyproject.toml per-file-ignores — committed to repo, no audit trail | PostgreSQL — AnalysisState + AnalysisJustification + AnalysisResponse + comments + suppression per (project, component, vulnerability); full audit trail in DB | .vulnetix/memory.yaml — file-based, committed to repo, append-only history[] |
| Cross-scan deduplication | Alert number stability | SARIF partialFingerprints | Alert number | Dashboard finding-ID UUID | Per-analyser fingerprints | Fingerprints | Fingerprints | Snyk finding fingerprint | Snyk finding fingerprint | Not native | extra.fingerprint | similarity_id per finding | Per-vuln ID | Per-match purl+id | VulnerabilityID + PkgIdentifier.PURL | Console finding-ID | Stable Ruff rule code + path:line:col | (project, component PURL, vulnerability ID) triple | Stable aliases[] + memory.yaml row identity |
| Engineer Triage outcome recording | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Native — AnalysisState ∈ {EXPLOITABLE, IN_TRIAGE, FALSE_POSITIVE, NOT_AFFECTED, RESOLVED, NOT_SET}; CycloneDX VEX-shaped justifications | Native — decision.choice ∈ {fix-applied, risk-accepted, deferred, mitigated, inlined, risk-avoided, not-affected, risk-transferred} |
| Coordinator decision recording | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native (no SSVC field) | Native — surfaced from VDB into memory.yaml |
| Snort / Suricata signature generation | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native — Defender uses closed runtime format | Not native | Not native | Native — vdb snort-rules get <CVE> + vulnetix:detection-rules |
| YARA rule generation | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Native — vdb yara-rules |
| Nuclei template generation | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Native — vdb nuclei get <CVE> |
| Sigma rule generation | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Native — see Sigma rules guide |
| ModSecurity / WAF rule generation | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native — Prisma WAAS is a separate product | Not native | Not native | Native — see ModSecurity rules guide |
| Traffic-filters | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Defender runtime ruleset (closed format) | Not native | Not native | Native — vdb traffic-filters <CVE> |
| IOC export (STIX 2.1 / SIEM-ready) | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Console webhook → SIEM (proprietary) | Not native | Not native — Webhook → SIEM payloads carry finding JSON only | Native — for Splunk / Sentinel / Cortex / Tines ingestion |
| Capability | Dependabot | CodeQL | GH Secrets | GL Deps | GL SAST | GL Secrets | GL DAST | Snyk OSS | Snyk SAST | gosec | Semgrep | KICS | osv-scanner | Grype | Trivy | Prisma | Ruff | Dep-Track | Vulnetix |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Cosign signing of outputs | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native — external post-processing step required | Native — compliance-bundler sub-agent signs SBOM + SARIF + VEX bundles |
| in-toto attestations | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Native — SLSA-style provenance metadata in bundles |
| SLSA provenance | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Native — bundle level satisfies SLSA Level 2/3 evidence shape |
| Compliance bundle (SBOM + SPDX + SARIF + VEX + cosign + manifest) | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native — Console dashboards instead | Not native | Partial — emits CycloneDX VDR (Vulnerability Disclosure Report — SBOM + vulns + analysis state in one CycloneDX document); not signed, no manifest.json | Native — compliance-bundler agent emits ZIP with manifest.json + SHA-256 sums + Markdown index |
| GitHub Actions / GitLab CI / Jenkins integration | Native (GitHub) | Native (GitHub Actions; CI elsewhere via CLI) | Native (GitHub) | Native (GitLab CI) | Native (GitLab CI) | Native (GitLab CI) | Native (GitLab CI) | Native — all major CIs | Native — all major CIs | Native — GitHub Actions (securego/gosec@v2), GitLab CI, Bazel nogo analyzer | Native — all major CIs | Native — GitHub Actions / GitLab CI / Jenkins / CircleCI / Azure Pipelines / Bitbucket Pipelines (documented) | Native — all major CIs | Native — all major CIs | Native — all major CIs (official aquasecurity/trivy-action) | Native — all major CIs | Native — official astral-sh/ruff-action; standard CI invocation everywhere else | Native — official Jenkins plugin + official dependency-track/gh-upload-sbom-action; GitLab CI via REST curl | Native — all major CIs + per-step hook gates |
| Pre-commit / git hooks | Not native | Not native | Push-protection blocks the commit | Not native | Not native | Push-protection (commercial) | Not native | CLI hook recipe (manual) | CLI hook recipe (manual) | Community hook (not first-party) | Native — semgrep --pre-commit | Recipe (manual; Docker image) | CLI hook recipe (manual) | CLI hook recipe (manual) | Native — official aquasecurity/trivy pre-commit hook | CLI hook recipe (manual) | Native — official astral-sh/ruff-pre-commit repo | Not native — server-side platform; no client-side hooks | Native — pre-commit-scan.sh, manifest-edit-scan.sh, dockerfile-edit-gate.sh, dep-install-gate.sh, git-push-gate.sh |
| IDE extensions | GitHub IDE plugins (limited) | Via GitHub IDE plugins + CodeQL CLI | Via GitHub IDE plugins | Via GitLab Workflow extension | Same | Same | Same | Native — Snyk plugins for VS Code / IntelliJ / Eclipse / Eclipse Theia / Visual Studio | Same as Snyk OSS | Not native | Native — Semgrep extension for VS Code / IntelliJ / Vim | Community VS Code extension | None — CLI only | None — CLI only | Native — first-party VS Code / IntelliJ extensions | Prisma IDE plugin (limited — VS Code / IntelliJ) | Native — first-party LSP (ruff server) wired into VS Code / Cursor / Zed / PyCharm / Neovim / Helix / Sublime | Not native | Via AI Coding Agent — Claude Code / Cursor / Windsurf / Copilot / Gemini / Codex / Augment / Cline / Amazon Q / OpenHands / Codebuddy / Cortex / Qoder / Qwen / Kiro / iFlow |
| AI Coding Agent slash-commands | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Not native | Via Vulnetix opa-gosec Rego port + vulnetix sast skill | Not native | Not native | Not native | Not native | Not native | Not native | Indirect — opa-py-ruff rule pack is consumed by vulnetix:sast-scan; otherwise CLI-only | Not native | Native — 33+ skills + 7 sub-agents + 30+ hooks; see AI Coding Agent |
| REST / GraphQL API | REST + GraphQL via gh api | REST via gh api | REST via gh api | GitLab REST | GitLab REST | GitLab REST | GitLab REST | REST + Snyk API | REST + Snyk API | Not native — CLI only | REST (commercial) + Semgrep app API | Not native (CLI only) | Not native (CLI only) | Not native (CLI only) | Not native (CLI only) | Native — Console REST API | Not native (CLI / LSP only) | Native — OpenAPI REST API is the canonical interface; all UI features routed through it | REST API + CLI + AI Coding Agent skill wrappers |
| Tool license | Closed (free for repos) | Free public / GHAS commercial private | Closed (free) | GitLab tiers (Free / Premium / Ultimate) | Same | Same | Same | Commercial — free tier with test caps | Commercial | Apache-2.0 OSS | LGPL-2.1 OSS / commercial Pro tier | Apache-2.0 OSS | Apache-2.0 OSS | Apache-2.0 OSS | Apache-2.0 OSS | Commercial — Prisma Cloud licence required | MIT (Ruff) / Apache-2.0 (opa-py-ruff Vulnetix rule pack) | Apache-2.0 OSS — OWASP Flagship Project | Commercial — free / Vulnetix Pro / Enterprise tiers; AI Coding Agent plugin Apache-2.0 OSS |
| Free-tier feature set | Full SCA + auto-MRs (public + private) | Full on public repos; private requires GHAS | Full on public; partner program for org-wide | GitLab Free has dep scanning; SAST + DAST in higher tiers | Same | Same | Premium+ only | Monthly test caps + open-source projects | Same | Fully OSS | Full OSS engine; cloud features behind login | Fully OSS | Fully OSS | Fully OSS | Fully OSS | Trial only — no permanent free tier | Fully OSS — all rules + all output formats | Fully OSS — every feature free; only VulnDB / Snyk external analyzer subscriptions cost extra | AI Coding Agent + CLI + most VDB queries free; advanced enrichment and bulk-triage in paid tier |
| Self-host vs SaaS | SaaS only (GitHub.com / GHE) | SaaS — runs in Actions / GHE | SaaS only | Both — GitLab.com or self-host | Both | Both | Both | Both — Snyk SaaS or on-prem (commercial) | Both | Self-host (CLI binary) | Both — local CLI or Semgrep Cloud | Self-host (CLI binary / Docker image) | Self-host (CLI binary) | Self-host (CLI binary) | Self-host (CLI binary); Aqua Platform SaaS for the commercial tier | Both — Console SaaS or on-prem | Self-host only (CLI binary + LSP) | Self-host only — Docker / Compose / Swarm / Helm / JAR (PostgreSQL or MSSQL backend) | Both — local CLI / hosted VDB / on-prem deployment |
The matrix’s “Database quality tier” row uses a five-tier scale. Tiers below shape what your scanner can detect — a scanner reading CVE/NVD only is missing half the ecosystem advisories.
| Tier | Coverage | Verdict | Tools |
|---|---|---|---|
| CVE/NVD only | NIST-curated CVE records, often weeks behind ecosystem advisories | Insufficient | (Tools at this tier are increasingly rare; most modern scanners aggregate at least GHSA.) |
| CVE + GHSA | + npm, pip, Maven, NuGet, RubyGems, Composer, Go via GitHub Advisory DB | Minimal | Dependabot |
| CVE + OSV | + RUSTSEC, PYSEC, GO, MAL/Malicious-Packages, plus broad distro coverage (Alpine, Debian, Ubuntu, RHEL, Rocky, Alma, SUSE, Fedora, Mageia, Chainguard, Wolfi, Bitnami, Curl, Android, Linux kernel) and ecosystem aggregation via the OSV aggregator | Sufficient — nearly comprehensive at the source level | osv-scanner |
| Commercial-curated + exploit-intel | Commercial feed blending NVD + GHSA + distro feeds + first-party exploit-intel via heuristic flags (riskFactors); no AI / sightings / weaponisation enrichment | Sufficient + exploit-intel heuristic | Prisma Cloud (twistcli) |
| CVE + OSV + GCVE | + Community-curated GCVE entries | Good coverage | No scanner currently ships this tier. |
| Vulnetix VDB | Every feed above plus first-party enrichment: x_affectedFunctions, sightings (honeypot + CrowdSec), weaponisation indicators, x_attackPaths, maintainer-health (OpenSSF Scorecard + account age + 2FA), AI-malware families, traffic-filters (Snort/Suricata/Nuclei) | Full coverage | Vulnetix |
OSV’s feed coverage is nearly comprehensive at the source level — the “Sufficient” label reflects the absence of first-party AI enrichment (sightings, weaponisation, x_affectedRoutines, attack-paths), not gaps in advisory feeds. For raw “is this CVE in any feed” lookups, osv-scanner ties Vulnetix.
Snyk’s commercial database is a curated catalogue that augments GHSA — broader than CVE+GHSA-only, narrower than OSV. GitLab’s Advisory Database is a similar shape. Both sit between “Minimal” and “Sufficient” depending on advisory. Prisma’s Intelligence Stream sits one tier higher: comparable feed coverage to OSV plus first-party exploit-intel surfaced as riskFactors, but without the enrichment that distinguishes Vulnetix VDB.
vulnetix vdb even when a different scanner originated the finding.