Scan Engines
On the CLI, each scan runs five engines locally and pushes only findings metadata to the cloud; managed scans run the same engines server-side instead. Container scanning is a sixth, separate flow covered in Container Scanning.
Static Analysis (SAST)
Section titled “Static Analysis (SAST)”OpenGrep with community rules and your own custom rules. Detects SQL injection, XSS, command injection, insecure crypto, hardcoded credentials in code, missing authentication checks, and other code-level vulnerabilities. Custom rules let you encode organization-specific patterns.
Supply Chain (SCA)
Section titled “Supply Chain (SCA)”osv-scanner against the OSV vulnerability database. Checks direct and transitive dependencies for known CVEs. Supports Python (requirements.txt, pyproject.toml, poetry.lock, Pipfile.lock), Node.js (package.json, package-lock.json, yarn.lock), Go (go.mod, go.sum), Ruby (Gemfile.lock), Rust (Cargo.lock), PHP (composer.lock), and Java (pom.xml, gradle.lockfile).
Secret Detection
Section titled “Secret Detection”Gitleaks with 200+ built-in patterns plus Vygl’s custom rules. Detects hardcoded API keys, passwords, tokens, and private keys. Suppress test fixtures with inline novygl comments (the same comment marker works for SAST too).
Infrastructure as Code (IaC)
Section titled “Infrastructure as Code (IaC)”Checkov with the latest community ruleset. Scans Terraform, Dockerfile, Kubernetes manifests, and CloudFormation for misconfigurations — public S3 buckets, missing encryption, overly permissive IAM, exposed ports, and more.
Malicious Packages (Malware)
Section titled “Malicious Packages (Malware)”GuardDog — heuristic detection of malicious open-source packages. Where SCA asks “does this dependency have a known CVE?”, Malware asks “is this dependency itself trustworthy?”. Catches typosquats (reqeusts vs requests), install-script malware, exec/base64 payloads, exfiltration patterns, hijacked GitHub Actions (the tj-actions/changed-files attack class), and brand-new zero-history packages.
Covers five ecosystems:
- PyPI — Python packages from any manifest the catalog parser finds.
- npm — JavaScript/TypeScript packages.
- Go — modules from
go.mod/go.sum. - RubyGems — gems from
Gemfile.lock/Gemfile. - GitHub Actions —
uses:references in.github/workflows/*.yml.
The engine fetches each package’s contents from the public registry, runs GuardDog’s heuristic rules, and emits a finding when a rule fires. Per-rule severity defaults are curated by Vygl — install-script and release-zero are intentionally softened (HIGH severity but LOW confidence) so legitimate native-build packages don’t dominate the queue. Common false-positive packages (psycopg2, pillow, lxml, numpy, cryptography, …) are muted by default.
Malware detection is opt-in — new orgs ship with it off so the first scan isn’t dominated by a noisy new engine. Org admins turn it on from Settings → Organization → Scan Engines, and each project can override with a tri-state (use org default / on / off) under Project Settings → Scanning & AI Overrides. The org-level switch is a hard gate: a project’s “on” override has no effect if the org has the engine off.
Individual GuardDog rules can be disabled or have their severity overridden from Rules → Malicious Packages.
How engines pick what to scan
Section titled “How engines pick what to scan”The CLI walks your repo once and picks engines based on what’s present:
- SAST runs on any source code in supported languages.
- SCA runs when manifest files (
package.json,requirements.txt, etc.) are detected. - Secrets runs on every text file (with binary detection to skip images and archives).
- IaC runs when Terraform, Dockerfile, Kubernetes, or CloudFormation files are present.
- Malware runs against the same manifests SCA reads, plus any
.github/workflows/*.yml.
Restrict which engines run with --scan-types sast,secrets on the CLI.
Tuning per engine
Section titled “Tuning per engine”Each engine has its own configuration block in .vygl.yml:
scan.sast.exclude_paths— skip vendor/test/generated code.scan.sast.exclude_rules— drop specific rule IDs (passed to OpenGrep as--exclude-rule).scan.sca.exclude_packages— skip dependencies with documented mitigations.scan.iac.frameworks— restrict Checkov to a subset (terraform,dockerfile,kubernetes,cloudformation).scan.iac.exclude_checks— skip specific Checkov check IDs (e.g.CKV_AWS_46).scan.malware.mute— additional(ecosystem, package)pairs to skip on top of the default mute list (example:[["PyPI", "my-internal-native-pkg"]]).
For Secrets, suppression today is via novygl comments in source — there is no .vygl.yml allow-list that the active Gitleaks engine reads. See Configuration for the full schema.
Engine isolation
Section titled “Engine isolation”A failure in one engine never blocks the others. If GuardDog crashes mid-scan, the SAST/SCA/Secrets/IaC findings still come back. Each engine runs under a wall-clock budget (default 10 minutes, override via scan.engine_timeout_seconds), and timeouts, constructor errors, or malformed cloud-rule policies are surfaced as a per-engine status line in the CLI summary — not as a scan abort.
Custom rules
Section titled “Custom rules”SAST rules can be extended in the dashboard or imported from a git repository — see Custom Rules.
Browsing results
Section titled “Browsing results”SCA findings roll up into the org-wide Dependency Inventory — searchable by package and ecosystem, with a where-used breakdown and vulnerability status per package.