Skip to content

Scan Engines

On the CLI, each scan runs five engines locally and pushes only findings metadata to the cloud; managed scans run the same engines server-side instead. Container scanning is a sixth, separate flow covered in Container Scanning.

OpenGrep with community rules and your own custom rules. Detects SQL injection, XSS, command injection, insecure crypto, hardcoded credentials in code, missing authentication checks, and other code-level vulnerabilities. Custom rules let you encode organization-specific patterns.

osv-scanner against the OSV vulnerability database. Checks direct and transitive dependencies for known CVEs. Supports Python (requirements.txt, pyproject.toml, poetry.lock, Pipfile.lock), Node.js (package.json, package-lock.json, yarn.lock), Go (go.mod, go.sum), Ruby (Gemfile.lock), Rust (Cargo.lock), PHP (composer.lock), and Java (pom.xml, gradle.lockfile).

Gitleaks with 200+ built-in patterns plus Vygl’s custom rules. Detects hardcoded API keys, passwords, tokens, and private keys. Suppress test fixtures with inline novygl comments (the same comment marker works for SAST too).

Checkov with the latest community ruleset. Scans Terraform, Dockerfile, Kubernetes manifests, and CloudFormation for misconfigurations — public S3 buckets, missing encryption, overly permissive IAM, exposed ports, and more.

GuardDog — heuristic detection of malicious open-source packages. Where SCA asks “does this dependency have a known CVE?”, Malware asks “is this dependency itself trustworthy?”. Catches typosquats (reqeusts vs requests), install-script malware, exec/base64 payloads, exfiltration patterns, hijacked GitHub Actions (the tj-actions/changed-files attack class), and brand-new zero-history packages.

Covers five ecosystems:

  • PyPI — Python packages from any manifest the catalog parser finds.
  • npm — JavaScript/TypeScript packages.
  • Go — modules from go.mod / go.sum.
  • RubyGems — gems from Gemfile.lock / Gemfile.
  • GitHub Actionsuses: references in .github/workflows/*.yml.

The engine fetches each package’s contents from the public registry, runs GuardDog’s heuristic rules, and emits a finding when a rule fires. Per-rule severity defaults are curated by Vygl — install-script and release-zero are intentionally softened (HIGH severity but LOW confidence) so legitimate native-build packages don’t dominate the queue. Common false-positive packages (psycopg2, pillow, lxml, numpy, cryptography, …) are muted by default.

Malware detection is opt-in — new orgs ship with it off so the first scan isn’t dominated by a noisy new engine. Org admins turn it on from Settings → Organization → Scan Engines, and each project can override with a tri-state (use org default / on / off) under Project Settings → Scanning & AI Overrides. The org-level switch is a hard gate: a project’s “on” override has no effect if the org has the engine off.

Individual GuardDog rules can be disabled or have their severity overridden from Rules → Malicious Packages.

The CLI walks your repo once and picks engines based on what’s present:

  • SAST runs on any source code in supported languages.
  • SCA runs when manifest files (package.json, requirements.txt, etc.) are detected.
  • Secrets runs on every text file (with binary detection to skip images and archives).
  • IaC runs when Terraform, Dockerfile, Kubernetes, or CloudFormation files are present.
  • Malware runs against the same manifests SCA reads, plus any .github/workflows/*.yml.

Restrict which engines run with --scan-types sast,secrets on the CLI.

Each engine has its own configuration block in .vygl.yml:

  • scan.sast.exclude_paths — skip vendor/test/generated code.
  • scan.sast.exclude_rules — drop specific rule IDs (passed to OpenGrep as --exclude-rule).
  • scan.sca.exclude_packages — skip dependencies with documented mitigations.
  • scan.iac.frameworks — restrict Checkov to a subset (terraform, dockerfile, kubernetes, cloudformation).
  • scan.iac.exclude_checks — skip specific Checkov check IDs (e.g. CKV_AWS_46).
  • scan.malware.mute — additional (ecosystem, package) pairs to skip on top of the default mute list (example: [["PyPI", "my-internal-native-pkg"]]).

For Secrets, suppression today is via novygl comments in source — there is no .vygl.yml allow-list that the active Gitleaks engine reads. See Configuration for the full schema.

A failure in one engine never blocks the others. If GuardDog crashes mid-scan, the SAST/SCA/Secrets/IaC findings still come back. Each engine runs under a wall-clock budget (default 10 minutes, override via scan.engine_timeout_seconds), and timeouts, constructor errors, or malformed cloud-rule policies are surfaced as a per-engine status line in the CLI summary — not as a scan abort.

SAST rules can be extended in the dashboard or imported from a git repository — see Custom Rules.

SCA findings roll up into the org-wide Dependency Inventory — searchable by package and ecosystem, with a where-used breakdown and vulnerability status per package.