How Scanning Works

HarborGuard runs six open-source security scanners in a unified workflow, deduplicating findings across engines and attributing each vulnerability to the scanner that detected it.

Scanner Suite

Each scan executes up to six scanners:

  • Trivy — Comprehensive vulnerability scanner for OS packages and application dependencies
  • Grype — Fast vulnerability matcher with broad ecosystem coverage
  • Syft — SBOM generator producing complete package inventories
  • Dockle — CIS Docker Benchmark checker for image configuration
  • OSV-Scanner — Google's open-source vulnerability database scanner
  • Dive — Image layer analyzer for efficiency and waste detection
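The cross-engine deduplication and attribution described above can be illustrated with a small normaliser. The following is an added example, not HarborGuard's own code: it assumes simplified report shapes loosely modelled on Trivy's `Results[].Vulnerabilities[]` and Grype's `matches[]` JSON layouts, folds both into one record per (vulnerability id, package, installed version), keeps the list of scanners that reported it, and flags the case where the engines disagree on severity. The sample reports and CVE-style identifiers are constructed placeholders.

```python
"""Cross-scanner finding deduplication (illustrative, not HarborGuard's code).

Assumptions: report shapes are simplified from Trivy and Grype JSON output;
vulnerability ids below are constructed placeholders, not real CVEs.
"""
from dataclasses import dataclass, field

# Rank used to pick the most severe rating when engines disagree.
SEVERITY_RANK = {"UNKNOWN": 0, "NEGLIGIBLE": 0, "LOW": 1,
                 "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Finding:
    vuln_id: str
    package: str
    version: str
    severity: str
    scanner: str          # engine that produced this raw finding


@dataclass
class MergedFinding:
    vuln_id: str
    package: str
    version: str
    severity: str                                   # highest severity reported
    scanners: list = field(default_factory=list)    # engines that detected it
    severity_disagreement: bool = False             # engines rated it differently


# Constructed Trivy-style report (assumed shape: Results[].Vulnerabilities[]).
TRIVY_SAMPLE = {"Results": [{"Target": "example-image", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-1001", "PkgName": "libcrypto3",
     "InstalledVersion": "3.1.1-r0", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-1002", "PkgName": "busybox",
     "InstalledVersion": "1.36.1-r0", "Severity": "MEDIUM"},
]}]}

# Constructed Grype-style report (assumed shape: matches[].vulnerability/artifact).
GRYPE_SAMPLE = {"matches": [
    {"vulnerability": {"id": "CVE-0000-1001", "severity": "Critical"},
     "artifact": {"name": "libcrypto3", "version": "3.1.1-r0"}},
    {"vulnerability": {"id": "CVE-0000-1003", "severity": "Low"},
     "artifact": {"name": "zlib", "version": "1.2.13-r1"}},
]}


def normalize_trivy(report):
    """Flatten a Trivy-style report into Finding records attributed to 'trivy'."""
    out = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            out.append(Finding(v["VulnerabilityID"], v["PkgName"],
                               v["InstalledVersion"],
                               v.get("Severity", "UNKNOWN").upper(), "trivy"))
    return out


def normalize_grype(report):
    """Flatten a Grype-style report into Finding records attributed to 'grype'."""
    out = []
    for m in report.get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        out.append(Finding(vuln["id"], art["name"], art["version"],
                           vuln.get("severity", "Unknown").upper(), "grype"))
    return out


def deduplicate(findings):
    """Merge raw findings on (vuln id, package, version), keeping every scanner
    that reported the pair and the most severe rating any of them assigned."""
    merged = {}
    for f in findings:
        key = (f.vuln_id, f.package, f.version)
        if key not in merged:
            merged[key] = MergedFinding(f.vuln_id, f.package, f.version,
                                        f.severity, [f.scanner])
            continue
        m = merged[key]
        if f.scanner not in m.scanners:
            m.scanners.append(f.scanner)
        if f.severity != m.severity:
            m.severity_disagreement = True
            if SEVERITY_RANK.get(f.severity, 0) > SEVERITY_RANK.get(m.severity, 0):
                m.severity = f.severity
    # Most severe first, then by id for a stable report order.
    return sorted(merged.values(),
                  key=lambda m: (-SEVERITY_RANK.get(m.severity, 0), m.vuln_id))


if __name__ == "__main__":
    for m in deduplicate(normalize_trivy(TRIVY_SAMPLE) + normalize_grype(GRYPE_SAMPLE)):
        flag = " (severity disagreement)" if m.severity_disagreement else ""
        print(f"{m.vuln_id} {m.package}@{m.version} {m.severity} "
              f"found by {','.join(m.scanners)}{flag}")
```

Keying on the installed version as well as the package name matters: the same CVE against two different versions of a package in different layers is two remediation items, not one. Recording severity disagreement rather than silently picking one rating is what lets a reviewer see where engines diverge.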

Scan Origins

Scans can be triggered from three sources:

  • Cloud — Executed on HarborGuard's infrastructure (or Fly Machines in production)
  • Sensor — Executed on your infrastructure via a lightweight agent
  • CI/CD — Triggered from your pipeline via the API
