Six scanners. One pipeline. Zero re-architecture.

Comprehensive vulnerability scanner with CVE, license, IaC, and secret detection.

Trivy is the broadest-coverage open-source scanner: OS packages, language deps, IaC misconfig, secrets, and licenses in one binary.

Vulnerability matcher tuned for SBOM-driven workflows.

Grype consumes SBOMs (typically from Syft) and matches packages against the NVD, GitHub Security Advisories, Alpine secdb, and others.

SBOM generator covering 25+ ecosystems.

Syft produces a Software Bill of Materials — every package and version inside a container — without phoning home.

Container image best-practices linter aligned to CIS Docker.

Dockle catches misconfigurations: writable root, leaked secrets, latest tags, and CIS Docker Benchmark violations.

Open Source Vulnerability database scanner from Google.

OSV-Scanner cross-references your dependencies against the OSV.dev database — the same feed Google uses for its own supply-chain protection.

Layer-by-layer image efficiency analyzer.

Dive tells you exactly what each Docker layer adds, where waste is, and how to slim images before they ship.