Eleven scanners. One verdict you can actually act on.
Every scanner has a job. The platform runs all eleven, deduplicates findings across them, and lets Eagle and Griffin reason about the combined output — instead of leaving developers to triage eleven disjoint queues.
Best-of-breed coverage across every surface.
Containers, source, secrets, manifests, infrastructure, dependencies, advisories, maintainer signals — one platform reads them all.
Grype
Package vulnerability scanning across distros and language ecosystems.
Trivy
Multi-target scanner for containers, filesystems, git repos, IaC, and Kubernetes.
License scanner
SPDX-aware open-source licence detection and policy enforcement.
Gitleaks
Secret detection in source, git history, and commit messages.
OSV scanner
OSV.dev-backed vulnerability matching for open-source packages.
GHSA
GitHub Security Advisory feed lookup and matching.
OpenSSF Scorecard
Supply-chain hygiene scoring for OSS dependencies.
Hipcheck
Heuristic risk scoring for upstream maintainers and repositories.
SonarQube integration
Pull-through of SAST findings from your existing SonarQube.
Malicious-package detection
Typosquat / dependency-confusion / known-malicious package matching.
SCC (Source Code Complexity)
Code complexity + churn metrics, used as a triage signal.
Seven feeds turn raw matches into ranked signal.
NVD + OSV
Authoritative vulnerability records and open-source advisory matching, joined by CPE and PURL.
EPSS + KEV
Exploit Prediction Scoring and CISA's Known Exploited Vulnerabilities — the signal that ranks the queue.
GitHub Advisory
GHSA enrichments with ecosystem-specific fix ranges and curated descriptions.
VirusTotal + VulnCheck
File-level reputation and curated exploit-intel feeds for high-stakes triage decisions.
Two formats. Signed at build time.
Every SBOM ships with an in-toto attestation pinned to the commit and image digest — so what you scan is what you ship.
CycloneDX
OWASP-maintained, exhaustively populated with component, vulnerability, and service metadata.
SPDX
Linux Foundation standard, ideal for licence-heavy compliance audits and regulator submissions.
Eleven queues collapse into one verdict.
Six stages from raw matches to a single, evidence-backed finding in your review queue.
1. Grype, Trivy, Gitleaks, OSV, GHSA, Scorecard, Hipcheck, SonarQube, malicious-package, License, SCC fire in parallel.
2. Findings collapsed across scanners by (component, CVE, location). One row per real issue.
3. NVD, OSV, EPSS, KEV, GHSA, VirusTotal, VulnCheck join in. Each finding gets a context bundle.
4. Wide-angle model scores reachability, blast radius, and exploitability — top candidates surface first.
5. Heavy-reasoning pass hypothesises exploit chains, runs adversarial disproof, attaches a patch suggestion.
6. One row, one verdict, full evidence bundle. SBOM attestation regenerated on each build.
One row, one verdict, one ranked evidence bundle — every finding is replayable from raw scanner output forward.
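The collapse, enrichment and ranking stages described above, as an added example that is not the platform's own code: it takes constructed output from three scanners (Grype, Trivy, OSV), folds it onto a single (component, CVE, location) key while resolving a GHSA alias to its CVE, joins constructed EPSS and KEV data, and orders the surviving rows with KEV membership first, then EPSS, then scanner severity. The scanner output shape, the alias table, the CVE/GHSA identifiers and the feed values are all assumptions constructed for this illustration, not real records.

```python
"""Added example: deduplicate multi-scanner findings, enrich, rank.
Every scanner row, identifier and feed value below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "unknown": 0}

# Constructed alias table: advisory ids that describe the same CVE.
ALIASES = {"GHSA-xxxx-yyyy-zzzz": "CVE-2099-1002"}

# Constructed raw scanner output, trimmed to the fields the pipeline needs.
# Note the case differences and the GHSA id: three scanners, five rows, three issues.
RAW_FINDINGS = [
    {"scanner": "grype", "component": "openssl@1.1.1k", "vuln": "CVE-2099-1001",
     "location": "usr/lib/libssl.so.1.1", "severity": "high"},
    {"scanner": "trivy", "component": "OpenSSL@1.1.1k", "vuln": "cve-2099-1001",
     "location": "usr/lib/libssl.so.1.1", "severity": "critical"},
    {"scanner": "osv", "component": "lodash@4.17.20", "vuln": "GHSA-xxxx-yyyy-zzzz",
     "location": "package-lock.json", "severity": "medium"},
    {"scanner": "grype", "component": "lodash@4.17.20", "vuln": "CVE-2099-1002",
     "location": "package-lock.json", "severity": "medium"},
    {"scanner": "trivy", "component": "busybox@1.35.0", "vuln": "CVE-2099-1003",
     "location": "bin/busybox", "severity": "critical"},
]

# Constructed enrichment feeds: EPSS probabilities and a KEV membership set.
EPSS = {"CVE-2099-1001": 0.91, "CVE-2099-1002": 0.03, "CVE-2099-1003": 0.42}
KEV = {"CVE-2099-1002"}


@dataclass
class Finding:
    component: str
    vuln: str
    location: str
    scanners: Set[str] = field(default_factory=set)
    severity: str = "unknown"
    epss: float = 0.0
    in_kev: bool = False


def normalise_key(raw: dict) -> Tuple[str, str, str]:
    """Build the (component, CVE, location) key: fold case, resolve aliases."""
    vuln = ALIASES.get(raw["vuln"], raw["vuln"]).upper()
    return (raw["component"].lower(), vuln, raw["location"])


def deduplicate(raw_findings: Iterable[dict]) -> Dict[Tuple[str, str, str], Finding]:
    """Collapse to one row per key, remembering which scanners agreed and
    keeping the highest severity any of them reported."""
    merged: Dict[Tuple[str, str, str], Finding] = {}
    for raw in raw_findings:
        key = normalise_key(raw)
        finding = merged.setdefault(key, Finding(*key))
        finding.scanners.add(raw["scanner"])
        sev = raw.get("severity", "unknown").lower()
        if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK.get(finding.severity, 0):
            finding.severity = sev
    return merged


def enrich(findings: Dict[Tuple[str, str, str], Finding],
           epss: Dict[str, float], kev: Set[str]) -> Dict[Tuple[str, str, str], Finding]:
    """Attach the context that ranks the queue: EPSS score and KEV membership."""
    for finding in findings.values():
        finding.epss = epss.get(finding.vuln, 0.0)
        finding.in_kev = finding.vuln in kev
    return findings


def rank(findings: Dict[Tuple[str, str, str], Finding]) -> List[Finding]:
    """KEV first, then EPSS, then scanner severity, then how many scanners agreed."""
    return sorted(
        findings.values(),
        key=lambda f: (f.in_kev, f.epss, SEVERITY_RANK.get(f.severity, 0), len(f.scanners)),
        reverse=True,
    )


def run_pipeline(raw: Iterable[dict] = RAW_FINDINGS,
                 epss: Dict[str, float] = EPSS, kev: Set[str] = KEV) -> List[Finding]:
    return rank(enrich(deduplicate(raw), epss, kev))


if __name__ == "__main__":
    for f in run_pipeline():
        print(f"{f.vuln:14} {f.component:18} kev={f.in_kev!s:5} epss={f.epss:.2f} "
              f"sev={f.severity:8} from={sorted(f.scanners)}")
```

With the constructed input, five scanner rows become three findings; the lodash issue is ranked first despite its low EPSS and medium severity because it is on the KEV list, which is the ordering the "EPSS + KEV" feed description above implies. Keeping the `scanners` set on each row is what makes a finding replayable back to the raw scanner output.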
Eleven scanners. One queue worth working.
Run the suite against your repo and see the deduplicated, enriched, model-ranked verdict the disjoint queues never give you.