Safeguard
Application Security

Vulnerability Scanner Tools: how they work

A breakdown of how SAST, DAST, SCA, and container vulnerability scanner tools actually work, where Veracode fits, and why false positives remain the industry's biggest problem.

Aman Khan
AppSec Engineer
Updated 7 min read

Every security team runs at least one vulnerability scanner, and most run four or five without realizing how differently each one actually works. A SAST engine like Veracode's parses source code or compiled binaries looking for insecure patterns before anything ships. A DAST tool attacks a running application the way an outside attacker would. An SCA scanner cross-references your dependency tree against CVE databases. A container scanner inspects image layers for outdated packages. They all get lumped together as "vulnerability scanner tools," but the mechanics, blind spots, and false-positive rates differ enough that picking the wrong mix leaves real gaps. In 2024, NVD logged over 40,000 new CVEs — a record high and roughly 30% more than 2023 — and no single scanner category catches all of them. This post breaks down how these tools actually work, where Veracode's approach fits, and what tends to get missed.

What Are Vulnerability Scanner Tools and How Do They Work?

Vulnerability scanner tools work by comparing a piece of software — its source code, binary, running behavior, or dependency manifest — against a database of known-bad patterns or known-vulnerable versions, then flagging matches for review. There are four main categories: SAST (static analysis of source or compiled code, no execution required), DAST (dynamic testing against a running app, simulating attacker requests), SCA (software composition analysis, matching open-source dependencies against CVE feeds like NVD or OSV), and container/infrastructure scanners (checking OS packages and image layers against distro security advisories). A typical mid-size engineering org running a Java monolith plus a dozen microservices will use at least three of these simultaneously, because each catches a different class of bug — SAST finds a SQL injection pattern in code that hasn't been deployed yet, while SCA catches that the app is still pulling in Log4j 2.14.1, the version vulnerable to Log4Shell (CVE-2021-44228), disclosed December 9, 2021.

How Do SAST Tools Like Veracode Analyze Code Without Running It?

SAST tools like Veracode analyze code without running it by building an abstract representation of the program — an AST (abstract syntax tree) or control-flow graph — and tracing how untrusted data moves through it, a technique called taint analysis. Veracode's platform specifically works on compiled binaries and bytecode rather than raw source, which lets it scan compiled languages (Java, .NET, C/C++) without needing a full source checkout, but it also means findings get mapped back to source lines after the fact, and minified or heavily optimized builds can obscure that mapping. The core idea: if a variable originates from an HTTP request parameter (a "source") and flows unsanitized into a database query or shell command (a "sink"), the engine flags a potential injection vulnerability. This is powerful for catching bugs early — Veracode's own 2024 State of Software Security report found that 45% of applications have at least one high-severity flaw at first scan — but static analysis can't see runtime configuration, so it routinely misses issues like a misconfigured cloud storage bucket or an auth check that only fails under a specific runtime condition.

Why Do Vulnerability Scanners Produce So Many False Positives?

Vulnerability scanners produce high false-positive rates because pattern-matching and taint analysis can't fully model real-world context — a scanner sees that user input reaches a SQL query, but it often can't tell that the query uses parameterized binding three lines later in a helper function. The OWASP Benchmark project, which tests SAST tools against a corpus of 2,740 known-vulnerable and known-safe test cases, has repeatedly shown commercial and open-source scanners landing anywhere from 20% to over 50% false-positive rates depending on the vulnerability class, with taint-style flaws like path traversal and SSRF among the worst offenders. This matters operationally: a 2023 GitLab DevSecOps survey found 42% of developers say they routinely ignore scanner alerts because there are too many of them, and 44% said false positives were their top complaint about security tooling. The practical effect is scanner fatigue — teams either turn down sensitivity (missing real bugs) or drown triage queues in noise, and the tools that win in practice are the ones that reduce time-to-verdict, not just time-to-detection.

How Do Vulnerability Scanners Handle Open Source Dependencies and SBOMs?

Vulnerability scanners handle open-source dependencies by parsing a project's manifest files (package.json, pom.xml, requirements.txt, go.mod) or generating a Software Bill of Materials, then matching each resolved package version against vulnerability feeds like the NVD, GitHub Advisory Database, or OSV.dev. This is where the industry moved fastest after Log4Shell: Executive Order 14028 (May 2021) and the subsequent NTIA minimum elements guidance pushed SBOM generation from a niche practice to a near-mandatory one for anyone selling into the U.S. federal supply chain, and by 2024 most major scanners — Veracode included, via its 2023 acquisition of SBOM vendor Longbow-adjacent tooling and its own software composition analysis line — added SBOM export in CycloneDX or SPDX format. The catch is that SCA accuracy depends entirely on correct dependency resolution: transitive dependencies (a library your library depends on) account for an estimated 70-80% of vulnerable components in a typical application per Sonatype's 2023 State of the Software Supply Chain report, and scanners that only read top-level manifests without resolving the full graph will systematically undercount exposure.

How Fast Do Vulnerability Scanners Need to Be in CI/CD Pipelines?

Vulnerability scanners need to complete a pull-request-triggered scan in well under five minutes to stay embedded in modern CI/CD without developers routing around them, since most CI pipelines target a total build-and-test time of 10-15 minutes and security checks are competing for that same window. Full deep SAST scans that take 20-40 minutes — common with binary-analysis approaches on large monoliths — get pushed to nightly or pre-release gates instead of every commit, which means the fastest-moving code often ships several commits ahead of its security feedback. Veracode addresses this with "pipeline scan," a lighter-weight, faster static check meant for the commit stage, separate from its full policy-scan engine. The tradeoff is real: faster scans generally mean a narrower ruleset or incomplete cross-file analysis, so teams end up running a fast scan on every push and a comprehensive scan on a schedule or before a release tag — a two-speed model that has become the de facto standard across the vulnerability-scanning market since roughly 2022.

How Safeguard Helps

Safeguard is built around a different starting point than legacy scanners: instead of treating each vulnerability class as a separate tool bolted onto a pipeline after the fact, Safeguard unifies SAST, SCA, container, and supply-chain provenance checks into one scan pass with a shared risk model, so a finding in a dependency is automatically correlated with whether your code actually reaches the vulnerable function — cutting through the exact false-positive noise that drives the 42-44% alert-fatigue numbers cited above. Where Veracode's binary-based SAST approach optimizes for compiled-language coverage, Safeguard scans source directly and resolves the full transitive dependency graph, so the 70-80% of vulnerabilities that hide in indirect packages get surfaced with accurate reachability data instead of a flat "this version has a CVE" flag.

Safeguard also treats SBOM generation as a first-class output rather than an add-on: every scan produces a CycloneDX-compatible SBOM automatically, which matters for teams under NIST SSDF or EO 14028-adjacent compliance requirements and removes the need to run a separate SBOM tool alongside your vulnerability scanner. On speed, Safeguard's incremental scanning analyzes only the files changed in a commit against a cached dependency graph, targeting sub-two-minute feedback on typical pull requests without pushing deep analysis to a slower nightly job — closing the two-speed gap described above rather than accepting it as permanent. And because Safeguard scores findings against exploitability and reachability rather than raw CVSS severity alone, security teams get a prioritized queue instead of a 40,000-CVE-a-year firehose, which is the difference between a scanner that gets triaged in minutes and one that gets ignored.

If your current vulnerability scanner tools are producing more noise than signal, or you're stitching together three separate products to get SAST, SCA, and SBOM coverage, Safeguard is built to replace that stack with one scan that understands how your code, dependencies, and containers actually connect.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.